Description
Current Behavior
The Keycloak admin API password (as injected by the KEYCLOAK_PASSWORD envvar) appears as clear text in the logs when keycloak-config-cli starts and queries the /token route.
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "POST /realms/master/protocol/openid-connect/token HTTP/1.1[\r][\n]"
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Accept: application/json[\r][\n]"
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Authorization: Basic YWRtaW4tY2xpOg==[\r][\n]"
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Content-Length: 84[\r][\n]"
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Host: keycloak.keycloak.svc.cluster.local[\r][\n]"
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.14 (Java/21.0.5)[\r][\n]"
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "[\r][\n]"
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "grant_type=password&username=<USERNAME>&password=<LEAKED_PASSWORD>"
Expected Behavior
Like other sensitive credentials, this password should be redacted in the logs.
Steps To Reproduce
I'm running keycloak-config-cli in Kubernetes with the docker.io/adorsys/keycloak-config-cli Docker image, using the following Job spec:
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-keycloak-config-cli
spec:
  template:
    spec:
      automountServiceAccountToken: true
      serviceAccountName: keycloak
      containers:
        - image: docker.io/adorsys/keycloak-config-cli:6.2.1-26.0.5
          name: keycloak-config-cli
          env:
            - name: KEYCLOAK_URL
              value: http://keycloak.keycloak.svc.cluster.local/
            - name: KEYCLOAK_USER
              value: admin
            # admin password is injected from a Secret, never written in the manifest
            - name: KEYCLOAK_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: admin-password
                  key: ADMIN_PASSWORD
            - name: IMPORT_FILES_LOCATIONS
              value: /config/*
            - name: IMPORT_VARSUBSTITUTION_ENABLED
              value: "true"
            - name: KEYCLOAK_AVAILABILITYCHECK_ENABLED
              value: "true"
            - name: KEYCLOAK_AVAILABILITYCHECK_TIMEOUT
              value: "20m"
            - name: LOGGING_LEVEL_KEYCLOAKCONFIGCLI
              value: debug
            # HTTP client debug logging; the org.apache.http.wire lines above were captured with this set
            - name: LOGGING_LEVEL_HTTP
              value: debug
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsGroup: 1001
            runAsNonRoot: true
            runAsUser: 1001
          volumeMounts:
            - mountPath: /tmp
              name: empty-dir
              subPath: tmp-dir
            - mountPath: /config
              name: config-volume
            - mountPath: /my-realm-secrets
              name: my-realm-secrets
      restartPolicy: Never
      securityContext:
        fsGroup: 1001
        fsGroupChangePolicy: Always
      volumes:
        - emptyDir: {}
          name: empty-dir
        - configMap:
            name: my-realm-config
          name: config-volume
        - name: my-realm-secrets
          secret:
            secretName: my-realm-secrets
Environment
- Keycloak Version: 26.0.5
- keycloak-config-cli Version: 6.2.1
- Java Version: 21.0.5
Anything else?
No response
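The wire log quoted in the report exposes three things on the token request: the Basic credential on the Authorization header (which decodes to the client id admin-cli with an empty secret), the admin password in the form body of the password grant, and, once the request succeeds, the tokens in the response body. The following is an added example, not code from keycloak-config-cli, that scans Apache HttpClient wire-log lines for those three leak kinds and redacts them on the consumer side (for instance in a log shipper) until the tool itself redacts the body. The sample lines are constructed to match the format in the report; the password, the response body and the token values are made up.

```python
"""Detect and redact credentials in Apache HttpClient wire logs (added example)."""
import base64
import binascii
import re

# Constructed sample modelled on the wire log in the report. The password,
# the response line and the token values are invented for this example.
SAMPLE_LOG = """\
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "POST /realms/master/protocol/openid-connect/token HTTP/1.1[\\r][\\n]"
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Authorization: Basic YWRtaW4tY2xpOg==[\\r][\\n]"
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Content-Type: application/x-www-form-urlencoded[\\r][\\n]"
2025-06-20T13:05:41.973Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "grant_type=password&username=admin&password=Hunter2%21"
2025-06-20T13:05:42.101Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "{"access_token":"eyJhbGciOiJSUzI1NiJ9.AAAA.BBBB","expires_in":60,"refresh_token":"eyJhbGciOiJIUzUxMiJ9.CCCC.DDDD","token_type":"Bearer"}"
"""

REDACTED = "<REDACTED>"

# Form fields and JSON members whose values must never reach a log.
SENSITIVE_FORM_FIELDS = ("password", "client_secret", "refresh_token")
SENSITIVE_JSON_FIELDS = ("access_token", "refresh_token", "id_token")

# One wire-log line: everything up to the opening quote is the prefix, the rest
# (minus the closing quote) is the raw request or response fragment.
WIRE_RE = re.compile(r'^(?P<prefix>.*org\.apache\.http\.wire\s*:\s*\S+ (?:>>|<<) ")(?P<payload>.*)"$')
BASIC_RE = re.compile(r"^(?P<head>Authorization:\s*Basic\s+)(?P<b64>[A-Za-z0-9+/=]+)")
FORM_RE = re.compile(r"(?P<key>(?:^|&)(?:%s)=)(?P<value>[^&]*)" % "|".join(SENSITIVE_FORM_FIELDS))
JSON_RE = re.compile(r'(?P<key>"(?:%s)"\s*:\s*")(?P<value>[^"]*)"' % "|".join(SENSITIVE_JSON_FIELDS))


def decode_basic(b64):
    """Decode a Basic credential into (user, secret); None if it is not valid base64."""
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, secret = raw.partition(":")
    return user, secret


def classify_payload(payload):
    """Return the kinds of secret material found in one request/response fragment."""
    kinds = []
    m = BASIC_RE.match(payload)
    if m:
        creds = decode_basic(m.group("b64"))
        # A Basic header always exposes the client id; it exposes a secret only
        # when the part after the colon is non-empty (admin-cli has none).
        kinds.append("basic-auth:secret" if creds and creds[1] else "basic-auth:client-id-only")
    for m in FORM_RE.finditer(payload):
        kinds.append("form:" + m.group("key").lstrip("&").rstrip("="))
    for m in JSON_RE.finditer(payload):
        kinds.append("json:" + m.group("key").split('"')[1])
    return kinds


def redact_payload(payload):
    """Blank the secret values while keeping the surrounding structure intact."""
    payload = BASIC_RE.sub(lambda m: m.group("head") + REDACTED, payload)
    payload = FORM_RE.sub(lambda m: m.group("key") + REDACTED, payload)
    payload = JSON_RE.sub(lambda m: m.group("key") + REDACTED + '"', payload)
    return payload


def redact_line(line):
    """Redact a single log line; non-wire lines pass through unchanged."""
    m = WIRE_RE.match(line)
    if not m:
        return line
    return m.group("prefix") + redact_payload(m.group("payload")) + '"'


def find_leaks(text):
    """List (line number, leak kind) for every wire line that carries a secret."""
    leaks = []
    for n, line in enumerate(text.splitlines(), 1):
        m = WIRE_RE.match(line)
        if m:
            for kind in classify_payload(m.group("payload")):
                leaks.append((n, kind))
    return leaks


def redact_log(text):
    """Return the whole log with every secret-bearing wire line redacted."""
    return "\n".join(redact_line(line) for line in text.splitlines())


if __name__ == "__main__":
    for lineno, kind in find_leaks(SAMPLE_LOG):
        print(f"line {lineno}: {kind}")
    print(redact_log(SAMPLE_LOG))
```

Redaction downstream is a stopgap: the body dump comes from the org.apache.http.wire logger at DEBUG, so for production runs keep that category, and the HTTP debug setting that enables it, above DEBUG and treat any run that had it on as a credential exposure to rotate.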