### Describe the bug
During SSO login, `cmd/login.go` unconditionally prints the OAuth2 access token and refresh token to stderr via `log.Printf` after successful authentication — regardless of whether `--verbose` is set.
Lines 296–297 in cmd/login.go:
### Expected behavior
Token values should never appear in logs or stderr output. The "Authentication successful" message is sufficient confirmation. If token visibility is needed for debugging, it should be gated behind the `--verbose` flag, consistent with how all other sensitive data is handled in this codebase (via `config.Verbose` / `config.DumpRequestIfRequired`).
### Actual behavior
On every SSO login, the full OAuth2 access token string and refresh token string are printed to stderr unconditionally. Any CI/CD pipeline or log aggregation system (GitHub Actions, Jenkins, Datadog, Splunk) that captures stderr will silently record long-lived credentials in plaintext. Refresh tokens are particularly dangerous as they allow obtaining new access tokens without user interaction.
### How to Reproduce?
1) Configure a Microcks instance with Keycloak SSO enabled
2) Run: `microcks login --keycloak-realm <realm> --sso` (any flow that calls `connectAndGetTokenWithSSO` in `cmd/login.go`)
3) Observe that the full token strings are printed to stderr after "Authentication successful"
4) Capture stderr (e.g., redirect to a log file) — credentials are stored in plaintext
### Microcks version or git rev
All versions including latest (master: b892bbb). Bug introduced with the SSO login flow — affects any release containing cmd/login.go's connectAndGetTokenWithSSO function.
### Install method (`docker-compose`, `helm chart`, `operator`, `docker-desktop extension`,...)
microcks-cli binary (any platform)
### Additional information
The fix is straightforward — remove lines 296–297 from `cmd/login.go` entirely. The `fmt.Printf("Authentication successful\n")` line immediately above already confirms success without leaking any credential.
All other sensitive output in the codebase follows the pattern:
`if config.Verbose { ... }`
or uses `config.DumpRequestIfRequired` — these two `log.Printf` calls are the only exception.
A fix PR is available: https://github.com/microcks/microcks-cli/compare/master...Harishrs2006:microcks-cli:fix/oauth-token-leak-login-log
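
Added example, not part of the original issue and not code from microcks-cli: a Go sketch of a defence-in-depth pattern for this class of leak, where token values live in a type that redacts itself under every `fmt`/`log` verb, plus a check that scans captured log output for raw token values. The names `Secret`, `tokens`, `reportLogin`, `captureLogin` and `leaks` are hypothetical, and the token strings are constructed sample values.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"strings"
)

// Secret wraps a credential so that %s, %v, %+v, %q and %#v never print it.
type Secret string

// Format implements fmt.Formatter, which fmt consults before String/GoString.
func (s Secret) Format(f fmt.State, verb rune) { fmt.Fprint(f, "[REDACTED]") }

// Reveal is the single explicit way to read the raw value (e.g. for a header).
func (s Secret) Reveal() string { return string(s) }

// tokens is a hypothetical stand-in for the token pair an SSO flow returns.
type tokens struct{ Access, Refresh Secret }

// reportLogin confirms success; verbose adds only non-secret metadata.
func reportLogin(l *log.Logger, t tokens, verbose bool) {
	l.Printf("Authentication successful")
	if verbose {
		l.Printf("access token length=%d, refresh token present=%t", len(t.Access), t.Refresh != "")
	}
}

// leaks reports whether a raw token value appears in captured log output.
func leaks(output string, t tokens) bool {
	return strings.Contains(output, t.Access.Reveal()) || strings.Contains(output, t.Refresh.Reveal())
}

// captureLogin runs reportLogin plus a careless log call and returns the output.
func captureLogin(t tokens, verbose bool) string {
	var buf bytes.Buffer
	l := log.New(&buf, "", 0)
	reportLogin(l, t, verbose)
	l.Printf("debug: %s %v %+v", t.Access, t.Refresh, t) // the mistake Secret defuses
	return buf.String()
}

func main() {
	t := tokens{Access: "constructed-access-token", Refresh: "constructed-refresh-token"}
	out := captureLogin(t, true)
	fmt.Print(out)
	fmt.Println("leak detected:", leaks(out, t))
}
```

The same `leaks`-style assertion can run in a unit test against a logger pointed at a buffer, so a reintroduced token print fails the build instead of reaching CI logs.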