Hi,
In the application ecosystem we are developing, one type of authentication is being made by calling an external service (Identity Provider) with the username and password.
These fields are being passed as plain text in the request, as this is the way the external API is exposed. If logging is enabled in this REST API, then these requests will be available in Service Center, in the Integration Logs section.
Additionally, in the current configuration, OutSystems Logs are being exported to an external logging repository (Elastic), and if logging is activated, this information will be exported to that repository as well.
Therefore, we would like to have a way to mask sensitive data sent/received in integrations logs, namely passwords.
Is there any way this information can be obfuscated/removed/masked in case an admin starts logging the requests/responses of the service in the Production environment?
Regards,João Mateus
Hi João,
This is not possible. There is no way to identify what "sensitive" data is. Service Center even warns you for this:
Just don't set the logging to anything but "Default" if you do not want information to be captured.
This topic is of concern to enterprise architects that have to deal with centralized log and GDPR/sensitive data management.
It seems that OutSystems is developing a feature, it is bundled in Service Studio 11.8.1, that is going to fulfill the use case I mentioned:
It is still unclear, at this time, when the Platform version that supports it will be released.
Regards,
João Mateus
Also, it seems only available for consumed REST, not exposed REST. Not sure if it's also for SOAP.