Some sensitive information can be displayed in logs
Problem
When deploying a new infrastructure, before Keycloak gets its valid certificates, laboite tries to connect without success and leaks the admapi password in the logs.
Logs from laboite; I replaced the password with X:
2023-05-17 13:50:14.205 [error] [SYSTEM] APPCLIENT - KcCLIENT - _getToken - ** Keycloak: could not get token, please check settings ** {"error":{"message":"self signed certificate","name":"Error","stack":"Error: self signed certificate\n at TLSSocket.onConnectSecure (_tls_wrap.js:1515:34)\n at TLSSocket.emit (events.js:400:28)\n at TLSSocket.emit (domain.js:475:12)\n at TLSSocket._finishInit (_tls_wrap.js:937:8)\n at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:709:12)","config":{"transitional":{"silentJSONParsing":true,"forcedJSONParsing":true,"clarifyTimeoutError":false},"transformRequest":[null],"transformResponse":[null],"timeout":0,"xsrfCookieName":"XSRF-TOKEN","xsrfHeaderName":"X-XSRF-TOKEN","maxContentLength":-1,"maxBodyLength":-1,"headers":{"Accept":"application/json, text/plain, */*","Content-Type":"application/x-www-form-urlencoded","User-Agent":"axios/0.26.1","Content-Length":129},"method":"post","url":"https://auth.mim-libre.fr/auth/realms/mim/protocol/openid-connect/token","data":"username=admapi&password=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&grant_type=password&client_id=admin-cli"},"code":"DEPTH_ZERO_SELF_SIGNED_CERT","status":null}}
Proposal
Several things could be done to avoid the leak:
- do not include the `config` key in the logs
- restrict the full message log to `debug`
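The two proposals above, as an added example that is not laboite's own code: the `config` key of the axios error is dropped at the default log level, and at `debug` a copy is kept with the form-body credentials and auth headers masked. The sanitizer name, the field and header lists, and the sample error (placeholder host and password) are assumptions.

```javascript
// Added example (not laboite's code): log-safe view of an axios error.
// axios attaches the full request to `error.config`, including the form body
// "username=...&password=..." posted to the Keycloak token endpoint, so
// logging the raw error object leaks the admapi password.
const SENSITIVE_FIELDS = new Set(['password', 'client_secret', 'refresh_token']);
const SENSITIVE_HEADERS = new Set(['authorization', 'cookie']);

// Mask sensitive values in an application/x-www-form-urlencoded body.
function redactFormBody(body) {
  const params = new URLSearchParams(body);
  for (const key of [...params.keys()]) {
    if (SENSITIVE_FIELDS.has(key.toLowerCase())) params.set(key, 'REDACTED');
  }
  return params.toString();
}

// Mask credential-bearing headers, keep the rest (content type, user agent).
function redactHeaders(headers = {}) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? 'REDACTED' : value;
  }
  return out;
}

// Default level drops the `config` key entirely (first proposal); at `debug`
// a redacted request summary is kept (second proposal).
function sanitizeAxiosError(err, level = 'error') {
  const status = err.response ? err.response.status : null;
  const safe = { message: err.message, name: err.name, code: err.code, status };
  if (level === 'debug' && err.config) {
    const { url, method, headers, data } = err.config;
    safe.config = {
      url, method, headers: redactHeaders(headers),
      data: typeof data === 'string' ? redactFormBody(data) : '[non-string body omitted]',
    };
  }
  return safe;
}

// Constructed sample mirroring the issue's error (placeholder host and password).
const sampleError = Object.assign(new Error('self signed certificate'), {
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT',
  config: {
    method: 'post',
    url: 'https://keycloak.example/auth/realms/mim/protocol/openid-connect/token',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    data: 'username=admapi&password=NOT-A-REAL-PASSWORD&grant_type=password&client_id=admin-cli',
  },
});
```

Log `JSON.stringify(sanitizeAxiosError(err, currentLevel))` instead of the raw error, and the password never reaches the log file at either level.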
Edited by Daniel Dehennin