This might lead to unintended password disclosure, so marking as a security vulnerability.
What I have now, using self-deployed Keycloak as IdP (hence insecure: true):
$ cat ~/.config/openstack/clouds.yaml
clouds:
  federated:
    auth_type: v3oidcpassword
    auth:
      auth_url: https://keystone.it.just.works/v3
      project_name: admin
      project_domain_name: Default
      identity-provider: keycloak
      protocol: mapped
      client-id: os
      client-secret: someRandomClientSecretMightBeNull
      openid-scope: openid
      access-token-endpoint: https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token
      discovery-endpoint: https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration
      username: pshchelokovskyy
      password: "CLEAR TEXT PASSWORD!!!"
    region_name: RegionOne
    insecure: true
    identity_api_version: 3
$ openstack --os-cloud federated --debug token issue
...
Using auth plugin: v3oidcpassword
Using parameters {'scope': 'openid', 'auth_url': 'https://keystone.it.just.works/v3', 'project_name': 'admin', 'project_domain_name': 'Default', 'identity_provider': 'keycloak', 'protocol': 'mapped', 'client_id': 'os', 'client_secret': '***', 'access_token_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token', 'discovery_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration', 'username': 'pshchelokovskyy', 'password': '***'}
Turning off SSL warnings for federated:RegionOne since verify=False
Turning off Insecure SSL warnings since verify=False
Get auth_ref
REQ: curl -g -i --insecure -X GET https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9"
Starting new HTTPS connection (1): keycloak.it.just.works:443
https://keycloak.it.just.works:443 "GET /auth/realms/iam/.well-known/openid-configuration HTTP/1.1" 200 2578
RESP: [200] Cache-Control: no-cache, must-revalidate, no-transform, no-store Connection: keep-alive Content-Length: 2578 Content-Type: application/json Date: Thu, 03 Dec 2020 14:25:29 GMT
RESP BODY: {"issuer":"https://keycloak.it.just.works/auth/realms/iam","authorization_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/auth","token_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token","token_introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/userinfo","end_session_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/logout","jwks_uri":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/certs","check_session_iframe":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],"id_token_encryption_enc_values_supported":["A128GCM","A128CBC-HS256"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","ES256","RS256","ES512","PS256","PS512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"https://keycloak.it.just.works/auth/realms/iam/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","profile","web-origins","offline_access","email","roles","phone","address","microprofile-jwt"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect"}
REQ: curl -g -i --insecure -X POST https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9" -d '{'username': 'pshchelokovskyy', 'password': 'CLEAR TEXT PASSWORD!!!', 'scope': 'openid', 'grant_type': 'password'}'
...
Notice how the password is masked when just logging args (Using parameters ... log line) but is printed unmasked when logging the curl equivalent of the request.
Initially filed quite some time ago for python-openstackclient, but now I came back to it and found some time to dig through to the actual cause.
In the attached patch I attempted to keep as much useful info at debug level as possible. If it is deemed not so useful, the patch could be made much shorter.
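One way the curl-equivalent debug line can be masked before it is written, as an added example; this is not keystoneauth's code or the attached patch, and the key list, the sample request body and the URL it uses are constructed:

```python
"""Mask secrets before logging the curl equivalent of an HTTP request."""
import json
from urllib.parse import parse_qsl, urlencode

# Parameter and header names whose values must never reach a log, even at
# debug level (constructed list; extend it for your own deployment).
SENSITIVE_KEYS = {"password", "client_secret", "token", "access_token",
                  "refresh_token", "id_token", "secret", "authorization"}
MASK = "***"

# Constructed sample mirroring the password-grant token request in the report.
SAMPLE_BODY = {"username": "alice", "password": "hunter2",
               "scope": "openid", "grant_type": "password"}


def _hide(key):
    return str(key).lower() in SENSITIVE_KEYS


def mask_sensitive(data):
    """Return a copy of a request body with sensitive values replaced by MASK.

    Accepts a dict, a JSON string, or a form-urlencoded string, so masking is
    applied no matter how the body was serialized before logging. A body that
    parses as none of these is replaced entirely rather than risk a leak.
    """
    if isinstance(data, dict):
        return {k: (MASK if _hide(k) else v) for k, v in data.items()}
    if isinstance(data, bytes):
        data = data.decode("utf-8", "replace")
    try:
        parsed = json.loads(data)
        if isinstance(parsed, dict):
            return json.dumps(mask_sensitive(parsed))
    except ValueError:
        pass
    try:
        pairs = parse_qsl(data, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return MASK
    return urlencode([(k, MASK if _hide(k) else v) for k, v in pairs], safe="*")


def curl_equivalent(method, url, headers=None, data=None):
    """Build a 'REQ: curl ...' style debug line with secrets masked."""
    parts = ["curl -g -i -X", method, url]
    for name, value in (headers or {}).items():
        parts.append('-H "%s: %s"' % (name, MASK if _hide(name) else value))
    if data is not None:
        parts.append("-d '%s'" % (mask_sensitive(data),))
    return " ".join(parts)
```

The point is that the same masking runs on the body in whatever form it is logged, so the "Using parameters" line and the curl line cannot disagree about what is hidden.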
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
I agree that logging sensitive data counts as a security-related bug, even when it's limited to debug level logging. OpenStack has, however, not traditionally treated debug-level information disclosure as a severe enough vulnerability to warrant an embargo process in order to discuss and fix (class B3 in our report taxonomy, https://security.openstack.org/vmt-process.html#report-taxonomy), nor severe enough to issue a security advisory. My recommendation: if Keystone folks can confirm this is the impact, I'll switch this to a normal "Public" bug report and add the "security" bug tag in order to indicate it's a potential security hardening opportunity.