By default, Oathkeeper redacts sensitive values from the logs like the Authorization HTTP header and cookie values. However, when defining a custom bearer token in the bearer_token authenticator, the value of this token is not redacted.
I think this is a bug as I explicitly defined a specific HTTP header in the bearer_token authenticator as comprising a sensitive value, so its value should be redacted.
Reproducing the bug
Start an Oathkeeper instance with a bearer_token authenticator configured to retrieve the secret from a custom HTTP header (X-Fallback-Cookies in my configuration example).
Send an HTTP request comprising the custom HTTP header to the Oathkeeper instance.
The value of the custom HTTP header is visible in the logs, which is not the desired behaviour.
Preflight checklist
Describe the bug
Relevant log output
Relevant configuration
Version
0.40.1
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker Compose
Additional Context
No response
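The report above boils down to one check: whichever header the `bearer_token` authenticator is configured to read the token from must be treated as sensitive by the request logger, not only `Authorization` and cookies. The following Go snippet is an added illustration of that check, written for this page; it is not Oathkeeper's own code, and the default header list, the `[redacted]` placeholder, the function names and the sample token values are all assumptions of the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// defaultSensitiveHeaders mirrors what the report says is redacted by default
// (the Authorization header and cookie values). The exact list is an
// assumption of this example, not Oathkeeper's own.
var defaultSensitiveHeaders = []string{"Authorization", "Cookie", "Set-Cookie"}

// redacted is the placeholder written to the log instead of a secret value.
const redacted = "[redacted]"

// RedactHeaders returns a copy of h in which every header named in
// defaultSensitiveHeaders or in extra (for instance the custom header the
// bearer_token authenticator is configured to read from, such as
// X-Fallback-Cookies) has its values replaced by the placeholder.
// Names are compared after canonicalisation, so case does not matter.
func RedactHeaders(h http.Header, extra ...string) http.Header {
	sensitive := map[string]bool{}
	for _, n := range defaultSensitiveHeaders {
		sensitive[http.CanonicalHeaderKey(n)] = true
	}
	for _, n := range extra {
		sensitive[http.CanonicalHeaderKey(n)] = true
	}
	out := http.Header{}
	for name, values := range h {
		if sensitive[http.CanonicalHeaderKey(name)] {
			out[name] = []string{redacted}
			continue
		}
		// Copy non-sensitive values so the caller's header map is never mutated.
		out[name] = append([]string(nil), values...)
	}
	return out
}

// LeakedTokens reports which of the given secrets still appear verbatim in a
// rendered log line. An empty result is what a defender wants to see.
func LeakedTokens(logLine string, secrets ...string) []string {
	var leaked []string
	for _, s := range secrets {
		if strings.Contains(logLine, s) {
			leaked = append(leaked, s)
		}
	}
	return leaked
}

func main() {
	// Constructed request headers; both token values are made-up samples.
	req := http.Header{}
	req.Set("Authorization", "Bearer sample-auth-token")
	req.Set("X-Fallback-Cookies", "sample-custom-token")
	req.Set("User-Agent", "curl/8.0")

	// Redacting only the default set reproduces the reported behaviour:
	// the custom token survives into the log line.
	unaware := fmt.Sprint(RedactHeaders(req))
	fmt.Println("default redaction:", unaware)
	fmt.Println("leaked:", LeakedTokens(unaware, "sample-custom-token"))

	// Feeding the configured token header into the sensitive set closes the gap.
	aware := fmt.Sprint(RedactHeaders(req, "X-Fallback-Cookies"))
	fmt.Println("config-aware redaction:", aware)
	fmt.Println("leaked:", LeakedTokens(aware, "sample-custom-token"))
}
```

The point of `LeakedTokens` is that it is the assertion to keep in a test: render the log line exactly as the logger would, then check that the configured token value is absent. A fixed redaction list silently fails the moment an operator moves the token to a custom header, which is precisely the case described in this issue.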