
Client Secret Value is Logged in Plaintext when loading credential #3201

Status: Open
@MarcelMichau opened this issue Jan 15, 2025 · 0 comments

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

3.5.0

Web app

Not Applicable

Web API

Protected web APIs call downstream web APIs

Token cache serialization

Not Applicable

Description

Hi

Looking at the logs generated by MS.Id.Web in Application Insights, it seems that the value of the Client Secret is logged in plaintext when building a confidential client using a client secret.

Log Message (note starting characters):

[Image: screenshot of the log message, not included in the text]

App Registration secrets:

[Image: screenshot of the app registration secrets, not included in the text]

This can be confirmed as a real secret as we were able to copy the secret value from the ClientSecret__XXX log message and use it to request a token.

From what I can gather, this logging was introduced as part of this commit.

Reproduction steps

  1. Configure an app with AzureAd:ClientSecret set
  2. Use IAuthorizationHeaderProvider.CreateAuthorizationHeaderForUserAsync() when calling a protected downstream API
  3. Observe logging output when token is requested

Error message

No response

Id Web logs

No response

Relevant code snippets

using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Abstractions;

// Primary constructor takes the logger as well, so the catch block below can use it.
internal class ApiService(IAuthorizationHeaderProvider provider, ILogger<ApiService> logger)
{
    private async Task<string> GetAuthHeaderForUserAsync(CancellationToken cancellationToken)
    {
        try
        {
            var apiScopes = "...";

            // Acquires a token for the signed-in user and returns the ready-to-use
            // Authorization header value for the downstream API call.
            var authHeader =
                await provider.CreateAuthorizationHeaderForUserAsync(
                    apiScopes,
                    cancellationToken: cancellationToken);

            return authHeader;
        }
        catch (Exception ex)
        {
            logger.LogError(ex, "An error occurred while acquiring a token for a user from Entra ID");
            throw;
        }
    }
}

Regression

3.1.0

Expected behavior

Client Secret should not be included in the log message
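One defensive control an application owner can put in place while a fix in the library is pending is a redacting logger decorator that masks known secret values before any entry reaches a sink such as Application Insights. The code below is an added example and is not part of Microsoft.Identity.Web or of the issue reporter's code; the type names (RedactingLogger, CapturingLogger), the sample secret value and the sample log message are constructed for illustration and do not reproduce the library's actual log format.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Logging;

// Decorates any ILogger and replaces configured secret values with a mask
// in the rendered message before forwarding to the wrapped logger.
public sealed class RedactingLogger : ILogger
{
    private const string Mask = "[REDACTED]";
    private readonly ILogger _inner;
    private readonly IReadOnlyList<string> _secrets;

    public RedactingLogger(ILogger inner, IReadOnlyList<string> secrets)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        _secrets = secrets ?? throw new ArgumentNullException(nameof(secrets));
    }

    public IDisposable? BeginScope<TState>(TState state) where TState : notnull => _inner.BeginScope(state);

    public bool IsEnabled(LogLevel logLevel) => _inner.IsEnabled(logLevel);

    public void Log<TState>(LogLevel logLevel, EventId eventId, TState state,
                            Exception? exception, Func<TState, Exception?, string> formatter)
    {
        if (!IsEnabled(logLevel)) return;

        // Render first, then scrub. The structured state object is intentionally
        // not forwarded, so a sink cannot recover the secret from named properties.
        string rendered = Redact(formatter(state, exception));
        _inner.Log(logLevel, eventId, rendered, exception, static (s, _) => s);
    }

    // Ordinal replacement of every configured secret value.
    public string Redact(string message)
    {
        foreach (string secret in _secrets)
        {
            if (!string.IsNullOrEmpty(secret))
                message = message.Replace(secret, Mask, StringComparison.Ordinal);
        }
        return message;
    }
}

// Minimal in-memory sink used here only to observe what would have been emitted.
public sealed class CapturingLogger : ILogger
{
    public List<string> Entries { get; } = new();

    public IDisposable? BeginScope<TState>(TState state) where TState : notnull => null;
    public bool IsEnabled(LogLevel logLevel) => true;

    public void Log<TState>(LogLevel logLevel, EventId eventId, TState state,
                            Exception? exception, Func<TState, Exception?, string> formatter)
        => Entries.Add($"{logLevel}: {formatter(state, exception)}");
}

public static class Demo
{
    public static void Main()
    {
        // Constructed secret value; in a real app this is read from configuration
        // (for example AzureAd:ClientSecret) at startup and never hard-coded.
        const string clientSecret = "Example~Constructed.Secret-Value";

        var sink = new CapturingLogger();
        ILogger logger = new RedactingLogger(sink, new[] { clientSecret });

        // Constructed message shaped like a credential-loading diagnostic; the real
        // library message is not reproduced here.
        logger.LogInformation("Loading credential ClientSecret__0 with value {Value}", clientSecret);

        Console.WriteLine(sink.Entries[0]);
        // Expected: "Information: Loading credential ClientSecret__0 with value [REDACTED]"
    }
}
```

Wiring the decorator into DI means wrapping the ILoggerProvider that feeds Application Insights, or registering it as the outermost ILogger for the categories that matter. It only masks values it knows about, so a partial leak (for example the first few characters of a secret, which the screenshot in this issue shows) is not caught by this exact-match approach; extending Redact to also mask known prefixes is straightforward if that is a concern.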
