@@ -111,7 +111,8 @@ func (s *sts) Exchange(ctx context.Context, request *pboidc.ExchangeRequest) (_
111111 // Validate the Bearer token.
112112 issuer , err := apiauth .ExtractIssuer (bearer )
113113 if err != nil {
114- return nil , status .Errorf (codes .InvalidArgument , "invalid bearer token: %v" , err )
114+ clog .FromContext (ctx ).Debugf ("invalid bearer token: %v" , err )
115+ return nil , status .Error (codes .InvalidArgument , "invalid bearer token" )
115116 }
116117
117118 // Validate issuer format
@@ -122,7 +123,8 @@ func (s *sts) Exchange(ctx context.Context, request *pboidc.ExchangeRequest) (_
122123 // Fetch the provider from the cache or create a new one and add to the cache
123124 p , err := provider .Get (ctx , issuer )
124125 if err != nil {
125- return nil , status .Errorf (codes .InvalidArgument , "unable to fetch or create the provider: %v" , err )
126+ clog .FromContext (ctx ).Debugf ("unable to fetch or create the provider: %v" , err )
127+ return nil , status .Error (codes .InvalidArgument , "unable to fetch or create the provider" )
126128 }
127129
128130 verifier := p .Verifier (& oidc.Config {
@@ -131,7 +133,8 @@ func (s *sts) Exchange(ctx context.Context, request *pboidc.ExchangeRequest) (_
131133 })
132134 tok , err := verifier .Verify (ctx , bearer )
133135 if err != nil {
134- return nil , status .Errorf (codes .Unauthenticated , "unable to validate token: %v" , err )
136+ clog .FromContext (ctx ).Debugf ("unable to validate token: %v" , err )
137+ return nil , status .Error (codes .Unauthenticated , "unable to verify bearer token" )
135138 }
136139 // This is typically overwritten below, but we populate this here to enrich
137140 // certain error paths with the issuer and subject.
@@ -170,18 +173,23 @@ func (s *sts) Exchange(ctx context.Context, request *pboidc.ExchangeRequest) (_
170173 // body typically, so extract that.
171174 if herr .Response .StatusCode == http .StatusUnprocessableEntity {
172175 if body , err := io .ReadAll (herr .Response .Body ); err == nil {
173- return nil , status .Errorf (codes .PermissionDenied , "token exchange failure: %s" , body )
176+ clog .FromContext (ctx ).Debugf ("token exchange failure (StatusUnprocessableEntity): %s" , body )
177+ return nil , status .Error (codes .PermissionDenied , "token exchange failure (StatusUnprocessableEntity)" )
174178 }
175179 } else {
176180 body , err := httputil .DumpResponse (herr .Response , true )
177181 if err == nil {
178- clog .FromContext (ctx ).Warnf ("token exchange failure: %s" , body )
182+ clog .FromContext (ctx ).Warn ("token exchange failure, redacting body in logs" )
183+ // Log the response body in debug mode only, as it may contain sensitive information.
184+ clog .FromContext (ctx ).Debugf ("token exchange failure: %s" , body )
179185 }
180186 }
181187 } else {
182- clog .FromContext (ctx ).Warnf ("token exchange failure: %v" , err )
188+ clog .FromContext (ctx ).Debugf ("token exchange failure: %v" , err )
189+ clog .FromContext (ctx ).Warn ("token exchange failure, redacting error in logs" )
183190 }
184- return nil , status .Errorf (codes .Internal , "failed to get token: %v" , err )
191+ clog .FromContext (ctx ).Debugf ("failed to get token: %v" , err )
192+ return nil , status .Error (codes .Internal , "failed to get token" )
185193 }
186194
187195 // Compute the SHA256 hash of the token and store the hex-encoded value into e.TokenSHA256
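Review bot: The StatusUnprocessableEntity branch now logs only at Debug (L36) before returning a static PermissionDenied, so at the default level an operator sees no record of a 422 from the upstream exchange, unlike the other failure paths which still emit a Warn (L43, L51); add a body-free `clog.FromContext(ctx).Warn("token exchange failure (StatusUnprocessableEntity), redacting body in logs")` ahead of the Debugf so the event stays visible without the sensitive payload. The new Debugf at L54 then re-logs `err` that every preceding branch already logged at Debug (L45, L50), so the same failure lands twice in debug output; keep one or the other. Also, `herr.Response.Body` is read at L34 and L40 but never closed in this hunk — unless that happens elsewhere in the function, it should be closed once `herr` is resolved. `Exchange` begins before and continues past this hunk.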