-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Identity] allowLoggingAccountIdentifiers support #20516
Conversation
API changes have been detected in API changes + allowLoggingAccountIdentifiers?: boolean; |
} | ||
const unavailableUpn = "No User Principal Name available"; | ||
try { | ||
const parsed = (response as any).parsedBody || JSON.parse(response.bodyAsText); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be possible to get any of this info from MSAL in a way that doesn't require us to parse the raw response? I'm a bit concerned that we could somehow unintentionally log the wrong sensitive data.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As long as we limit ourselves to these 4 values we should be ok to not log something too sensitive.
MSAL does allow you to retrieve this with their AccountRecord, but we don’t use MSAL in every credential.
AllowLoggingAccountIdentifiers
to the credential options
Azure/azure-sdk-for-go#17166
API changes have been detected in API changes + loggingOptions?: LogPolicyOptions & {
+ allowLoggingAccountIdentifiers?: boolean;
+ }; |
This pull request is protected by Check Enforcer. What is Check Enforcer?Check Enforcer helps ensure all pull requests are covered by at least one check-run (typically an Azure Pipeline). When all check-runs associated with this pull request pass then Check Enforcer itself will pass. Why am I getting this message?You are getting this message because Check Enforcer did not detect any check-runs being associated with this pull request within five minutes. This may indicate that your pull request is not covered by any pipelines and so Check Enforcer is correctly blocking the pull request being merged. What should I do now?If the check-enforcer check-run is not passing and all other check-runs associated with this PR are passing (excluding license-cla) then you could try telling Check Enforcer to evaluate your pull request again. You can do this by adding a comment to this pull request as follows: What if I am onboarding a new service?Often, new services do not have validation pipelines associated with them, in order to bootstrap pipelines for a new service, you can issue the following command as a pull request comment: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great!!
- All of our credentials now support a new option on their constructor: `loggingOptions`, which allows configuring the logging options of the HTTP pipelines. - Within the new `loggingOptions` we have also added `allowLoggingAccountIdentifiers`, a property that if set to true logs information specific to the authenticated account after each successful authentication, including: the Client ID, the Tenant ID, the Object ID of the authenticated user, and if possible the User Principal Name.
While investigating what sensitive logging to add to our credentials, we have determined that the most useful information we could log are the account identifiers after retrieving a token. This issue describes a flexible approach to add support to log the account information on our credentials.
Since we specifically didn’t want to depend on MSAL for this feature, and we only wanted the account identifiers, I’m parsing the access token and extracting some of the values for this feature. I’m doing that, and the logging, at the network layer of the Identity library, which covers all credentials.
This PR:
allowLoggingAccountIdentifiers
to the options of the credentials’ constructors..
(which can be obtained withaccess_token.split(“.”)[1]
), then extracts the following properties:appid
,upn
,tid
,oid
.allowLoggingAccountIdentifiers
was set in the constructor of the credential, now we log a message similar to the following:[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || "No User Principal Name available"}. Object ID (user): ${oid}
.Feedback appreciated 🙏
Fixes #20502
Fixes #17460