This might lead to unintended password disclosure, so marking as security vulnerability
What I have now, using a self-deployed Keycloak as IdP (hence insecure: true):
$ cat ~/.config/openstack/clouds.yaml
clouds:
  federated:
    auth_type: v3oidcpassword
    auth:
      auth_url: https://keystone.it.just.works/v3
      project_name: admin
      project_domain_name: Default
      identity-provider: keycloak
      protocol: mapped
      client-id: os
      client-secret: someRandomClientSecretMightBeNull
      openid-scope: openid
      access-token-endpoint: https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token
      discovery-endpoint: https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration
      username: pshchelokovskyy
      password: "CLEAR TEXT PASSWORD!!!"
    region_name: RegionOne
    insecure: true
    identity_api_version: 3

$ openstack --os-cloud federated --debug token issue
...
Using auth plugin: v3oidcpassword
Using parameters {'scope': 'openid', 'auth_url': 'https://keystone.it.just.works/v3', 'project_name': 'admin', 'project_domain_name': 'Default', 'identity_provider': 'keycloak', 'protocol': 'mapped', 'client_id': 'os', 'client_secret': '***', 'access_token_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token', 'discovery_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration', 'username': 'pshchelokovskyy', 'password': '***'}
Turning off SSL warnings for federated:RegionOne since verify=False
Turning off Insecure SSL warnings since verify=False
Get auth_ref
REQ: curl -g -i --insecure -X GET https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9"
Starting new HTTPS connection (1): keycloak.it.just.works:443
https://keycloak.it.just.works:443 "GET /auth/realms/iam/.well-known/openid-configuration HTTP/1.1" 200 2578
RESP: [200] Cache-Control: no-cache, must-revalidate, no-transform, no-store Connection: keep-alive Content-Length: 2578 Content-Type: application/json Date: Thu, 03 Dec 2020 14:25:29 GMT
RESP BODY: {"issuer":"https://keycloak.it.just.works/auth/realms/iam","authorization_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/auth","token_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token","token_introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/userinfo","end_session_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/logout","jwks_uri":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/certs","check_session_iframe":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],"id_token_encryption_enc_values_supported":["A128GCM","A128CBC-HS256"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","ES256","RS256","ES512","PS256","PS512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"https://keycloak.it.just.works/auth/realms/iam/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","profile","web-origins","offline_access","email","roles","phone","address","microprofile-jwt"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect"}
REQ: curl -g -i --insecure -X POST https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9" -d '{'username': 'pshchelokovskyy', 'password': 'CLEAR TEXT PASSWORD!!!', 'scope': 'openid', 'grant_type': 'password'}'
...
Notice how the password is masked when just logging args (the "Using parameters ..." log line) but is printed unmasked when logging the curl equivalent of the request.
Initially filed quite some time ago for python-openstackclient, but now I came back to it and found some time to dig through to the actual cause.
In the attached patch I attempted to keep as much useful info at debug level as possible. If it is deemed not so useful, the patch could be made much shorter.
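A sketch of the masking the report asks for, added here as example code (it is neither the attached patch nor keystoneauth1's own implementation): the curl-equivalent debug line gets the same redaction the parameter dump already has, including a body that is an already-serialised string such as the dict repr printed above. Function names and the key list are assumptions.

```python
import json
import re

# Keys whose values must never reach a debug log. The names match the two
# fields the "Using parameters" line already masks; the list is an assumption.
SENSITIVE_KEYS = ("password", "client_secret")
MASK = "***"

# Matches  key: value  /  key=value  in JSON, form-encoded or Python-repr text:
# key optionally quoted, value either quoted or running to the next delimiter.
_SENSITIVE_RE = re.compile(
    r"""(['"]?)(%s)\1(\s*[:=]\s*)(?:(['"])[^'"]*\4|[^&,}\s]*)""" % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE)


def mask_params(params):
    """Copy of a parameter dict with sensitive values replaced by MASK."""
    return {k: (MASK if k.lower() in SENSITIVE_KEYS and v is not None else v)
            for k, v in params.items()}


def mask_text(body):
    """Mask sensitive fields in an already-serialised body (JSON, form-encoded,
    or the dict repr that keystoneauth printed in the report)."""
    def _redact(m):
        quote = m.group(4) or ""          # keep the value's quoting style
        return "".join((m.group(1), m.group(2), m.group(1), m.group(3), quote, MASK, quote))
    return _SENSITIVE_RE.sub(_redact, body)


def curl_equivalent(method, url, headers=None, data=None, insecure=False):
    """Build the 'REQ: curl ...' debug line so that the logged body is masked
    the same way the parameter dump is; the real request is sent unchanged."""
    parts = ["curl", "-g", "-i"] + (["--insecure"] if insecure else []) + ["-X", method, url]
    for name, value in (headers or {}).items():
        if name.lower() == "authorization":   # bearer tokens are secrets too
            value = MASK
        parts += ["-H", '"%s: %s"' % (name, value)]
    if data is not None:
        if isinstance(data, bytes):
            data = data.decode("utf-8", "replace")
        body = json.dumps(mask_params(data)) if isinstance(data, dict) else mask_text(str(data))
        parts += ["-d", "'%s'" % body]
    return "REQ: " + " ".join(parts)
```

Masking only at the logging boundary keeps the wire request intact, and the string path covers the case in the report where the body handed to the logger was not a dict any more.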