[Bug] MSAL exceptions should not have PII #3788

AMaini503 · 2022-11-03T18:48:04Z

Which version of MSAL.NET are you using?
Assembly Microsoft.Identity.Client, Version=4.47.1.0,

Platform
WPF

What authentication flow has the issue?

Desktop
- Interactive
- Integrated Windows Authentication
- Username Password
- Device code flow (browserless)

Not sure. The app tries to acquire the token silently and AcquireTokenSilent throws an MsalUiRequiredException.

Other?
The issue is that the exception message accessed through System.Exception.Message.ToStirng() contains PII: the email ID of the user.
e.g. (Message: (Could not find a WAM account for the selected user [[email protected]]. Status: AccountNotFound Context: Account with id '(pii)' not found Tag: some-hex-number)).

Some information is scrubbed '(pii)' but not the email id of the user.

Is this a new or existing app?
b. The app is in production, I haven't upgraded MSAL, but started seeing this issue.

Repro

var builder = PublicClientApplicationBuilder.Create(s_clientId)
                    .WithBrokerPreview(true)
                    .WithAuthority(authority)
                    .WithDefaultRedirectUri()
                    .WithLogging(OnMsalLoggingInvoked, LogLevel.Warning, enablePiiLogging: false, enableDefaultPlatformLogging: false);

public class ExceptionLogging
{
        public static string GetExceptionMessage(Exception _ex)
        {
            return $"(Message: ({_ex.Message.ToString()}))";
        }
}


try
{
    AuthenticationResult result = await s_clientApp.AcquireTokenSilent(scope, account)
                        .WithCorrelationId(correlationId)
                        .ExecuteAsync();
    ....
}
catch (MsalUiRequiredException ex)
{
    Log(ExceptionLogging.GetExceptionMessage(ex));
}

Expected behavior
With enablePiiLogging set to false, email ID should be scrubbed in the exception message.

Actual behavior
Email ID is not scrubbed in the exception message.

bgavrilMS · 2022-11-04T13:59:53Z

Fix is to remove PII from that particular message and to review all other exceptions comming from RuntimeBroker.cs

AMaini503 · 2022-11-04T21:24:22Z

@bgavrilMS Is your comment addressed to me or to the developers?

Are you saying the PII needs to be filtered by me manually or will this be addressed in MSAL.NET?

bgavrilMS · 2022-11-04T22:48:34Z

@AMaini503 - comment is addressed to MSAL developers, not to you. We will fix this.

bgavrilMS added this to the 4.49.0 milestone Nov 3, 2022

bgavrilMS added bug P2 labels Nov 3, 2022

bgavrilMS changed the title ~~[Bug] Is there a way to get a scrubbed exception message from MsalUiRequiredException object/~~ [Bug] MSAL exceptions should not have PII Nov 3, 2022

bgavrilMS added the WAM label Nov 4, 2022

bgavrilMS mentioned this issue Nov 4, 2022

[Feature Request] GA the WAM Integration with MSAL C++ Interop / Runtime #3375

Closed

23 tasks

gladjohn self-assigned this Nov 23, 2022

gladjohn added this to MSAL Customer Trust / QM Nov 26, 2022

gladjohn moved this to Triage in MSAL Customer Trust / QM Nov 26, 2022

gladjohn moved this from Triage to In Progress in MSAL Customer Trust / QM Nov 26, 2022

bgavrilMS self-assigned this Dec 13, 2022

bgavrilMS mentioned this issue Dec 14, 2022

Fix PII messages #3865

Merged

bgavrilMS closed this as completed in #3865 Dec 15, 2022

Repository owner moved this from In Progress to Fixed in MSAL Customer Trust / QM Dec 15, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug] MSAL exceptions should not have PII #3788

[Bug] MSAL exceptions should not have PII #3788

AMaini503 commented Nov 3, 2022

bgavrilMS commented Nov 4, 2022

AMaini503 commented Nov 4, 2022

bgavrilMS commented Nov 4, 2022

[Bug] MSAL exceptions should not have PII #3788

[Bug] MSAL exceptions should not have PII #3788

Comments

AMaini503 commented Nov 3, 2022

bgavrilMS commented Nov 4, 2022

AMaini503 commented Nov 4, 2022

bgavrilMS commented Nov 4, 2022