Skip to content

Improved OBO logging and added OBO observability to SESSION_CONTEXT#3192

Open
anushakolan wants to merge 11 commits intomainfrom
dev/anushakolan/obo-correlation
Open

Improved OBO logging and added OBO observability to SESSION_CONTEXT#3192
anushakolan wants to merge 11 commits intomainfrom
dev/anushakolan/obo-correlation

Conversation

@anushakolan
Copy link
Contributor

@anushakolan anushakolan commented Mar 4, 2026
edited
Loading

Why make this change?

Closes #3125

  1. Adds OBO (On-Behalf-Of) observability improvements for debugging and auditing user-delegated authentication flows.
  2. Enables end-to-end tracing from DAB application logs to SQL Server queries using OpenTelemetry correlation IDs.
  3. Provides SQL-side visibility into which user and tenant executed a query when using user-delegated auth.

What is this change?

  1. Enhanced OBO Token Logging (OboSqlTokenProvider.cs)
  • Added structured logging with EventType field for easier log filtering and analysis
  • Included traceId in all OBO-related log messages to enable correlation with distributed traces
  • Event types added: OboValidationFailed, OboTokenCacheMiss, OboTokenAcquired, OboTokenCacheHit
  1. SESSION_CONTEXT Observability Values (MsSqlQueryExecutor.cs)
    Added the following values to SQL Server SESSION_CONTEXT when set-session-context is enabled:
  • dab.trace_id - OpenTelemetry TraceId (set when Activity is present)
  • dab.span_id - OpenTelemetry SpanId (set when Activity is present)
  • dab.auth_type - Auth type indicator, value: obo (set when user-delegated auth is enabled)
  • dab.user_id - User identifier from oid claim, falls back to sub claim (set when user-delegated auth is enabled)
  • dab.tenant_id - Azure AD tenant ID from tid claim (set when user-delegated auth is enabled)
image

How was this tested?

Unit Tests

  1. GetSessionParamsQuery_IncludesAllObservabilityValues_WhenActivityAndOboEnabled
  2. GetSessionParamsQuery_ExcludesCorrelationIds_WhenNoActivity

Manual E2E Testing

  • Deployed to Azure Container App with Azure SQL Database
  • Verified OBO token logging in container logs with traceId correlation
  • Verified SESSION_CONTEXT values via stored procedure (dbo.GetSessionContext)
  • Confirmed correlation between container logs and SQL SESSION_CONTEXT values
image

@anushakolan anushakolan marked this pull request as ready for review March 5, 2026 00:03
Copilot AI review requested due to automatic review settings March 5, 2026 00:03
@anushakolan
Copy link
Contributor Author

anushakolan commented Mar 5, 2026

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Mar 5, 2026

Azure Pipelines successfully started running 6 pipeline(s).

Copilot AI reviewed Mar 5, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves observability for user-delegated (OBO) authentication by enhancing OBO token acquisition logging and by adding OpenTelemetry correlation + OBO identity details into SQL Server SESSION_CONTEXT when set-session-context is enabled.

Changes:

  • Add structured OBO token logging in OboSqlTokenProvider with event types and traceId correlation.
  • Extend MsSqlQueryExecutor.GetSessionParamsQuery to set dab.trace_id, dab.span_id, dab.auth_type, dab.user_id, and dab.tenant_id in SESSION_CONTEXT.
  • Add unit tests validating inclusion/exclusion of correlation IDs and OBO observability session-context values.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
src/Service.Tests/UnitTests/SqlQueryExecutorUnitTests.cs Adds unit tests for new session-context observability values and Activity correlation behavior.
src/Core/Resolvers/OboSqlTokenProvider.cs Adds structured log fields (EventType + traceId) for OBO validation/cache/acquisition events.
src/Core/Resolvers/MsSqlQueryExecutor.cs Writes OpenTelemetry correlation IDs and OBO identity markers into SQL Server SESSION_CONTEXT.

@anushakolan
Update src/Service.Tests/UnitTests/SqlQueryExecutorUnitTests.cs
aceafbd 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@anushakolan
Copy link
Contributor Author

anushakolan commented Mar 5, 2026

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Mar 5, 2026

Azure Pipelines successfully started running 6 pipeline(s).

Aniruddh25
Aniruddh25 reviewed Mar 11, 2026
View reviewed changes
Aniruddh25
Aniruddh25 reviewed Mar 11, 2026
View reviewed changes
Aniruddh25
Aniruddh25 requested changes Mar 11, 2026
View reviewed changes
Copy link
Collaborator

@Aniruddh25 Aniruddh25 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OBO should trace irrespective of set-session-context values.

@anushakolan
Copy link
Contributor Author

anushakolan commented Mar 18, 2026

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Mar 18, 2026

Azure Pipelines successfully started running 6 pipeline(s).

@anushakolan anushakolan added the obo These tasks are related to DAB OBO Delegated Identity implmentation. label Mar 18, 2026
@github-project-automation github-project-automation bot moved this to Review In Progress in Data API builder Mar 18, 2026
@anushakolan anushakolan added this to the March 2026 milestone Mar 18, 2026
@souvikghosh04 souvikghosh04 self-assigned this Mar 19, 2026
aaronburtle
aaronburtle reviewed Mar 19, 2026
View reviewed changes
src/Core/Resolvers/OboSqlTokenProvider.cs
{
_logger.LogWarning("Cannot acquire OBO token: ClaimsPrincipal is null.");
_logger.LogWarning(
"{EventType}: Cannot acquire OBO token - ClaimsPrincipal is null (traceId: {TraceId}).",
Copy link
Contributor

@aaronburtle aaronburtle Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use an enum for the EventType instead of just providing a string?

@aaronburtle
Copy link
Contributor

aaronburtle commented Mar 19, 2026

DAB currently has its own correlation system, which adds a correlation ID to the DAB logs. So if a user were to get say a 500 error on a REST call they would have in the DAB logs a correlation id associated with the error. The dab logs would also show the Obo Token being acquired with a separate traceid. But in the SQL Server session context, there will only be the trace id, not the dab correlation id.

So in order to connect the dab error log to the SQL audit, the user would have to go through some sort of APM tool to match the requests by timestamp, or theyd need to know that both IDs belong to the same http request.

If the dab.correlation_id was also included in the SESSION_CONTEXT, then the user could directly join the SQL audit log to the DAB error log without needing to use any other tools. This might be particularly useful if there are different people or teams looking at the different logs.

Not a blocker, but something I think we should consider.

aaronburtle
aaronburtle reviewed Mar 19, 2026
View reviewed changes
src/Core/Resolvers/MsSqlQueryExecutor.cs
if (currentActivity is not null)
{
string traceIdParamName = $"{SESSION_PARAM_NAME}{counter.Next()}";
parameters.Add(traceIdParamName, new(currentActivity.TraceId.ToString()));
Copy link
Contributor

@aaronburtle aaronburtle Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because of our retry policy in query executor, a transient fault may end up trying to re-add params that already exist in this dictionary, which would error out. This is an already existing issue however, and I dont think Ive seen this show up yet, but figured it is worth flagging, and i think can be fixed by changing from .add to using an indexer; parameters[traceIdParamName]=foo

aaronburtle
aaronburtle approved these changes Mar 19, 2026
View reviewed changes
Copy link
Contributor

@aaronburtle aaronburtle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Couple comments, but no blockers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Aniruddh25 Aniruddh25 Aniruddh25 approved these changes

@aaronburtle aaronburtle aaronburtle approved these changes

@JerryNixon JerryNixon Awaiting requested review from JerryNixon JerryNixon is a code owner

@RubenCerna2079 RubenCerna2079 Awaiting requested review from RubenCerna2079 RubenCerna2079 is a code owner

@souvikghosh04 souvikghosh04 Awaiting requested review from souvikghosh04 souvikghosh04 is a code owner

@sourabh1007 sourabh1007 Awaiting requested review from sourabh1007 sourabh1007 is a code owner

@vadeveka vadeveka Awaiting requested review from vadeveka vadeveka is a code owner

@Alekhya-Polavarapu Alekhya-Polavarapu Awaiting requested review from Alekhya-Polavarapu Alekhya-Polavarapu is a code owner

@rusamant rusamant Awaiting requested review from rusamant rusamant is a code owner

@stuartpa stuartpa Awaiting requested review from stuartpa stuartpa is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

@Aniruddh25 Aniruddh25

@anushakolan anushakolan

@aaronburtle aaronburtle

@souvikghosh04 souvikghosh04

Labels

obo These tasks are related to DAB OBO Delegated Identity implmentation.

Projects

Data API builder
Status: Review In Progress

Milestone

March 2026

Development

Successfully merging this pull request may close these issues.

[OBO] OBO Logging & Correlation

5 participants

@anushakolan @aaronburtle @Aniruddh25 @souvikghosh04