chore: Add additional warnings for sensitive tokens

Author: lqiu96

oauth2_http/java/com/google/auth/oauth2/AccessToken.java

@@ -114,6 +114,13 @@ public int hashCode() {
     return Objects.hash(tokenValue, expirationTimeMillis, scopes);
   }
 
+  /**
+   * Returns a string representation of this access token, including the raw token value.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes the raw, unmasked access token
+   * value. Do not log this output in production environments as it may expose sensitive
+   * credentials.
+   */
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)

oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java

@@ -284,6 +284,13 @@ public int hashCode() {
         quotaProjectId);
   }
 
+  /**
+   * Returns a string representation of this credential.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes sensitive fields such as the
+   * client secret, refresh token, and request metadata containing the raw Bearer access token. Do
+   * not log this output in production environments as it may expose sensitive credentials.
+   */
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)

oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

@@ -710,6 +710,13 @@ public int hashCode() {
         iamEndpointOverride);
   }
 
+  /**
+   * Returns a string representation of this credential.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes the source credentials which may
+   * recursively contain sensitive fields such as access tokens. Do not log this output in production
+   * environments as it may expose sensitive credentials.
+   */
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)

oauth2_http/java/com/google/auth/oauth2/LoggingUtils.java

@@ -79,7 +79,8 @@ static void logResponsePayload(
   /**
    * Generic log method to use when not logging standard request, response and payload.
    *
-   * <p>Note: This does not mask the data. Log carefully if the data contains sensitive tokens.
+   * <p>Any key in the provided {@code contextMap} that matches the sensitive keys set (e.g.
+   * access_token, refresh_token) will have its value masked via SHA-256 hash before being logged.
    */
   static void log(
       LoggerProvider loggerProvider, Level level, Map<String, Object> contextMap, String message) {

oauth2_http/java/com/google/auth/oauth2/OAuth2Credentials.java

@@ -446,6 +446,14 @@ protected Map<String, List<String>> getRequestMetadataInternal() {
     return null;
   }
 
+  /**
+   * Returns a string representation of this credential, including request metadata and access
+   * token.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes the request metadata which
+   * contains the raw Bearer access token, and the raw access token value. Do not log this output in
+   * production environments as it may expose sensitive credentials.
+   */
   @Override
   public String toString() {
     OAuthValue localValue = value;

oauth2_http/java/com/google/auth/oauth2/Slf4jLoggingHelpers.java

@@ -115,8 +115,8 @@ static void logResponse(HttpResponse response, LoggerProvider loggerProvider, St
         responseLogDataMap.put("response.status", String.valueOf(response.getStatusCode()));
         responseLogDataMap.put("response.status.message", response.getStatusMessage());
 
-        Map<String, Object> headers = new HashMap<>(response.getHeaders());
-        responseLogDataMap.put("response.headers", headers.toString());
+        Map<String, Object> headers = parseGenericData(response.getHeaders());
+        responseLogDataMap.put("response.headers", gson.toJson(headers));
         Slf4jUtils.log(logger, org.slf4j.event.Level.INFO, responseLogDataMap, message);
       }
     } catch (Exception e) {
@@ -138,12 +138,24 @@ static void logResponsePayload(
     }
   }
 
+  /**
+   * Generic log method for non-standard request/response/payload logging.
+   *
+   * <p>Any key in the provided {@code contextMap} that matches the {@code SENSITIVE_KEYS} set will
+   * have its value masked via SHA-256 hash before being logged.
+   *
+   * @param loggerProvider the logger provider for the calling class
+   * @param level the java.util.logging level to map to SLF4J
+   * @param contextMap the key-value pairs to log
+   * @param message the log message
+   */
   static void log(
       LoggerProvider loggerProvider, Level level, Map<String, Object> contextMap, String message) {
     try {
       Logger logger = loggerProvider.getLogger();
       org.slf4j.event.Level slf4jLevel = matchUtilLevelToSLF4JLevel(level);
-      Slf4jUtils.log(logger, slf4jLevel, contextMap, message);
+      Map<String, Object> maskedContextMap = parseGenericData(contextMap);
+      Slf4jUtils.log(logger, slf4jLevel, maskedContextMap, message);
     } catch (Exception e) {
       // let logging fail silently
     }

oauth2_http/java/com/google/auth/oauth2/UserCredentials.java

@@ -361,6 +361,13 @@ public int hashCode() {
         quotaProjectId);
   }
 
+  /**
+   * Returns a string representation of this credential.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes sensitive fields such as the
+   * refresh token and request metadata containing the raw Bearer access token. Do not log this
+   * output in production environments as it may expose sensitive credentials.
+   */
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)

oauth2_http/javatests/com/google/auth/oauth2/LoggingTest.java

@@ -650,7 +650,23 @@ void impersonatedCredentials_exchangeToken_masksSensitiveTokens()
 
     assertEquals(3, testAppender.events.size());
 
-    // Verify response payload has tokens masked
+    // 1. Verify request log contains properly formatted payload (JsonHttpContent masking)
+    ILoggingEvent requestLog = testAppender.events.get(0);
+    assertEquals(
+        "Sending request to refresh access token", requestLog.getMessage());
+    String requestPayload = null;
+    for (KeyValuePair kvp : requestLog.getKeyValuePairs()) {
+      if ("request.payload".equals(kvp.key)) {
+        requestPayload = (String) kvp.value;
+      }
+    }
+    // When logged at DEBUG level, the request payload should be present and valid JSON
+    // (the JsonHttpContent payload goes through parseGenericData for masking)
+    if (requestPayload != null) {
+      assertTrue(isValidJson(requestPayload), "Request payload should be valid JSON");
+    }
+
+    // 2. Verify response payload has tokens masked
     assertEquals("Response payload for access token", testAppender.events.get(2).getMessage());
     boolean foundAccessToken = false;
     for (KeyValuePair kvp : testAppender.events.get(2).getKeyValuePairs()) {
@@ -669,4 +685,67 @@ void impersonatedCredentials_exchangeToken_masksSensitiveTokens()
     assertTrue(foundAccessToken, "Expected accessToken in response payload logs");
     testAppender.stop();
   }
+
+  @Test
+  void impersonatedCredentials_requestPayload_masksJsonHttpContentSensitiveKeys()
+      throws IOException, IllegalStateException {
+    // Set DEBUG level to ensure request payloads are logged
+    Logger logger = LoggerFactory.getLogger(ImpersonatedCredentials.class);
+    ch.qos.logback.classic.Logger logbackLogger = (ch.qos.logback.classic.Logger) logger;
+    ch.qos.logback.classic.Level previousLevel = logbackLogger.getLevel();
+    logbackLogger.setLevel(ch.qos.logback.classic.Level.DEBUG);
+
+    TestAppender testAppender = new TestAppender();
+    testAppender.start();
+    logbackLogger.addAppender(testAppender);
+
+    try {
+      MockIAMCredentialsServiceTransportFactory mockTransportFactory =
+          new MockIAMCredentialsServiceTransportFactory();
+      mockTransportFactory.getTransport().setTargetPrincipal(IMPERSONATED_CLIENT_EMAIL);
+      mockTransportFactory.getTransport().setAccessToken(ACCESS_TOKEN);
+      mockTransportFactory.getTransport().setExpireTime(getDefaultExpireTime());
+      mockTransportFactory
+          .getTransport()
+          .addStatusCodeAndMessage(HttpStatusCodes.STATUS_CODE_OK, "");
+      ImpersonatedCredentials targetCredentials =
+          ImpersonatedCredentials.create(
+              ImpersonatedCredentialsTest.getSourceCredentials(),
+              IMPERSONATED_CLIENT_EMAIL,
+              null,
+              IMMUTABLE_SCOPES_LIST,
+              VALID_LIFETIME,
+              mockTransportFactory);
+
+      targetCredentials.refreshAccessToken();
+
+      // Find the request log event
+      ILoggingEvent requestLog = testAppender.events.get(0);
+      assertEquals("Sending request to refresh access token", requestLog.getMessage());
+
+      // Extract request.payload
+      String requestPayload = null;
+      for (KeyValuePair kvp : requestLog.getKeyValuePairs()) {
+        if ("request.payload".equals(kvp.key)) {
+          requestPayload = (String) kvp.value;
+        }
+      }
+
+      // At DEBUG level, request payload must be present
+      assertNotNull(requestPayload, "Request payload should be logged at DEBUG level");
+      assertTrue(isValidJson(requestPayload), "Request payload should be valid JSON");
+
+      // The ImpersonatedCredentials request payload uses JsonHttpContent with fields:
+      // delegates, scope, lifetime. None of these are in SENSITIVE_KEYS, so they should
+      // appear as-is (not hashed). This validates that JsonHttpContent goes through
+      // parseGenericData without breaking.
+      assertFalse(
+          requestPayload.contains("\"delegates\":null"),
+          "Payload should be properly serialized from JsonHttpContent");
+    } finally {
+      logbackLogger.setLevel(previousLevel);
+      testAppender.stop();
+    }
+  }
 }
+