Bug #2862
closed
We log oauth consumer key in the production.log
Added by Lukas Zapletal over 11 years ago.
Updated over 11 years ago.
Description
We should not do that, just saying "is invalid" is enough and more secure.
I personally don't like this change too much. oauth_key is something like username (and oauth_consumer is more like password) so I think we can log this. I find this useful for debugging. If we want to hide usernames we should think of filtering usernames coming from login forms (and probably other places). Anyone else concerned?
- Status changed from Assigned to Ready For Testing
I ran this by Grant from RH's security team and he seemed to agree with Marek's response:
The consumer_key makes up part of the client credentials but it is not a secret component of them. It is intended to be a unique identifier for the client that is transmitted when requesting a request_token and access_token. The consumer_secret should never be exposed. In this case I'm not sure it would matter if you logged the consumer_key anyway as AFAICT only one consumer_key / consumer_secret can be configured for the application.
- Status changed from Ready For Testing to Rejected
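The distinction the thread settles on, a consumer_key that may be logged versus secret-bearing OAuth parameters that must not be, as an added Ruby example (not Foreman's code): a filter that redacts oauth_consumer_secret, oauth_token_secret and oauth_signature from a log line or params hash while leaving oauth_consumer_key readable for debugging. The sample line and client name are constructed.

```ruby
# Added example, not code from the project: redact the secret-bearing OAuth
# parameters before a request reaches production.log, while keeping the
# consumer key visible, since the thread treats it as a public client id.

# Parameters that carry a secret or material derived from one.
OAUTH_SECRET_PARAMS = %w[oauth_consumer_secret oauth_token_secret oauth_signature].freeze

# Redact secret values inside an OAuth Authorization header or a
# query/form-encoded string. Quoted ("...") and bare values are both handled;
# oauth_signature_method is untouched because the name must be followed by "=".
def filter_oauth_params(text)
  pattern = /\b(#{OAUTH_SECRET_PARAMS.join('|')})=("?)([^",&\s]*)\2/
  text.gsub(pattern) { "#{$1}=#{$2}[FILTERED]#{$2}" }
end

# Same policy for a Rails-style params hash: values of secret keys are
# replaced, every other key/value pair is passed through unchanged.
def filter_oauth_hash(params)
  params.each_with_object({}) do |(key, value), out|
    out[key] = OAUTH_SECRET_PARAMS.include?(key.to_s) ? '[FILTERED]' : value
  end
end

# Constructed sample log line (not taken from a real production.log).
SAMPLE_LINE = 'Authorization: OAuth oauth_consumer_key="example-client", ' \
              'oauth_signature_method="HMAC-SHA1", oauth_signature="abc%2F123%3D", ' \
              'oauth_timestamp="1366893000", oauth_nonce="n1", oauth_version="1.0"'

if __FILE__ == $PROGRAM_NAME
  puts filter_oauth_params(SAMPLE_LINE)
end
```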