Closed
Opened on Feb 24, 2022
This is a copy of the same issue in JS: Azure/azure-sdk-for-js#20502
Draft PR in JS: Azure/azure-sdk-for-js#20516
While investigating what sensitive logging to add to our credentials, we have determined that the most useful information we could log are the account identifiers after retrieving a token. This issue describes a flexible approach to add support to log the account information on our credentials.
Tasks:
- Add `AllowLoggingAccountIdentifiers` to the options of the credentials' constructors.
- Retrieve the account identifiers after authenticating.
- Parse the first section of the access token after the `.` (which can be obtained with `access_token.split(".")[1]`), then extract the following properties: `appid`, `upn`, `tid`, `oid`.
- After a token is retrieved and the identifiers have been extracted, if `allowLoggingAccountIdentifiers` was set in the constructor of the credential, log a message similar to the following: `[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || "No User Principal Name available"}. Object ID (user): ${oid}`.
What do you think? Feedback appreciated.