diff --git a/test/integration/cli_test.go b/test/integration/cli_test.go
index 014eebb4..bed3a3dd 100644
--- a/test/integration/cli_test.go
+++ b/test/integration/cli_test.go
@@ -208,7 +208,7 @@ func TestCLILoginOIDC(t *testing.T) {
 			}
 		}()
 
-		reader := bufio.NewReader(stderr)
+		reader := bufio.NewReader(library.NewLoggerReader(t, "stderr", stderr))
 		line, err := reader.ReadString('\n')
 		if err != nil {
 			return fmt.Errorf("could not read login URL line from stderr: %w", err)
@@ -233,7 +233,7 @@ func TestCLILoginOIDC(t *testing.T) {
 				err = fmt.Errorf("stdout stream closed with error: %w", closeErr)
 			}
 		}()
-		reader := bufio.NewReader(stdout)
+		reader := bufio.NewReader(library.NewLoggerReader(t, "stdout", stdout))
 		var out clientauthenticationv1beta1.ExecCredential
 		if err := json.NewDecoder(reader).Decode(&out); err != nil {
 			return fmt.Errorf("could not read ExecCredential from stdout: %w", err)
diff --git a/test/library/iotest.go b/test/library/iotest.go
new file mode 100644
index 00000000..dcb0e695
--- /dev/null
+++ b/test/library/iotest.go
@@ -0,0 +1,43 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package library
+
+import (
+	"fmt"
+	"io"
+	"regexp"
+	"testing"
+)
+
+// NewLoggerReader wraps an io.Reader to log its input and output. It also performs some heuristic token masking.
+func NewLoggerReader(t *testing.T, name string, reader io.Reader) io.Reader {
+	t.Helper()
+	return &testlogReader{t: t, name: name, r: reader}
+}
+
+type testlogReader struct {
+	t    *testing.T
+	name string
+	r    io.Reader
+}
+
+func (l *testlogReader) Read(p []byte) (n int, err error) {
+	l.t.Helper()
+	n, err = l.r.Read(p)
+	if err != nil {
+		l.t.Logf("%s > %q: %v", l.name, maskTokens(p[0:n]), err)
+	} else {
+		l.t.Logf("%s > %q", l.name, maskTokens(p[0:n]))
+	}
+	return
+}
+
+//nolint: gochecknoglobals
+var tokenLike = regexp.MustCompile(`(?mi)[a-zA-Z0-9._-]{30,}|[a-zA-Z0-9]{20,}`)
+
+func maskTokens(in []byte) string {
+	return tokenLike.ReplaceAllStringFunc(string(in), func(t string) string {
+		return fmt.Sprintf("[...%d bytes...]", len(t))
+	})
+}