During development we added details of HTTP requests, including headers, to error logs to have a better understanding for error investigation. Our architect pointed out that we should not place sensitive information in logs. My question was whether we should consider a bearer token as highly sensitive information, taking into account that an access token is a short-lived object.
The recommendations from The OAuth 2.0 Authorization Framework: Bearer Token Usage:
If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.
I assume that recording the tokens in error logs is also not recommended.
However, ASP.NET Core generates Information messages that include the bearer token (both encoded and as JSON):
2017-09-15 08:32:42.571 +00:00 [Information] Failed to validate the token "eyJ0eXAiOiJKV1QiLCJhb(I've truncated the token but full token can be decoded in JWT.io)". Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': 'HHByKU-0DqAxxx', token: '{"alg":"RS256","typ":"JWT","x5t":"HHByKU-0DqAxxx","kid":"HHByKU-0DqAxxx"}.{"aud":"https://webjet.group/eb694f3a-xxx","iss":"https://sts.windows.net/5de0e68cxxx","iat":1505464062,"nbf":1505464062,"exp":1505467962,"acr":"1","aio":"ASQAxxx","amr":["pwd"],"appid":"cc9aa533-xxx","appidacr":"1","e_exp":262800,"family_name":"Freidgeim","given_name":"Michael","groups":[xxx]","2d62738a-xxx"],"in_corp":"true","ipaddr":"121.1.1.1","name":"Michael Freidgeim","oid":"138f5eca-xxx","onprem_sid":"S-1-5-21-xxx","roles":["UATAdmin"],"scp":"user_impersonation","sub":"vTFBQRxxx","tid":"5de0e68c-xxx","unique_name":"Michael.Freidgeim@xxx","upn":"Michael.Freidgeim@xxx","ver":"1.0"}'. at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.< HandleAuthenticateAsync>d__1.MoveNext()
Does it mean that the risk is not so big, because Microsoft considers it acceptable to include it in logs?
Or should we exclude the Microsoft/System Information LogLevel from logs? It will be quite restrictive, as we are using Information logs for investigation, as well as for some monitoring/stats (such as the number of logins).
What is the recommended approach regarding storing tokens in logs if we want to satisfy both security and investigation requirements?
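One way to keep such log lines useful for investigation without storing the credential, as an added example that is not part of the original question and not ASP.NET Core's own code: the scrubber below replaces any JWT found in a log line with a short fingerprint plus non-sensitive header and claim fields (alg, kid, iss, tid, exp), so lines about the same token can still be correlated. The sample token and log line are constructed, with placeholder kid, tenant and signature values.

```python
import base64
import hashlib
import json
import re

# A JWT is three base64url segments separated by dots; the signature segment may be empty.
JWT_RE = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")
# Claims that help an investigation but are neither credentials nor personal data.
SAFE_CLAIMS = ("iss", "aud", "appid", "tid", "iat", "exp")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def token_fingerprint(token: str) -> str:
    # Short SHA-256 prefix: correlates log lines about one token but cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def describe_token(token: str) -> str:
    # Replace a JWT with its fingerprint plus non-sensitive header/claim fields.
    fields = [f"fp={token_fingerprint(token)}"]
    try:
        header_b64, payload_b64, _signature = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        fields += [f"{k}={header[k]}" for k in ("alg", "kid") if k in header]
        fields += [f"{k}={payload[k]}" for k in SAFE_CLAIMS if k in payload]
    except (ValueError, TypeError):
        # Not a decodable JWT: still treat it as a secret and keep only the fingerprint.
        pass
    return "[REDACTED token " + " ".join(fields) + "]"

def scrub_log_line(line: str) -> str:
    # Rewrite every JWT found in a log line before the line reaches log storage.
    return JWT_RE.sub(lambda m: describe_token(m.group(0)), line)

# Constructed sample: placeholder kid/tenant/signature, claim names modelled on the question.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "kid-placeholder"}).encode()),
    _b64url_encode(json.dumps({"iss": "https://sts.example/tenant", "exp": 1505467962,
                               "tid": "tenant-placeholder", "upn": "user@example.com",
                               "roles": ["UATAdmin"]}).encode()),
    _b64url_encode(b"constructed-signature"),
])
SAMPLE_LINE = f'[Information] Failed to validate the token "{SAMPLE_TOKEN}". IDX10501: Signature validation failed.'
```

Running `scrub_log_line(SAMPLE_LINE)` keeps the IDX10501 diagnostic and the kid needed to check key rollover, while the raw token, the upn and the roles never reach the log.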