Skip to content

oauth2: debug logging toggled by INSECURE_OAUTH2_LOG_TRACES

Warren Gifford requested to merge bl/oauth2-logging into main

Created by: beyang

Logs will look like this, when INSECURE_OAUTH2_LOG_TRACES=true in the frontend environment:

18:06:37                          frontend | >>>>> HTTP Request: POST https://github.com/login/oauth/access_token                                                                                                                                                                                 
18:06:37                          frontend |       Header: map[Authorization:[Basic xxxxxxxxxxxxxxxxxxxxxx] Content-Type:[application/x-www-form-urlencoded]]                                                                       
18:06:37                          frontend |       Body: code=xxxxxxxxxxx&grant_type=authorization_code                                                                                                                                                                                                          
18:06:37                          frontend | >>>>> HTTP Request: POST https://github.com/login/oauth/access_token                                                                                                                                                                                                                                           
18:06:37                          frontend |       Header: map[Content-Type:[application/x-www-form-urlencoded]]                                                                                                                                                                                                                                            
18:06:37                          frontend |       Body: client_id=xxxxxxxxxxxxx&client_secret=xxxxxxxxxxxxxxxxxxxxxxx&code=xxxxxxxxxxxxxxxxxxxxxxx&grant_type=authorization_code                                                                                                                                                      

Also added validation for the GitHub client ID and secret to ensure no hidden or non-alphanumeric characters are used.

Merge request reports

Loading