TokenRequestValidator.LogWithRequestDetails may leak RefreshToken

[mustakimali]

Issue / Steps to reproduce the problem

If refresh_token is configured to be scrubbed like this

services.AddIdentityServer(options =>
                {
                    // ...
                    options.Logging.TokenRequestSensitiveValuesFilter = new List<string>{ "client_secret", "refresh_token"};
                })

however due to how the TokenRequestValidationLog constructor also sets the RefreshToken property

IdentityServer4/src/IdentityServer4/src/Logging/Models/TokenRequestValidationLog.cs

Lines 32 to 47 in b406b60

	Raw = request.Raw.ToScrubbedDictionary(sensitiveValuesFilter.ToArray());
	if (request.Client != null)
	{
	ClientId = request.Client.ClientId;
	ClientName = request.Client.ClientName;
	}
	if (request.RequestedScopes != null)
	{
	Scopes = request.RequestedScopes.ToSpaceSeparatedString();
	}
	GrantType = request.GrantType;
	AuthorizationCode = request.AuthorizationCodeHandle;
	RefreshToken = request.RefreshTokenHandle;

This means LogSuccess Here will eventually log the RefreshToken.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.