Need to check if extra information has been stored from OpenID provider

Hi! Our OpenID provider has had a glitch where they accidentally gave out too much information about users (the Norwegian equivalent of a social security number) and they’re now asking whether our Discourse instance may have stored the information. The information in question would most likely appear as something like this in the userinfo response:

`"norEduPersonNIN": "23080374554"`

Is there any chance this extraneous information could have been stored anywhere?

It seems unlikely to me, but

  • Does the entire response get logged/stashed away somewhere?
  • Does the presence of such a tag trigger an error message that is stored/logged somewhere?
  • Does the system extract & store all it can from the response, “just in case”?

Would really appreciate a definitive response along the lines of “no chance” or “yeah, it gets stored but here’s how you delete that information” :slight_smile:

Hi @steinhh, I think this is the best description:

The information is stored in the user_associated_accounts database table, so you could take a look there to see what might need to be cleaned up.

1 Like
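One way to run that check against the table, as an added example (not something from the thread or from Discourse itself). It is PostgreSQL syntax; the column names `info`, `extra` and `credentials`, and the nested `raw_info` path used in the cleanup, are assumptions about the schema and should be confirmed with `\d user_associated_accounts` first.

```sql
-- Constructed example: find any user_associated_accounts row whose stored
-- JSON contains the offending key at any nesting depth. Casting the jsonb
-- columns to text catches the key wherever it sits.
-- Column names info/extra/credentials are assumed, not taken from the thread.
SELECT id, user_id, provider_name
  FROM user_associated_accounts
 WHERE info::text        LIKE '%norEduPersonNIN%'
    OR extra::text       LIKE '%norEduPersonNIN%'
    OR credentials::text LIKE '%norEduPersonNIN%';

-- Show exactly where the key lives before touching anything
-- (jsonb_path_query and the .** recursive wildcard need PostgreSQL 12+).
SELECT id, jsonb_path_query(extra, '$.**.norEduPersonNIN') AS leaked_value
  FROM user_associated_accounts
 WHERE extra::text LIKE '%norEduPersonNIN%';

-- Cleanup, run inside a transaction so it can be verified before commit.
-- The path '{raw_info,norEduPersonNIN}' assumes the usual omniauth layout
-- (extra -> raw_info -> raw userinfo fields); adjust it to what the query
-- above actually reported.
BEGIN;
UPDATE user_associated_accounts
   SET extra = (extra #- '{raw_info,norEduPersonNIN}') - 'norEduPersonNIN',
       info  = info - 'norEduPersonNIN'
 WHERE extra::text LIKE '%norEduPersonNIN%'
    OR info::text  LIKE '%norEduPersonNIN%';
-- Re-run the first SELECT here; it must return zero rows before COMMIT.
COMMIT;
```

The same substring search is what to run over `log/production.log` (and any rotated copies) with `grep -l norEduPersonNIN`, since that is the only other place the plugin would have written the raw response.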

Thanks! Nothing suspicious turns up there. I also got our “database hotel” guys to do a full dump of the database, and grepping among the contents turned up zilch. Phew. This was a newspaper-worthy incident, although AFAIK the SSN-equivalents have not yet been leaked per se, just erroneously given out to auth clients.

1 Like

If the openid_connect_verbose_logging site setting is enabled, the response from the userinfo endpoint gets logged: discourse-openid-connect/lib/omniauth_open_id_connect.rb at f31a869611a2fad8efadd9b2504440215169a391 · discourse/discourse-openid-connect · GitHub.

Thanks! Was disabled, fortunately. But do you mean “/log”, not “/logs”? Can’t find the latter under the install directory (we have a direct install on RHEL8).

Yes, the directory is called log. I’m fairly sure that anything relevant to your situation would be found in the production.log file.