
[Identity] Add `AllowLoggingAccountIdentifiers` to the credential options

Open sadasant opened this issue 3 years ago • 0 comments

This is a copy of the same issue in JS: https://github.com/Azure/azure-sdk-for-js/issues/20502

Draft PR in JS: https://github.com/Azure/azure-sdk-for-js/pull/20516


While investigating what sensitive logging to add to our credentials, we have determined that the most useful information we could log are the account identifiers after retrieving a token. This issue describes a flexible approach to add support to log the account information on our credentials.

Tasks:

  1. Add `AllowLoggingAccountIdentifiers` to the options of the credentials' constructors.
  2. Retrieve the account identifiers after authenticating.
     • Parse the first section of the access token after the `.` (which can be obtained with `access_token.split(".")[1]`), then extract the following properties: `appid`, `upn`, `tid`, `oid`.
  3. After a token is retrieved and the identifiers have been extracted, if `allowLoggingAccountIdentifiers` was set in the constructor of the credential, log a message similar to the following: `[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || "No User Principal Name available"}. Object ID (user): ${oid}.`
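The three steps above, carried through in C++ as an added example (this is not code from the issue, the JS draft PR, or azure-sdk-for-cpp itself). It splits the token on `.`, base64url-decodes the payload segment, pulls `appid`, `tid`, `oid` and the optional `upn`, and only builds the log line when the option is set. Assumptions: the claim lookup is a minimal `"name":"value"` scan standing in for the SDK's real JSON parser, and `MaybeLogAccount` / `MakeConstructedToken` are hypothetical names used here to exercise the flow, with the token in the usage being constructed rather than issued by any service. The payload is decoded, not verified: the credential has just received the token from the identity provider, so this is claim extraction for logging, not token validation, and the raw token never reaches the log line.

```cpp
#include <cstdint>
#include <cstring>
#include <optional>
#include <string>

// Base64url alphabet (RFC 4648 section 5); JWT segments use it without padding.
static const char* const kB64Url =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Encoder is only here to build the constructed demo token below.
static std::string Base64UrlEncode(const std::string& in) {
  std::string out;
  uint32_t buf = 0;
  int bits = 0;
  for (unsigned char c : in) {
    buf = (buf << 8) | c;
    bits += 8;
    while (bits >= 6) {
      bits -= 6;
      out.push_back(kB64Url[(buf >> bits) & 0x3F]);
    }
  }
  if (bits > 0) out.push_back(kB64Url[(buf << (6 - bits)) & 0x3F]);
  return out;
}

// Decode one unpadded base64url JWT segment; returns "" on an invalid character.
static std::string Base64UrlDecode(const std::string& in) {
  std::string out;
  uint32_t buf = 0;
  int bits = 0;
  for (char c : in) {
    if (c == '=') break;  // tolerate padded input
    const char* p = (c == '\0') ? nullptr : std::strchr(kB64Url, c);
    if (p == nullptr) return {};
    buf = (buf << 6) | static_cast<uint32_t>(p - kB64Url);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push_back(static_cast<char>((buf >> bits) & 0xFF));
    }
  }
  return out;
}

// Minimal scan for a top-level string claim `"name":"value"`. Enough for the
// flat Azure AD claim set used here (assumption: a real credential would use
// the SDK's JSON parser; numeric claims are not handled by this scan).
static std::optional<std::string> FindStringClaim(const std::string& json,
                                                  const std::string& name) {
  const std::string key = "\"" + name + "\"";
  size_t pos = json.find(key);
  if (pos == std::string::npos) return std::nullopt;
  pos = json.find(':', pos + key.size());
  if (pos == std::string::npos) return std::nullopt;
  pos = json.find('"', pos);
  if (pos == std::string::npos) return std::nullopt;
  size_t end = json.find('"', pos + 1);
  if (end == std::string::npos) return std::nullopt;
  return json.substr(pos + 1, end - pos - 1);
}

struct AccountIdentifiers {
  std::string appid, tid, oid;
  std::optional<std::string> upn;  // absent for service principals
};

// Step 2: take the segment between the first and second '.', decode it, and
// extract the four identifiers. No signature check is performed here.
static std::optional<AccountIdentifiers> ExtractAccountIdentifiers(
    const std::string& accessToken) {
  size_t first = accessToken.find('.');
  if (first == std::string::npos) return std::nullopt;
  size_t second = accessToken.find('.', first + 1);
  if (second == std::string::npos) return std::nullopt;
  std::string payload =
      Base64UrlDecode(accessToken.substr(first + 1, second - first - 1));
  if (payload.empty()) return std::nullopt;
  auto appid = FindStringClaim(payload, "appid");
  auto tid = FindStringClaim(payload, "tid");
  auto oid = FindStringClaim(payload, "oid");
  if (!appid || !tid || !oid) return std::nullopt;
  return AccountIdentifiers{*appid, *tid, *oid, FindStringClaim(payload, "upn")};
}

// Step 3: the message format from the issue; identifiers only, never the token.
static std::string FormatAccountLogMessage(const AccountIdentifiers& ids) {
  return "[Authenticated account] Client ID: " + ids.appid + ". Tenant ID: " +
         ids.tid + ". User Principal Name: " +
         ids.upn.value_or("No User Principal Name available") +
         ". Object ID (user): " + ids.oid + ".";
}

// Hypothetical credential-side hook: returns the line to log, or "" when the
// option is off or the token could not be parsed (nothing is logged then).
static std::string MaybeLogAccount(bool allowLoggingAccountIdentifiers,
                                   const std::string& accessToken) {
  if (!allowLoggingAccountIdentifiers) return {};
  auto ids = ExtractAccountIdentifiers(accessToken);
  return ids ? FormatAccountLogMessage(*ids) : std::string{};
}

// Constructed, unsigned demo token for exercising the flow offline.
static std::string MakeConstructedToken(const std::string& payloadJson) {
  return Base64UrlEncode("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." +
         Base64UrlEncode(payloadJson) + ".constructed-signature";
}
```

Because `MaybeLogAccount` returns an empty string whenever parsing fails, a malformed or non-JWT token degrades to "no log line" rather than to an exception on the authentication path, which is the behaviour you want from an opt-in diagnostic.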

What do you think? Feedback appreciated.

sadasant · Feb 24 '22 22:02