feat: add client logging with slf4j

[zhumin8]

This is a draft pr for preview changes for adding client logging capability to auth.
see go/java-client-logging-design

Very limited testing added at this point.

changes includes:

• add slf4j dependency, introduce LoggingConfigs to enable logging only when GOOGLE_SDK_JAVA_LOGGING=true
• logging implementation depends on users binding added. If no binding, default to no-op.
• introduce LoggingUtils for helper method for logging. Add log for request and response made to auth endpoints for UserCredentials, ServiceAccountCredentials, ComputeEngineCredentials, ImpersonatedCredentials. For token values included, added hash in log.

Here is an example logging output for access token request from UserCredentials when DEBUG level is allowed.

{"@timestamp":"2024-12-04T21:10:48.596382834-05:00","@version":"1","message":"Sending auth request to refresh access token.","logger_name":"com.google.auth.oauth2.UserCredentials","thread_name":"main","severity":"DEBUG","level_value":10000,"request.method":"POST","request.headers":"{x-goog-api-client=gl-java/19.0.1 auth/${project.parent.version} cred-type/u, accept-encoding=[gzip]}","request.url":"https://foo.com/bar","request.payload":"{refresh_token=1/Tl6*****yGWY, grant_type=refresh_token, client_secret=jakua*****wZcu, client_id=ya29.1.AADtN_UtlxN3PuGAxrN2XQnZTVRvDyVWnYq4I6dws}"}
{"@timestamp":"2024-12-04T21:10:48.624914522-05:00","@version":"1","message":"Received auth respond for refresh access token.","logger_name":"com.google.auth.oauth2.UserCredentials","thread_name":"main","severity":"INFO","level_value":20000,"response.status":"200","response.headers":"{}"}
{"@timestamp":"2024-12-04T21:10:48.627483862-05:00","@version":"1","message":"Auth response payload.","logger_name":"com.google.auth.oauth2.UserCredentials","thread_name":"main","severity":"DEBUG","level_value":10000,"access_token":"1/MkS*****KPY2","refresh_token":"1/Tl6*****yGWY","token_type":"Bearer","expires_in":"3600"}

Update Dec 9: I added basic test coverage, not showcasing all the logging messages details. Will add that as followup task.

[zhumin8]

@lqiu96 I still have some trouble with the test env, but wanted to put it out there so you can get a preview of the changes. Can you take a quick look and let me know if you have any concerns.

[lqiu96]

nit: Could the message to be more descriptive? i.e. Signature to sign the blob or something that better describes this

[lqiu96]

why does this need to be cleared?

[zhumin8]

MDC carries contextual information in log messages. It is tied to thread, and is safer to clear it to avoid it be carried over to other log entries.

[lqiu96]

I see. Can you add that as a comment? Or a link to a guide that tells us clear it so future readers?

[lqiu96]

Can we move this to LoggingUtils since this seems to be used in the other credentials?

[zhumin8]

They are slightly different, but I will try to extract any useful shared logics into LoggingUtils.

[lqiu96]

Can you highlight the difference? From what I see, the other Credentials also end up calling GenericData responseData = response.parseAs(GenericData.class); but this is moved to a function.

Might be missing something, but I don't see what is preventing this from going into LoggingUtils.

[zhumin8]

for next release: this env var is probably only needed for LoggingTest.java class.

[zhumin8]

sonar has been failing since Dec 2. Filed
#1591

[blakeli0]

I think it would be good to duplicate information like request.method and request.url in message instead of always relying on MDC, as we discussed yesterday. It would be great if we can make this change in this release. However, if not, it should not be a blocker either, as adding these info later is not a breaking change.

[zhumin8]

It's already done. (9e20be9)
It is verified in LoggingTest (here you can see the message is parsed then verified. The test is not extensive in verifying information. )

[lqiu96]

Can you add a quick comment about why UrlEncodedContent is casted to GenericData? But JsonHttpContent (below) doesn't need to be?

[zhumin8]

added

[lqiu96]

nit: Can we change this to be something like logResponsePayload and parseResponsePayload so it's clearer as to what it's doing?

[lqiu96]

qq, isn't this the same thing as LoggingUtils.logGenericData()? I'm missing why this method needs to exist

[zhumin8]

This response.parseAs(GenericData.class); can only be parsed once. So this is a wrapper to parse the data, log and continue with whatever is to do with the genericData.

[lqiu96]

Apologies, I might be missing something obvious but I'm not see where it's parsed more than once and might as be missing why it's different for ServiceAccountCredentials.

What I see is that it's changed to be:

GenericData responseData = parseResponseAs(response);

but I think it could just be

GenericData responseData = response.parseAs(GenericData.class);
LoggingUtils.logGenericData(responseData, LOGGER, "Auth response payload");
...

which is the same as it is for the other Credential types (i.e.

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java

Lines 300 to 302 in 6485526

	GenericData responseData = response.parseAs(GenericData.class);
	LoggingUtils.logGenericData(
	responseData, SLF4JLOGGER, "Response from refresh access token payload");

)

[sonarqubecloud]

Quality Gate passed

Issues
6 New issues
0 Accepted issues

Measures
0 Security Hotspots
92.1% Coverage on New Code
0.5% Duplication on New Code

See analysis details on SonarQube Cloud

[blakeli0]

In general, I think we should not try to call these methods if logging is not enabled due to performance concerns, similar to the comment in sdk-platform-java.

[blakeli0]

Similar to the comment in sdk-platform-java, I think we should try to avoid doing these try catches or fail more gracefully.