Is it safe to log facebook oauth access tokens?

I am having a hard-to-reproduce issue of Facebook login timeouts with my app, so I opened a ticket with Facebook. They asked me to send them a user access token from when the issue occurred. As the issue is hard to reproduce, I would need to log the access token, so it would be in our log files but also in our log analysis tool. Is it risky for the access token to be in our log file and in our analysis tool, assuming it's not publicly available?

Heisenberg asked Jan 04 '23 10:01


2 Answers

You should not log access tokens. Anyone who has access to access tokens can temporarily hijack those accounts.

If you follow the OAuth guidance, your access tokens should have a short life, which reduces the risk. Nevertheless, the number of users that may be exposed by logging these tokens makes it a serious concern.

The threat of access tokens in log files is discussed in the OAuth threat model.

TheGreatContini answered Jan 05 '23 23:01
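An added example (not from the original thread or either poster) of the defensive side of this advice: a Python logging filter that scrubs access tokens out of log messages before any handler writes them to the log file or ships them to the log analysis tool, leaving only a short SHA-256 fingerprint so a specific failed login can still be referred to in a support ticket without the token itself being exposed. The token patterns and the sample log line are assumptions constructed for the demo, not Facebook's documented formats.

```python
import hashlib
import logging
import re

# Places an OAuth access token commonly appears in a log line: query strings,
# JSON bodies and Authorization headers. Assumed formats, not Facebook-specific.
_TOKEN_PATTERNS = [
    re.compile(r'(?i)(access_token["\']?\s*[=:]\s*["\']?)([^&\s"\']+)'),
    re.compile(r'(?i)(Bearer\s+)([A-Za-z0-9._~+/-]+=*)'),
]


def token_fingerprint(token: str) -> str:
    """Non-reversible short reference to a token, usable for correlation only.

    The fingerprint cannot be exchanged for the token; it just lets you say
    "the token whose SHA-256 starts with ..." when discussing one event.
    """
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def redact(message: str) -> str:
    """Replace every access token in a log message with its fingerprint."""
    def _sub(match: re.Match) -> str:
        return f"{match.group(1)}<redacted:fp={token_fingerprint(match.group(2))}>"
    for pattern in _TOKEN_PATTERNS:
        message = pattern.sub(_sub, message)
    return message


class TokenRedactingFilter(logging.Filter):
    """Attach to a handler so tokens are scrubbed before the record is emitted."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Format once, redact, then clear args so the message is not re-formatted.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(TokenRedactingFilter())
    log = logging.getLogger("fb-login")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample event with a made-up token, not a real one.
    log.info("facebook login timeout after 30s: GET /me?access_token=EAABconstructedtoken123&fields=id")
```

Handler-level filters see records from every logger, so one filter on the file or shipper handler covers the whole application.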


Actually, they said to always make sure the access token is secure, so I won't be including it in the log file.

Heisenberg answered Jan 05 '23 23:01