Fix for 3000 - improve errors around credentials loading

Author: bgavrilMS

src/Microsoft.Identity.Web.Certificate/DefaultCredentialsLoader.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Threading;
@@ -10,11 +11,34 @@
 
 namespace Microsoft.Identity.Web
 {
+
     /// <summary>
     /// Default credentials loader.
     /// </summary>
     public class DefaultCredentialsLoader : ICredentialsLoader
     {
+        /// <summary>
+        /// Logging infrastructure
+        /// </summary>
+        private static class Logger
+        {
+            public static void CredentialLoadingFailure(ILogger? logger, CredentialDescription cd, Exception? ex)
+            {
+                if (logger != null && logger.IsEnabled(LogLevel.Information))
+                {
+                    __CredentialLoadingFailure(logger, cd.Id, cd.CredentialType.ToString(), cd.Skip, ex);
+                }
+            }
+
+            private static readonly Action<ILogger, string, string, bool, Exception?> __CredentialLoadingFailure =
+                LoggerMessage.Define<string, string, bool>(
+                    LogLevel.Information,
+                    new EventId(
+                        7,
+                        nameof(CredentialLoadingFailure)),
+            "Failed to load credential {id} from source {sourceType}. Will it be skipped in the future ? {skip}.");
+        }
+
         ILogger<DefaultCredentialsLoader>? _logger;
         private readonly ConcurrentDictionary<string, SemaphoreSlim> _loadingSemaphores = new ConcurrentDictionary<string, SemaphoreSlim>();
 
@@ -32,7 +56,7 @@ public DefaultCredentialsLoader(ILogger<DefaultCredentialsLoader>? logger)
                 { CredentialSource.StoreWithThumbprint, new StoreWithThumbprintCertificateLoader() },
                 { CredentialSource.StoreWithDistinguishedName, new StoreWithDistinguishedNameCertificateLoader() },
                 { CredentialSource.Base64Encoded, new Base64EncodedCertificateLoader() },
-                { CredentialSource.SignedAssertionFromManagedIdentity, new SignedAssertionFromManagedIdentityCredentialLoader() },
+                { CredentialSource.SignedAssertionFromManagedIdentity, new SignedAssertionFromManagedIdentityCredentialLoader(_logger) },
                 { CredentialSource.SignedAssertionFilePath, new SignedAssertionFilePathCredentialsLoader(_logger) }
             };
         }
@@ -51,7 +75,8 @@ public DefaultCredentialsLoader() : this(null)
         public IDictionary<CredentialSource, ICredentialSourceLoader> CredentialSourceLoaders { get; }
 
         /// <inheritdoc/>
-        /// Load the credentials from the description, if needed.
+        /// Load the credentials from the description, if needed. 
+        /// Important: Ignores SKIP flag, propagates exceptions.
         public async Task LoadCredentialsIfNeededAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters? parameters = null)
         {
             _ = Throws.IfNull(credentialDescription);
@@ -69,7 +94,17 @@ public async Task LoadCredentialsIfNeededAsync(CredentialDescription credentialD
                     if (credentialDescription.CachedValue == null)
                     {
                         if (CredentialSourceLoaders.TryGetValue(credentialDescription.SourceType, out ICredentialSourceLoader? loader))
-                            await loader.LoadIfNeededAsync(credentialDescription, parameters);
+                        {
+                            try
+                            {
+                                await loader.LoadIfNeededAsync(credentialDescription, parameters);
+                            }
+                            catch (Exception ex)
+                            {
+                                Logger.CredentialLoadingFailure(_logger, credentialDescription, ex);
+                                throw;
+                            }
+                        }
                     }
                 }
                 finally
@@ -81,11 +116,18 @@ public async Task LoadCredentialsIfNeededAsync(CredentialDescription credentialD
         }
 
         /// <inheritdoc/>
-        public async Task<CredentialDescription?> LoadFirstValidCredentialsAsync(IEnumerable<CredentialDescription> credentialDescriptions, CredentialSourceLoaderParameters? parameters = null)
+        /// Loads first valid credential which is not marked as Skipped. 
+        public async Task<CredentialDescription?> LoadFirstValidCredentialsAsync(
+            IEnumerable<CredentialDescription> credentialDescriptions, 
+            CredentialSourceLoaderParameters? parameters = null)
         {
             foreach (var credentialDescription in credentialDescriptions)
             {
                 await LoadCredentialsIfNeededAsync(credentialDescription, parameters);
+
+                // TODO:  Exceptions which occur in trying various credentials are logged and ignored.
+                // is this really intended behavior? This is different from WithClientCredentialsAsync
+
                 if (!credentialDescription.Skip)
                 {
                     return credentialDescription;
@@ -107,6 +149,5 @@ public void ResetCredentials(IEnumerable<CredentialDescription> credentialDescri
                 }
             }
         }
-
     }
 }

src/Microsoft.Identity.Web.Certificate/SignedAssertionFilePathCredentialsLoader.cs

@@ -36,13 +36,14 @@ public async Task LoadIfNeededAsync(CredentialDescription credentialDescription,
                 {
                     // Given that managed identity can be not available locally, we need to try to get a
                     // signed assertion, and if it fails, move to the next credentials
-                    _= await signedAssertion!.GetSignedAssertionAsync(null);
+                    _ = await signedAssertion!.GetSignedAssertionAsync(null);
                     credentialDescription.CachedValue = signedAssertion;
                 }
                 catch (Exception)
                 {
                     credentialDescription.Skip = true;
-                }
+                    throw;
+                }                
             }
         }
     }

src/Microsoft.Identity.Web.Certificate/SignedAssertionFromManagedIdentityCredentialLoader.cs

@@ -4,12 +4,21 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Azure.Identity;
+using Microsoft.Extensions.Logging;
 using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Client;
 
 namespace Microsoft.Identity.Web
 {
     internal class SignedAssertionFromManagedIdentityCredentialLoader : ICredentialSourceLoader
     {
+        private ILogger<DefaultCredentialsLoader>? _logger;
+
+        public SignedAssertionFromManagedIdentityCredentialLoader(ILogger<DefaultCredentialsLoader>? logger)
+        {
+            _logger = logger;
+        }
+
         public CredentialSource CredentialSource => CredentialSource.SignedAssertionFromManagedIdentity;
 
         public async Task LoadIfNeededAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters? credentialSourceLoaderParameters)
@@ -19,16 +28,19 @@ public async Task LoadIfNeededAsync(CredentialDescription credentialDescription,
                 ManagedIdentityClientAssertion? managedIdentityClientAssertion = credentialDescription.CachedValue as ManagedIdentityClientAssertion;
                 if (credentialDescription.CachedValue == null)
                 {
-                    managedIdentityClientAssertion = new ManagedIdentityClientAssertion(credentialDescription.ManagedIdentityClientId, credentialDescription.TokenExchangeUrl);
+                    managedIdentityClientAssertion = new ManagedIdentityClientAssertion(
+                        credentialDescription.ManagedIdentityClientId, 
+                        credentialDescription.TokenExchangeUrl,
+                        _logger);
                 }
                 try
                 {
                     // Given that managed identity can be not available locally, we need to try to get a
                     // signed assertion, and if it fails, move to the next credentials
-                    _= await managedIdentityClientAssertion!.GetSignedAssertionAsync(null);
+                    _ = await managedIdentityClientAssertion!.GetSignedAssertionAsync(null);
                     credentialDescription.CachedValue = managedIdentityClientAssertion;
                 }
-                catch (AuthenticationFailedException)
+                catch (MsalServiceException)
                 {
                     credentialDescription.Skip = true;
                     throw;

src/Microsoft.Identity.Web.Certificateless/ManagedIdentityClientAssertion.cs

@@ -3,6 +3,7 @@
 
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Client.AppConfig;
 using Microsoft.Identity.Web.Certificateless;
@@ -16,21 +17,27 @@ public class ManagedIdentityClientAssertion : ClientAssertionProviderBase
     {
         IManagedIdentityApplication _managedIdentityApplication;
         private readonly string _tokenExchangeUrl;
+        private readonly ILogger? _logger;
 
         /// <summary>
         /// See https://aka.ms/ms-id-web/certificateless.
         /// </summary>
         /// <param name="managedIdentityClientId">Optional ClientId of the Managed Identity</param>
-        public ManagedIdentityClientAssertion(string? managedIdentityClientId)
+        public ManagedIdentityClientAssertion(string? managedIdentityClientId) : 
+            this (managedIdentityClientId, null)
         {
-            var id = ManagedIdentityId.SystemAssigned;
-            if (!string.IsNullOrEmpty(managedIdentityClientId))
-            {
-                id = ManagedIdentityId.WithUserAssignedClientId(managedIdentityClientId);
-            }
+           
+        }
 
-            _managedIdentityApplication = ManagedIdentityApplicationBuilder.Create(id).Build();           
-            _tokenExchangeUrl = CertificatelessConstants.DefaultTokenExchangeUrl;
+        /// <summary>
+        /// See https://aka.ms/ms-id-web/certificateless.
+        /// </summary>
+        /// <param name="managedIdentityClientId">Optional ClientId of the Managed Identity</param>
+        /// <param name="tokenExchangeUrl">Optional audience of the token to be requested from Managed Identity. Default value is "api://AzureADTokenExchange". 
+        /// This value is different on clouds other than Azure Public</param>
+        public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl) : 
+            this (managedIdentityClientId, tokenExchangeUrl, null)
+        {
         }
 
         /// <summary>
@@ -39,9 +46,26 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId)
         /// <param name="managedIdentityClientId">Optional ClientId of the Managed Identity</param>
         /// <param name="tokenExchangeUrl">Optional audience of the token to be requested from Managed Identity. Default value is "api://AzureADTokenExchange". 
         /// This value is different on clouds other than Azure Public</param>
-        public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl) : this (managedIdentityClientId)
+        /// <param name="logger">A logger</param>
+        public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? tokenExchangeUrl, ILogger? logger)          
         {
             _tokenExchangeUrl = tokenExchangeUrl ?? CertificatelessConstants.DefaultTokenExchangeUrl;
+            _logger = logger;
+
+            var id = ManagedIdentityId.SystemAssigned;
+            if (!string.IsNullOrEmpty(managedIdentityClientId))
+            {
+                id = ManagedIdentityId.WithUserAssignedClientId(managedIdentityClientId);
+            }
+            var builder = ManagedIdentityApplicationBuilder.Create(id);
+            if (_logger != null)
+            {
+                builder.WithLogging(Log, ConvertMicrosoftExtensionsLogLevelToMsal(_logger));
+                _logger?.LogInformation($"ManagedIdentityClientAssertion with tokenExchangeUrl={_tokenExchangeUrl}");
+            }
+
+            _managedIdentityApplication = builder.Build();
+            _tokenExchangeUrl = CertificatelessConstants.DefaultTokenExchangeUrl;
         }
 
         /// <summary>
@@ -52,11 +76,62 @@ public ManagedIdentityClientAssertion(string? managedIdentityClientId, string? t
         protected override async Task<ClientAssertion> GetClientAssertionAsync(AssertionRequestOptions? assertionRequestOptions)
         {
             var result = await _managedIdentityApplication
-                .AcquireTokenForManagedIdentity(_tokenExchangeUrl)
+                .AcquireTokenForManagedIdentity(_tokenExchangeUrl)                
                 .ExecuteAsync(assertionRequestOptions?.CancellationToken ?? CancellationToken.None)
                 .ConfigureAwait(false);
 
             return new ClientAssertion(result.AccessToken, result.ExpiresOn);
         }
+
+        private void Log(
+         Client.LogLevel level,
+         string message,
+         bool containsPii)
+        {
+            switch (level)
+            {
+                case Client.LogLevel.Always:
+                    _logger.LogInformation(message);
+                    break;
+                case Client.LogLevel.Error:
+                    _logger.LogError(message);
+                    break;
+                case Client.LogLevel.Warning:
+                    _logger.LogWarning(message);
+                    break;
+                case Client.LogLevel.Info:
+                    _logger.LogInformation(message);
+                    break;
+                case Client.LogLevel.Verbose:
+                    _logger.LogDebug(message);
+                    break;
+            }
+        }
+
+        private Client.LogLevel? ConvertMicrosoftExtensionsLogLevelToMsal(ILogger logger)
+        {
+            if (logger.IsEnabled(Microsoft.Extensions.Logging.LogLevel.Debug)
+                || logger.IsEnabled(Microsoft.Extensions.Logging.LogLevel.Trace))
+            {
+                return Client.LogLevel.Verbose;
+            }
+            else if (logger.IsEnabled(Microsoft.Extensions.Logging.LogLevel.Information))
+            {
+                return Client.LogLevel.Info;
+            }
+            else if (logger.IsEnabled(Microsoft.Extensions.Logging.LogLevel.Warning))
+            {
+                return Client.LogLevel.Warning;
+            }
+            else if (logger.IsEnabled(Microsoft.Extensions.Logging.LogLevel.Error)
+                || logger.IsEnabled(Microsoft.Extensions.Logging.LogLevel.Critical))
+            {
+                return Client.LogLevel.Error;
+            }
+            else
+            {
+                return null;
+            }
+        }
     }
 }

src/Microsoft.Identity.Web.TokenAcquisition/ConfidentialClientApplicationBuilderExtension.Logger.cs

@@ -3,6 +3,7 @@
 
 using System;
 using Microsoft.Extensions.Logging;
+using Microsoft.Identity.Abstractions;
 
 namespace Microsoft.Identity.Web
 {
@@ -40,6 +41,62 @@ internal static class Logger
                     LoggingEventId.UsingCertThumbprint,
                     "[MsIdWeb] Using certificate Thumbprint={certThumbprint} as client credentials. ");
 
+            private static readonly Action<ILogger, string, string, Exception?> s_credentialAttempt =
+                LoggerMessage.Define<string, string>(
+                    LogLevel.Information,
+                    LoggingEventId.CredentialLoadAttempt,
+                    "[MsIdWeb] Attempting to load the credential from the CredentialDescription with Id={Id} and Skip={Skip} . ");
+
+            private static readonly Action<ILogger, string, string, Exception?> s_credentialAttemptFailed =
+                LoggerMessage.Define<string, string>(
+                LogLevel.Information,
+                LoggingEventId.CredentialLoadAttemptFailed,
+                "[MsIdWeb] Loading the credential from CredentialDescription Id={Id} failed. Will the credential be re-attempted? - {Skip}.");
+
+            /// <summary>
+            /// Logger for attempting to use a CredentialDescription with MSAL
+            /// </summary>
+            /// <param name="logger"></param>
+            /// <param name="certificateDescription"></param>
+            /// <param name="ex"></param>
+            public static void AttemptToLoadCredentialsFailed(
+                ILogger logger,
+                CredentialDescription certificateDescription, 
+                Exception ex) =>
+                    s_credentialAttemptFailed(
+                        logger,
+                        certificateDescription.Id,
+                        certificateDescription.Skip.ToString(),
+                        ex);
+
+            /// <summary>
+            /// Logger for attempting to use a CredentialDescription with MSAL
+            /// </summary>
+            /// <param name="logger"></param>
+            /// <param name="certificateDescription"></param>
+            public static void AttemptToLoadCredentials(
+                ILogger logger,
+                CredentialDescription certificateDescription) => 
+                    s_credentialAttempt(
+                        logger, 
+                        certificateDescription.Id, 
+                        certificateDescription.Skip.ToString(), 
+                        default!);
+
+            /// <summary>
+            /// Logger for attempting to use a CredentialDescription with MSAL
+            /// </summary>
+            /// <param name="logger"></param>
+            /// <param name="certificateDescription"></param>
+            public static void FailedToLoadCredentials(
+                ILogger logger,
+                CredentialDescription certificateDescription) =>
+                    s_credentialAttemptFailed(
+                        logger,
+                        certificateDescription.Id,
+                        certificateDescription.Skip.ToString(),
+                        default!);
+
             /// <summary>
             /// Logger for handling information specific to ConfidentialClientApplicationBuilderExtension.
             /// </summary>