Auth configuration logging with redaction for sensitive values#444
Draft
rodrigobr-msft wants to merge 3 commits into
Draft
Auth configuration logging with redaction for sensitive values#444rodrigobr-msft wants to merge 3 commits into
rodrigobr-msft wants to merge 3 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves authentication/configuration logging by introducing redaction utilities for MSAL auth configuration, tightening CONNECTIONSMAP typing/defaults, and reducing noisy debug logging in samples and core app initialization.
Changes:
- Add MSAL redaction/logging helpers and integrate them into
MsalConnectionManagerinitialization logging. - Make
CONNECTIONSMAPconsistently default to a list and add runtime type validation inMsalConnectionManager. - Minor config-handling adjustments in OAuth authorization plus cleanup of sample/core debug logging; add tests for the new redaction helpers.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/authentication_msal/test_utils.py | Adds tests validating redaction behavior for strings, URLs, and scopes. |
| test_samples/app_style/empty_agent.py | Removes redundant logging setup from a sample. |
| libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/app/oauth/authorization.py | Adjusts handler config defaults when building OAuth auth handlers. |
| libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/app/agent_application.py | Removes debug logging during AgentApplication initialization and drops an unused import. |
| libraries/microsoft-agents-authentication-msal/microsoft_agents/authentication/msal/msal_connection_manager.py | Adds config logging + stricter CONNECTIONSMAP default/type checks. |
| libraries/microsoft-agents-authentication-msal/microsoft_agents/authentication/msal/_utils.py | Introduces redaction + safe config summarization/logging helpers. |
| libraries/microsoft-agents-activity/microsoft_agents/activity/config/_load_configuration.py | Changes default CONNECTIONSMAP return type to an empty list. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+140
to
+154
| obj = { | ||
| "CONNECTION": mapping.get("CONNECTION", ""), | ||
| } | ||
|
|
||
| if "AUDIENCE" in mapping: | ||
| obj["AUDIENCE"] = mapping["AUDIENCE"] | ||
|
|
||
| if "SERVICEURL" in mapping: | ||
|
|
||
| service_url = mapping.get("SERVICEURL", "").strip() | ||
| if service_url != "*": | ||
| service_url = _redact_url(service_url) | ||
|
|
||
| connections_map_output.append(mapping) | ||
|
|
Comment on lines
+79
to
+83
| try: | ||
| url_parsed = urlparse(url) | ||
| return f"{url_parsed.scheme}://{url_parsed.netloc}/..." | ||
| except: | ||
| return "..." |
Comment on lines
+126
to
+128
| IDPM_RESOURCE=SkipNone(_redact_url_or_none(config.IDPM_RESOURCE)), | ||
| AZURE_REGION=SkipNone(_redact_url_or_none(config.AZURE_REGION)), | ||
| ANNONYMOUS_ALLOWED=str(config.ANONYMOUS_ALLOWED), |
Comment on lines
+12
to
+17
| from microsoft_agents.hosting.core import ( | ||
| AgentAuthConfiguration, | ||
| AccessTokenProviderBase, | ||
| ClaimsIdentity, | ||
| Connections, | ||
| ) |
Comment on lines
+4
to
+10
| import logging | ||
|
|
||
| from typing import Any | ||
|
|
||
| from ._configure_logging import _configure_logging | ||
|
|
||
| logger = logging.getLogger(__name__) |
Comment on lines
+86
to
+94
| handlers_config: dict[str, dict] = auth_configuration.get("HANDLERS", {}) | ||
| auth_handlers = { | ||
| handler_name: AuthHandler( | ||
| name=handler_name, | ||
| auth_type=config.get("TYPE", ""), | ||
| **config.get("SETTINGS", {}), | ||
| ) | ||
| for handler_name, config in handlers_config.items() | ||
| } |
Comment on lines
+43
to
+48
| self._connections_map = connections_map or kwargs.get("CONNECTIONSMAP", []) | ||
| if not isinstance(self._connections_map, list) or ( | ||
| len(self._connections_map) > 0 | ||
| and not isinstance(self._connections_map[0], dict) | ||
| ): | ||
| raise ValueError("CONNECTIONSMAP must be a list of dictionaries.") |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces several improvements and fixes across configuration loading, authentication, and logging utilities, with a focus on better handling of sensitive information and more robust type checks. The most important changes are summarized below.
Authentication and Logging Utilities
_utils.pymodule inmicrosoft_agents.authentication.msalcontaining helper functions for redacting sensitive information (strings, URLs, scopes) and for logging summarized authentication configuration in a safe way. This includes_redact_str,_redact_url,_redact_scopes, and_log_configfunctions.MsalConnectionManager, ensuring that authentication configurations and connection maps are logged in a redacted and summarized format during initialization. [1] [2] [3]Configuration and Type Handling
CONNECTIONSMAPfield in both the configuration loader andMsalConnectionManager, ensuring it is always a list (not a dict), and raising aValueErrorif the type is incorrect. [1] [2]auth_typeargument defaults to an empty string instead ofNone.Testing and Miscellaneous
AgentApplicationinitialization and a redundant logging setup from theempty_agent.pytest sample. [1] [2]agent_application.py.These changes collectively improve the security, reliability, and maintainability of configuration and authentication handling in the codebase.