Pop client_secret to protect pipeline (#36947)

xiangyan99 · web-flow · commit 8a6980ca8858 · 2024-08-20T07:41:08.000-07:00
diff --git a/sdk/identity/azure-identity/azure/identity/_internal/aad_client.py b/sdk/identity/azure-identity/azure/identity/_internal/aad_client.py
@@ -68,6 +68,7 @@ def _run_pipeline(self, request: HttpRequest, **kwargs: Any) -> AccessToken:
         # tenant_id is already part of `request` at this point
         kwargs.pop("tenant_id", None)
         kwargs.pop("claims", None)
+        kwargs.pop("client_secret", None)
         enable_cae = kwargs.pop("enable_cae", False)
         now = int(time.time())
         response = self._pipeline.run(request, retry_on_methods=self._POST, **kwargs)
diff --git a/sdk/identity/azure-identity/azure/identity/aio/_internal/aad_client.py b/sdk/identity/azure-identity/azure/identity/aio/_internal/aad_client.py
@@ -88,6 +88,7 @@ async def _run_pipeline(self, request: HttpRequest, **kwargs) -> AccessToken:
         # tenant_id is already part of `request` at this point
         kwargs.pop("tenant_id", None)
         kwargs.pop("claims", None)
+        kwargs.pop("client_secret", None)
         enable_cae = kwargs.pop("enable_cae", False)
         now = int(time.time())
         response = await self._pipeline.run(request, retry_on_methods=self._POST, **kwargs)
diff --git a/sdk/identity/azure-identity/tests/test_aad_client.py b/sdk/identity/azure-identity/tests/test_aad_client.py
@@ -107,6 +107,9 @@ def send(request, **_):
     client.obtain_token_by_authorization_code("scope", "code", "uri")
     client.obtain_token_by_refresh_token("scope", "refresh token")
 
+    # obtain_token_by_refresh_token is client_secret safe
+    client.obtain_token_by_refresh_token("scope", "refresh token", client_secret="secret")
+
     # authority can be configured via environment variable
     with patch.dict("os.environ", {EnvironmentVariables.AZURE_AUTHORITY_HOST: authority}, clear=True):
         client = AadClient(tenant_id=tenant_id, client_id="client id", transport=Mock(send=send))
diff --git a/sdk/identity/azure-identity/tests/test_aad_client_async.py b/sdk/identity/azure-identity/tests/test_aad_client_async.py
@@ -179,6 +179,9 @@ async def send(request, **_):
     await client.obtain_token_by_authorization_code("scope", "code", "uri")
     await client.obtain_token_by_refresh_token("scope", "refresh token")
 
+    # obtain_token_by_refresh_token is client_secret safe
+    client.obtain_token_by_refresh_token("scope", "refresh token", client_secret="secret")
+
     # authority can be configured via environment variable
     with patch.dict("os.environ", {EnvironmentVariables.AZURE_AUTHORITY_HOST: authority}, clear=True):
         client = AadClient(tenant_id=tenant_id, client_id="client id", transport=Mock(send=send))
