
[QUESTION] Access token masking for OpenTelemetry Monitor

Open dzejsien opened this issue 8 months ago • 5 comments

Library name and version

"Azure.Monitor.OpenTelemetry.AspNetCore" Version="1.2.0"

Query/Question

Hi,

I have an issue with the access token, which is exposed in logs for the SignalR-related requests.

builder.Services.AddOpenTelemetry().UseAzureMonitor(options =>
{
    options.ConnectionString = appInsightsConnectionString;
});

In Application Insights, I can see access_token under the "request" and "traces" tables.

I tried to write a Processor<Activity>, but no luck with that.

using System;
using System.Diagnostics;
using OpenTelemetry;

public class MaskingTelemetryProcessor : BaseProcessor<Activity>
{
    public override void OnEnd(Activity data)
    {
        // Only incoming (server) requests carry the SignalR query string.
        if (data.Kind == ActivityKind.Server)
        {
            var queryString = data.GetTagItem("url.query") as string;

            if (!string.IsNullOrEmpty(queryString) && queryString.Contains("access_token"))
            {
                // Debug output: this prints the query string before it is masked.
                Console.WriteLine(queryString);
                var queryParameters = System.Web.HttpUtility.ParseQueryString(queryString);

                if (queryParameters["access_token"] != null)
                {
                    // Replace the token value and write the query string back to the span.
                    queryParameters["access_token"] = "***";
                    data.SetTag("url.query", queryParameters.ToString());
                }
            }
        }

        base.OnEnd(data);
    }
}

Please help me understand how to filter out the access token.

Btw, https://learn.microsoft.com/en-us/aspnet/core/signalr/security?view=aspnetcore-8.0#access-token-logging

Setting this to Warning doesn't help. Moreover, the middleware is also not clear, as the token is needed for SignalR to authenticate properly.

The thread was started in the scope of SignalR, but was refused as "not related" to SignalR's context. https://github.com/Azure/azure-signalr/issues/1770

Please advise. Thanks

Environment

net8 "Microsoft.AspNetCore.SignalR.Core" Version="1.2.0"

dzejsien avatar Mar 27 '25 13:03 dzejsien
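A variant of the masking processor from the post above, as an added example that is not part of the original issue or of the Azure SDK. It masks the value with a regular expression instead of re-serializing the query through `ParseQueryString`, so the match is case-insensitive, a leading `?` is tolerated and the other parameters stay byte-for-byte unchanged. The names `AccessTokenRedactionProcessor` and `AddAccessTokenRedaction` are hypothetical, and it covers only the `url.query` span tag discussed in the post.

```csharp
using System.Diagnostics;
using System.Text.RegularExpressions;
using Microsoft.Extensions.DependencyInjection;
using OpenTelemetry;
using OpenTelemetry.Trace;

// Hypothetical processor (added example): masks the access_token value in the
// url.query tag of server spans and leaves every other parameter untouched.
public sealed class AccessTokenRedactionProcessor : BaseProcessor<Activity>
{
    // Group 1: start of string, '?' or '&'. Group 2: the parameter name and '='.
    // The value runs up to the next '&' or '#'. Percent-encoded parameter
    // names (for example access%5Ftoken) are not matched by this pattern.
    private static readonly Regex TokenParam = new(
        @"(^|[?&])(access_token=)[^&#]*",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant | RegexOptions.Compiled);

    // Pure helper so the masking can be unit-tested without a running host.
    public static string Redact(string query) =>
        TokenParam.Replace(query, "${1}${2}***");

    public override void OnEnd(Activity activity)
    {
        if (activity.Kind == ActivityKind.Server &&
            activity.GetTagItem("url.query") is string query &&
            query.Length > 0)
        {
            string redacted = Redact(query);
            if (redacted != query)
            {
                // SetTag overwrites the existing url.query value.
                activity.SetTag("url.query", redacted);
            }
        }

        base.OnEnd(activity);
    }
}

public static class AccessTokenRedactionExtensions
{
    // Hypothetical helper: call it before AddOpenTelemetry().UseAzureMonitor(...)
    // so the processor is added ahead of the exporter's processor.
    public static IServiceCollection AddAccessTokenRedaction(this IServiceCollection services) =>
        services.ConfigureOpenTelemetryTracerProvider(
            (sp, tracing) => tracing.AddProcessor(new AccessTokenRedactionProcessor()));
}
```

With the constructed input `?id=abc&Access_Token=eyJ.constructed.sample&transport=webSockets`, `Redact` returns `?id=abc&Access_Token=***&transport=webSockets`.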

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @rajkumar-rangaraj @TimothyMothra.

github-actions[bot] avatar Mar 27 '25 19:03 github-actions[bot]

Hi @dzejsien, Can you please test this with the ConsoleExporter?

builder.Services.AddOpenTelemetry()
    .UseAzureMonitor()
    .WithTracing(builder => builder.AddConsoleExporter());

If you're getting the same behavior with the ConsoleExporter, then this isn't a problem with the AzureMonitor Exporter and we need to investigate the AspNetCore Instrumentation library. In that case, I would ask you to please open an issue here: https://github.com/open-telemetry/opentelemetry-dotnet-contrib

TimothyMothra avatar Apr 01 '25 22:04 TimothyMothra

Hi @TimothyMothra ,

:warning: I checked it only on my local env. I will double-check it on Azure again. Please do not close the ticket yet.

I set up the console exporter. I needed to add the package: OpenTelemetry.Exporter.Console Version="1.11.2"

Also, I configured the log level to Warning, as indicated in the SignalR docs.

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning",
      "Microsoft.AspNetCore.Hosting": "Warning"
    }
  }
}

In the console, I can see access_token

Image

After adding the masking processor, console logs are correctly masked.

Image

Afterwards, I changed the logging a little bit to:

 "Logging": {
   "LogLevel": {
     "Default": "Information",
     "Microsoft.AspNetCore": "Information",
     "Microsoft.AspNetCore.Hosting": "Warning"
   }
 }

I stopped seeing access_token in the console and in App Insights as well, which is much different behavior from what I had before. I'm wondering if by adding the package OpenTelemetry.Exporter.Console Version="1.11.2" I have overridden the other, invalid package?

Image

Next, I changed the logging a little bit to:

 "Logging": {
   "LogLevel": {
     "Default": "Information",
     "Microsoft.AspNetCore": "Information"
   }
 }

I can see that requests are correctly masked, but traces still have access_token present. Any recommendation on how to mask it there as well, with the Processor or something else?

Image

It looks like the solution works with (at least in the local env, please wait for Azure verification):

  • Processor (Masking)
  • "Microsoft.AspNetCore.Hosting": "Warning"

Question:

  • Is it possible to avoid "Microsoft.AspNetCore.Hosting": "Warning" and mask the traces via an OTel-related component, like a Processor or so?

dzejsien avatar Apr 02 '25 09:04 dzejsien

Tested after the release to Azure Container Apps - looks good :). Please just help with the above question and feel free to close. Thanks.

dzejsien avatar Apr 02 '25 11:04 dzejsien

Sorry, I don't understand the question.

It sounds like you've already confirmed that this behavior exists with the ConsoleExporter as well, confirming that this isn't a problem specifically with the AzureMonitorExporter. I think the next step should be to file an issue in the other repo for that community to take a look: https://github.com/open-telemetry/opentelemetry-dotnet-contrib

Please also share a minimal repro app that demonstrates the issue you're having.

TimothyMothra avatar Apr 02 '25 22:04 TimothyMothra