
Access and Refresh tokens are visible in browser console #1788

@krambo-ss

Describe the bug

The Access Token and Refresh Token are both shown in the browser's console.

Steps to reproduce

  1. Login to OpenCloud
  2. Open the browser's dev tools (Firefox in my case)
  3. Wait until "AccessToken Expiring" appears

Expected behavior

Those two should not be visible.

Actual behavior

The Access Token and Refresh Token are both shown in the browser's console.

Setup

OpenCloud production image (version 4.0.1 stable) was spun up with Keycloak, Collabora, and Radicale. Using my own nginx server for reverse proxy. Main functionalities appear to work fine.

I'm pasting below my sanitized .env file contents and a screenshot of said browser console.

[screenshot of the browser console]

LOG_DRIVER=
INSECURE=true
COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:external-proxy/opencloud-exposed.yml:external-proxy/collabora-exposed.yml:idm/ldap-keycloak.yml:external-proxy/keycloak-exposed.yml:radicale/radicale.yml
TRAEFIK_DASHBOARD=
TRAEFIK_DOMAIN=
TRAEFIK_BASIC_AUTH_USERS=
TRAEFIK_ACME_MAIL=
TRAEFIK_ACME_CASERVER=
TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
TRAEFIK_ACCESS_LOG=
TRAEFIK_LOG_LEVEL=
OC_DOCKER_IMAGE=opencloudeu/opencloud
OC_DOCKER_TAG=
OC_DOMAIN=<removed>
DEMO_USERS=
INITIAL_ADMIN_PASSWORD=<removed>
LOG_LEVEL= warn
LOG_PRETTY=true
OC_CONFIG_DIR=/opt/opencloud-data/config
OC_DATA_DIR=/opt/opencloud-data/data
OC_APPS_DIR=/opt/opencloud-data/apps
DECOMPOSEDS3_ENDPOINT=
DECOMPOSEDS3_REGION=
DECOMPOSEDS3_ACCESS_KEY=
DECOMPOSEDS3_SECRET_KEY=
DECOMPOSEDS3_BUCKET=
SMTP_HOST=
SMTP_PORT=
SMTP_SENDER=
SMTP_USERNAME=
SMTP_PASSWORD=
SMTP_AUTHENTICATION=
SMTP_TRANSPORT_ENCRYPTION=
SMTP_INSECURE=
START_ADDITIONAL_SERVICES=""
TIKA_IMAGE=
COLLABORA_DOMAIN=<removed>
WOPISERVER_DOMAIN=<removed>
COLLABORA_ADMIN_USER=<removed>
COLLABORA_ADMIN_PASSWORD=<removed>
COLLABORA_SSL_ENABLE=false
COLLABORA_SSL_VERIFICATION=false
COLLABORA_HOME_MODE=
CLAMAV_DOCKER_TAG=
COMPOSE_PATH_SEPARATOR=:
LDAP_BIND_PASSWORD=
IDP_DOMAIN=
IDP_ISSUER_URL=
IDP_ACCOUNT_URL=
KEYCLOAK_DOMAIN=<removed>
KEYCLOAK_ADMIN=<removed>
KEYCLOAK_ADMIN_PASSWORD=<removed>
KC_DB_USERNAME=<removed>
KC_DB_PASSWORD=<removed>
RADICALE_DOCKER_IMAGE=opencloudeu/radicale
RADICALE_DOCKER_TAG=latest
RADICALE_DATA_DIR=/opt/opencloud-data/radicale/data

Additional context

Add any other context about the problem here.
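The mitigation a reviewer would expect for this class of bug is a logging wrapper that masks token material before anything reaches the console, together with a leak check that a test can run over captured log arguments. The following is an added example written for this issue; it is not OpenCloud code and not the reporter's. It assumes (this is not shown in the issue) that the "AccessToken Expiring" handler logs an event object carrying fields named access_token / refresh_token; the field names, the event shape and the logger API are all illustrative.

```javascript
// Added example (not OpenCloud code): redact tokens before they reach the browser console.
// Assumption: the "AccessToken Expiring" handler logs an event object that carries the
// raw access_token / refresh_token values; the field names below are assumed, not taken
// from OpenCloud.

// Three base64url segments separated by dots: the shape of a compact JWS/JWT.
const JWT_RE = /[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/;

// Property names whose values are never written to a log, whatever they contain
// (covers opaque refresh tokens, which the JWT pattern would not catch).
const SENSITIVE_KEYS = new Set([
  'access_token', 'refresh_token', 'id_token',
  'accessToken', 'refreshToken', 'idToken',
]);

// Mask JWT-shaped substrings inside free text (e.g. "Authorization: Bearer eyJ...").
function redactString(s) {
  return s.replace(new RegExp(JWT_RE.source, 'g'), '[REDACTED_JWT]');
}

// Walk any log argument: strings are masked, sensitive keys are replaced wholesale,
// everything else is copied. Depth-limited so cyclic objects cannot recurse forever.
function redact(value, depth = 0) {
  if (depth > 8) return '[truncated]';
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Leak check for tests: does a log argument (after JSON serialisation) still contain a JWT?
function leaksToken(value) {
  const text = typeof value === 'string' ? value : JSON.stringify(value);
  return JWT_RE.test(text);
}

// Wrap a sink (console.info, console.debug, ...) so every argument is redacted first.
function makeSafeLogger(sink) {
  return (...args) => sink(...args.map((a) => redact(a)));
}

// Constructed sample event; the token values are made-up, not real credentials.
const FAKE_JWT =
  'eyJhbGciOiJSUzI1NiIsImtpZCI6ImRlbW8ifQ.eyJzdWIiOiJkZW1vIiwiZXhwIjoxfQ.c2lnbmF0dXJlLXBsYWNlaG9sZGVy';
const sampleEvent = {
  event: 'AccessToken Expiring',
  access_token: FAKE_JWT,
  refresh_token: 'opaque-refresh-token-value',
  expires_in: 60,
  detail: `Authorization: Bearer ${FAKE_JWT}`,
};

// Stand-alone run: the raw event would leak, the wrapped logger prints only masked values.
const safeInfo = makeSafeLogger(console.info);
safeInfo('oidc event', sampleEvent);
```

Installing the wrapper in place of direct `console.*` calls in the token-refresh code path is the fix; `leaksToken` is the regression check, run in a unit test against whatever the handler passes to the logger so a future change cannot silently reintroduce the raw token.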

Status: In Progress