diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/on_behalf_of.py b/sdk/identity/azure-identity/azure/identity/_credentials/on_behalf_of.py index c2010ad01ff4..28d368413d3b 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/on_behalf_of.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/on_behalf_of.py @@ -28,7 +28,7 @@ class OnBehalfOfCredential(MsalCredential, GetTokenMixin): description of the on-behalf-of flow. :param str tenant_id: ID of the service principal's tenant. Also called its "directory" ID. - :param str client_id: The service principal's client ID + :param str client_id: The service principal's client ID. :keyword str client_secret: Optional. A client secret to authenticate the service principal. One of **client_secret**, **client_certificate**, or **client_assertion_func** must be provided. :keyword bytes client_certificate: Optional. The bytes of a certificate in PEM or PKCS12 format including @@ -39,7 +39,7 @@ class OnBehalfOfCredential(MsalCredential, GetTokenMixin): return a valid assertion for the target resource. :paramtype client_assertion_func: Callable[[], str] :keyword str user_assertion: Required. The access token the credential will use as the user assertion when - requesting on-behalf-of tokens + requesting on-behalf-of tokens. :keyword str authority: Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). :class:`~azure.identity.AzureAuthorityHosts` @@ -87,7 +87,8 @@ def __init__( if client_assertion_func: if client_certificate or client_secret: raise ValueError( - 'Specifying both "client_assertion_func" and "client_certificate" or "client_secret" is not valid.' + "It is invalid to specify more than one of the following: " + '"client_assertion_func", "client_certificate" or "client_secret".' ) credential: Union[str, Dict[str, Any]] = { "client_assertion": client_assertion_func, diff --git a/sdk/identity/azure-identity/azure/identity/aio/_credentials/on_behalf_of.py b/sdk/identity/azure-identity/azure/identity/aio/_credentials/on_behalf_of.py index 2f111a5d9bff..55dd007458db 100644 --- a/sdk/identity/azure-identity/azure/identity/aio/_credentials/on_behalf_of.py +++ b/sdk/identity/azure-identity/azure/identity/aio/_credentials/on_behalf_of.py @@ -25,7 +25,7 @@ class OnBehalfOfCredential(AsyncContextManager, GetTokenMixin): description of the on-behalf-of flow. :param str tenant_id: ID of the service principal's tenant. Also called its "directory" ID. - :param str client_id: The service principal's client ID + :param str client_id: The service principal's client ID. :keyword str client_secret: Optional. A client secret to authenticate the service principal. One of **client_secret**, **client_certificate**, or **client_assertion_func** must be provided. :keyword bytes client_certificate: Optional. The bytes of a certificate in PEM or PKCS12 format including @@ -36,7 +36,7 @@ class OnBehalfOfCredential(AsyncContextManager, GetTokenMixin): return a valid assertion for the target resource. :paramtype client_assertion_func: Callable[[], str] :keyword str user_assertion: Required. The access token the credential will use as the user assertion when - requesting on-behalf-of tokens + requesting on-behalf-of tokens. :keyword str authority: Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). :class:`~azure.identity.AzureAuthorityHosts` @@ -80,7 +80,8 @@ def __init__( if client_assertion_func: if client_certificate or client_secret: raise ValueError( - 'Specifying both "client_assertion_func" and "client_certificate" or "client_secret" is not valid.' + "It is invalid to specify more than one of the following: " + '"client_assertion_func", "client_certificate" or "client_secret".' ) self._client_credential: Union[str, AadClientCertificate, Dict[str, Any]] = { "client_assertion": client_assertion_func, diff --git a/sdk/identity/azure-identity/tests/test_obo.py b/sdk/identity/azure-identity/tests/test_obo.py index 1b42cdad814c..ea369310877b 100644 --- a/sdk/identity/azure-identity/tests/test_obo.py +++ b/sdk/identity/azure-identity/tests/test_obo.py @@ -266,3 +266,16 @@ def send(request, **kwargs): access_token = credential.get_token("scope") assert access_token.token == expected_token assert func_call_count == 1 + + +def test_client_assertion_func_with_client_certificate(): + """The credential should raise ValueError when ctoring with both client_assertion_func and client_certificate""" + with pytest.raises(ValueError) as ex: + credential = OnBehalfOfCredential( + "tenant-id", + "client-id", + client_assertion_func=lambda: "client-assertion", + client_certificate=b"certificate", + user_assertion="assertion", + ) + assert "It is invalid to specify more than one of the following" in str(ex.value) diff --git a/sdk/identity/azure-identity/tests/test_obo_async.py b/sdk/identity/azure-identity/tests/test_obo_async.py index 84956c2fb427..f9d80323e84f 100644 --- a/sdk/identity/azure-identity/tests/test_obo_async.py +++ b/sdk/identity/azure-identity/tests/test_obo_async.py @@ -343,3 +343,17 @@ async def send(request, **kwargs): token = await credential.get_token("scope") assert token.token == expected_token assert func_call_count == 1 + + +@pytest.mark.asyncio +async def test_client_assertion_func_with_client_certificate(): + """The credential should raise when given both client_assertion_func and client_certificate""" + with pytest.raises(ValueError) as ex: + OnBehalfOfCredential( + "tenant-id", + "client-id", + client_assertion_func=lambda: "client-assertion", + client_certificate=b"cert", + user_assertion="assertion", + ) + assert "It is invalid to specify more than one of the following" in str(ex.value)