[Security Fix] fix: don't log JWT SSO token on .info() log (#15145)

* fix: get_redirect_response_from_openid

* fix info log check

* fix: forward_upstream_to_client

Author: ishaan-jaff

litellm/model_prices_and_context_window_backup.json

@@ -3308,6 +3308,64 @@
         "supports_tool_choice": true,
         "supports_web_search": true
     },
+    "azure_ai/grok-4": {
+        "input_cost_per_token": 5.5e-06,
+        "litellm_provider": "azure_ai",
+        "max_input_tokens": 131072,
+        "max_output_tokens": 131072,
+        "max_tokens": 131072,
+        "mode": "chat",
+        "output_cost_per_token": 2.75e-05,
+        "source": "https://azure.microsoft.com/en-us/blog/grok-4-is-now-available-in-azure-ai-foundry-unlock-frontier-intelligence-and-business-ready-capabilities/",
+        "supports_function_calling": true,
+        "supports_reasoning": true,
+        "supports_response_schema": true,
+        "supports_tool_choice": true,
+        "supports_web_search": true
+    },
+    "azure_ai/grok-4-fast-non-reasoning": {
+        "input_cost_per_token": 5e-06,
+        "litellm_provider": "azure_ai",
+        "max_input_tokens": 131072,
+        "max_output_tokens": 131072,
+        "max_tokens": 131072,
+        "mode": "chat",
+        "output_cost_per_token": 2.5e-03,
+        "source": "https://azure.microsoft.com/en-us/blog/grok-4-is-now-available-in-azure-ai-foundry-unlock-frontier-intelligence-and-business-ready-capabilities/",
+        "supports_function_calling": true,
+        "supports_response_schema": true,
+        "supports_tool_choice": true,
+        "supports_web_search": true
+    },
+    "azure_ai/grok-4-fast-reasoning": {
+        "input_cost_per_token": 5.8e-06,
+        "litellm_provider": "azure_ai",
+        "max_input_tokens": 131072,
+        "max_output_tokens": 131072,
+        "max_tokens": 131072,
+        "mode": "chat",
+        "output_cost_per_token": 2.9e-03,
+        "source": "https://azure.microsoft.com/en-us/blog/grok-4-is-now-available-in-azure-ai-foundry-unlock-frontier-intelligence-and-business-ready-capabilities/",
+        "supports_function_calling": true,
+        "supports_reasoning": true,
+        "supports_response_schema": true,
+        "supports_tool_choice": true,
+        "supports_web_search": true
+    },
+    "azure_ai/grok-code-fast-1": {
+        "input_cost_per_token": 3.5e-06,
+        "litellm_provider": "azure_ai",
+        "max_input_tokens": 131072,
+        "max_output_tokens": 131072,
+        "max_tokens": 131072,
+        "mode": "chat",
+        "output_cost_per_token": 1.75e-05,
+        "source": "https://azure.microsoft.com/en-us/blog/grok-4-is-now-available-in-azure-ai-foundry-unlock-frontier-intelligence-and-business-ready-capabilities/",
+        "supports_function_calling": true,
+        "supports_response_schema": true,
+        "supports_tool_choice": true,
+        "supports_web_search": true
+    },
     "azure_ai/jais-30b-chat": {
         "input_cost_per_token": 0.0032,
         "litellm_provider": "azure_ai",

litellm/proxy/management_endpoints/ui_sso.py

@@ -1594,7 +1594,6 @@ async def get_redirect_response_from_openid(  # noqa: PLR0915
             master_key or "",
             algorithm="HS256",
         )
-        verbose_proxy_logger.info(f"user_id: {user_id}; jwt_token: {jwt_token}")
         if user_id is not None and isinstance(user_id, str):
             litellm_dashboard_ui += "?login=success"
         verbose_proxy_logger.info(f"Redirecting to {litellm_dashboard_ui}")

litellm/proxy/pass_through_endpoints/pass_through_endpoints.py

@@ -1254,7 +1254,7 @@ async def forward_upstream_to_client() -> None:
                             logging_obj.model_call_details[
                                 "custom_llm_provider"
                             ] = "vertex_ai_language_models"
-                            verbose_proxy_logger.info(
+                            verbose_proxy_logger.debug(
                                 f"WebSocket passthrough ({endpoint}): Successfully extracted model '{extracted_model}' and set provider to 'vertex_ai' from server setup response"
                             )
                         else:

tests/code_coverage_tests/info_log_check.py

@@ -126,8 +126,13 @@ def _is_format_string_with_sensitive_data(self, arg) -> bool:
             for value in arg.values:
                 if isinstance(value, ast.FormattedValue):
                     value_str = self._get_arg_string(value.value).lower()
-                    if any(pattern in value_str for pattern in 
-                          ['request', 'response', 'data', 'body', 'content', 'messages']):
+                    # Check for any sensitive data patterns in f-string interpolations
+                    sensitive_f_string_patterns = [
+                        'request', 'response', 'data', 'body', 'content', 'messages',
+                        'token', 'jwt', 'auth', 'api_key', 'apikey', 'credential',
+                        'secret', 'password', 'passwd'
+                    ]
+                    if any(pattern in value_str for pattern in sensitive_f_string_patterns):
                         return True
 
         # Check for .format() calls
@@ -137,10 +142,14 @@ def _is_format_string_with_sensitive_data(self, arg) -> bool:
                 base_str = self._get_arg_string(arg.func.value).lower()
                 if "{}" in base_str or "{" in base_str:
                     # Check format arguments for sensitive data
+                    sensitive_format_patterns = [
+                        'request', 'response', 'data', 'body', 'content',
+                        'token', 'jwt', 'auth', 'api_key', 'apikey', 'credential',
+                        'secret', 'password', 'passwd'
+                    ]
                     for format_arg in arg.args:
                         format_str = self._get_arg_string(format_arg).lower()
-                        if any(pattern in format_str for pattern in 
-                              ['request', 'response', 'data', 'body', 'content']):
+                        if any(pattern in format_str for pattern in sensitive_format_patterns):
                             return True
 
         return False
@@ -171,16 +180,16 @@ def _get_violation_reason(self, arg) -> str:
         """Get a human-readable reason for the violation"""
         arg_str = self._get_arg_string(arg).lower()
 
-        if 'request' in arg_str:
+        if any(pattern in arg_str for pattern in ['jwt', 'token', 'api_key', 'apikey', 'auth', 'credential', 'secret', 'password', 'passwd']):
+            return "Potentially logging authentication/secret data (JWT, token, API key, etc.)"
+        elif 'request' in arg_str:
             return "Potentially logging request data"
         elif 'response' in arg_str:
             return "Potentially logging response data"
         elif any(pattern in arg_str for pattern in ['data', 'body', 'payload', 'content']):
             return "Potentially logging sensitive data/body/content"
         elif any(pattern in arg_str for pattern in ['messages', 'input', 'output']):
             return "Potentially logging message/input/output data"
-        elif any(pattern in arg_str for pattern in ['api_key', 'token', 'auth', 'credentials']):
-            return "Potentially logging authentication data"
         else:
             return "Potentially logging sensitive data"