
[Identity] Add allow_logging_account_identifiers to the credential options #23203

Closed

Description

This is a copy of the same issue in JS: Azure/azure-sdk-for-js#20502

Draft PR in JS: Azure/azure-sdk-for-js#20516


While investigating what sensitive logging to add to our credentials, we have determined that the most useful information we could log are the account identifiers after retrieving a token. This issue describes a flexible approach to add support to log the account information on our credentials.

Tasks:

  1. Add allow_logging_account_identifiers to the options of the credentials' constructors.
  2. Retrieve the account identifiers after authenticating.
     • Parse the first section of the access token after the `.` (which can be obtained with `access_token.split(".")[1]`), then extract the following properties: appid, upn, tid, oid.
  3. After a token is retrieved and the identifiers have been extracted, if allowLoggingAccountIdentifiers was set in the constructor of the credential, log a message similar to the following: `[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || "No User Principal Name available"}. Object ID (user): ${oid}.`
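The three steps above, worked through as an added Python example (not code from the azure-sdk-for-python repository or from the linked JS draft PR). The function names, the logger name `azure.identity`, and the sample token built by `make_sample_token` with a dummy signature segment are all assumptions made for this illustration. The parser only reads the payload claims; it does not verify the signature, which is acceptable here because the token was just handed to the credential by the token endpoint and the result is used for nothing but the opt-in log line.

```python
import base64
import json
import logging

# Assumed logger name for the example; the real SDK may use a different one.
logger = logging.getLogger("azure.identity")

# Claims the issue asks to extract from the token payload.
ACCOUNT_CLAIMS = ("appid", "upn", "tid", "oid")


def _b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment: base64url alphabet with padding stripped (RFC 7515)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT for demonstration only.

    The header and payload are real base64url segments; the signature segment is a
    fixed dummy string, so this token would never pass verification anywhere.
    """
    header = base64.urlsafe_b64encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()).rstrip(b"=")
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return b".".join([header, payload, b"dummysignature"]).decode()


def parse_account_identifiers(access_token: str) -> dict:
    """Return appid, upn, tid and oid from the payload (the segment after the first '.').

    Missing claims map to None. Raises ValueError on anything that is not a
    three-segment JWT with a JSON payload.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a three-segment JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    return {claim: payload.get(claim) for claim in ACCOUNT_CLAIMS}


def format_account_message(identifiers: dict) -> str:
    """Render the log line described in the issue, with the upn fallback text."""
    upn = identifiers.get("upn") or "No User Principal Name available"
    return (
        "[Authenticated account] Client ID: {appid}. Tenant ID: {tid}. "
        "User Principal Name: {upn}. Object ID (user): {oid}."
    ).format(
        appid=identifiers.get("appid"),
        tid=identifiers.get("tid"),
        upn=upn,
        oid=identifiers.get("oid"),
    )


def log_account_identifiers(access_token: str, allow_logging_account_identifiers: bool = False):
    """Log the account identifiers only when the credential option opted in.

    Returns the logged message, or None when logging is off or the token could not
    be parsed. Parse failures are downgraded to a warning on purpose: a logging aid
    must never turn a successful token acquisition into an error.
    """
    if not allow_logging_account_identifiers:
        return None
    try:
        identifiers = parse_account_identifiers(access_token)
    except ValueError as exc:  # binascii.Error and JSONDecodeError subclass ValueError
        logger.warning("Could not parse account identifiers from the access token: %s", exc)
        return None
    message = format_account_message(identifiers)
    logger.info(message)
    return message


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample claims; no upn, so the fallback text is used.
    token = make_sample_token({"appid": "app-id-example", "tid": "tenant-id-example", "oid": "object-id-example"})
    print(log_account_identifiers(token, allow_logging_account_identifiers=True))
```

The identifiers are logged only when the caller set the option, which keeps the default quiet and makes the choice to emit account-level detail an explicit one per credential. A token the parser cannot read produces a warning and `None` rather than an exception, so the credential still returns its token.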

What do you think? Feedback appreciated.
