Use IIdentityLogger for MSAL logging in TokenAcquisition and ManagedIdentityClientAssertion (#3820)#3880
Conversation
…dentityClientAssertion Route MSAL's internal logging through IdentityLoggerAdapter (the IIdentityLogger overload of WithLogging) instead of the legacy LogCallback. Previously the whole MSAL log line (version, platform, correlation id, message) was flattened into a single unstructured ILogger message and the log-level threshold was computed manually. IdentityLoggerAdapter preserves per-entry log levels and lets ILogger own filtering, matching the pattern already used for Wilson logging in MicrosoftIdentityBaseAuthenticationBuilder. Removes the now-unused Log callback and ConvertMicrosoftExtensionsLogLevelToMsal helpers in both types, and adds the Microsoft.IdentityModel.LoggingExtensions package reference to the Certificateless project. Fixes AzureAD#3820 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
trwalke
left a comment
There was a problem hiding this comment.
The log level we use in MSAL is slightly different from the one used in IdWeb since IdWeb used the standard .Net log levels. will this translation still happen correctly?
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/logging/?view=aspnetcore-10.0#log-level
|
Good question — there are two hops now (MSAL
4/5 are identical. Only |
Pinned [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web) at 4.11.0. <details> <summary>Release notes</summary> _Sourced from [Microsoft.Identity.Web's releases](https://github.com/AzureAD/microsoft-identity-web/releases)._ ## 4.11.0 ## What's Changed * Bump vitest from 3.2.4 to 4.1.0 in /tests/DevApps/SidecarAdapter/typescript by @dependabot[bot] in AzureAD/microsoft-identity-web#3836 * Bump MSAL.NET to 4.84.2 and align OWIN binding redirects by @gladjohn with @Copilot in AzureAD/microsoft-identity-web#3844 * docs(design): devex proposal for mTLS PoP on Managed Identity and FIC by @gladjohn in AzureAD/microsoft-identity-web#3832 * Prevent OpenIdConnectMiddlewareDiagnostics from logging sensitive values by @iarekk in AzureAD/microsoft-identity-web#3850 * Add MSI mTLS PoP support: pure MI + FIC-with-MI (impl for devex #3832) by @gladjohn in AzureAD/microsoft-identity-web#3839 * docs(design): devex proposal for Bearer tokens with bound credentials by @gladjohn in AzureAD/microsoft-identity-web#3833 * Add bound-credential support for Bearer tokens (cert + mTLS) by @gladjohn in AzureAD/microsoft-identity-web#3835 * Upgrade IdWeb Sidecar to .NET 10 (LTS) by @soodt in AzureAD/microsoft-identity-web#3841 * MTLS Without Tokens Support - MicrosoftIdentityMessageHandler Support by @tlupes in AzureAD/microsoft-identity-web#3815 * fix: include isTokenBinding in CCA cache key to prevent bearer/PoP collision by @gladjohn in AzureAD/microsoft-identity-web#3867 * Test + doc: x-ms-tokenboundauth header for AKV mTLS PoP via ExtraHeaderParameters by @gladjohn in AzureAD/microsoft-identity-web#3864 * Add mTLS PoP Copilot skill (certificate, MSI, FIC) by @gladjohn in AzureAD/microsoft-identity-web#3872 * Fix CVE-2026-48109: Pin MessagePack to patched version 2.5.301 by @soodt in AzureAD/microsoft-identity-web#3865 * Sidecar: gate agent identity parameters behind AllowOverrides by @iNinja in AzureAD/microsoft-identity-web#3871 * Bump System.Formats.Asn1 base version to 10.0.2 by @iarekk in AzureAD/microsoft-identity-web#3875 * Bump Microsoft.IdentityModel.* from 8.18.0 to 8.19.1 by @iarekk in AzureAD/microsoft-identity-web#3879 * Use IIdentityLogger for MSAL logging in TokenAcquisition and ManagedIdentityClientAssertion (#3820) by @neha-bhargava in AzureAD/microsoft-identity-web#3880 * Update Microsoft.Identity.Abstractions to 12.2.0 and MSAL to 4.85.0 by @neha-bhargava in AzureAD/microsoft-identity-web#3881 * Surface MSAL AuthenticationResultMetadata + exception details on AcquireTokenResult by @neha-bhargava in AzureAD/microsoft-identity-web#3856 * Flow outgoing request to header providers via AcquireTokenOptions by @neha-bhargava in AzureAD/microsoft-identity-web#3876 * Throw on Authority vs Instance/TenantId conflict (OIDC + MSAL parity) by @iarekk in AzureAD/microsoft-identity-web#3873 * Delete .github/workflows/evergreen.yml by @bgavrilMS in AzureAD/microsoft-identity-web#3803 * Add comprehensive authority configuration and precedence documentation by @jmprieur with @Copilot in AzureAD/microsoft-identity-web#3617 * Bump js-yaml from 4.1.1 to 4.2.0 in /tests/DevApps/SidecarAdapter/typescript by @dependabot[bot] in AzureAD/microsoft-identity-web#3862 * Move authority docs into docs/authority-configuration/ subfolder by @iarekk in AzureAD/microsoft-identity-web#3885 * Revert "Throw on Authority vs Instance/TenantId conflict (#3873)" by @iarekk in AzureAD/microsoft-identity-web#3888 * Update Microsoft.Identity.Client to 4.85.1 by @neha-bhargava in AzureAD/microsoft-identity-web#3889 * Enable E2E test coverage on internal Azure DevOps pipelines by @gladjohn in AzureAD/microsoft-identity-web#3883 * Bump esbuild and tsx in /tests/DevApps/SidecarAdapter/typescript by @dependabot[bot] in AzureAD/microsoft-identity-web#3859 * Skip AcquireTokenWithMtlsPop test: AAD westus3 test slice returns Bearer by @neha-bhargava in AzureAD/microsoft-identity-web#3892 ## New Contributors * @iarekk made their first contribution in AzureAD/microsoft-identity-web#3850 * @soodt made their first contribution in AzureAD/microsoft-identity-web#3841 **Full Changelog**: AzureAD/microsoft-identity-web@4.10.0...4.11.0 Commits viewable in [compare view](AzureAD/microsoft-identity-web@4.10.0...4.11.0). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Summary
Fixes #3820.
TokenAcquisitionandManagedIdentityClientAssertionconfigured MSAL's internal logging via the legacyWithLogging(LogCallback, …)overload. That callback hands back a single pre-formatted string, so the entire MSAL log line (MSAL version, runtime, OS, correlation id, message) was flattened into one unstructuredILoggermessage, and the log-level threshold was computed up front by a hand-rolledConvertMicrosoftExtensionsLogLevelToMsalhelper.This PR switches all MSAL logging configuration to the
IIdentityLoggeroverload, passingIdentityLoggerAdapterfromMicrosoft.IdentityModel.LoggingExtensions— the same adapter IdentityWeb already uses for Wilson logging inMicrosoftIdentityBaseAuthenticationBuilder. MSAL now emits each log entry at its proper level andILoggerowns the filtering.Changes
TokenAcquisition.cs(confidential client build) — usenew IdentityLoggerAdapter(_logger).TokenAcquisition.ManagedIdentity.cs(managed identity build) — usenew IdentityLoggerAdapter(_logger).ManagedIdentityClientAssertion.cs(Certificateless) — usenew IdentityLoggerAdapter(_logger); added theMicrosoft.IdentityModel.LoggingExtensionspackage reference to the project.Logcallbacks andConvertMicrosoftExtensionsLogLevelToMsalhelpers from both types.Notes / out of scope
ManagedIdentityClientAssertion's log entries carry the source contextMicrosoft.Identity.Web.DefaultCertificateLoader. That comes from theILoggercategory supplied by the caller that constructs the assertion, not from the logging API used here, so it is intentionally left out of this change. Happy to follow up separately if a dedicated category is desired.Testing
Microsoft.Identity.Web.TokenAcquisitionandMicrosoft.Identity.Web.Certificatelessbuild clean (0 warnings) across all target frameworks.Microsoft.Identity.Web.Testbuilds clean; no existing tests referenced the removed private helpers.