@azure/identity 2.1.0-alpha.20220315.2 → 2.1.0-alpha.20220318.2

package/CHANGELOG.md

@@ -4,6 +4,9 @@
 
 ### Features Added
 
+- All of our credentials now support a new option on their constructor: `loggingOptions`, which allows configuring the logging options of the HTTP pipelines.
+- Within the new `loggingOptions` we have also added `allowLoggingAccountIdentifiers`, a property that if set to true logs information specific to the authenticated account after each successful authentication, including: the Client ID, the Tenant ID, the Object ID of the authenticated user, and if possible the User Principal Name.
+
 ### Breaking Changes
 
 ### Bugs Fixed

package/dist/index.js

@@ -367,7 +367,7 @@ function getIdentityClientAuthorityHost(options) {
  */
 class IdentityClient extends coreClient.ServiceClient {
     constructor(options) {
-        var _a;
+        var _a, _b;
         const packageDetails = `azsdk-js-identity/2.1.0-beta.2`;
         const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
             ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
@@ -383,6 +383,7 @@ class IdentityClient extends coreClient.ServiceClient {
             }, baseUri }));
         this.authorityHost = baseUri;
         this.abortControllers = new Map();
+        this.allowLoggingAccountIdentifiers = (_b = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b === void 0 ? void 0 : _b.allowLoggingAccountIdentifiers;
     }
     async sendTokenRequest(request, expiresOnParser) {
         logger$j.info(`IdentityClient: sending token request to [${request.url}]`);
@@ -397,6 +398,7 @@ class IdentityClient extends coreClient.ServiceClient {
             if (!parsedBody.access_token) {
                 return null;
             }
+            this.logIdentifiers(response);
             const token = {
                 accessToken: {
                     token: parsedBody.access_token,
@@ -518,6 +520,7 @@ class IdentityClient extends coreClient.ServiceClient {
             abortSignal: this.generateAbortSignal(noCorrelationId),
         });
         const response = await this.sendRequest(request);
+        this.logIdentifiers(response);
         return {
             body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
             headers: response.headers.toJSON(),
@@ -534,12 +537,45 @@ class IdentityClient extends coreClient.ServiceClient {
             abortSignal: this.generateAbortSignal(this.getCorrelationId(options)),
         });
         const response = await this.sendRequest(request);
+        this.logIdentifiers(response);
         return {
             body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
             headers: response.headers.toJSON(),
             status: response.status,
         };
     }
+    /**
+     * If allowLoggingAccountIdentifiers was set on the constructor options
+     * we try to log the account identifiers by parsing the received access token.
+     *
+     * The account identifiers we try to log are:
+     * - `appid`: The application or Client Identifier.
+     * - `upn`: User Principal Name.
+     *   - It might not be available in some authentication scenarios.
+     *   - If it's not available, we put a placeholder: "No User Principal Name available".
+     * - `tid`: Tenant Identifier.
+     * - `oid`: Object Identifier of the authenticated user.
+     */
+    logIdentifiers(response) {
+        if (!this.allowLoggingAccountIdentifiers || !response.bodyAsText) {
+            return;
+        }
+        const unavailableUpn = "No User Principal Name available";
+        try {
+            const parsed = response.parsedBody || JSON.parse(response.bodyAsText);
+            const accessToken = parsed.access_token;
+            if (!accessToken) {
+                // Without an access token allowLoggingAccountIdentifiers isn't useful.
+                return;
+            }
+            const base64Metadata = accessToken.split(".")[1];
+            const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
+            logger$j.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
+        }
+        catch (e) {
+            logger$j.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
+        }
+    }
 }
 
 // Copyright (c) Microsoft Corporation.
@@ -978,7 +1014,7 @@ class MsalNode extends MsalBaseUtilities {
         const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
         this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
         const authority = getAuthority(tenantId, this.authorityHost);
-        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority }));
+        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
         let clientCapabilities = ["cp1"];
         if (process.env.AZURE_IDENTITY_DISABLE_CP1) {
             clientCapabilities = [];