Hi! Our OpenID provider has had a glitch where they accidentally gave out too much information about users (the Norwegian equivalent of a social security number) and they’re now asking whether our Discourse instance may have stored the information. The information in question would most likely appear as something like this in the userinfo response:
"norEduPersonNIN": "23080374554"
Is there any chance this extraneous information could have been stored anywhere?
It seems unlikely to me, but:
- Does the entire response get logged/stashed away somewhere?
- Does the presence of such a tag trigger an error message that is stored/logged somewhere?
- Does the system extract & store all it can from the response, “just in case”?
Would really appreciate a definitive response along the lines of “no chance” or “yeah, it gets stored but here’s how you delete that information”.
Thanks! Nothing suspicious turns up there. I also got our “database hotel” guys to do a full dump of the database, and grepping among the contents turned up zilch. Phew. This was a newspaper-worthy incident, although AFAIK the SSN-equivalents have not yet been leaked per se, just erroneously given out to auth clients.
Thanks! Was disabled, fortunately. But do you mean “/log”, not “/logs”? Can’t find the latter under the install directory (we have a direct install on RHEL8).
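The database-dump grep described in this thread can be extended to catch values stored without the attribute name by checking the two mod-11 control digits of Norwegian national identity numbers. This is an added example, not part of the original posts and not Discourse code; it assumes a plain-text dump or log file, and the sample lines and the table name in them are constructed.

```python
import re
import sys

ATTR = re.compile(r"norEduPersonNIN", re.IGNORECASE)
CANDIDATE = re.compile(r"(?<![0-9])[0-9]{11}(?![0-9])")  # exactly 11 digits in a row
K1 = (3, 7, 6, 1, 8, 9, 4, 5, 2)      # weights for control digit 1
K2 = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)   # weights for control digit 2


def control(digits, weights):
    """Mod-11 control digit, or None when the remainder allows no valid digit."""
    ctrl = (11 - sum(d * w for d, w in zip(digits, weights)) % 11) % 11
    return None if ctrl == 10 else ctrl


def nin_checksum_ok(number):
    """True if an 11-digit string passes both control digits."""
    if not re.fullmatch(r"[0-9]{11}", number):
        return False
    d = [int(c) for c in number]
    return control(d[:9], K1) == d[9] and control(d[:10], K2) == d[10]


def scan(lines):
    """Yield (line_no, reason, column); the matched value is never echoed."""
    for no, line in enumerate(lines, 1):
        for m in ATTR.finditer(line):
            yield no, "attribute-name", m.start()
        for m in CANDIDATE.finditer(line):
            if nin_checksum_ok(m.group()):
                yield no, "checksum-valid-number", m.start()


# Constructed sample lines, not taken from any real dump or log.
SAMPLE = [
    '{"sub": "abc", "email": "user@example.org"}',
    # The value quoted in the thread fails the control digits, so only the
    # attribute-name match catches this line.
    '{"sub": "def", "norEduPersonNIN": "23080374554"}',
    # Checksum-valid but with an impossible birth date (day 00, month 00).
    "INSERT INTO example_table VALUES (7, 'nin', '00000000191');",
    "order 123456789012 shipped, ref 12345678901",  # 12 digits / bad checksum
]

if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE
    hits = list(scan(src))
    for no, reason, col in hits:
        print(f"line {no} col {col}: {reason}")
    sys.exit(1 if hits else 0)
```

The report lists only line and column so that the scan output does not itself become a second copy of the identifiers.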