When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system.

An attacker with access to application logs (e.g., via a compromised log aggregation pipeline, shared logging infrastructure, or misconfigured log access controls) can extract valid JWT tokens and replay them to authenticate as legitimate users.

All versions using OIDC authentication are affected.

In oxiad/common/rpc/auth/interceptor.go, the validateTokenWithContext() function logs the complete token value via slog.String("token", token) when authentication fails. This includes the full JWT header, payload, and signature.

Fixed by redacting the token in log output — only the last 8 characters are preserved for correlation purposes.

Ensure DEBUG-level logging is never enabled in production environments.