Comment 2 for bug 1977516

Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

I agree that logging sensitive data counts as a security-related bug, even when it's limited to debug-level logging. OpenStack has, however, not traditionally treated debug-level information disclosure as a severe enough vulnerability to warrant an embargo process in order to discuss and fix (class B3 in our report taxonomy, https://security.openstack.org/vmt-process.html#report-taxonomy), nor severe enough to issue a security advisory. My recommendation: if Keystone folks can confirm this is the impact, I'll switch this to a normal "Public" bug report and add the "security" bug tag in order to indicate it's a potential security hardening opportunity.