
Copilot AI commented Jan 9, 2026

Changes proposed in this request

STS response headers may contain sensitive information (auth tokens, API keys, etc.) that should not be logged. Removed Headers from MsalServiceException.ToString() to prevent accidental exposure.

  • Modified MsalServiceException.ToString() to exclude Headers field from output
  • Headers property remains publicly accessible for programmatic access (no breaking changes)
  • Added test ServiceException_ToString_DoesNotIncludeHeaders() validating headers are excluded from string representation while remaining accessible via property

Before:

return base.ToString() + string.Format(
    CultureInfo.InvariantCulture,
    "\n\tStatusCode: {0} \n\tResponseBody: {1} \n\tHeaders: {2}",
    StatusCode, ResponseBody, Headers);

After:

return base.ToString() + string.Format(
    CultureInfo.InvariantCulture,
    "\n\tStatusCode: {0} \n\tResponseBody: {1}",
    StatusCode, ResponseBody);

Testing

  • Added unit test verifying headers not present in ToString() output
  • Validated Headers property remains accessible (existing test MsalServiceException_FromHttpResponse validates this)
  • Manual testing confirms no regressions

Performance impact

None. Reduced string allocation in ToString().

Documentation

  • All relevant documentation is updated.
Original prompt

This section details the original issue you should resolve

<issue_title>[Bug] Remove Headers from exception ToString()</issue_title>
<issue_description>### Library version used

4.81.0

STS response headers can carry information that should not be logged. Remove it from exception toString() to avoid apps overlogging this.

Code is here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/src/client/Microsoft.Identity.Client/MsalServiceException.cs#L248
</issue_description>

Comments on the Issue (you are @copilot in this section)



…g sensitive information

Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Remove headers from exception ToString() method" to "Remove Headers from MsalServiceException.ToString() to prevent logging sensitive data" Jan 9, 2026
Copilot AI requested a review from bgavrilMS January 9, 2026 14:34
@bgavrilMS bgavrilMS marked this pull request as ready for review January 9, 2026 15:08
@bgavrilMS bgavrilMS requested a review from a team as a code owner January 9, 2026 15:08
@bgavrilMS bgavrilMS merged commit 213e542 into main Jan 9, 2026
11 checks passed
@bgavrilMS bgavrilMS deleted the copilot/remove-headers-from-exception branch January 9, 2026 18:52
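
For an application that still needs header data in its diagnostics after this change, one option is to read the Headers property and log it through an allow-list. This is an added example, not code from the PR or from MSAL; SafeHeaderLog, the allow-list contents and the sample header values are assumptions, and it assumes the Headers property is an HttpResponseHeaders.

```csharp
// Added example, not MSAL code. SafeHeaderLog and the allow-list are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;

public static class SafeHeaderLog
{
    // Assumed allow-list: headers whose values only serve to correlate a failed request.
    private static readonly HashSet<string> Allowed = new HashSet<string>(
        new[] { "x-ms-request-id", "client-request-id", "Retry-After", "Date" },
        StringComparer.OrdinalIgnoreCase);

    // HttpResponseHeaders enumerates as KeyValuePair<string, IEnumerable<string>>,
    // so a caller can pass an exception's Headers property directly.
    public static string Format(IEnumerable<KeyValuePair<string, IEnumerable<string>>> headers)
    {
        if (headers == null)
        {
            return "(no headers)";
        }

        // Header names are always written; values only when the name is allow-listed.
        return string.Join("; ", headers.Select(h =>
            Allowed.Contains(h.Key)
                ? h.Key + "=" + string.Join(",", h.Value)
                : h.Key + "=<redacted>"));
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample response; every header value here is made up.
        using var response = new HttpResponseMessage();
        response.Headers.TryAddWithoutValidation("x-ms-request-id", "00000000-0000-0000-0000-000000000001");
        response.Headers.TryAddWithoutValidation("Set-Cookie", "session=EXAMPLE-NOT-A-REAL-VALUE");
        response.Headers.TryAddWithoutValidation("X-Example-Token", "EXAMPLE-NOT-A-REAL-VALUE");

        string line = SafeHeaderLog.Format(response.Headers);
        Console.WriteLine(line);

        // Same style of check as the PR's test: the sensitive value must not reach the string.
        if (line.Contains("EXAMPLE-NOT-A-REAL-VALUE"))
        {
            throw new InvalidOperationException("sensitive header value reached the log line");
        }
    }
}
```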

Development

Successfully merging this pull request may close these issues.

[Bug] Remove Headers from exception ToString()
