Password visible in the http debug logs for /api/v1/authn


The password is visible in the HTTP debug logs when I use this. I saw different forums and this looks like a limitation; is this fixed now? Seeing the logs can be done by admins, and it's highly risky.

I am using the Apache httpclient.execute method in my application and then passing a request body similar to the above. It clearly prints the password.

Let's say my customer uses the application which I send to them. They will ask their partners to log in using Okta through the HTTPS hosted service, which uses this Okta, and if he enables debug logging, this will clearly show the password. There is no way in the documentation other than String for the password; we cannot provide any algorithms/hash or anything.

Passwords are hashed on the Okta server side. Postman and other tools may provide ways to view content being sent to Okta before it is encrypted by the network layer.
All communications are done over SSL so any actor sitting in between a user and Okta will not see clear text.
It is common to hash on the server side as opposed to the client side.


Hi Erik,

Thank you so much for the response.

Consider the following scenario:

Let's say you are the client and I am hosting the HTTPS service. (In my HTTPS service, I use the endpoint /api/v1/authn to validate you through authn/factors SMS/Email/Okta Verify/Push.)

You, as a client, come to my hosted login page and log in with your Okta credentials. Now, of course it's HTTPS (TLS), so the transfer is secured, I agree.

I, on the other hand, will enable debug logging for HTTP and start seeing your password and other users' passwords printed in the logs. Will you be comfortable in such a situation as a client? This is the exact situation we are in, and we are completely stuck, neither able to remove this password field in the logging nor able to hash it in the request body, because the password field is a String with no child elements like algorithm etc.

Is there any way we can come out of this?

@erik Is there a way we can work around this?
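One way to keep the password out of application-side request logging is to log request bodies through your own HttpClient interceptor that masks credential fields before anything is written. This is an added example, not code from the original thread or from Okta; it assumes Apache HttpClient 4.5.x, the class name `RedactingRequestLogger` and the list of masked keys are assumptions, and the sample body in `main` is constructed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.http.HttpEntityEnclosingRequest;
import org.apache.http.HttpException;
import org.apache.http.HttpRequest;
import org.apache.http.HttpRequestInterceptor;
import org.apache.http.entity.BufferedHttpEntity;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;

/** Logs outgoing request bodies with credential fields masked (hypothetical class name). */
public final class RedactingRequestLogger implements HttpRequestInterceptor {
    // JSON keys whose string values must never reach a log; extend as needed (assumed list).
    private static final Pattern SECRET_FIELD = Pattern.compile(
        "\"(password|passCode|answer|sessionToken|stateToken)\"\\s*:\\s*\"(?:[^\"\\\\]|\\\\.)*\"",
        Pattern.CASE_INSENSITIVE);

    /** Replaces the value of every secret field with a fixed marker, leaving the key intact. */
    static String redact(String body) {
        Matcher m = SECRET_FIELD.matcher(body);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            m.appendReplacement(out, Matcher.quoteReplacement("\"" + m.group(1) + "\":\"[REDACTED]\""));
        }
        m.appendTail(out);
        return out.toString();
    }

    @Override
    public void process(HttpRequest request, HttpContext context) throws HttpException, IOException {
        if (!(request instanceof HttpEntityEnclosingRequest)) { return; }
        HttpEntityEnclosingRequest enclosing = (HttpEntityEnclosingRequest) request;
        if (enclosing.getEntity() == null) { return; }
        // Buffer the entity so reading it here does not consume the body before it is sent.
        BufferedHttpEntity buffered = new BufferedHttpEntity(enclosing.getEntity());
        enclosing.setEntity(buffered);
        String body = EntityUtils.toString(buffered, StandardCharsets.UTF_8);
        // Only the redacted form is ever handed to the logger.
        System.out.println(request.getRequestLine() + " body=" + redact(body));
    }

    public static void main(String[] args) {
        // Constructed sample resembling the /api/v1/authn request body from the thread.
        String sample = "{\"username\":\"dade.murphy@example.com\",\"password\":\"correcthorsebatterystaple\"}";
        System.out.println(redact(sample));
        // Register with HttpClients.custom().addInterceptorFirst(new RedactingRequestLogger()).build()
    }
}
```

This does not affect HttpClient's own wire logging (the `org.apache.http.wire` logger), which dumps raw bytes before any interceptor can mask them, so that logger should stay disabled outside development.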
