Adding debug flag doesn't redact id_token

[MIchaelMainer]

Describe the bug Run a command with the debug flag. Most information is redacted. The id_token (jwt) is not and does contain sensitive information.

To Reproduce Steps to reproduce the behavior:

1. Install the CLI.
2. Run a command with the debug flag: mg applications application list --select "DisplayName, Appid, SignInAudience" --debug
3. Scroll down through the output and observe id_token.

Expected behavior id_token is redacted like access token and other data.

AB#9371

[jobala]

This is what is in the id_token payload, do you have any specific concerns about any property in the payload that would warrant deduction.

Prioritizing as P2 for now.

{
  "aud": "888bce95-fde5-40f8-a7d4-2debf0f96f4c",
  "iss": "https://login.microsoftonline.com/f2cdc659-fdf0-4448-b036-55ec469d1f71/v2.0",
  "iat": 1620810996,
  "nbf": 1620810996,
  "exp": 1620814896,
  "name": "MOD Administrator",
  "oid": "ce68603c-2a23-4f54-9891-5e465525244f",
  "preferred_username": "admin@M365x487013.onmicrosoft.com",
  "rh": "0.AVIAWcbN8vD9SESwNlXsRp0fcZXOi4jl_fhAp9Qt6_D5b0xSAJ4.",
  "sub": "9cpvm2xcZ1zXgkg4awMqT7sxp7KT3KPaVXo_6xnqV2k",
  "tid": "f2cdc659-fdf0-4448-b036-55ec469d1f71",
  "uti": "Bt72hg--I02mSDvRPotsAA",
  "ver": "2.0"
}

[MIchaelMainer]

It contains user identifiable information, and it may not be clear to customers that it does. I'd prefer that we default to less information to start with, and ideally, let the user opt-in for disclosing more information.

[jobala]

This is logged from msal. I asked them about it in this issue

[rayluo]

FYI: @jobala you probably notice that the issue you opened on MSAL Python repo has now been fixed and even released.