Re: How to stop bearer tokens leaking
From: Stephen Booth via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 5 Nov 2021 15:40:03 +0000
On 05/11/2021 13:44, Patrick Monnerat via curl-library wrote:
> On 11/5/21 10:43, Stephen Booth via curl-library wrote:
>> If I use basic-auth the curl binary hides the credentials passed on
>> the command line from being seen using ps -1
>> What's the best way of protecting bearer tokens in the same way?
>> AFAIK the only way of setting a bearer token is to use the generic -H
>> flag
>
> You should use the --oauth2-bearer option. Unfortunately it does not
> (yet) obfuscate its argument. A PR for it is pending:
> https://github.com/curl/curl/pull/7964
>
> Patrick
Thank you Patrick. I think that would be a big improvement
especially for interactive use where people don't have time to set up
config files etc.
I missed the --oauth-bearer option because I checked the flags on an old
box with an old curl version :-)
Stephen
======================================================================
|epcc| Dr Stephen P Booth Principal Architect |epcc|
|epcc| s.booth_at_epcc.ed.ac.uk Phone 0131 650 5746 |epcc|
======================================================================
Received on 2021-11-05
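The config-file route mentioned in the thread can be used without a file on disk: curl reads a config from stdin when given `--config -`, so the token never appears in curl's argument list. The wrapper below is an added example, not code from the thread or from the curl project; the function names and the `API_TOKEN` variable are assumptions.

```shell
# Added example: keep a bearer token out of curl's argv by sending it
# through a config read from stdin (--config -).
# API_TOKEN, bearer_config and curl_with_bearer are assumed names.

# Emit one curl config line for the token given in $1.
bearer_config() {
    tok=$1
    nl='
'
    cr=$(printf '\r')
    # Refuse empty tokens and embedded line breaks, which would let a
    # token value inject extra config lines.
    case $tok in
        ''|*"$nl"*|*"$cr"*) echo "bearer_config: invalid token" >&2; return 1 ;;
    esac
    # Inside a quoted config value curl treats \ and " specially, so
    # escape both. printf is a shell builtin and sed receives the token
    # on stdin, so no process has the token in its argument list.
    esc=$(printf '%s' "$tok" | sed 's/[\\"]/\\&/g')
    printf 'oauth2-bearer = "%s"\n' "$esc"
}

# Run curl with the token taken from $API_TOKEN; all arguments are
# passed through unchanged after "--config -".
curl_with_bearer() {
    cfg=$(bearer_config "${API_TOKEN-}") || return 1
    printf '%s\n' "$cfg" | curl --config - "$@"
}
```

Because stdin carries the config, this wrapper cannot be combined with request bodies read from stdin (for example `--data @-`).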