While investigating what sensitive logging to add to our credentials, we have determined that the most useful information we could log are the account identifiers after retrieving a token. This issue describes a flexible approach to add support to log the account information on our credentials.
Tasks:
- Add `allow_logging_account_identifiers` to the options of the credentials' constructors.
- Retrieve the account identifiers after authenticating.
- Parse the first section of the access token after the `.` (which can be obtained with `access_token.split(".")[1]`), then extract the following properties: `appid`, `upn`, `tid`, `oid`.
- After a token is retrieved and the identifiers have been extracted, if `allowLoggingAccountIdentifiers` was set in the constructor of the credential, log a message similar to the following: `[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || "No User Principal Name available"}. Object ID (user): ${oid}.`
What do you think? Feedback appreciated.
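The steps above, worked through as an added example (not code from the issue author or from the azure-sdk-for-python credentials). It decodes the second dot-separated segment of a compact JWT with base64url (restoring the stripped padding), pulls out `appid`, `upn`, `tid` and `oid`, builds the proposed log line, and gates the whole thing on the opt-in flag. The function names, the `azure.identity` logger name and the sample token built by `make_sample_token` are assumptions; the decode performs no signature validation, which is fine here because the claims are only used to describe the account in a log line, not to make an authorization decision.

```python
import base64
import json
import logging

# Logger name is an assumption for this example.
logger = logging.getLogger("azure.identity")

ACCOUNT_CLAIMS = ("appid", "upn", "tid", "oid")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def extract_account_identifiers(access_token: str) -> dict:
    """Return appid/upn/tid/oid from the payload (the section after the first '.').

    Raises ValueError if the token is not a three-part compact JWT or the
    payload is not valid base64url-encoded JSON.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a compact-serialized JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    # Missing claims map to None so the caller can substitute a fallback text.
    return {name: claims.get(name) for name in ACCOUNT_CLAIMS}


def format_account_log_message(ids: dict) -> str:
    # Mirrors `${upn || "No User Principal Name available"}` from the proposal.
    upn = ids.get("upn") or "No User Principal Name available"
    return (
        f"[Authenticated account] Client ID: {ids.get('appid')}. "
        f"Tenant ID: {ids.get('tid')}. "
        f"User Principal Name: {upn}. "
        f"Object ID (user): {ids.get('oid')}."
    )


def log_account_identifiers(access_token: str, allow_logging_account_identifiers: bool = False):
    """Log the account identifiers only when the credential opted in.

    Returns the logged message, or None when logging was disabled or the token
    could not be parsed (a parse failure must never break authentication).
    """
    if not allow_logging_account_identifiers:
        return None
    try:
        ids = extract_account_identifiers(access_token)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        logger.debug("Could not parse access token to extract account identifiers")
        return None
    message = format_account_log_message(ids)
    logger.info(message)
    return message


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    token = make_sample_token(
        {"appid": "00000000-0000-0000-0000-000000000001",
         "tid": "00000000-0000-0000-0000-0000000000aa",
         "oid": "00000000-0000-0000-0000-0000000000bb"}
    )
    # Disabled by default: nothing is logged.
    assert log_account_identifiers(token) is None
    # Opted in: the message is emitted with the fallback text for the missing upn.
    print(log_account_identifiers(token, allow_logging_account_identifiers=True))
```

Because the identifiers are treated as sensitive, the default of the flag is off and the parse step is wrapped so a malformed or non-JWT token only produces a debug line rather than an exception from inside `get_token`.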
sadasant changed the title from "[Identity] Add allowLoggingAccountIdentifiers to the credential options" to "[Identity] Add allow_logging_account_identifiers to the credential options" on Feb 24, 2022.
This is a copy of the same issue in JS: Azure/azure-sdk-for-js#20502
Draft PR in JS: Azure/azure-sdk-for-js#20516