Azure · sadasant · Mar 18, 2022 · Feb 24, 2022 · Feb 24, 2022 · Feb 24, 2022
@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- All of our credentials now support a new option on their constructor: `allowLoggingAccountIdentifiers`. If set to true, after a successful authentication our logging will include information specific to the authenticated account, including: the Client ID, the Tenant ID, the Object ID of the authenticated user, and if possible the User Principal Name.
+
 ### Breaking Changes
 
 ### Bugs Fixed

diff --git a/...wordcredential/recording_authenticates_with_allowloggingaccountidentifiers_set_to_true.js b/...wordcredential/recording_authenticates_with_allowloggingaccountidentifiers_set_to_true.js
@@ -295,6 +295,7 @@ export { TokenCredential }
 
 // @public
 export interface TokenCredentialOptions extends CommonClientOptions {
+    allowLoggingAccountIdentifiers?: boolean;
     authorityHost?: string;
 }
 

@@ -10,6 +10,7 @@ import {
   createHttpHeaders,
   createPipelineRequest,
   PipelineRequest,
+  PipelineResponse,
 } from "@azure/core-rest-pipeline";
 import { AbortController, AbortSignalLike } from "@azure/abort-controller";
 import { AuthenticationError, AuthenticationErrorName } from "../errors";
@@ -75,6 +76,7 @@ export function getIdentityClientAuthorityHost(options?: TokenCredentialOptions)
  */
 export class IdentityClient extends ServiceClient implements INetworkModule {
   public authorityHost: string;
+  private allowLoggingAccountIdentifiers?: boolean;
   private abortControllers: Map<string, AbortController[] | undefined>;
 
   constructor(options?: TokenCredentialOptions) {
@@ -102,6 +104,7 @@ export class IdentityClient extends ServiceClient implements INetworkModule {
 
     this.authorityHost = baseUri;
     this.abortControllers = new Map();
+    this.allowLoggingAccountIdentifiers = options?.allowLoggingAccountIdentifiers;
   }
 
   async sendTokenRequest(
@@ -124,6 +127,8 @@ export class IdentityClient extends ServiceClient implements INetworkModule {
         return null;
       }
 
+      this.logIdentifiers(response);
+
       const token = {
         accessToken: {
           token: parsedBody.access_token,
@@ -280,6 +285,9 @@ export class IdentityClient extends ServiceClient implements INetworkModule {
     });
 
     const response = await this.sendRequest(request);
+
+    this.logIdentifiers(response);
+
     return {
       body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
       headers: response.headers.toJSON(),
@@ -301,10 +309,51 @@ export class IdentityClient extends ServiceClient implements INetworkModule {
     });
 
     const response = await this.sendRequest(request);
+
+    this.logIdentifiers(response);
+
     return {
       body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
       headers: response.headers.toJSON(),
       status: response.status,
     };
   }
+
+  /**
+   * If allowLoggingAccountIdentifiers was set on the constructor options
+   * we try to log the account identifiers by parsing the received access token.
+   *
+   * The account identifiers we try to log are:
+   * - `appid`: The application or Client Identifier.
+   * - `upn`: User Principal Name.
+   *   - It might not be available in some authentication scenarios.
+   *   - If it's not available, we put a placeholder: "No User Principal Name available".
+   * - `tid`: Tenant Identifier.
+   * - `oid`: Object Identifier of the authenticated user.
+   */
+  private logIdentifiers(response: PipelineResponse): void {
+    if (!this.allowLoggingAccountIdentifiers || !response.bodyAsText) {
+      return;
+    }
+    const unavailableUpn = "No User Principal Name available";
+    try {
+      const parsed = (response as any).parsedBody || JSON.parse(response.bodyAsText);
+      const accessToken = parsed.access_token;
+      if (!accessToken) {
+        // Without an access token allowLoggingAccountIdentifiers isn't useful.
+        return;
+      }
+      const { appid, upn, tid, oid } = JSON.parse(atob(accessToken.split(".")[1]));
+      logger.info(
+        `[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${
+          upn || unavailableUpn
+        }. Object ID (user): ${oid}`
+      );
+    } catch (e) {
+      logger.warning(
+        "allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:",
+        e.message
+      );
+    }
+  }
 }
@@ -39,6 +39,10 @@ export interface MsalNodeOptions extends MsalFlowOptions {
    * If the property is not specified, uses a non-regional authority endpoint.
    */
   regionalAuthority?: string;
+  /**
+   * Allows logging account information once the authentication flow succeeds.
+   */
+  allowLoggingAccountIdentifiers?: boolean;
 }
 
 /**
@@ -119,6 +123,7 @@ export abstract class MsalNode extends MsalBaseUtilities implements MsalFlow {
     this.identityClient = new IdentityClient({
       ...options.tokenCredentialOptions,
       authorityHost: authority,
+      allowLoggingAccountIdentifiers: options.allowLoggingAccountIdentifiers,
     });
 
     let clientCapabilities: string[] = ["cp1"];

@@ -14,4 +14,8 @@ export interface TokenCredentialOptions extends CommonClientOptions {
    * The default is "https://login.microsoftonline.com".
    */
   authorityHost?: string;
+  /**
+   * Allows logging account information once the authentication flow succeeds.
+   */
+  allowLoggingAccountIdentifiers?: boolean;
 }