[Identity] Propagate send_certificate_chain in OBO (#36810)

Supports SNI scenarios.

Signed-off-by: Paul Van Eck <[email protected]>

Author: pvaneck

sdk/identity/azure-identity/CHANGELOG.md

@@ -8,6 +8,8 @@
 
 ### Bugs Fixed
 
+- Fixed an issue where the `send_certificate_chain` keyword argument was not being honored when using certs with the synchronous `OnBehalfOfCredential`. ([#36810](https://github.com/Azure/azure-sdk-for-python/pull/36810))
+
 ### Other Changes
 
 - `AzurePowerShellCredential` now supports using secure strings when authenticating with PowerShell. ([#36653](https://github.com/Azure/azure-sdk-for-python/pull/36653))

sdk/identity/azure-identity/azure/identity/_credentials/on_behalf_of.py

@@ -48,6 +48,9 @@ class OnBehalfOfCredential(MsalCredential, GetTokenMixin):
         is a unicode string, it will be encoded as UTF-8. If the certificate requires a different encoding, pass
         appropriately encoded bytes instead.
     :paramtype password: str or bytes
+    :keyword bool send_certificate_chain: If True when **client_certificate** is provided, the credential will send
+        the public certificate chain in the x5c header of each token request's JWT. This is required for Subject
+        Name/Issuer (SNI) authentication. Defaults to False.
     :keyword bool disable_instance_discovery: Determines whether or not instance discovery is performed when attempting
         to authenticate. Setting this to true will completely disable both instance discovery and authority validation.
         This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in
@@ -78,6 +81,8 @@ def __init__(
         client_secret: Optional[str] = None,
         client_assertion_func: Optional[Callable[[], str]] = None,
         user_assertion: str,
+        password: Optional[Union[bytes, str]] = None,
+        send_certificate_chain: bool = False,
         **kwargs: Any
     ) -> None:
         self._assertion = user_assertion
@@ -98,7 +103,10 @@ def __init__(
                 raise ValueError('Specifying both "client_certificate" and "client_secret" is not valid.')
             try:
                 credential = get_client_credential(
-                    certificate_path=None, password=kwargs.pop("password", None), certificate_data=client_certificate
+                    certificate_path=None,
+                    password=password,
+                    certificate_data=client_certificate,
+                    send_certificate_chain=send_certificate_chain,
                 )
             except ValueError as ex:
                 # client_certificate isn't a valid cert.

sdk/identity/azure-identity/azure/identity/aio/_credentials/on_behalf_of.py

@@ -68,6 +68,7 @@ def __init__(
         client_secret: Optional[str] = None,
         client_assertion_func: Optional[Callable[[], str]] = None,
         user_assertion: str,
+        password: Optional[Union[str, bytes]] = None,
         **kwargs: Any
     ) -> None:
         super().__init__()
@@ -90,7 +91,7 @@ def __init__(
             if client_secret:
                 raise ValueError('Specifying both "client_certificate" and "client_secret" is not valid.')
             try:
-                cert = get_client_credential(None, kwargs.pop("password", None), client_certificate)
+                cert = get_client_credential(None, password, client_certificate)
             except ValueError as ex:
                 message = '"client_certificate" is not a valid certificate in PEM or PKCS12 format'
                 raise ValueError(message) from ex

sdk/identity/azure-identity/tests/test_obo.py

@@ -279,3 +279,26 @@ def test_client_assertion_func_with_client_certificate():
             user_assertion="assertion",
         )
     assert "It is invalid to specify more than one of the following" in str(ex.value)
+
+
+def test_client_certificate_with_params():
+    """Ensure keyword arguments are passed to get_client_credential when client_certificate is provided"""
+    expected_send_certificate_chain = True
+
+    cert_path = os.path.join(os.path.dirname(__file__), "certificate-with-password.pem")
+    cert_password = "password"
+    with open(cert_path, "rb") as f:
+        cert_bytes = f.read()
+
+    credential = OnBehalfOfCredential(
+        "tenant-id",
+        "client-id",
+        client_certificate=cert_bytes,
+        password=cert_password,
+        send_certificate_chain=expected_send_certificate_chain,
+        user_assertion="assertion",
+    )
+
+    assert "passphrase" in credential._client_credential
+    assert credential._client_credential["passphrase"] == cert_password.encode("utf-8")
+    assert "public_certificate" in credential._client_credential