Skip to content

Auth configuration logging with redaction for sensitive values#444

Draft
rodrigobr-msft wants to merge 3 commits into
mainfrom
users/robrandao/startup-logging
Draft

Auth configuration logging with redaction for sensitive values#444
rodrigobr-msft wants to merge 3 commits into
mainfrom
users/robrandao/startup-logging

Conversation

@rodrigobr-msft

Copy link
Copy Markdown
Contributor

This pull request introduces several improvements and fixes across configuration loading, authentication, and logging utilities, with a focus on better handling of sensitive information and more robust type checks. The most important changes are summarized below.

Authentication and Logging Utilities

  • Added a new _utils.py module in microsoft_agents.authentication.msal containing helper functions for redacting sensitive information (strings, URLs, scopes) and for logging summarized authentication configuration in a safe way. This includes _redact_str, _redact_url, _redact_scopes, and _log_config functions.
  • Integrated the new logging utility into MsalConnectionManager, ensuring that authentication configurations and connection maps are logged in a redacted and summarized format during initialization. [1] [2] [3]

Configuration and Type Handling

  • Improved type safety for the CONNECTIONSMAP field in both the configuration loader and MsalConnectionManager, ensuring it is always a list (not a dict), and raising a ValueError if the type is incorrect. [1] [2]
  • In the OAuth authorization handler, ensured that the handler configuration dictionary always defaults to an empty dictionary and that the auth_type argument defaults to an empty string instead of None.

Testing and Miscellaneous

  • Added comprehensive tests for the new redaction utility functions to verify correct behavior for various input scenarios.
  • Removed unnecessary debug logging from AgentApplication initialization and a redundant logging setup from the empty_agent.py test sample. [1] [2]
  • Cleaned up an unused import in agent_application.py.

These changes collectively improve the security, reliability, and maintainability of configuration and authentication handling in the codebase.

Copilot AI review requested due to automatic review settings July 7, 2026 17:03
@rodrigobr-msft rodrigobr-msft linked an issue Jul 7, 2026 that may be closed by this pull request

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves authentication/configuration logging by introducing redaction utilities for MSAL auth configuration, tightening CONNECTIONSMAP typing/defaults, and reducing noisy debug logging in samples and core app initialization.

Changes:

  • Add MSAL redaction/logging helpers and integrate them into MsalConnectionManager initialization logging.
  • Make CONNECTIONSMAP consistently default to a list and add runtime type validation in MsalConnectionManager.
  • Minor config-handling adjustments in OAuth authorization plus cleanup of sample/core debug logging; add tests for the new redaction helpers.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
tests/authentication_msal/test_utils.py Adds tests validating redaction behavior for strings, URLs, and scopes.
test_samples/app_style/empty_agent.py Removes redundant logging setup from a sample.
libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/app/oauth/authorization.py Adjusts handler config defaults when building OAuth auth handlers.
libraries/microsoft-agents-hosting-core/microsoft_agents/hosting/core/app/agent_application.py Removes debug logging during AgentApplication initialization and drops an unused import.
libraries/microsoft-agents-authentication-msal/microsoft_agents/authentication/msal/msal_connection_manager.py Adds config logging + stricter CONNECTIONSMAP default/type checks.
libraries/microsoft-agents-authentication-msal/microsoft_agents/authentication/msal/_utils.py Introduces redaction + safe config summarization/logging helpers.
libraries/microsoft-agents-activity/microsoft_agents/activity/config/_load_configuration.py Changes default CONNECTIONSMAP return type to an empty list.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +140 to +154
obj = {
"CONNECTION": mapping.get("CONNECTION", ""),
}

if "AUDIENCE" in mapping:
obj["AUDIENCE"] = mapping["AUDIENCE"]

if "SERVICEURL" in mapping:

service_url = mapping.get("SERVICEURL", "").strip()
if service_url != "*":
service_url = _redact_url(service_url)

connections_map_output.append(mapping)

Comment on lines +79 to +83
try:
url_parsed = urlparse(url)
return f"{url_parsed.scheme}://{url_parsed.netloc}/..."
except:
return "..."
Comment on lines +126 to +128
IDPM_RESOURCE=SkipNone(_redact_url_or_none(config.IDPM_RESOURCE)),
AZURE_REGION=SkipNone(_redact_url_or_none(config.AZURE_REGION)),
ANNONYMOUS_ALLOWED=str(config.ANONYMOUS_ALLOWED),
Comment on lines +12 to +17
from microsoft_agents.hosting.core import (
AgentAuthConfiguration,
AccessTokenProviderBase,
ClaimsIdentity,
Connections,
)
Comment on lines +4 to +10
import logging

from typing import Any

from ._configure_logging import _configure_logging

logger = logging.getLogger(__name__)
Comment on lines +86 to +94
handlers_config: dict[str, dict] = auth_configuration.get("HANDLERS", {})
auth_handlers = {
handler_name: AuthHandler(
name=handler_name,
auth_type=config.get("TYPE", ""),
**config.get("SETTINGS", {}),
)
for handler_name, config in handlers_config.items()
}
Comment on lines +43 to +48
self._connections_map = connections_map or kwargs.get("CONNECTIONSMAP", [])
if not isinstance(self._connections_map, list) or (
len(self._connections_map) > 0
and not isinstance(self._connections_map[0], dict)
):
raise ValueError("CONNECTIONSMAP must be a list of dictionaries.")
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add logging for app startup configuration

2 participants