[Identity] enable support logging (#26462)

Azure · Aug 10, 2023 · f8e37e5 · f8e37e5
1 parent 01af2d3
commit f8e37e5
Show file tree

Hide file tree

Showing 9 changed files with 62 additions and 5 deletions.
diff --git a/sdk/identity/identity/CHANGELOG.md b/sdk/identity/identity/CHANGELOG.md
@@ -1,5 +1,16 @@
 # Release History
 
+## 3.3.0 (2023-08-10)
+
+### Features Added
+-  Enabled support for logging [personally identifiable information](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/PII), required for customer support through the `enableSupportLogging` option on `loggingOptions` under `TokenCredentialOptions`.
+- Continuous Access Evaluation (CAE) is now configurable per-request by setting the `enable_cae` keyword argument to `True` in `get_token`. This applies to user credentials and service principal credentials. ([#26614](https://github.com/Azure/azure-sdk-for-js/pull/26614))
+
+### Breaking Changes
+- CP1 client capabilities for CAE is no longer always-on by default for user credentials. This capability will now be configured as-needed in each `getToken` request by each SDK.  ([#26614](https://github.com/Azure/azure-sdk-for-js/pull/26614))
+  - Suffixes are now appended to persistent cache names to indicate whether CAE or non-CAE tokens are stored in the cache. This is to prevent CAE and non-CAE tokens from being mixed/overwritten in the same cache. This could potentially cause issues if you are trying to share the same cache between applications that are using different versions of the Azure Identity library as each application would be reading from a different cache file.
+  - Since CAE is no longer always enabled for user-credentials, the `AZURE_IDENTITY_DISABLE_CP1` environment variable is no longer supported.
+
 ## 3.2.4 (2023-07-21)
 
 ### Bug Fixes

diff --git a/sdk/identity/identity/README.md b/sdk/identity/identity/README.md
@@ -342,7 +342,7 @@ Object ID of the authenticated user, and if possible the User Principal Name.
 
 For example, using the `DefaultAzureCredential`:
 
-```js
+```ts
 import { setLogLevel } from "@azure/logger";
 
 setLogLevel("info");
@@ -358,6 +358,21 @@ Once that credential authenticates, the following message will appear in the log
 azure:identity:info [Authenticated account] Client ID: HIDDEN. Tenant ID: HIDDEN. User Principal Name: HIDDEN. Object ID (user): HIDDEN
 ```
 
+In cases where the user's [Personally Identifiable Information](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/PII) needs to be logged for customer support, developers can set `enableSupportLogging` to true in the
+`loggingOptions`.
+
+For example, using the `DefaultAzureCredential`:
+
+```ts
+import { setLogLevel } from "@azure/logger";
+
+setLogLevel("info");
+
+const credential = new DefaultAzureCredential({
+  loggingOptions: { enableSupportLogging: true },
+});
+```
+
 For assistance with troubleshooting, see the [troubleshooting guide](https://aka.ms/azsdk/js/identity/troubleshoot).
 
 ## Next steps

diff --git a/sdk/identity/identity/package.json b/sdk/identity/identity/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@azure/identity",
   "sdk-type": "client",
-  "version": "3.2.4",
+  "version": "3.3.0",
   "description": "Provides credential implementations for Azure SDK libraries that can authenticate with Azure Active Directory",
   "main": "dist/index.js",
   "module": "dist-esm/src/index.js",

diff --git a/sdk/identity/identity/review/identity.api.md b/sdk/identity/identity/review/identity.api.md
@@ -365,6 +365,7 @@ export interface TokenCredentialOptions extends CommonClientOptions {
     authorityHost?: string;
     loggingOptions?: LogPolicyOptions & {
         allowLoggingAccountIdentifiers?: boolean;
+        enableUnsafeSupportLogging?: boolean;
     };
 }
 

diff --git a/sdk/identity/identity/src/constants.ts b/sdk/identity/identity/src/constants.ts
@@ -5,7 +5,7 @@
  * Current version of the `@azure/identity` package.
  */
 
-export const SDK_VERSION = `3.2.4`;
+export const SDK_VERSION = `3.3.0`;
 
 /**
  * The default client ID for authentication

diff --git a/sdk/identity/identity/src/msal/browserFlows/msalAuthCode.ts b/sdk/identity/identity/src/msal/browserFlows/msalAuthCode.ts
@@ -40,6 +40,7 @@ export class MSALAuthCode extends MsalBrowser {
       loggerOptions: {
         loggerCallback: defaultLoggerCallback(this.logger, "Browser"),
         logLevel: getMSALLogLevel(getLogLevel()),
+        piiLoggingEnabled: options.loggingOptions?.enableUnsafeSupportLogging,
       },
     };
 

diff --git a/sdk/identity/identity/src/msal/browserFlows/msalBrowserCommon.ts b/sdk/identity/identity/src/msal/browserFlows/msalBrowserCommon.ts
@@ -16,6 +16,7 @@ import { BrowserLoginStyle } from "../../credentials/interactiveBrowserCredentia
 import { CredentialFlowGetTokenOptions } from "../credentials";
 import { DefaultTenantId } from "../../constants";
 import { MultiTenantTokenCredentialOptions } from "../../credentials/multiTenantTokenCredentialOptions";
+import { LogPolicyOptions } from "@azure/core-rest-pipeline";
 
 /**
  * Union of the constructor parameters that all MSAL flow types take.
@@ -26,6 +27,19 @@ export interface MsalBrowserFlowOptions extends MsalFlowOptions {
   redirectUri?: string;
   loginStyle: BrowserLoginStyle;
   loginHint?: string;
+  /**
+   * Allows users to configure settings for logging policy options, allow logging account information and personally identifiable information for customer support.
+   */
+  loggingOptions?: LogPolicyOptions & {
+    /**
+     * Allows logging account information once the authentication flow succeeds.
+     */
+    allowLoggingAccountIdentifiers?: boolean;
+    /**
+     * Allows logging personally identifiable information for customer support.
+     */
+    enableUnsafeSupportLogging?: boolean;
+  };
 }
 
 /**

diff --git a/sdk/identity/identity/src/msal/nodeFlows/msalNodeCommon.ts b/sdk/identity/identity/src/msal/nodeFlows/msalNodeCommon.ts
@@ -45,10 +45,17 @@ export interface MsalNodeOptions extends MsalFlowOptions {
    */
   regionalAuthority?: string;
   /**
-   * Allows logging account information once the authentication flow succeeds.
+   * Allows users to configure settings for logging policy options, allow logging account information and personally identifiable information for customer support.
    */
   loggingOptions?: LogPolicyOptions & {
+    /**
+     * Allows logging account information once the authentication flow succeeds.
+     */
     allowLoggingAccountIdentifiers?: boolean;
+    /**
+     * Allows logging personally identifiable information for customer support.
+     */
+    enableUnsafeSupportLogging?: boolean;
   };
 }
 
@@ -187,6 +194,7 @@ export abstract class MsalNode extends MsalBaseUtilities implements MsalFlow {
         loggerOptions: {
           loggerCallback: defaultLoggerCallback(options.logger),
           logLevel: getMSALLogLevel(getLogLevel()),
+          piiLoggingEnabled: options.loggingOptions?.enableUnsafeSupportLogging,
         },
       },
     };

diff --git a/sdk/identity/identity/src/tokenCredentialOptions.ts b/sdk/identity/identity/src/tokenCredentialOptions.ts
@@ -16,9 +16,16 @@ export interface TokenCredentialOptions extends CommonClientOptions {
    */
   authorityHost?: string;
   /**
-   * Allows logging account information once the authentication flow succeeds.
+   * Allows users to configure settings for logging policy options, allow logging account information and personally identifiable information for customer support.
    */
   loggingOptions?: LogPolicyOptions & {
+    /**
+     * Allows logging account information once the authentication flow succeeds.
+     */
     allowLoggingAccountIdentifiers?: boolean;
+    /**
+     * Allows logging personally identifiable information for customer support.
+     */
+    enableUnsafeSupportLogging?: boolean;
   };
 }