Add docs on PAR sensitive values filter, update authorize request sensitive values filter docs#694
Merged
josephdecock
commented
Apr 25, 2025
Member
Author
7.2.2 etc aren't yet released, so I've converted this to a draft. It is otherwise ready for review, just didn't think we wanted to publish the docs ahead of releasing.
Contributor
The docs release is pretty quick so either works. Releasing early doesn't hurt as we can revert if something was to happen with the release.
maartenba
approved these changes
Apr 26, 2025
Member
maartenba
left a comment
Looks good, we can merge when the release is baked
khalidabuhakmeh
approved these changes
Apr 28, 2025
PushedAuthorizationSensitiveValues filter option wasn't documented at all, so this adds that.
7.2.2, 7.1.2, and 7.0.9 will add client_secret and client_assertion to the AuthorizeRequestSensitiveValues filter, so this updates the docs to show that as well.
Omitting the client_secret and assertion was not great, because it allowed client secrets to be logged. (The pushed values eventually get handled by the regular authorize request pipeline, and when that happens, if the raw request is logged, it includes the client secret that was originally pushed). So, we've hardened the defaults to make them secure by default starting now.
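To make the leak path concrete, here is a small Python model of the flow the description outlines (an added example, not Duende IdentityServer's code or API): a pushed request is stored verbatim, the authorize endpoint later expands the request_uri, and the raw values are logged through the authorize filter rather than the PAR filter. The filter contents other than client_secret and client_assertion are assumed placeholders, and the request values are constructed.

```python
"""Model of the logging hardening the PR describes (added example, not Duende's code)."""
from typing import Dict, Iterable, Tuple

REDACTED = "***REDACTED***"

# Only the client_secret / client_assertion additions come from the PR text;
# the id_token_hint entry is an assumed placeholder for whatever else the filter holds.
OLD_AUTHORIZE_FILTER = frozenset({"id_token_hint"})
NEW_AUTHORIZE_FILTER = OLD_AUTHORIZE_FILTER | {"client_secret", "client_assertion"}
PAR_FILTER = frozenset({"client_secret", "client_assertion"})


def redact(raw: Dict[str, str], sensitive: Iterable[str]) -> Dict[str, str]:
    """Copy of the raw request with the values of sensitive parameters masked."""
    names = {k.lower() for k in sensitive}
    return {k: (REDACTED if k.lower() in names else v) for k, v in raw.items()}


class ParStore:
    """Stand-in for the pushed authorization request store."""

    def __init__(self) -> None:
        self._pushed: Dict[str, Dict[str, str]] = {}

    def push(self, raw: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
        """Store the pushed values verbatim; return request_uri plus the log-safe view."""
        request_uri = f"urn:ietf:params:oauth:request_uri:{len(self._pushed) + 1}"
        self._pushed[request_uri] = dict(raw)
        return request_uri, redact(raw, PAR_FILTER)

    def resolve(self, request_uri: str) -> Dict[str, str]:
        return self._pushed[request_uri]


def authorize_log_entry(store: ParStore, request_uri: str,
                        authorize_filter: Iterable[str]) -> Dict[str, str]:
    """Authorize endpoint expands request_uri and logs the values via the authorize filter."""
    return redact(store.resolve(request_uri), authorize_filter)


def secret_reaches_log(authorize_filter: Iterable[str]) -> bool:
    """Constructed PAR request; True if the pushed secret shows up in the authorize log."""
    store = ParStore()
    pushed = {"client_id": "spa", "client_secret": "s3cret-value",
              "response_type": "code", "redirect_uri": "https://app.example/cb"}
    request_uri, par_log = store.push(pushed)
    assert par_log["client_secret"] == REDACTED  # the PAR endpoint's own log is safe
    entry = authorize_log_entry(store, request_uri, authorize_filter)
    return "s3cret-value" in entry.values()
```

With the pre-change authorize filter the secret survives into the authorize log even though the PAR log masked it; with the hardened set it is redacted at both points.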