Improved OBO logging and added OBO observability to SESSION_CONTEXT #3192

Open
anushakolan wants to merge 3 commits into main from dev/anushakolan/obo-correlation

@anushakolan anushakolan commented Mar 4, 2026

Why make this change?

Closes #3125

  1. Adds OBO (On-Behalf-Of) observability improvements for debugging and auditing user-delegated authentication flows.
  2. Enables end-to-end tracing from DAB application logs to SQL Server queries using OpenTelemetry correlation IDs.
  3. Provides SQL-side visibility into which user and tenant executed a query when using user-delegated auth.

What is this change?

  1. Enhanced OBO Token Logging (OboSqlTokenProvider.cs)
    • Added structured logging with EventType field for easier log filtering and analysis
    • Included traceId in all OBO-related log messages to enable correlation with distributed traces
    • Event types added: OboValidationFailed, OboTokenCacheMiss, OboTokenAcquired, OboTokenCacheHit
  2. SESSION_CONTEXT Observability Values (MsSqlQueryExecutor.cs)
    Added the following values to SQL Server SESSION_CONTEXT when set-session-context is enabled:
    • dab.trace_id - OpenTelemetry TraceId (set when Activity is present)
    • dab.span_id - OpenTelemetry SpanId (set when Activity is present)
    • dab.auth_type - Auth type indicator, value: obo (set when user-delegated auth is enabled)
    • dab.user_id - User identifier from oid claim, falls back to sub claim (set when user-delegated auth is enabled)
    • dab.tenant_id - Azure AD tenant ID from tid claim (set when user-delegated auth is enabled)

How was this tested?

Unit Tests

  1. GetSessionParamsQuery_IncludesAllObservabilityValues_WhenActivityAndOboEnabled
  2. GetSessionParamsQuery_ExcludesCorrelationIds_WhenNoActivity

Manual E2E Testing

  • Deployed to Azure Container App with Azure SQL Database
  • Verified OBO token logging in container logs with traceId correlation
  • Verified SESSION_CONTEXT values via stored procedure (dbo.GetSessionContext)
  • Confirmed correlation between container logs and SQL SESSION_CONTEXT values
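
As an added example (not code from this PR or from DAB), the T-SQL below shows one way the SESSION_CONTEXT keys listed in the description can be consumed on the SQL side: an audit trigger stamps each write with the trace and identity values, so a traceId from the application logs can be pivoted to the rows it touched. The table and trigger names, the column sizes, and the values set with sp_set_session_context are constructed for illustration.

```sql
-- Added example: hypothetical schema; only the dab.* key names come from the PR description.
CREATE TABLE dbo.Orders (
    OrderId int IDENTITY(1,1) PRIMARY KEY,
    Item    nvarchar(100) NOT NULL
);
CREATE TABLE dbo.OrdersAudit (
    AuditId   bigint IDENTITY(1,1) PRIMARY KEY,
    OrderId   int           NOT NULL,
    ChangedAt datetime2(3)  NOT NULL DEFAULT SYSUTCDATETIME(),
    DbUser    sysname       NOT NULL DEFAULT ORIGINAL_LOGIN(),  -- principal SQL Server itself saw
    TraceId   nvarchar(64)  NULL,
    SpanId    nvarchar(32)  NULL,
    AuthType  nvarchar(16)  NULL,
    UserId    nvarchar(128) NULL,
    TenantId  nvarchar(128) NULL
);
GO

CREATE TRIGGER dbo.trg_Orders_Audit ON dbo.Orders
AFTER INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    -- SESSION_CONTEXT returns sql_variant (NULL when the key was never set),
    -- so convert explicitly and keep the audit columns nullable.
    INSERT INTO dbo.OrdersAudit (OrderId, TraceId, SpanId, AuthType, UserId, TenantId)
    SELECT i.OrderId,
           CONVERT(nvarchar(64),  SESSION_CONTEXT(N'dab.trace_id')),
           CONVERT(nvarchar(32),  SESSION_CONTEXT(N'dab.span_id')),
           CONVERT(nvarchar(16),  SESSION_CONTEXT(N'dab.auth_type')),
           CONVERT(nvarchar(128), SESSION_CONTEXT(N'dab.user_id')),
           CONVERT(nvarchar(128), SESSION_CONTEXT(N'dab.tenant_id'))
    FROM inserted AS i;
END;
GO

-- Stand-in for what the application would set on the connection (constructed values).
EXEC sys.sp_set_session_context @key = N'dab.trace_id',  @value = N'0af7651916cd43dd8448eb211c80319c';
EXEC sys.sp_set_session_context @key = N'dab.span_id',   @value = N'b7ad6b7169203331';
EXEC sys.sp_set_session_context @key = N'dab.auth_type', @value = N'obo';
EXEC sys.sp_set_session_context @key = N'dab.user_id',   @value = N'00000000-0000-0000-0000-000000000001';
EXEC sys.sp_set_session_context @key = N'dab.tenant_id', @value = N'00000000-0000-0000-0000-0000000000aa';
INSERT INTO dbo.Orders (Item) VALUES (N'widget');

-- Pivot from a traceId found in the application logs to the rows that request wrote.
SELECT OrderId, ChangedAt, DbUser, AuthType, UserId, TenantId
FROM dbo.OrdersAudit
WHERE TraceId = N'0af7651916cd43dd8448eb211c80319c';
```

SESSION_CONTEXT values are written by the application, so record them alongside the database's own principal (DbUser here) and treat them as correlation data rather than proof of identity.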

@anushakolan anushakolan marked this pull request as ready for review March 5, 2026 00:03
Copilot AI review requested due to automatic review settings March 5, 2026 00:03
@anushakolan

/azp run

@azure-pipelines

Azure Pipelines successfully started running 6 pipeline(s).

Copilot AI left a comment

Pull request overview

This PR improves observability for user-delegated (OBO) authentication by enhancing OBO token acquisition logging and by adding OpenTelemetry correlation + OBO identity details into SQL Server SESSION_CONTEXT when set-session-context is enabled.

Changes:

  • Add structured OBO token logging in OboSqlTokenProvider with event types and traceId correlation.
  • Extend MsSqlQueryExecutor.GetSessionParamsQuery to set dab.trace_id, dab.span_id, dab.auth_type, dab.user_id, and dab.tenant_id in SESSION_CONTEXT.
  • Add unit tests validating inclusion/exclusion of correlation IDs and OBO observability session-context values.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/Service.Tests/UnitTests/SqlQueryExecutorUnitTests.cs | Adds unit tests for new session-context observability values and Activity correlation behavior. |
| src/Core/Resolvers/OboSqlTokenProvider.cs | Adds structured log fields (EventType + traceId) for OBO validation/cache/acquisition events. |
| src/Core/Resolvers/MsSqlQueryExecutor.cs | Writes OpenTelemetry correlation IDs and OBO identity markers into SQL Server SESSION_CONTEXT. |

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@anushakolan

/azp run

@azure-pipelines

Azure Pipelines successfully started running 6 pipeline(s).

Development

Successfully merging this pull request may close these issues.

[OBO] OBO Logging & Correlation
