Comment 0 for bug 1977516

Pavlo Shchelokovskyy (pshchelo) wrote :

This might lead to unintended password disclosure, so marking as security vulnerability

What I have now using self-deployed keycloak as IdP (hence insecure: true)

$ cat ~/.config/openstack/clouds.yaml
clouds:
  federated:
    auth_type: v3oidcpassword
    auth:
      auth_url: https://keystone.it.just.works/v3
      project_name: admin
      project_domain_name: Default
      identity-provider: keycloak
      protocol: mapped
      client-id: os
      client-secret: someRandomClientSecretMightBeNull
      openid-scope: openid
      access-token-endpoint: https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token
      discovery-endpoint: https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration
      username: pshchelokovskyy
      password: "CLEAR TEXT PASSWORD!!!"
    region_name: RegionOne
    insecure: true
    identity_api_version: 3

$ openstack --os-cloud federated --debug token issue
...
Using auth plugin: v3oidcpassword
Using parameters {'scope': 'openid', 'auth_url': 'https://keystone.it.just.works/v3', 'project_name': 'admin', 'project_domain_name': 'Default', 'identity_provider': 'keycloak', 'protocol': 'mapped', 'client_id': 'os', 'client_secret': '***', 'access_token_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token', 'discovery_endpoint': 'https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration', 'username': 'pshchelokovskyy', 'password': '***'}
Turning off SSL warnings for federated:RegionOne since verify=False
Turning off Insecure SSL warnings since verify=False
Get auth_ref
REQ: curl -g -i --insecure -X GET https://keycloak.it.just.works/auth/realms/iam/.well-known/openid-configuration -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9"
Starting new HTTPS connection (1): keycloak.it.just.works:443
https://keycloak.it.just.works:443 "GET /auth/realms/iam/.well-known/openid-configuration HTTP/1.1" 200 2578
RESP: [200] Cache-Control: no-cache, must-revalidate, no-transform, no-store Connection: keep-alive Content-Length: 2578 Content-Type: application/json Date: Thu, 03 Dec 2020 14:25:29 GMT
RESP BODY: {"issuer":"https://keycloak.it.just.works/auth/realms/iam","authorization_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/auth","token_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token","token_introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/userinfo","end_session_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/logout","jwks_uri":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/certs","check_session_iframe":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],"id_token_encryption_enc_values_supported":["A128GCM","A128CBC-HS256"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","ES256","RS256","ES512","PS256","PS512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"https://keycloak.it.just.works/auth/realms/iam/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","profile","web-origins","offline_access","email","roles","phone","address","microprofile-jwt"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"introspection_endpoint":"https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token/introspect"}
REQ: curl -g -i --insecure -X POST https://keycloak.it.just.works/auth/realms/iam/protocol/openid-connect/token -H "User-Agent: openstacksdk/0.52.0 keystoneauth1/4.2.1 python-requests/2.25.0 CPython/3.6.9" -d '{'username': 'pshchelokovskyy', 'password': 'CLEAR TEXT PASSWORD!!!', 'scope': 'openid', 'grant_type': 'password'}'
...

Notice how the password is masked when just logging args (Using parameters ... log line) but is printed unmasked when logging the curl equivalent of the request.

Initially filed quite some time ago for python-openstackclient, but now I came back to it and found some time to dig through to the actual cause.

In the attached patch I attempted to keep as much useful info at debug level as possible. If it is deemed not so useful, the patch could be made much shorter.
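The defect above is that the "curl equivalent" REQ line renders the request body verbatim while the argument log masks it. The following is an added illustration of how a debug logger can mask the body before rendering the curl line; it is not the attached patch or keystoneauth1's own code, and the key list, function names and sample values are constructed for this example.

```python
import json
import shlex
from typing import Any, Mapping, Optional, Union
from urllib.parse import parse_qsl

# Constructed list of keys that must never reach a debug log; a real client
# would maintain its own. Matching is case-insensitive.
SENSITIVE_KEYS = frozenset({"password", "client_secret", "client-secret", "token"})
MASKED_HEADERS = frozenset({"authorization", "x-auth-token", "x-subject-token"})
MASK = "***"


def mask_body(body: Union[Mapping[str, Any], str, bytes, None]) -> Optional[str]:
    """Render a request body for logging with sensitive values replaced by MASK.

    Dict bodies are masked key by key. String bodies are parsed as JSON, then as
    form encoding (what the token endpoint above receives); a body that parses as
    neither is masked whole, since it may still carry a credential.
    """
    if body is None:
        return None
    if isinstance(body, bytes):
        body = body.decode("utf-8", errors="replace")
    if isinstance(body, str):
        try:
            body = json.loads(body)
        except ValueError:
            try:
                body = dict(parse_qsl(body, strict_parsing=True))
            except ValueError:
                return MASK
    if not isinstance(body, Mapping):
        return MASK
    masked = {k: (MASK if str(k).lower() in SENSITIVE_KEYS else v) for k, v in body.items()}
    return json.dumps(masked, sort_keys=True)


def curl_equivalent(method: str, url: str, headers=None, body=None) -> str:
    """Build the curl-style REQ debug line, masking credential headers and body."""
    parts = ["curl -g -i -X", method, shlex.quote(url)]
    for name, value in (headers or {}).items():
        if name.lower() in MASKED_HEADERS:
            value = MASK
        parts.extend(["-H", shlex.quote(f"{name}: {value}")])
    rendered = mask_body(body)
    if rendered is not None:
        parts.extend(["-d", shlex.quote(rendered)])
    return " ".join(parts)
```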