Update Authorization Code client_secret kwarg usage (#34862)

* fix client_secret
- use from get_token method if present
- use from init if not in get_token

* consume client_secret kwarg

* fix lint errors.

* test client secret.

* remove client_secret from get_token
- client_secret should be utilized from within the constructor instead of the method call

* add client_secret to get_token method.

* lint

Author: Darkbat91

sdk/identity/azure-identity/azure/identity/_credentials/authorization_code.py

@@ -86,7 +86,9 @@ def get_token(
           ``response`` attribute.
         """
         # pylint:disable=useless-super-delegation
-        return super(AuthorizationCodeCredential, self).get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
+        return super(AuthorizationCodeCredential, self).get_token(
+            *scopes, claims=claims, tenant_id=tenant_id, client_secret=self._client_secret, **kwargs
+        )
 
     def _acquire_token_silently(self, *scopes: str, **kwargs) -> Optional[AccessToken]:
         return self._client.get_cached_access_token(scopes, **kwargs)

sdk/identity/azure-identity/azure/identity/_internal/aad_client_base.py

@@ -302,6 +302,9 @@ def _get_refresh_token_request(self, scopes: Iterable[str], refresh_token: str,
             "client_id": self._client_id,
             "client_info": 1,  # request Microsoft Entra ID include home_account_id in its response
         }
+        client_secret = kwargs.pop("client_secret", None)
+        if client_secret:
+            data["client_secret"] = client_secret
 
         claims = _merge_claims_challenge_and_capabilities(
             ["CP1"] if kwargs.get("enable_cae") else [], kwargs.get("claims")

sdk/identity/azure-identity/azure/identity/aio/_credentials/authorization_code.py

@@ -92,7 +92,9 @@ async def get_token(
           attribute gives a reason. Any error response from Microsoft Entra ID is available as the error's
           ``response`` attribute.
         """
-        return await super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
+        return await super(AuthorizationCodeCredential, self).get_token(
+            *scopes, claims=claims, tenant_id=tenant_id, client_secret=self._client_secret, **kwargs
+        )
 
     async def _acquire_token_silently(self, *scopes: str, **kwargs: Any) -> Optional[AccessToken]:
         return self._client.get_cached_access_token(scopes, **kwargs)

sdk/identity/azure-identity/tests/test_auth_code.py

@@ -78,6 +78,7 @@ def test_tenant_id():
 
 def test_auth_code_credential():
     client_id = "client id"
+    secret = "fake-client-secret"
     tenant_id = "tenant"
     expected_code = "auth code"
     redirect_uri = "https://localhost"
@@ -92,6 +93,7 @@ def test_auth_code_credential():
                 url_substring=tenant_id,
                 required_data={
                     "client_id": client_id,
+                    "client_secret": secret,
                     "code": expected_code,
                     "grant_type": "authorization_code",
                     "redirect_uri": redirect_uri,
@@ -102,6 +104,7 @@ def test_auth_code_credential():
                 url_substring=tenant_id,
                 required_data={
                     "client_id": client_id,
+                    "client_secret": secret,
                     "grant_type": "refresh_token",
                     "refresh_token": expected_refresh_token,
                     "scope": expected_scope,
@@ -114,6 +117,7 @@ def test_auth_code_credential():
 
     credential = AuthorizationCodeCredential(
         client_id=client_id,
+        client_secret=secret,
         tenant_id=tenant_id,
         authorization_code=expected_code,
         redirect_uri=redirect_uri,

sdk/identity/azure-identity/tests/test_auth_code_async.py

@@ -102,6 +102,7 @@ async def test_tenant_id():
 
 async def test_auth_code_credential():
     client_id = "client id"
+    secret = "fake-client-secret"
     tenant_id = "tenant"
     expected_code = "auth code"
     redirect_uri = "https://localhost"
@@ -116,6 +117,7 @@ async def test_auth_code_credential():
                 url_substring=tenant_id,
                 required_data={
                     "client_id": client_id,
+                    "client_secret": secret,
                     "code": expected_code,
                     "grant_type": "authorization_code",
                     "redirect_uri": redirect_uri,
@@ -126,6 +128,7 @@ async def test_auth_code_credential():
                 url_substring=tenant_id,
                 required_data={
                     "client_id": client_id,
+                    "client_secret": secret,
                     "grant_type": "refresh_token",
                     "refresh_token": expected_refresh_token,
                     "scope": expected_scope,
@@ -138,6 +141,7 @@ async def test_auth_code_credential():
 
     credential = AuthorizationCodeCredential(
         client_id=client_id,
+        client_secret=secret,
         tenant_id=tenant_id,
         authorization_code=expected_code,
         redirect_uri=redirect_uri,