[QUESTION] Access token masking for OpenTelemetry Monitor

[dzejsien]

Library name and version

Azure.Monitor.OpenTelemetry.AspNetCore" Version="1.2.0"

Query/Question

Hi,

I have issue with the access token which is exposed in logs, for the SignalR related requests.

builder.Services.AddOpenTelemetry().UseAzureMonitor(options =>
{
    options.ConnectionString = appInsightsConnectionString;
});

In application insights, I can see access_token under "request" and "traces" tables.

I tried to write Processer, but no luck with that

public class MaskingTelemetryProcessor : BaseProcessor<Activity>
{
    public override void OnEnd(Activity data)
    {
        if (data.Kind == ActivityKind.Server)
        {
            var queryString = data.GetTagItem("url.query") as string;

            if (!string.IsNullOrEmpty(queryString) && queryString.Contains("access_token"))
            {
                Console.WriteLine(queryString);
                var queryParameters = System.Web.HttpUtility.ParseQueryString(queryString);

                if (queryParameters["access_token"] != null)
                {
                    queryParameters["access_token"] = "***";
                    data.SetTag("url.query", queryParameters.ToString());
                }
            }
        }

        base.OnEnd(data);

Please, help to understand how to filter out the access token.

Btw,
https://learn.microsoft.com/en-us/aspnet/core/signalr/security?view=aspnetcore-8.0#access-token-logging

Setting this to Warning doesn't help. Moreover, middleware is also not clear - as token is needed for SignalR to authenticate properly.

The thread was started in scope of SignalR, but was refused as "not related" to the SignalR's context.
Azure/azure-signalr#1770

Please advise. Thanks

Environment

net8
"Microsoft.AspNetCore.SignalR.Core" Version="1.2.0"

[github-actions]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @rajkumar-rangaraj @TimothyMothra.

[TimothyMothra]

Hi @dzejsien,
Can you please test this with the ConsoleExporter?

builder.Services.AddOpenTelemetry()
    .UseAzureMonitor()
    .WithTracing(builder => builder.AddConsoleExporter());

If you're getting the same behavior with the ConsoleExporter, then this isn't a problem with the AzureMonitor Exporter and we need to investigate the AspNetCore Instrumentation library. In that case, I would ask you to please open an issue here: https://github.com/open-telemetry/opentelemetry-dotnet-contrib

[dzejsien]

Hi @TimothyMothra ,

⚠️ I checked it only on my local env. I will double check it on azure again. Please do not close the ticket yet.

I set up the console exporter.
I needed to add package: OpenTelemetry.Exporter.Console Version="1.11.2"

Also, I configured the logs level to the warning, as indicated in the SignalR docs.

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning",
      "Microsoft.AspNetCore.Hosting": "Warning"
    }
  }

In console, I can see access_token

After adding the masking processor, console logs are correctly masked.

After, I changed a little bit the logging to:

 "Logging": {
   "LogLevel": {
     "Default": "Information",
     "Microsoft.AspNetCore": "Information",
     "Microsoft.AspNetCore.Hosting": "Warning"
   }
 }

I stopped seeing access_token in the console and in the app insights as well, which is much different behavior which I had before. I'm wondering if by adding the package OpenTelemetry.Exporter.Console Version="1.11.2" I have overridden the other, invalid package?

Next, I changed a little bit the logging to:

 "Logging": {
   "LogLevel": {
     "Default": "Information",
     "Microsoft.AspNetCore": "Information"
   }
 }

I can see, that requests are correctly masked, but traces still have access_token present. Any recommendation how to mask it there also by the Processor or something else?

Looks like, the solution works if (at least in local env, please wait for azure verification)

• Processor (Masking)
• "Microsoft.AspNetCore.Hosting": "Warning"

Question:

• is it possible to avoid "Microsoft.AspNetCore.Hosting": "Warning" and mask the traces via OTL-related component, like Processor or so?

[dzejsien]

Tested after the release to azure container apps - looks good :).
Please just help with the above question and feel free to close. Thanks.

[TimothyMothra]

Sorry, I don't understand the question.

It sounds like you've already confirmed that this behavior exists with the ConsoleExporter as well, confirming that this isn't a problem specifically with the AzureMonitorExporter. I think the next step should be to file an issue in the other repo for that community to take a look: https://github.com/open-telemetry/opentelemetry-dotnet-contrib

Please also share a minimal repro app that demonstrates the issue you're having.