
fix(oauth2): mask sensitive tokens in HTTP logs #1900

Merged
lqiu96 merged 16 commits into main from mask-sensitive-tokens
Mar 20, 2026

Conversation


@lqiu96 lqiu96 commented Mar 19, 2026

Disables automatic logging by google-http-java-client throughout the auth library to prevent leakage of sensitive tokens like access_token and subject_token. Token-masking logging via LoggingUtils is introduced instead, which hashes sensitive keys.

This was discovered in use cases where info level logging was enabled and CIs were outputting Bearer Token values.

See b/456079208 and b/465090182 for more info

Behavior change

  • HttpRequests are no longer being logged as they may contain sensitive information. This also removes transport-specific logs that output the request and response data.
  • Info is going to be logged via LoggingUtils (Client Library Debug Logging) and the logs must be explicitly enabled via the Env Var. The different log levels configured (INFO vs DEBUG) will output different data (request, response, or payload).

Disables automatic logging by google-http-java-client in StsRequestHandler and UrlIdentityPoolSubjectTokenSupplier to prevent leakage of access_token and subject_token. Explicit secure logging via LoggingUtils is introduced instead, which hashes sensitive keys.
@lqiu96 lqiu96 requested review from a team as code owners March 19, 2026 20:07
@product-auto-label product-auto-label bot added the size: m Pull request size is medium. label Mar 19, 2026
@lqiu96 lqiu96 marked this pull request as draft March 20, 2026 15:34
@product-auto-label product-auto-label bot added size: l Pull request size is large. and removed size: m Pull request size is medium. labels Mar 20, 2026

lqiu96 commented Mar 20, 2026

Should we also mask content in

String jsonData = gson.toJson(((JsonHttpContent) request.getContent()).getData());
for Json?

@lqiu96 lqiu96 requested a review from zhumin8 March 20, 2026 17:32
@lqiu96 lqiu96 marked this pull request as ready for review March 20, 2026 17:32

zhumin8 commented Mar 20, 2026

Should we also mask content in

String jsonData = gson.toJson(((JsonHttpContent) request.getContent()).getData());

for Json?

We can. I don't recall exactly what is in the content. In practice, I think we only want to hash where absolutely necessary; otherwise logs with all hashes don't provide much value. Again, this is under the terms that this logging is not designed for production usage, but for debug purposes only. See the warnings in the guide.


lqiu96 commented Mar 20, 2026

Should we also mask content in

String jsonData = gson.toJson(((JsonHttpContent) request.getContent()).getData());

for Json?

We can. I don't recall exactly what is in the content. In practice, I think we only want to hash where absolutely necessary; otherwise logs with all hashes don't provide much value. Again, this is under the terms that this logging is not designed for production usage, but for debug purposes only. See the warnings in the guide.

Gotcha. I just added a reference to it just in case. Looks like if there is no match to sensitive keys, it'll just keep it as-is. I think that should be fine since it's most likely the case that the JsonHttpContent doesn't have anything that needs to be masked.
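The masking approach discussed in the PR description and in the JsonHttpContent thread above (hash the values stored under sensitive keys such as access_token and subject_token before anything reaches a log line, and leave non-sensitive keys untouched), as an added illustrative example. This is not the library's LoggingUtils; the class name, the exact key set, the handling of nested JSON maps and lists, and the truncated SHA-256 digest format are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative token-masking helper (assumed example, not the library's LoggingUtils).
 * Values found under sensitive keys are replaced by a truncated SHA-256 digest
 * before the structure is handed to a logger; everything else is kept as-is.
 */
public final class TokenMaskingExample {

  // Assumed key set: the PR names access_token and subject_token; the
  // Authorization header is included because the PR mentions Bearer values in logs.
  private static final Set<String> SENSITIVE_KEYS =
      Set.of("access_token", "subject_token", "authorization");

  private TokenMaskingExample() {}

  /** Returns a deep copy of {@code data} with sensitive values replaced by a digest. */
  public static Map<String, Object> mask(Map<String, Object> data) {
    Map<String, Object> out = new LinkedHashMap<>();
    for (Map.Entry<String, Object> e : data.entrySet()) {
      out.put(e.getKey(), maskValue(e.getKey(), e.getValue()));
    }
    return out;
  }

  @SuppressWarnings("unchecked")
  private static Object maskValue(String key, Object value) {
    if (value instanceof Map) {
      // Nested JSON object (e.g. the data behind a JsonHttpContent): recurse so
      // a sensitive key at any depth is masked.
      return mask((Map<String, Object>) value);
    }
    if (value instanceof List) {
      List<Object> masked = new ArrayList<>();
      for (Object item : (List<Object>) value) {
        masked.add(maskValue(key, item));
      }
      return masked;
    }
    if (value != null && SENSITIVE_KEYS.contains(key.toLowerCase(Locale.ROOT))) {
      return digest(String.valueOf(value));
    }
    return value; // no match against the sensitive keys: logged unchanged
  }

  /** Truncated SHA-256 hex digest: stable across log lines, not reversible. */
  static String digest(String secret) {
    try {
      MessageDigest md = MessageDigest.getInstance("SHA-256");
      byte[] h = md.digest(secret.getBytes(StandardCharsets.UTF_8));
      StringBuilder sb = new StringBuilder("sha256:");
      for (int i = 0; i < 8; i++) {
        sb.append(String.format("%02x", h[i]));
      }
      return sb.toString();
    } catch (NoSuchAlgorithmException ex) {
      throw new IllegalStateException("SHA-256 must be available", ex);
    }
  }

  public static void main(String[] args) {
    // Constructed sample input: STS-style form fields plus a nested JSON body.
    Map<String, Object> request = new LinkedHashMap<>();
    request.put("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange");
    request.put("subject_token", "constructed-subject-token-value");
    Map<String, Object> body = new LinkedHashMap<>();
    body.put("access_token", "constructed-access-token-value");
    body.put("expires_in", 3600);
    request.put("json", body);

    System.out.println(mask(request));
  }
}
```

Hashing rather than blanking keeps the masked value stable, so two debug lines that refer to the same token can still be correlated without the token itself ever being written. The digest only protects values with real entropy: a short or predictable value could be recovered by hashing guesses, which is one more reason the PR's debug logging stays disabled unless explicitly turned on via the environment variable.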

@lqiu96 lqiu96 requested a review from zhumin8 March 20, 2026 19:53
@sonarqubecloud

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud



@zhumin8 zhumin8 left a comment


LGTM

@lqiu96 lqiu96 merged commit 1a81a7e into main Mar 20, 2026
26 of 27 checks passed
@lqiu96 lqiu96 deleted the mask-sensitive-tokens branch March 20, 2026 20:49

Labels

size: l Pull request size is large.


2 participants