Update Authorization Code client_secret kwarg usage (#34862)

* fix client_secret - use from get_token method if present - use from init if not in get_token * consume client_secret kwarg * fix lint errors. * test client secret. * remove client_secret from get_token - client_secret should be utilized from within the constructor instead of the method call * add client_secret to get_token method. * lint
Azure · Apr 1, 2024 · 66efa24 · 66efa24
1 parent efad456
commit 66efa24
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 2 deletions.
diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/authorization_code.py b/sdk/identity/azure-identity/azure/identity/_credentials/authorization_code.py
@@ -86,7 +86,9 @@ def get_token(
           ``response`` attribute.
         """
         # pylint:disable=useless-super-delegation
-        return super(AuthorizationCodeCredential, self).get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
+        return super(AuthorizationCodeCredential, self).get_token(
+            *scopes, claims=claims, tenant_id=tenant_id, client_secret=self._client_secret, **kwargs
+        )
 
     def _acquire_token_silently(self, *scopes: str, **kwargs) -> Optional[AccessToken]:
         return self._client.get_cached_access_token(scopes, **kwargs)

diff --git a/sdk/identity/azure-identity/azure/identity/_internal/aad_client_base.py b/sdk/identity/azure-identity/azure/identity/_internal/aad_client_base.py
@@ -302,6 +302,9 @@ def _get_refresh_token_request(self, scopes: Iterable[str], refresh_token: str,
             "client_id": self._client_id,
             "client_info": 1,  # request Microsoft Entra ID include home_account_id in its response
         }
+        client_secret = kwargs.pop("client_secret", None)
+        if client_secret:
+            data["client_secret"] = client_secret
 
         claims = _merge_claims_challenge_and_capabilities(
             ["CP1"] if kwargs.get("enable_cae") else [], kwargs.get("claims")

diff --git a/sdk/identity/azure-identity/azure/identity/aio/_credentials/authorization_code.py b/sdk/identity/azure-identity/azure/identity/aio/_credentials/authorization_code.py
@@ -92,7 +92,9 @@ async def get_token(
           attribute gives a reason. Any error response from Microsoft Entra ID is available as the error's
           ``response`` attribute.
         """
-        return await super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
+        return await super(AuthorizationCodeCredential, self).get_token(
+            *scopes, claims=claims, tenant_id=tenant_id, client_secret=self._client_secret, **kwargs
+        )
 
     async def _acquire_token_silently(self, *scopes: str, **kwargs: Any) -> Optional[AccessToken]:
         return self._client.get_cached_access_token(scopes, **kwargs)

diff --git a/sdk/identity/azure-identity/tests/test_auth_code.py b/sdk/identity/azure-identity/tests/test_auth_code.py
@@ -78,6 +78,7 @@ def test_tenant_id():
 
 def test_auth_code_credential():
     client_id = "client id"
+    secret = "fake-client-secret"
     tenant_id = "tenant"
     expected_code = "auth code"
     redirect_uri = "https://localhost"
@@ -92,6 +93,7 @@ def test_auth_code_credential():
                 url_substring=tenant_id,
                 required_data={
                     "client_id": client_id,
+                    "client_secret": secret,
                     "code": expected_code,
                     "grant_type": "authorization_code",
                     "redirect_uri": redirect_uri,
@@ -102,6 +104,7 @@ def test_auth_code_credential():
                 url_substring=tenant_id,
                 required_data={
                     "client_id": client_id,
+                    "client_secret": secret,
                     "grant_type": "refresh_token",
                     "refresh_token": expected_refresh_token,
                     "scope": expected_scope,
@@ -114,6 +117,7 @@ def test_auth_code_credential():
 
     credential = AuthorizationCodeCredential(
         client_id=client_id,
+        client_secret=secret,
         tenant_id=tenant_id,
         authorization_code=expected_code,
         redirect_uri=redirect_uri,

diff --git a/sdk/identity/azure-identity/tests/test_auth_code_async.py b/sdk/identity/azure-identity/tests/test_auth_code_async.py
@@ -102,6 +102,7 @@ async def test_tenant_id():
 
 async def test_auth_code_credential():
     client_id = "client id"
+    secret = "fake-client-secret"
     tenant_id = "tenant"
     expected_code = "auth code"
     redirect_uri = "https://localhost"
@@ -116,6 +117,7 @@ async def test_auth_code_credential():
                 url_substring=tenant_id,
                 required_data={
                     "client_id": client_id,
+                    "client_secret": secret,
                     "code": expected_code,
                     "grant_type": "authorization_code",
                     "redirect_uri": redirect_uri,
@@ -126,6 +128,7 @@ async def test_auth_code_credential():
                 url_substring=tenant_id,
                 required_data={
                     "client_id": client_id,
+                    "client_secret": secret,
                     "grant_type": "refresh_token",
                     "refresh_token": expected_refresh_token,
                     "scope": expected_scope,
@@ -138,6 +141,7 @@ async def test_auth_code_credential():
 
     credential = AuthorizationCodeCredential(
         client_id=client_id,
+        client_secret=secret,
         tenant_id=tenant_id,
         authorization_code=expected_code,
         redirect_uri=redirect_uri,