From 3f42530afd6ed1a61e23af5dfb9e18c2b625939d Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Tue, 14 Apr 2026 23:14:57 -0700
Subject: [PATCH] fix(security): sensitive response data may be exposed through exc

The SDK embeds raw server response content directly into exception messages (`HTTPError.message` includes `response_body`, and `OktaAPIError.message` includes server-provided summaries/causes). If these exceptions are logged or surfaced to clients, they can leak sensitive details such as tokens, identifiers, internal error context, or PII returned by upstream services.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 okta/errors/http_error.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/okta/errors/http_error.py b/okta/errors/http_error.py
index 9d0bfca6..3505279c 100644
--- a/okta/errors/http_error.py
+++ b/okta/errors/http_error.py
@@ -17,5 +17,6 @@ def __init__(self, url, response_details, response_body):
 self.url = url
 self.response_headers = response_details.headers
 self.stack = ""
- self.message = f"HTTP {self.status} {response_body}"
+ self.response_body = response_body
+ self.message = f"HTTP {self.status}"
 super().__init__(self.message)
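Review bot: The raw server body is still retained on the exception as `self.response_body`, so the exposure described in the commit message is narrowed rather than removed: any handler that logs `vars(e)`, pickles or otherwise serializes the exception object will still emit it, and the new attribute carries no warning to that effect. The line deserves a comment marking the content as untrusted and potentially sensitive, e.g. `# Raw server response; may contain tokens/PII — never log or surface to clients as-is.`, and `HTTPError`'s docstring should state that `message` no longer includes the body and that `response_body` is the supported way to inspect it programmatically. The commit description also names `OktaAPIError.message` as embedding server-provided summaries and causes, but this patch touches only `okta/errors/http_error.py`; either that class is fixed elsewhere or the description overstates the change. `__init__` begins before the hunk, so whether `self.status` is populated from `response_details` before the message is built cannot be confirmed here.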