- Issue created by @woutgg
- Status changed to Postponed: needs info
5 months ago 9:25pm 8 August 2024
- 🇮🇹Italy apaderno Brescia, 🇮🇹
Does the exception message literally contain (truncated...)?
Yes, the text I quoted is the literal message in the log entry.
The full message does still exist though, as I could access it via the temporary statement I mentioned.
- 🇮🇹Italy apaderno Brescia, 🇮🇹
The client secret is intentionally not logged, similarly to what Drupal core does, which does not log the previous or the current password when an account password is changed.
The exception is logged just to make it possible to understand what happened (in this case, that an invalid client secret has been provided). The correct client secret can be retrieved from the Microsoft Azure portal.
I see, that makes sense.
In my case, I had no access to the Azure portal itself and a bit of potentially important information was also truncated: namely the suggestion that secret key and secret ID might have been swapped (I do not have the exact message at hand). Additionally, seeing the client secret in the full message helped me to be more confident I did not misconfigure the module itself.
I agree that in the choice between this shortcoming and revealing the client secret, the latter is probably more important in most cases.
Perhaps an override toggle might be useful though, to enable in a dev environment for instance?
- 🇧🇪Belgium borisson_ Mechelen, 🇧🇪
While I could see it being valuable to help in debugging the problem, I think the chosen route here makes sense and for that reason I think the behavior should stay as-is. I suggest closing this issue as won't fix.