
Linux Terminal Command Leak Exposes OpenID Connect (OIDC) Tokens



It happened fast. A developer was testing OIDC authentication against a production identity provider, debugging through the terminal. One curl request later, tokens meant for the browser were spilled into logs and shell history. The command returned more than JSON. It returned a session lifeline.

Most people think of OIDC as secure by design. Most of the time, it is. But in the Linux terminal, even a safe protocol can become dangerous. The bug wasn’t in the OIDC spec. It was in the way the terminal handled sensitive data: tokens echoed to stdout, stored in ~/.bash_history, cached by helper tools, scrolled in plain text for anyone with local access.

This is the kind of bug that hides in plain sight. Every identity provider, from small open-source stacks to enterprise SSO, uses tokens with short lifespans. But “short” in security terms might still mean ten minutes. In ten minutes, a leaked access token can call APIs, pull data, or escalate privileges if scopes are too broad. Combine that with refresh tokens, and the attacker doesn’t need minutes—they own the session until someone notices.


Here’s the sequence that creates trouble:

  1. The developer runs an OIDC token exchange in the terminal.
  2. The output includes credentials that are neither masked nor filtered.
  3. A shell or a monitoring process stores that output.
  4. Logs or history get synced to a shared server or repo.

The bug isn’t rare. It’s a workflow flaw. And because CLI-based OIDC flows are common in DevOps, build pipelines, and CLI tools for APIs, the attack surface is much bigger than people realize.

Mitigation starts with awareness. Never expose tokens in stdout. Use tools that mask sensitive output at the terminal layer. Redirect JSON payloads to a secure file instead of printing them. Rotate credentials often. Restrict refresh token use whenever possible. And if you’re building automation around OIDC, test exactly how your CLI handles sensitive data under every authentication step.
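The following shell script is an added example, not code from the original post or from hoop.dev. It puts the mitigations above into practice for the authorization-code exchange: the client secret is read from a file by curl instead of appearing on the command line, the raw response goes straight into a file created with mode 0600 rather than to stdout, only a redacted copy is ever echoed, and a small scanner counts JWT-shaped strings already sitting in shell history or logs. The token endpoint, client id, file names and the sample response are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a leak-resistant OIDC token
# exchange for the Linux terminal, plus a check for tokens that already leaked.
# All endpoint, client and file names here are hypothetical.
set -eu

# JWT-shaped string: three base64url segments; the header always starts "eyJ".
JWT_RE='eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'

# Mask token-valued JSON fields and any loose JWT in text read from stdin so a
# token response can be printed or logged while debugging. Needs only sed.
redact_tokens() {
  sed -E \
    -e 's/("(access_token|refresh_token|id_token)"[[:space:]]*:[[:space:]]*")[^"]*"/\1[REDACTED]"/g' \
    -e "s/$JWT_RE/[REDACTED_JWT]/g"
}

# Store whatever arrives on stdin in a file created with mode 0600. The file is
# removed first so a pre-existing world-readable file is never reused.
save_token_response() {
  _sr_dest="$1"
  rm -f -- "$_sr_dest"
  ( umask 077; cat > "$_sr_dest" )
}

# Count lines in the given files (shell history, CI logs, ...) that contain a
# JWT-shaped string. Hits are printed redacted on stderr; the count goes to stdout.
scan_for_leaked_tokens() {
  grep -HnE "$JWT_RE" "$@" 2>/dev/null | redact_tokens >&2 || true
  grep -hE "$JWT_RE" "$@" 2>/dev/null | wc -l | tr -d ' '
}

# Exchange an authorization code for tokens. curl reads the client secret from
# a file (the "name@file" form of --data-urlencode), so argv and ~/.bash_history
# never contain it; the response is written directly to a 0600 file and only a
# redacted copy is echoed. The code itself is single-use and short-lived.
# Not invoked below because it needs a live identity provider.
oidc_token_exchange() {
  token_endpoint="$1" client_id="$2" secret_file="$3" code="$4" redirect_uri="$5" out_file="$6"
  ( umask 077; rm -f -- "$out_file"
    curl -sS --fail \
      --data-urlencode "grant_type=authorization_code" \
      --data-urlencode "client_id=$client_id" \
      --data-urlencode "client_secret@$secret_file" \
      --data-urlencode "code=$code" \
      --data-urlencode "redirect_uri=$redirect_uri" \
      -o "$out_file" "$token_endpoint" )
  redact_tokens < "$out_file"
}

# Constructed sample token response (no network needed) used by the demo.
SAMPLE_RESPONSE='{"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJkZXYifQ.c2lnbmF0dXJl","token_type":"Bearer","expires_in":600,"refresh_token":"rt-constructed-0001","id_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJkZXYifQ.c2lnbmF0dXJl"}'

demo() {
  work=$(mktemp -d)
  printf '%s\n' "$SAMPLE_RESPONSE" | save_token_response "$work/tokens.json"
  echo "stored with mode $(stat -c %a "$work/tokens.json" 2>/dev/null || stat -f %Lp "$work/tokens.json")"
  echo "safe to print: $(redact_tokens < "$work/tokens.json")"
  # A constructed history line of the kind the post describes, as scan target.
  printf 'curl -H "Authorization: Bearer %s" https://api.example.test/me\n' \
    "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJkZXYifQ.c2lnbmF0dXJl" > "$work/bash_history"
  echo "leaked lines found: $(scan_for_leaked_tokens "$work/bash_history")"
  rm -rf -- "$work"
}
demo
```

In interactive bash, pairing this with `HISTCONTROL=ignorespace` and a leading space on any command that must carry a secret argument keeps that command out of history as well; the scanner is the check to run over `~/.bash_history` and pipeline logs before they are synced anywhere.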

Mistakes like this don’t need weeks of auditing to surface. They can be prevented in minutes. That’s exactly what rapid, real-world testing environments were designed for. With hoop.dev, you can spin up secure sandboxes, simulate OIDC flows, and watch for leaks before they hit production. See it live in minutes.
