Red Hat 3scale API Management
THREESCALE-12415

Token leak in audit log when impersonating users from master portal


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Version: 2.16.2 GA
    • Component: System

      Issue

      When impersonating a user from the master portal ("Act As"), system-provider writes the SSO token used to authenticate the impersonated session into its log. The token is passed as a query-string parameter of GET /p/sso, so it is recorded twice for the same request: URL-encoded in the "Started GET" request line and decoded in the "Parameters" hash. Anyone able to read the log (including log-aggregation systems and support bundles the log is copied into) can reuse the token until the expires_at time; in the entries below the token was still valid for 59 seconds after it was logged.

      Reproduction example log entries

      [63097abd-4528-43ee-8ade-7053533d952c] [3scale-admin.apps.example.com] [$IP] Started GET "/p/sso?expires_at=1772047211&token=hohHot3Jovel%2F9fpNOnYmQURxqHkXI0aTZx00UtVoXoNq8bNRhPN%2BUtS62wYNKOyezo%3D--x4QLoUTXMhLeRajT--foXI8VC%2FFFXrHkdcQBYuIg%3D%3D" for $IP at 2026-02-25 19:19:12 +0000

      [63097abd-4528-43ee-8ade-7053533d952c] [3scale-admin.apps.example.com] [$IP] Processing by Provider::SessionsController#create as HTML

      [63097abd-4528-43ee-8ade-7053533d952c] [3scale-admin.apps.example.com] [$IP]   Parameters: {"expires_at"=>"1772047211", "token"=>"hohHot3Jovel/9fpNOnYmQURxqHkXI0aTZx00UtVoXoNq8bNRhPN+UtS62wYNKOyezo=--x4QLoUTXMhLeRajT--foXI8VC/FFXrHkdcQBYuIg=="}

      Reproduction Steps

      1. Log into the 3scale master portal
      2. Under Accounts > Listing, use the "Act As" link for a provider account
      3. Review the system-provider logs: the "Started GET /p/sso" request line and the following "Parameters" line both contain the token in clear
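      As an added example (not 3scale's code, and not a fix for this issue), the Ruby script below scans system-provider log text for the leak described above: it recovers the token from both the request line and the Parameters hash, reports how long the token stayed valid after it was written, and produces a redacted copy that is safe to ship to log aggregation. The line layout is assumed from the entries quoted in this report, and the sample input is constructed from them with one unrelated request added; the request id, host and token are the report's own placeholders.

```ruby
require 'uri'
require 'time'

# Constructed sample, modelled on the entries quoted in this report (request id, host and
# token copied from it; $IP is the report's own placeholder for the client address).
# One entry per line, as system-provider writes them; the last line is an unrelated request.
SAMPLE_LOG = <<~'LOG'
  [63097abd-4528-43ee-8ade-7053533d952c] [3scale-admin.apps.example.com] [$IP] Started GET "/p/sso?expires_at=1772047211&token=hohHot3Jovel%2F9fpNOnYmQURxqHkXI0aTZx00UtVoXoNq8bNRhPN%2BUtS62wYNKOyezo%3D--x4QLoUTXMhLeRajT--foXI8VC%2FFFXrHkdcQBYuIg%3D%3D" for $IP at 2026-02-25 19:19:12 +0000
  [63097abd-4528-43ee-8ade-7053533d952c] [3scale-admin.apps.example.com] [$IP] Processing by Provider::SessionsController#create as HTML
  [63097abd-4528-43ee-8ade-7053533d952c] [3scale-admin.apps.example.com] [$IP]   Parameters: {"expires_at"=>"1772047211", "token"=>"hohHot3Jovel/9fpNOnYmQURxqHkXI0aTZx00UtVoXoNq8bNRhPN+UtS62wYNKOyezo=--x4QLoUTXMhLeRajT--foXI8VC/FFXrHkdcQBYuIg=="}
  [0f0f0f0f-0000-4000-8000-000000000001] [3scale-admin.apps.example.com] [$IP] Started GET "/p/admin/dashboard" for $IP at 2026-02-25 19:19:20 +0000
LOG

# One leaked-token occurrence. :source is :request_line (the Started GET line, token
# URL-encoded in the path) or :parameters (the Parameters hash, token already decoded).
Finding = Struct.new(:line_no, :request_id, :source, :token, :expires_at, :logged_at)

REQUEST_ID_RE    = /\A\[([0-9a-f-]{36})\]/
STARTED_SSO_RE   = %r{Started GET "/p/sso\?([^"]*)"}
LOGGED_AT_RE     = / at (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4})\s*\z/
PARAMS_TOKEN_RE  = /"token"=>"([^"]*)"/
PARAMS_EXPIRES_RE = /"expires_at"=>"(\d+)"/

# Walk the log once. Returns [findings, redacted_log]. A request yields one finding per
# line its token appears on, so a single impersonation normally produces two.
def scan_sso_token_leaks(log_text)
  findings = []
  redacted = +''
  log_text.each_line.with_index(1) do |line, line_no|
    request_id = line[REQUEST_ID_RE, 1]
    if (query = line[STARTED_SSO_RE, 1])
      params = URI.decode_www_form(query).to_h   # undoes %2F, %2B, %3D in the path
      token = params['token']
      if token
        expires_at = params['expires_at']&.to_i
        ts = line[LOGGED_AT_RE, 1]
        logged_at = ts && Time.strptime(ts, '%Y-%m-%d %H:%M:%S %z')
        findings << Finding.new(line_no, request_id, :request_line, token, expires_at, logged_at)
        line = line.sub(/([?&])token=[^&"]*/, '\1token=[FILTERED]')
      end
    elsif (token = line[PARAMS_TOKEN_RE, 1])
      expires_at = line[PARAMS_EXPIRES_RE, 1]&.to_i
      findings << Finding.new(line_no, request_id, :parameters, token, expires_at, nil)
      line = line.sub(PARAMS_TOKEN_RE, '"token"=>"[FILTERED]"')
    end
    redacted << line
  end
  [findings, redacted]
end

# Seconds the token remained valid after being written to the log (nil when the line
# carries no timestamp, as the Parameters line does not).
def validity_after_logging(finding)
  return nil unless finding.expires_at && finding.logged_at
  finding.expires_at - finding.logged_at.to_i
end

# Could someone reading this log line replay the token at time `now`?
def replayable_at?(finding, now)
  finding.expires_at.nil? || now.to_i < finding.expires_at
end

if __FILE__ == $PROGRAM_NAME
  findings, scrubbed = scan_sso_token_leaks(SAMPLE_LOG)
  findings.each do |f|
    window = validity_after_logging(f)
    puts "line #{f.line_no} #{f.source} request=#{f.request_id} expires_at=#{f.expires_at}" \
         "#{window ? " (still valid #{window}s after logging)" : ''}"
  end
  puts scrubbed
end
```

      Run it as a script to print the findings and the scrubbed log, or pipe in a system-provider log and check whether any recovered token is still replayable. Scrubbing at ingestion is only a mitigation: the durable fix belongs in the application, and in current Rails adding the parameter name to config.filter_parameters masks the value in both places, because the "Started" request line is logged from the request's filtered path rather than the raw one.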

      Assignee: Unassigned
      Reporter: Olivia Herlinger (rhn-support-oherling)
      Votes: 0
      Watchers: 3