google-http-java-client being used by storage library logs partial access tokens.

[tikurahul]

The offending line of code is here.

Problem

If you are authoring a Java module which uses the cloud storage client library under the hood, access tokens are always logged to the console appender by default.

Note: This is typically not a problem for web apps running on App Engine / k8s et.al given apps have full control on logging configuration.

This affects JAR modules distributed by a Maven like repository, or places where console applications are used but the module does not necessarily have full control on the calling context. For e.g. GitHub actions.

When running the module, you can see log messages that look like:

2022-04-18T06:22:23.9671345Z -------------- REQUEST  --------------
2022-04-18T06:22:23.9671995Z POST https://oauth2.googleapis.com/token
2022-04-18T06:22:23.9672738Z Accept-Encoding: gzip
2022-04-18T06:22:23.9673405Z User-Agent: Google-HTTP-Java-Client/1.41.5 (gzip)
2022-04-18T06:22:23.9674329Z Content-Type: application/x-www-form-urlencoded; charset=UTF-8
2022-04-18T06:22:23.9677079Z Content-Length: 980
2022-04-18T06:22:23.9677420Z 
2022-04-18T06:22:23.9680061Z curl -v --compressed -X POST -H 'Accept-Encoding: gzip' -H 'User-Agent: Google-HTTP-Java-Client/1.41.5 (gzip)' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -d '@-' -- 'https://oauth2.googleapis.com/token' << $$$
2022-04-18T06:22:23.9681037Z Total: 980 bytes
2022-04-18T06:22:23.9694930Z grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=***
2022-04-18T06:22:23.9695912Z -------------- RESPONSE --------------
2022-04-18T06:22:23.9790894Z HTTP/1.1 200 OK
2022-04-18T06:22:23.9791424Z Transfer-Encoding: chunked
2022-04-18T06:22:23.9791864Z X-Frame-Options: SAMEORIGIN
...
2022-04-18T06:22:23.9797172Z Total: 1,083 bytes
2022-04-18T06:22:23.9799859Z ***"access_token":"ya29.c.b0AXv0zTOyVPYZ45W_cQIypBveTXRoQDlSjg53C_6KXvTWKcATx8uEgLqymqPI3xv_IboLmCijXUt9r2UxFml72hqCC_Qm6m06gXdBDE1oAcxL93c05U2B2PTDeKPbOGYb3BjJt33Radqn0ym-5nSzy5UdQHtjR-VZdYRtgCZ2mTzs2sMq_fXD5rhPar1pgA-9sSwnnmqQD9VCvh-LlTPWG_25V2ONcNiRr-YK...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................","expires_in":3599,"token_type":"Bearer"***

Note: The partial access token visible:

ya29.c.b0AXv0zTOyVPYZ45W_cQIypBveTXRoQDlSjg53C_6KXvTWKcATx8uEgLqymqPI3xv_IboLmCijXUt9r2UxFml72hqCC_Qm6m06gXdBDE1oAcxL93c05U2B2PTDeKPbOGYb3BjJt33Radqn0ym-5nSzy5UdQHtjR-VZdYRtgCZ2mTzs2sMq_fXD5rhPar1pgA-9sSwnnmqQD9VCvh-LlTPWG_25V2ONcNiRr-YK.....

Current Workaround

Apps, that want to disable all logging of requests have to use a delegating HttpRequestInitializer by doing something like:

class WrappedTransportOptions(builder: Builder) : HttpTransportOptions(builder) {
    override fun getHttpRequestInitializer(serviceOptions: ServiceOptions<*, *>?): HttpRequestInitializer {
        // Delegate to the underlying initializer.
        val initializer = super.getHttpRequestInitializer(serviceOptions)
        return HttpRequestInitializer {
            // Disable request logging
            it.isLoggingEnabled = false
            initializer.initialize(it)
        }
    }
}

While this works, this approach needs to be duplicated when multiple client libraries are involved.

Ideal Solution

The client library should provide the library to control request level logging. Ideally all client libraries using the same http-client should respect the log-level. We should also only log errors by default.

[TimurSadykov]

We took a look and it turns out that it is not related to auth library as it does not set log levels for HttpRequests. We also verified that with default settings auth data logs only with Level == ALL:
sample

The issue seems to be that certain loggers like sl4j get misconfigured by default. Probably logger initialization need improvements to support some popular loggers better.

[TimurSadykov]

Also, the access_token with dots referred above as partial - is actually a full access_token. It is a Google thing to have access_token with trailing dots.. They are fine and accepted back by Google as is. https://stackoverflow.com/questions/68654502/why-am-i-getting-a-jwt-with-a-bunch-of-periods-dots-back-from-google-oauth