Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

google-http-java-client being used by storage library logs partial access tokens. #1705

Open
tikurahul opened this issue Apr 18, 2022 · 2 comments
Open

google-http-java-client being used by storage library logs partial access tokens. #1705

tikurahul opened this issue Apr 18, 2022 · 2 comments
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@tikurahul
Copy link

The offending line of code is here.

Problem

If you are authoring a Java module which uses the cloud storage client library under the hood, access tokens are always logged to the console appender by default.

Note: This is typically not a problem for web apps running on App Engine / k8s et.al given apps have full control on logging configuration.

This affects JAR modules distributed by a Maven like repository, or places where console applications are used but the module does not necessarily have full control on the calling context. For e.g. GitHub actions.

When running the module, you can see log messages that look like:

2022-04-18T06:22:23.9671345Z -------------- REQUEST  --------------
2022-04-18T06:22:23.9671995Z POST https://oauth2.googleapis.com/token
2022-04-18T06:22:23.9672738Z Accept-Encoding: gzip
2022-04-18T06:22:23.9673405Z User-Agent: Google-HTTP-Java-Client/1.41.5 (gzip)
2022-04-18T06:22:23.9674329Z Content-Type: application/x-www-form-urlencoded; charset=UTF-8
2022-04-18T06:22:23.9677079Z Content-Length: 980
2022-04-18T06:22:23.9677420Z 
2022-04-18T06:22:23.9680061Z curl -v --compressed -X POST -H 'Accept-Encoding: gzip' -H 'User-Agent: Google-HTTP-Java-Client/1.41.5 (gzip)' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -d '@-' -- 'https://oauth2.googleapis.com/token' << $$$
2022-04-18T06:22:23.9681037Z Total: 980 bytes
2022-04-18T06:22:23.9694930Z grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=***
2022-04-18T06:22:23.9695912Z -------------- RESPONSE --------------
2022-04-18T06:22:23.9790894Z HTTP/1.1 200 OK
2022-04-18T06:22:23.9791424Z Transfer-Encoding: chunked
2022-04-18T06:22:23.9791864Z X-Frame-Options: SAMEORIGIN
...
2022-04-18T06:22:23.9797172Z Total: 1,083 bytes
2022-04-18T06:22:23.9799859Z ***"access_token":"ya29.c.b0AXv0zTOyVPYZ45W_cQIypBveTXRoQDlSjg53C_6KXvTWKcATx8uEgLqymqPI3xv_IboLmCijXUt9r2UxFml72hqCC_Qm6m06gXdBDE1oAcxL93c05U2B2PTDeKPbOGYb3BjJt33Radqn0ym-5nSzy5UdQHtjR-VZdYRtgCZ2mTzs2sMq_fXD5rhPar1pgA-9sSwnnmqQD9VCvh-LlTPWG_25V2ONcNiRr-YK...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................","expires_in":3599,"token_type":"Bearer"***

Note: The partial access token visible:

ya29.c.b0AXv0zTOyVPYZ45W_cQIypBveTXRoQDlSjg53C_6KXvTWKcATx8uEgLqymqPI3xv_IboLmCijXUt9r2UxFml72hqCC_Qm6m06gXdBDE1oAcxL93c05U2B2PTDeKPbOGYb3BjJt33Radqn0ym-5nSzy5UdQHtjR-VZdYRtgCZ2mTzs2sMq_fXD5rhPar1pgA-9sSwnnmqQD9VCvh-LlTPWG_25V2ONcNiRr-YK.....

Current Workaround

Apps, that want to disable all logging of requests have to use a delegating HttpRequestInitializer by doing something like:

class WrappedTransportOptions(builder: Builder) : HttpTransportOptions(builder) {
    override fun getHttpRequestInitializer(serviceOptions: ServiceOptions<*, *>?): HttpRequestInitializer {
        // Delegate to the underlying initializer.
        val initializer = super.getHttpRequestInitializer(serviceOptions)
        return HttpRequestInitializer {
            // Disable request logging
            it.isLoggingEnabled = false
            initializer.initialize(it)
        }
    }
}

While this works, this approach needs to be duplicated when multiple client libraries are involved.

Ideal Solution

The client library should provide the library to control request level logging. Ideally all client libraries using the same http-client should respect the log-level. We should also only log errors by default.
@product-auto-label product-auto-label bot added the api: storage Issues related to the Cloud Storage API. label Apr 18, 2022
@yoshi-automation yoshi-automation added the triage me I really want to be triaged. label Apr 19, 2022
@Neenu1995 Neenu1995 added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. and removed triage me I really want to be triaged. labels Apr 20, 2022
@Neenu1995 Neenu1995 transferred this issue from googleapis/java-storage Apr 20, 2022
@tritone tritone removed the api: storage Issues related to the Cloud Storage API. label Apr 20, 2022
@clundin25 clundin25 mentioned this issue Aug 11, 2022
Closed
4 tasks
@TimurSadykov
Copy link
Contributor

We took a look and it turns out that it is not related to auth library as it does not set log levels for HttpRequests. We also verified that with default settings auth data logs only with Level == ALL:
sample

The issue seems to be that certain loggers like sl4j get misconfigured by default. Probably logger initialization need improvements to support some popular loggers better.

@TimurSadykov
Copy link
Contributor

TimurSadykov commented Aug 11, 2022
edited
Loading

Also, the access_token with dots referred above as partial - is actually a full access_token. It is a Google thing to have access_token with trailing dots.. They are fine and accepted back by Google as is. https://stackoverflow.com/questions/68654502/why-am-i-getting-a-jwt-with-a-bunch-of-periods-dots-back-from-google-oauth

@blakeli0 blakeli0 transferred this issue from googleapis/google-oauth-java-client Aug 12, 2022
@TimurSadykov TimurSadykov removed their assignment Aug 16, 2022
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: disable logging from http requests and responses. clundin25/google-auth-library-java
5 participants
@tikurahul @TimurSadykov @tritone @Neenu1995 @yoshi-automation