Description
msal 4.37
error message from AAD
{
  "error": "invalid_scope",
  "error_description": "AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope https://example.contoso.com/activity.read is not valid.\r\nTrace ID: 255d1aef-8c98-452f-ac51-23d051240864\r\nCorrelation ID: fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7\r\nTimestamp: 2016-01-09 02:02:12Z",
  "error_codes": [
    70011
  ],
  "timestamp": "2016-01-09 02:02:12Z",
  "trace_id": "255d1aef-8c98-452f-ac51-23d051240864",
  "correlation_id": "fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7",
  "error_uri": "https://login.microsoftonline.com/error?code=70011"
}
Everything here is safe to log except for the error description, because it contains the scope, which can contain OIID (they can create the scope name).
Everything including the error messages is safe to show to the end user – it’s very important to do that if you’re not logging the error messages, since that gives the end user something to send back to you.
You can use the error_uri that’s included in many errors to get safe (information-stripped) error messages.
https://login.microsoftonline.com/error?code=500581 It’s currently manual today to prevent it from getting swamped.
Please never ever code against error messages (the specific code numbers) – we are constantly . Always do code against the error field, and the suberror that we include but do not yet document…
Lookup current error code information
Error codes and messages are subject to change. For the most current info, take a look at the https://login.microsoftonline.com/error page to find AADSTS error descriptions, fixes, and some suggested workarounds.
For example, if you received the error code "AADSTS50058" then do a search in https://login.microsoftonline.com/error for "50058". You can also link directly to a specific error by adding the error code number to the URL: https://login.microsoftonline.com/error?code=50058.
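The handling rules described in this issue, as an added example that is not part of the original post or of MSAL: the log record drops `error_description`, the user still sees it together with the correlation ID, and branching uses only the `error` field. The function name, the `ACTIONS` policy and its action labels are hypothetical; the sample response is constructed from the one quoted above.

```python
import json

# Fields the text above calls safe to log. error_description is left out
# because it echoes the caller-chosen scope name.
LOGGABLE = ("error", "suberror", "error_codes", "timestamp",
            "trace_id", "correlation_id", "error_uri")

# Hypothetical handling policy keyed on the OAuth `error` field, never on
# the numeric AADSTS code or the description text.
ACTIONS = {
    "invalid_scope": "fix_request",
    "invalid_request": "fix_request",
    "invalid_grant": "reauthenticate",
    "interaction_required": "reauthenticate",
}

# Constructed sample modelled on the response quoted above.
SAMPLE = json.dumps({
    "error": "invalid_scope",
    "error_description": "AADSTS70011: The provided value for the input "
        "parameter 'scope' is not valid. The scope "
        "https://example.contoso.com/activity.read is not valid.",
    "error_codes": [70011],
    "timestamp": "2016-01-09 02:02:12Z",
    "trace_id": "255d1aef-8c98-452f-ac51-23d051240864",
    "correlation_id": "fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7",
    "error_uri": "https://login.microsoftonline.com/error?code=70011",
})


def handle_token_error(raw_body):
    """Split a token-endpoint error into (log_record, user_message, action)."""
    try:
        body = json.loads(raw_body)
    except (TypeError, ValueError):
        body = None
    if not isinstance(body, dict):
        # Not the expected shape: log nothing taken from the body itself.
        return {"error": "unparseable_response"}, "Sign-in failed.", "fail"
    log_record = {k: body[k] for k in LOGGABLE if k in body}
    # The description goes to the user only, with the correlation ID so they
    # have something to send back to support.
    user_message = "{} (correlation ID: {})".format(
        body.get("error_description", "Sign-in failed."),
        body.get("correlation_id", "n/a"))
    err = body.get("error")
    action = ACTIONS.get(err, "fail") if isinstance(err, str) else "fail"
    return log_record, user_message, action
```

Unknown `error` values fall through to `fail`, so a new server-side error code or reworded description does not change control flow.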