Logging
Microsoft Identity Web integrates with the logging available in ASP.NET Core. Starting in Microsoft Identity Web v1.4.1, the MSAL.NET logs are also enabled to assist with troubleshooting and understanding any issues that occur during token acquisition. The Microsoft.IdentityModel logs are useful for troubleshooting token validation issues.

See the web API troubleshooting page.
To enable logging in Microsoft.Identity.Web, add this line to the `Logging` section of appsettings.json:

```json
"Microsoft.Identity": "Information"
```
Example appsettings.json snippet showing the line's location:

```json
{
  "AzureAd": {
    // Change to true to see PII, but beware privacy compliance, GDPR, etc.
    "EnablePiiLogging": false
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Identity": "Information"
    }
  }
  // ...
}
```
The `"Microsoft.Identity": "Information"` line enables the Microsoft.Identity.Web, MSAL.NET, and IdentityModel logs at the "Information" level.
MSAL.NET provides four log levels:

- Info - recommended setting for capturing the key parts of the authentication flow in MSAL.NET. For debugging and development. Use with caution in production due to high volume.
- Verbose - contains the most detailed messages. For debugging and development. Use with caution in production due to high volume.
- Warning - for abnormal or unexpected events. Typically includes conditions that don't cause the app to fail.
- Error - for errors and exceptions.
These log levels are mapped as follows in Microsoft.Identity.Web:

| ASP.NET Core log level | MSAL.NET log level |
|---|---|
| `Microsoft.Extensions.Logging.LogLevel.Information` | `Microsoft.Identity.Client.LogLevel.Info` |
| `Microsoft.Extensions.Logging.LogLevel.Debug` | `Microsoft.Identity.Client.LogLevel.Verbose` |
| `Microsoft.Extensions.Logging.LogLevel.Trace` | `Microsoft.Identity.Client.LogLevel.Verbose` |
| `Microsoft.Extensions.Logging.LogLevel.Warning` | `Microsoft.Identity.Client.LogLevel.Warning` |
| `Microsoft.Extensions.Logging.LogLevel.Error` | `Microsoft.Identity.Client.LogLevel.Error` |
| `Microsoft.Extensions.Logging.LogLevel.Critical` | `Microsoft.Identity.Client.LogLevel.Error` |
By default, MSAL.NET logging does not capture or log any PII (personally identifiable information) or OII (organizationally identifiable information). The library allows you to turn this on (see `EnablePiiLogging` below). By turning on PII or OII logging, the app takes responsibility for safely handling highly sensitive data and complying with any regulatory requirements, in particular GDPR.
To enable PII logs in Microsoft.Identity.Web, include the following in the `AzureAd` section of appsettings.json:

```json
"EnablePiiLogging": true
```

By default, this value is `false`.
When using the token cache serializers from Microsoft Identity Web in .NET Framework or .NET Core (outside ASP.NET Core), you can still benefit from the detailed token cache logs by adding the following code:

```csharp
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// more code here
// 'app' is the IConfidentialClientApplication built with ConfidentialClientApplicationBuilder.
app.AddDistributedTokenCache(services =>
{
    // In-memory IDistributedCache implementation; swap for Redis, SQL Server, etc. in production.
    services.AddDistributedMemoryCache();
    // Send the token cache's ILogger output to the console, with Debug as the minimum level.
    services.AddLogging(configure => configure.AddConsole())
        .Configure<LoggerFilterOptions>(options => options.MinLevel = Microsoft.Extensions.Logging.LogLevel.Debug);
});
// more code here
```
Setting the `LogLevel` to `Debug` provides the most verbose MSAL.NET and Microsoft Identity Web logs around the token cache.

See the sample on using the Microsoft Identity Web token cache serializers.
Logs help you understand MSAL.NET's behavior on the client side. To understand what's happening on the service side, the team needs a correlation ID, which traces an authentication request through the various back-end services.

The correlation ID can be obtained in three ways:

- From a successful auth result: `AuthenticationResult.CorrelationId`
- From a service exception: `MsalServiceException.CorrelationId`
- Provide your own correlation ID (a GUID).

You can specify your own correlation ID in Microsoft.Identity.Web through the `TokenAcquisitionOptions`. For example:
```csharp
public async Task<ActionResult> Details(int id)
{
    // The GUID that will tag this token request; generate it here or reuse one
    // already attached to the inbound request.
    Guid correlationId = Guid.NewGuid();

    var value = await _downstreamWebApi.CallWebApiForUserAsync<object, Todo>(
        ServiceName,
        null,
        options =>
        {
            options.HttpMethod = HttpMethod.Get;
            options.RelativePath = $"api/todolist/{id}";
            // Passed through to MSAL.NET, so the same ID shows up in the service-side logs.
            options.TokenAcquisitionOptions.CorrelationId = correlationId;
        });
    return View(value);
}
```
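The following is an added example, not code from the wiki or from the Microsoft Identity Web project, that ties the three ways of obtaining a correlation ID together: it supplies its own GUID through `TokenAcquisitionOptions`, reads the ID back from the `AuthenticationResult` on success and from the `MsalServiceException` on failure, and records it (together with the MSAL error code, but never the token or claims) so it can be handed to support and matched against service-side logs. It uses `ITokenAcquisition.GetAuthenticationResultForUserAsync` from Microsoft.Identity.Web; the class name `CorrelatedTokenAcquirer` and the scope values are assumptions made for the example.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;

// Added example (hypothetical class, not part of Microsoft Identity Web): acquires a
// token for the signed-in user while keeping control of the correlation ID end to end.
public class CorrelatedTokenAcquirer
{
    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly ILogger<CorrelatedTokenAcquirer> _logger;

    public CorrelatedTokenAcquirer(ITokenAcquisition tokenAcquisition,
                                   ILogger<CorrelatedTokenAcquirer> logger)
    {
        _tokenAcquisition = tokenAcquisition;
        _logger = logger;
    }

    // Returns the access token; 'correlationId' lets the caller reuse an ID that already
    // tags the inbound request (e.g. from a request header), otherwise a fresh GUID is minted.
    public async Task<string> GetTokenAsync(string[] scopes, Guid? correlationId = null)
    {
        Guid id = correlationId ?? Guid.NewGuid();

        // Way 3: provide your own correlation ID to MSAL.NET via TokenAcquisitionOptions.
        var options = new TokenAcquisitionOptions { CorrelationId = id };

        try
        {
            AuthenticationResult result = await _tokenAcquisition.GetAuthenticationResultForUserAsync(
                scopes,
                tokenAcquisitionOptions: options);

            // Way 1: the correlation ID from a successful result. Only non-sensitive
            // metadata is logged; the access token and claims are never written out.
            _logger.LogInformation(
                "Token acquired. CorrelationId={CorrelationId} ExpiresOn={ExpiresOn} Source={TokenSource}",
                result.CorrelationId, result.ExpiresOn, result.AuthenticationResultMetadata.TokenSource);

            return result.AccessToken;
        }
        catch (MsalServiceException ex)
        {
            // Way 2: the correlation ID from a service exception. This is the value to quote
            // when asking the service team to trace the request through the back-end.
            _logger.LogError(ex,
                "Token acquisition failed. ErrorCode={ErrorCode} CorrelationId={CorrelationId}",
                ex.ErrorCode, ex.CorrelationId);
            throw;
        }
    }
}

// Usage from a controller or service that has the acquirer injected (scope value assumed):
//   string token = await acquirer.GetTokenAsync(new[] { "user.read" });
```

Keeping the ID stable across the inbound request, the MSAL.NET call and your own log entries is what makes the client-side logs and the service-side trace line up; generating a new GUID per call is fine, but pass the same one to every token request made on behalf of a single incoming request.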