Bug #2862
closed
I personally don't like this change too much. oauth_key is something like username (and oauth_consumer is more like password) so I think we can log this. I find this useful for debugging. If we want to hide usernames we should think of filtering usernames coming from login forms (and probably other places). Anyone else concerned?
- Status changed from Assigned to Ready For Testing
I ran this by Grant from RH's security team and he seemed to agree with Marek's response:
The consumer_key makes up part of the client credentials but it is not a secret component of them. It is intended to be a unique identifier for the client that is transmitted when requesting a request_token and access_token. The consumer_secret should never be exposed. In this case I'm not sure it would matter if you logged the consumer_key anyway as AFAICT only one consumer_key / consumer_secret can be configured for the application.
- Status changed from Ready For Testing to Rejected