
Pac4j prints access token at DEBUG level — is this safe?


I’m using Pac4j version 5.4.4, and I noticed that sensitive credential information like the access token is being printed at DEBUG level logging.

In particular, in DefaultCallbackLogic.java, there is this line:

final var credentials = foundClient.getCredentials(webContext, sessionStore);
LOGGER.debug("credentials: {}", credentials);

The latest version also has something similar: https://github.com/pac4j/pac4j/blob/master/pac4j-core/src/main/java/org/pac4j/core/engine/DefaultCallbackLogic.java#L82

This results in logs like the following:

2025-07-28 10:18:55,046 [debug] o.p.c.e.DefaultCallbackLogic [io-compute-2] []: credentials: Optional[#OidcCredentials# | code: niLSF0CtmlblL1D5U_.... | accessToken: eyJraWQiOiJHZWJQSlpLSzdSaW9ocXNteXVtUWhDWS0xdkZRZkF4dm5TN1g4M0ViNWZJIiwidHlwIjoiYXBwbGljYXRpb24vb2t0YS1pbnRlcm5hbC1hdCtqd3QiLCJhbGciOiJSUzI1NiJ9.eyJ2ZXIiOjEsImp0aSI6IkFULm5ZMzBLNWwtb2JFc0ZHbVYyWGpGSTVpX1pObGNMQVNodUZlaHFWeW9nN2ciLCJpc3MiOiJodHRwczovL2V2b2x1dGlvbmdhbWluZ......

The question is: is it considered safe? Shouldn't sensitive information be masked?


Solution

  • There is always a balance to find between debugging easiness and security. Access tokens could be truncated for better safety, but as they live a few hours and are displayed at DEBUG level, this is acceptable. That said, a PR to improve that will be welcomed.
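A log-redaction helper in the spirit of the truncation the answer suggests, added here as an example and not pac4j's own code: it truncates JWT-shaped tokens and the authorization code in a line shaped like the DEBUG output above, and decodes the token payload to show that an unredacted access token also exposes its claims to anyone who can read the logs. The JWT, its claims and the log line are constructed for the example.

```python
import base64
import json
import re

def _b64url(obj: dict) -> str:
    """base64url-encode a JSON object without padding, as JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample: a JWT-shaped string with made-up claims and a dummy
# signature, and a log line in the shape of the pac4j DEBUG output above.
SAMPLE_JWT = ".".join([
    _b64url({"kid": "example-kid", "alg": "RS256"}),
    _b64url({"iss": "https://idp.example", "sub": "user-123", "exp": 1753700000}),
    "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
])
SAMPLE_LINE = ("credentials: Optional[#OidcCredentials# | code: niLSF0CtmlblL1D5U_abc"
               f" | accessToken: {SAMPLE_JWT}]")

# Three base64url segments separated by dots: the shape of a compact JWS.
JWT_RE = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+")
# The OIDC authorization code as pac4j prints it ("code: <value>").
CODE_RE = re.compile(r"(code: )([A-Za-z0-9_.~-]+)")

def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature.
    A logged access token exposes these claims to log readers even after
    the token itself has expired."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def truncate(secret: str, keep: int = 8) -> str:
    """Keep a short prefix for correlation and drop the rest."""
    return secret[:keep] + f"...[{len(secret) - keep} chars redacted]"

def redact_line(line: str) -> str:
    """Truncate JWT-shaped tokens and the authorization code in a log line."""
    line = JWT_RE.sub(lambda m: truncate(m.group(0)), line)
    return CODE_RE.sub(lambda m: m.group(1) + truncate(m.group(2)), line)
```

Applied as a logging filter or a post-processing step, the redacted line still shows which credential was seen and how long it was, without reproducing a usable bearer token.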