Hide id_token_claims from event log

Author: rayluo

msal/token_cache.py

@@ -113,6 +113,7 @@ def wipe(dictionary, sensitive_fields):  # Masks sensitive info
             return self.__add(event, now=now)
         finally:
             wipe(event.get("response", {}), (  # These claims were useful during __add()
+                "id_token_claims",  # Provided by broker
                 "access_token", "refresh_token", "id_token", "username"))
             wipe(event, ["username"])  # Needed for federated ROPC
             logger.debug("event=%s", json.dumps(
@@ -151,7 +152,7 @@ def __add(self, event, now=None):
         id_token_claims = (
             decode_id_token(id_token, client_id=event["client_id"])
             if id_token
-            else response.get("id_token_claims", {}))  # Mid-tier would provide id_token_claims
+            else response.get("id_token_claims", {}))  # Broker would provide id_token_claims
         client_info, home_account_id = self.__parse_account(response, id_token_claims)
 
         target = ' '.join(event.get("scope") or [])  # Per schema, we don't sort it