[Feature Request] Use securefmt to redact sensitive data #121
Comments
Hi @rblaine95! It is an interesting idea, thank you! I am currently trying to avoid If we have such cases in generated code, this is a little bit more tricky, cause we need to know from Could you maybe elaborate on which fields exactly should be [redacted] in
Hi @kilork One use case I've run into is the

```rust
let client = kc_client
    .realm_clients_post(
        "example-realm",
        ClientRepresentation {
            client_id: Some("example-client".to_string()),
            direct_access_grants_enabled: Some(true),
            name: Some("example-client".to_string()),
            public_client: Some(false),
            authorization_services_enabled: Some(true),
            service_accounts_enabled: Some(true),
            ..Default::default()
        },
    )
    .await
    .unwrap();
println!("{:#?}", client);
```

Which prints the following:

```text
ClientRepresentation {
    [... trim long output ...]
    client_authenticator_type: Some(
        "client-secret",
    ),
    client_id: Some(
        "example-client",
    ),
    [... trim long output ...]
    secret: Some(
        "xeM3U1VMizbgCbIaVDHnqTkaoXkHe8FQ",
    ),
    [... trim long output ...]
}
```

Scanning through the

That's just searching for the word

Scanning through the OpenAPI v3 Spec I don't really see anything about marking specific fields as sensitive. However, one possible workaround could be for Keycloak to mark sensitive fields as

For example, from the Keycloak 25.0.0 OpenAPI Yaml:

```diff
openapi: 3.0.3
info:
  title: Keycloak Admin REST API
  description: This is a REST API reference for the Keycloak Admin REST API.
  version: "1.0"
[... trim unnecessary fields from very long doc...]
components:
  schemas:
    ClientRepresentation:
      properties:
        secret:
-         type: string
+         type: password
```

It looks like, unless Keycloak marks sensitive fields as sensitive when they generate their OpenAPI spec, there's potentially quite a bit of legwork to identify and mark all the sensitive fields. A potential approach could be to have a list of known sensitive fields and to inject the
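Review bot: the `+ type: password` line is not valid OpenAPI 3.0.3, where `type` only accepts string, number, integer, boolean, array and object, so schema validators and code generators will reject or ignore it. The spec's hint for secret-bearing strings is the `format` keyword: keep `type: string` and add `format: password` beneath it, which is also the marker a generator could key on to emit a redaction attribute for the field.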
Hello, I've been using this library in an API I've been building and it's worked exceptionally well so far.

One of the crates I've been using is securefmt which redacts sensitive fields when I enable debug logging. An example of using it:

Which will then output

I think it would be useful to add this to sensitive fields such as Client Secrets
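As an added illustration of the two ideas in this thread (the redaction of `Debug` output requested in the issue, and the reply's suggestion of a list of known sensitive field names), here is a standalone Rust example that is not code from the keycloak crate or from securefmt. It uses only the standard library: a hand-written `Debug` impl for a hypothetical, trimmed subset of `ClientRepresentation` routes every field through a policy helper that consults a constructed list of sensitive field names and prints `[redacted]` in place of any matching value, while still showing whether the value was set. The field list, the `Redacted` wrapper, `field_by_policy` and the placeholder secret are all assumptions made for this example.

```rust
use std::fmt;

/// Field names treated as secrets wherever they appear in a representation
/// struct. The list is constructed for this example, not taken from the crate.
pub const SENSITIVE_FIELDS: &[&str] = &["secret", "password", "client_secret"];

/// Case-insensitive membership test against the sensitive-field list.
pub fn is_sensitive(field_name: &str) -> bool {
    SENSITIVE_FIELDS
        .iter()
        .any(|name| name.eq_ignore_ascii_case(field_name))
}

/// Wraps an optional value so that `Debug` reveals whether it is set but
/// never its content.
pub struct Redacted<'a, T>(pub &'a Option<T>);

impl<T> fmt::Debug for Redacted<'_, T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self.0 {
            Some(_) => f.write_str("Some([redacted])"),
            None => f.write_str("None"),
        }
    }
}

/// Adds one field to a `debug_struct`, swapping in the redacted form when
/// the field name is on the list. This is the policy hook a generator could
/// emit for every field of every representation struct (hypothetical design).
pub fn field_by_policy<T: fmt::Debug>(
    s: &mut fmt::DebugStruct<'_, '_>,
    name: &str,
    value: &Option<T>,
) {
    if is_sensitive(name) {
        s.field(name, &Redacted(value));
    } else {
        s.field(name, value);
    }
}

/// Hypothetical, trimmed stand-in for the generated `ClientRepresentation`
/// (the real struct has many more fields).
#[derive(Clone, Default)]
pub struct ClientRepresentation {
    pub client_id: Option<String>,
    pub client_authenticator_type: Option<String>,
    pub secret: Option<String>,
    pub public_client: Option<bool>,
}

impl fmt::Debug for ClientRepresentation {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let mut s = f.debug_struct("ClientRepresentation");
        field_by_policy(&mut s, "client_id", &self.client_id);
        field_by_policy(&mut s, "client_authenticator_type", &self.client_authenticator_type);
        field_by_policy(&mut s, "secret", &self.secret);
        field_by_policy(&mut s, "public_client", &self.public_client);
        s.finish()
    }
}

/// A client carrying a constructed placeholder secret (not a real credential).
pub fn sample_client() -> ClientRepresentation {
    ClientRepresentation {
        client_id: Some("example-client".to_string()),
        client_authenticator_type: Some("client-secret".to_string()),
        secret: Some("constructed-placeholder-secret".to_string()),
        public_client: Some(false),
    }
}

/// Pretty-printed `Debug` output, as `println!("{:#?}", client)` would show it.
pub fn debug_output(client: &ClientRepresentation) -> String {
    format!("{:#?}", client)
}

fn main() {
    // The secret line prints as `secret: Some([redacted]),`; other fields are unchanged.
    println!("{}", debug_output(&sample_client()));
}
```

Because the policy is keyed on the field name rather than on a per-struct attribute, the same list covers every generated representation struct, which is the "known sensitive fields" approach from the reply; a name-based list is a heuristic, so a field whose secret lives under an unlisted name would still print in full.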