AllowedHttpHeaders seems not respected for WorkloadIdentityCredential

[hestolz]

Describe the bug
Azure::Core::Credentials::TokenCredentialOptions has Log member, who in turn has member AllowedHttpHeaders. When I append to this list and pass to the WorkloadIdentityCredential constructor, it does not take effect; the logs for HTTP calls are still redacted.

To Reproduce
Steps to reproduce the behavior:
Compiled the below code. So, user-agent, x-ms-request-id, x-ms-client-request-id should not be redacted, yet they are:

2025-03-17T15:45:10.1816810Z: [Azure SDK] HTTP Request : POST https://login.microsoftonline.com/.../oauth2/v2.0/token
...
user-agent : REDACTED
x-ms-client-request-id : REDACTED

Code Snippet
Add the code snippet that causes the issue.

Azure::Core::Http::CurlTransportOptions curlOptions;
Azure::Core::Credentials::TokenCredentialOptions credentialOptions;
...
credentialOptions.Transport.Transport = std::make_shared<Azure::Core::Http::CurlTransport>(curlOptions);
credentialOptions.Log.AllowedHttpHeaders.insert({ "user-agent", "x-ms-request-id", "x-ms-client-request-id"});

_workloadIdentityCredential = std::make_shared<Azure::Identity::WorkloadIdentityCredential>(credentialOptions);
...
Azure::Core::Context context;
Azure::Core::Credentials::TokenRequestContext tokenRequestContext;
tokenRequestContext.Scopes = { _resource };

Azure::Core::Credentials::AccessToken token = _workloadIdentityCredential->GetToken(tokenRequestContext, context);

Expected behavior
I expected to see unredacted values for configured headers like user-agent.

Setup (please complete the following information):

• OS: Azure Linux 2
• IDE : vscode
• Compiler: g++
• Version of the Library used: 1.10.1

Information Checklist
Kindly make sure that you have added all the following information above and checkoff the required fields otherwise we will treat the issuer as an incomplete report

• Bug Description Added
• Repro Steps Added
• Setup information Added

[github-actions]

Thank you for your feedback. Tagging and routing to the team member best able to assist.

[antkmsft]

@hestolz, what package version/commit SHA are you using?
Because this is not what I am seeing - first of all, all these 3 headers should already be in the logging policy by default (

azure-sdk-for-cpp/sdk/core/azure-core/src/http/log_policy.cpp

Lines 71 to 102 in e05a886

	= {"Accept",
	"Accept-Ranges",
	"Cache-Control",
	"Connection",
	"Content-Length",
	"Content-Range",
	"Content-Type",
	"Date",
	"ETag",
	"Expires",
	"If-Match",
	"If-Modified-Since",
	"If-None-Match",
	"If-Unmodified-Since",
	"Last-Modified",
	"Pragma",
	"Range",
	"Request-Id",
	"Retry-After",
	"Server",
	"traceparent",
	"tracestate",
	"Transfer-Encoding",
	"User-Agent",
	"WWW-Authenticate",
	"x-ms-client-request-id",
	"x-ms-date",
	"x-ms-error-code",
	"x-ms-range",
	"x-ms-request-id",
	"x-ms-return-client-request-id",
	"x-ms-version"};

).

But when trying to reproduce, I did re-add them there just as you do, and also added "host" to the allowed headers, which is not there by default, and it does get unredacted for me.

[hestolz]

Hi @antkmsft , here's my vcpkg.json:

{
  "builtin-baseline": "80d54ff62d528339c626a6fbc3489a7f25956ade",
  "dependencies": [
    "azure-identity-cpp",
    "tinyxml2"
  ],
  "overrides": [
    {
      "name": "azure-identity-cpp",
      "version": "1.10.1"
    },
    {
      "name": "tinyxml2",
      "version": "10.0.0"
    }
  ]
}

One additional issue that may be relevant, I am setting a custom log handler for the SDK, like below. The call to Logger::ConfigureAzureSdkLogger() happens before the code snippet I included in my opening post. I'm unsure if this can interfere with the redaction setting; I couldn't find anything documenting such a conflict and a brief look at the redaction implementation didn't suggest any conflict.

void Logger::AzureSdkLogCallback(Azure::Core::Diagnostics::Logger::Level level, const std::string & message)
{
    switch (level)
    {
    case Azure::Core::Diagnostics::Logger::Level::Error:
        LOGGER_ERROR("[Azure SDK] " << message);
        break;
    case Azure::Core::Diagnostics::Logger::Level::Warning:
        LOGGER_WARN("[Azure SDK] " << message);
        break;
    case Azure::Core::Diagnostics::Logger::Level::Informational:
        LOGGER_INFO("[Azure SDK] " << message);
        break;
    case Azure::Core::Diagnostics::Logger::Level::Verbose:
        TRACE(Trace::Token, "[Azure SDK] " << message);
        break;
    default:
        break;
    }
}

void Logger::ConfigureAzureSdkLogger()
{
    if (TraceHelper::HasInterests(Trace::AzureSdk))
    {
        TRACE(Trace::AzureSdk, "Setting Azure SDK log level to verbose");
        Azure::Core::Diagnostics::Logger::SetLevel(Azure::Core::Diagnostics::Logger::Level::Verbose);
    }
    else
    {
        TRACE(Trace::AzureSdk, "Setting Azure SDK log level to info");
        Azure::Core::Diagnostics::Logger::SetLevel(Azure::Core::Diagnostics::Logger::Level::Informational);
    }
    Azure::Core::Diagnostics::Logger::SetListener(Logger::AzureSdkLogCallback);
}

[github-actions]

Hi @hestolz. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.