feat: add request response logging to auth (#1678)

* feat: add functionality to hash data (#1677)

* feat: add functionality to hash data

* change sensitive fields to private

* update to sha512

* update docstring

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* chore: add request-response log helpers (#1685)

* chore: add request-response log helpers

* fix presubmit

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* feat: opt-in logging support for request / response (#1686)

* feat: opt-in logging support for request/response

* add pragma no cover

* add test coverage for request/response

* add code coverage

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* chore: remove logging for async requests (#1698)

* chore: remove logging for async requests

* change Dict to Mapping

* fix mypy and lint issues

* address PR feedback

* link issue

* feat: parse request/response for logging (#1696)

* feat: parse request/response for logging

* add test case for list

* address PR comments

* address PR feedback

* fix typo

* add test coverage

* add code coverage

* feat: hash sensitive info in logs (#1700)

* feat: hash sensitive info in logs

* make helper private

* add code coverage

* address PR feedback

* fix mypy type issue

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* feat: add support for async response log (#1733)

* feat: add support for async response log

* fix whitespace

* add await

* add code coverage

* fix lint

* fix lint issues

* address PR feedback

* address PR feedback

* link issue

* feat: add request response logs for sync api calls (#1747)

* fix: remove dependency on api-core for logging (#1748)

* fix: remove dep on api-core for logging

* disable propagation to the root logger

* update async helpers tests

* fix lint issue

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: ohmayr

google/auth/_helpers.py

@@ -18,15 +18,38 @@
 import calendar
 import datetime
 from email.message import Message
+import hashlib
+import json
+import logging
 import sys
+from typing import Any, Dict, Mapping, Optional, Union
 import urllib
 
 from google.auth import exceptions
 
+
+# _BASE_LOGGER_NAME is the base logger for all google-based loggers.
+_BASE_LOGGER_NAME = "google"
+
+# _LOGGING_INITIALIZED ensures that base logger is only configured once
+# (unless already configured by the end-user).
+_LOGGING_INITIALIZED = False
+
+
 # The smallest MDS cache used by this library stores tokens until 4 minutes from
 # expiry.
 REFRESH_THRESHOLD = datetime.timedelta(minutes=3, seconds=45)
 
+# TODO(https://github.com/googleapis/google-auth-library-python/issues/1684): Audit and update the list below.
+_SENSITIVE_FIELDS = {
+    "accessToken",
+    "access_token",
+    "id_token",
+    "client_id",
+    "refresh_token",
+    "client_secret",
+}
+
 
 def copy_docstring(source_class):
     """Decorator that copies a method's docstring from another class.
@@ -271,3 +294,220 @@ def is_python_3():
         bool: True if the Python interpreter is Python 3 and False otherwise.
     """
     return sys.version_info > (3, 0)
+
+
+def _hash_sensitive_info(data: Union[dict, list]) -> Union[dict, list, str]:
+    """
+    Hashes sensitive information within a dictionary.
+
+    Args:
+        data: The dictionary containing data to be processed.
+
+    Returns:
+        A new dictionary with sensitive values replaced by their SHA512 hashes.
+        If the input is a list, returns a list with each element recursively processed.
+        If the input is neither a dict nor a list, returns the type of the input as a string.
+
+    """
+    if isinstance(data, dict):
+        hashed_data: Dict[Any, Union[Optional[str], dict, list]] = {}
+        for key, value in data.items():
+            if key in _SENSITIVE_FIELDS and not isinstance(value, (dict, list)):
+                hashed_data[key] = _hash_value(value, key)
+            elif isinstance(value, (dict, list)):
+                hashed_data[key] = _hash_sensitive_info(value)
+            else:
+                hashed_data[key] = value
+        return hashed_data
+    elif isinstance(data, list):
+        hashed_list = []
+        for val in data:
+            hashed_list.append(_hash_sensitive_info(val))
+        return hashed_list
+    else:
+        # TODO(https://github.com/googleapis/google-auth-library-python/issues/1701):
+        # Investigate and hash sensitive info before logging when the data type is
+        # not a dict or a list.
+        return str(type(data))
+
+
+def _hash_value(value, field_name: str) -> Optional[str]:
+    """Hashes a value and returns a formatted hash string."""
+    if value is None:
+        return None
+    encoded_value = str(value).encode("utf-8")
+    hash_object = hashlib.sha512()
+    hash_object.update(encoded_value)
+    hex_digest = hash_object.hexdigest()
+    return f"hashed_{field_name}-{hex_digest}"
+
+
+def _logger_configured(logger: logging.Logger) -> bool:
+    """Determines whether `logger` has non-default configuration
+
+    Args:
+      logger: The logger to check.
+
+    Returns:
+      bool: Whether the logger has any non-default configuration.
+    """
+    return (
+        logger.handlers != [] or logger.level != logging.NOTSET or not logger.propagate
+    )
+
+
+def is_logging_enabled(logger: logging.Logger) -> bool:
+    """
+    Checks if debug logging is enabled for the given logger.
+
+    Args:
+        logger: The logging.Logger instance to check.
+
+    Returns:
+        True if debug logging is enabled, False otherwise.
+    """
+    # NOTE: Log propagation to the root logger is disabled unless
+    # the base logger i.e. logging.getLogger("google") is
+    # explicitly configured by the end user. Ideally this
+    # needs to happen in the client layer (already does for GAPICs).
+    # However, this is implemented here to avoid logging
+    # (if a root logger is configured) when a version of google-auth
+    # which supports logging is used with:
+    #  - an older version of a GAPIC which does not support logging.
+    #  - Apiary client which does not support logging.
+    global _LOGGING_INITIALIZED
+    if not _LOGGING_INITIALIZED:
+        base_logger = logging.getLogger(_BASE_LOGGER_NAME)
+        if not _logger_configured(base_logger):
+            base_logger.propagate = False
+        _LOGGING_INITIALIZED = True
+
+    return logger.isEnabledFor(logging.DEBUG)
+
+
+def request_log(
+    logger: logging.Logger,
+    method: str,
+    url: str,
+    body: Optional[bytes],
+    headers: Optional[Mapping[str, str]],
+) -> None:
+    """
+    Logs an HTTP request at the DEBUG level if logging is enabled.
+
+    Args:
+        logger: The logging.Logger instance to use.
+        method: The HTTP method (e.g., "GET", "POST").
+        url: The URL of the request.
+        body: The request body (can be None).
+        headers: The request headers (can be None).
+    """
+    if is_logging_enabled(logger):
+        content_type = (
+            headers["Content-Type"] if headers and "Content-Type" in headers else ""
+        )
+        json_body = _parse_request_body(body, content_type=content_type)
+        logged_body = _hash_sensitive_info(json_body)
+        logger.debug(
+            "Making request...",
+            extra={
+                "httpRequest": {
+                    "method": method,
+                    "url": url,
+                    "body": logged_body,
+                    "headers": headers,
+                }
+            },
+        )
+
+
+def _parse_request_body(body: Optional[bytes], content_type: str = "") -> Any:
+    """
+    Parses a request body, handling bytes and string types, and different content types.
+
+    Args:
+        body (Optional[bytes]): The request body.
+        content_type (str): The content type of the request body, e.g., "application/json",
+            "application/x-www-form-urlencoded", or "text/plain". If empty, attempts
+            to parse as JSON.
+
+    Returns:
+        Parsed body (dict, str, or None).
+        - JSON: Decodes if content_type is "application/json" or None (fallback).
+        - URL-encoded: Parses if content_type is "application/x-www-form-urlencoded".
+        - Plain text: Returns string if content_type is "text/plain".
+        - None: Returns if body is None, UTF-8 decode fails, or content_type is unknown.
+    """
+    if body is None:
+        return None
+    try:
+        body_str = body.decode("utf-8")
+    except (UnicodeDecodeError, AttributeError):
+        return None
+    content_type = content_type.lower()
+    if not content_type or "application/json" in content_type:
+        try:
+            return json.loads(body_str)
+        except (json.JSONDecodeError, TypeError):
+            return body_str
+    if "application/x-www-form-urlencoded" in content_type:
+        parsed_query = urllib.parse.parse_qs(body_str)
+        result = {k: v[0] for k, v in parsed_query.items()}
+        return result
+    if "text/plain" in content_type:
+        return body_str
+    return None
+
+
+def _parse_response(response: Any) -> Any:
+    """
+    Parses a response, attempting to decode JSON.
+
+    Args:
+        response: The response object to parse. This can be any type, but
+            it is expected to have a `json()` method if it contains JSON.
+
+    Returns:
+        The parsed response. If the response contains valid JSON, the
+        decoded JSON object (e.g., a dictionary or list) is returned.
+        If the response does not have a `json()` method or if the JSON
+        decoding fails, None is returned.
+    """
+    try:
+        json_response = response.json()
+        return json_response
+    except Exception:
+        # TODO(https://github.com/googleapis/google-auth-library-python/issues/1744):
+        # Parse and return response payload as json based on different content types.
+        return None
+
+
+def _response_log_base(logger: logging.Logger, parsed_response: Any) -> None:
+    """
+    Logs a parsed HTTP response at the DEBUG level.
+
+    This internal helper function takes a parsed response and logs it
+    using the provided logger. It also applies a hashing function to
+    potentially sensitive information before logging.
+
+    Args:
+        logger: The logging.Logger instance to use for logging.
+        parsed_response: The parsed HTTP response object (e.g., a dictionary,
+            list, or the original response if parsing failed).
+    """
+
+    logged_response = _hash_sensitive_info(parsed_response)
+    logger.debug("Response received...", extra={"httpResponse": logged_response})
+
+
+def response_log(logger: logging.Logger, response: Any) -> None:
+    """
+    Logs an HTTP response at the DEBUG level if logging is enabled.
+
+    Args:
+        logger: The logging.Logger instance to use.
+        response: The HTTP response object to log.
+    """
+    if is_logging_enabled(logger):
+        json_response = _parse_response(response)
+        _response_log_base(logger, json_response)

google/auth/aio/_helpers.py

@@ -0,0 +1,57 @@
+# Copyright 2025 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Helper functions for commonly used utilities."""
+
+
+import logging
+from typing import Any
+
+from google.auth import _helpers
+
+
+async def _parse_response_async(response: Any) -> Any:
+    """
+    Parses an async response, attempting to decode JSON.
+
+    Args:
+        response: The response object to parse. This can be any type, but
+            it is expected to have a `json()` method if it contains JSON.
+
+    Returns:
+        The parsed response. If the response contains valid JSON, the
+        decoded JSON object (e.g., a dictionary) is returned.
+        If the response does not have a `json()` method or if the JSON
+        decoding fails, None is returned.
+    """
+    try:
+        json_response = await response.json()
+        return json_response
+    except Exception:
+        # TODO(https://github.com/googleapis/google-auth-library-python/issues/1745):
+        # Parse and return response payload as json based on different content types.
+        return None
+
+
+async def response_log_async(logger: logging.Logger, response: Any) -> None:
+    """
+    Logs an Async HTTP response at the DEBUG level if logging is enabled.
+
+    Args:
+        logger: The logging.Logger instance to use.
+        response: The HTTP response object to log.
+    """
+    if _helpers.is_logging_enabled(logger):
+        json_response = await _parse_response_async(response)
+        _helpers._response_log_base(logger, json_response)

google/auth/aio/transport/aiohttp.py

@@ -16,6 +16,7 @@
 """
 
 import asyncio
+import logging
 from typing import AsyncGenerator, Mapping, Optional
 
 try:
@@ -27,8 +28,11 @@
 
 from google.auth import _helpers
 from google.auth import exceptions
+from google.auth.aio import _helpers as _helpers_async
 from google.auth.aio import transport
 
+_LOGGER = logging.getLogger(__name__)
+
 
 class Response(transport.Response):
     """
@@ -155,6 +159,7 @@ async def __call__(
                 self._session = aiohttp.ClientSession()
 
             client_timeout = aiohttp.ClientTimeout(total=timeout)
+            _helpers.request_log(_LOGGER, method, url, body, headers)
             response = await self._session.request(
                 method,
                 url,
@@ -163,6 +168,7 @@ async def __call__(
                 timeout=client_timeout,
                 **kwargs,
             )
+            await _helpers_async.response_log_async(_LOGGER, response)
             return Response(response)
 
         except aiohttp.ClientError as caught_exc:

google/auth/transport/_aiohttp_requests.py

@@ -22,14 +22,20 @@
 
 import asyncio
 import functools
+import logging
 
 import aiohttp  # type: ignore
 import urllib3  # type: ignore
 
+from google.auth import _helpers
 from google.auth import exceptions
 from google.auth import transport
+from google.auth.aio import _helpers as _helpers_async
 from google.auth.transport import requests
 
+
+_LOGGER = logging.getLogger(__name__)
+
 # Timeout can be re-defined depending on async requirement. Currently made 60s more than
 # sync timeout.
 _DEFAULT_TIMEOUT = 180  # in seconds
@@ -182,10 +188,11 @@ async def __call__(
                 self.session = aiohttp.ClientSession(
                     auto_decompress=False
                 )  # pragma: NO COVER
-            requests._LOGGER.debug("Making request: %s %s", method, url)
+            _helpers.request_log(_LOGGER, method, url, body, headers)
             response = await self.session.request(
                 method, url, data=body, headers=headers, timeout=timeout, **kwargs
             )
+            await _helpers_async.response_log_async(_LOGGER, response)
             return _CombinedResponse(response)
 
         except aiohttp.ClientError as caught_exc: