From 6198eb16ee22bdacdd071d5075e81b03c2e8349c Mon Sep 17 00:00:00 2001 
From: RadikHoroshev Date: Wed, 3 Jun 2026 19:57:56 +0300 Subject: [PATCH] [Key Vault] Remove stale no-op insecure_domain_change pop for parity with azure-core #45518 PR #45518 fixed the cross-domain redirect Authorization-header strip in azure-core by persisting the insecure_domain_change flag on request.context instead of the ephemeral request.context.options kwargs dict, and removed the now-obsolete request.context.options.pop("insecure_domain_change", False) line from azure-core's BearerTokenCredentialPolicy. The Key Vault packages carry independent forked copies of the challenge authentication policy that still contained that exact line. Since the flag now lives on request.context and .options is the stale kwargs dict, the pop is a no-op. This removes it (sync + async) across azure-keyvault-keys, -secrets, -certificates, -administration and -securitydomain for parity with the azure-core fix. No functional change. Co-Authored-By: Claude Opus 4.8 (1M context) --- sdk/keyvault/azure-keyvault-administration/CHANGELOG.md | 2 ++ .../administration/_internal/async_challenge_auth_policy.py | 4 ---- .../administration/_internal/challenge_auth_policy.py | 4 ---- sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md | 2 ++ .../certificates/_shared/async_challenge_auth_policy.py | 4 ---- .../keyvault/certificates/_shared/challenge_auth_policy.py | 4 ---- sdk/keyvault/azure-keyvault-keys/CHANGELOG.md | 2 ++ .../keyvault/keys/_shared/async_challenge_auth_policy.py | 4 ---- .../azure/keyvault/keys/_shared/challenge_auth_policy.py | 4 ---- .../keyvault/secrets/_shared/async_challenge_auth_policy.py | 4 ---- .../azure/keyvault/secrets/_shared/challenge_auth_policy.py | 4 ---- sdk/keyvault/azure-keyvault-securitydomain/CHANGELOG.md | 2 ++ .../securitydomain/_internal/async_challenge_auth_policy.py | 4 ---- .../securitydomain/_internal/challenge_auth_policy.py | 4 ---- 14 files changed, 8 insertions(+), 40 deletions(-) 
diff --git a/sdk/keyvault/azure-keyvault-administration/CHANGELOG.md b/sdk/keyvault/azure-keyvault-administration/CHANGELOG.md
index a9614600c1a8..26e6a8b873df 100644
--- a/sdk/keyvault/azure-keyvault-administration/CHANGELOG.md
+++ b/sdk/keyvault/azure-keyvault-administration/CHANGELOG.md
@@ -10,6 +10,8 @@ ### Other Changes
+- Removed a stale, no-op line from the internal challenge authentication policy for parity with the `azure-core` fix in [#45518](https://github.com/Azure/azure-sdk-for-python/pull/45518). This is an internal cleanup with no functional impact.
+
 ## 4.8.0b1 (2026-05-29)
 ### Features Added
diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py
index 3e3ac1855178..e3ffb3d15fa6 100644
--- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py
+++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py
@@ -135,10 +135,6 @@ async def handle_challenge_flow(
 request_authorized = await self.on_challenge(request, response)
 if request_authorized:
- # if we receive a challenge response, we retrieve a new token
- # which matches the new target. In this case, we don't want to remove
- # token from the request so clear the 'insecure_domain_change' tag
- request.context.options.pop("insecure_domain_change", False)
 try:
 response = await self.next.send(request)
 except Exception: # pylint:disable=broad-except
diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_internal/challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_internal/challenge_auth_policy.py
index eb4073d0e699..cf84e2a0447c 100644
--- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_internal/challenge_auth_policy.py
+++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_internal/challenge_auth_policy.py
@@ -148,10 +148,6 @@ def handle_challenge_flow(
 request_authorized = self.on_challenge(request, response)
 if request_authorized:
- # if we receive a challenge response, we retrieve a new token
- # which matches the new target. In this case, we don't want to remove
- # token from the request so clear the 'insecure_domain_change' tag
- request.context.options.pop("insecure_domain_change", False)
 try:
 response = self.next.send(request)
 except Exception: # pylint:disable=broad-except
diff --git a/sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md b/sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md
index 4c4842e0816c..cef1add5e125 100644
--- a/sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md
+++ b/sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md
@@ -10,6 +10,8 @@ ### Other Changes
+- Removed a stale, no-op line from the internal challenge authentication policy for parity with the `azure-core` fix in [#45518](https://github.com/Azure/azure-sdk-for-python/pull/45518). This is an internal cleanup with no functional impact.
+
 ## 4.11.1 (2026-04-29)
 ### Bugs Fixed
diff --git a/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_shared/async_challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_shared/async_challenge_auth_policy.py
index 0f84607e3ccd..d25bae371127 100644
--- a/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_shared/async_challenge_auth_policy.py
+++ b/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_shared/async_challenge_auth_policy.py
@@ -138,10 +138,6 @@ async def handle_challenge_flow(
 request_authorized = await self.on_challenge(request, response)
 if request_authorized:
- # if we receive a challenge response, we retrieve a new token
- # which matches the new target. In this case, we don't want to remove
- # token from the request so clear the 'insecure_domain_change' tag
- request.context.options.pop("insecure_domain_change", False)
 try:
 response = await self.next.send(request)
 except Exception: # pylint:disable=broad-except
diff --git a/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_shared/challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_shared/challenge_auth_policy.py
index eb4073d0e699..cf84e2a0447c 100644
--- a/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_shared/challenge_auth_policy.py
+++ b/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_shared/challenge_auth_policy.py
@@ -148,10 +148,6 @@ def handle_challenge_flow(
 request_authorized = self.on_challenge(request, response)
 if request_authorized:
- # if we receive a challenge response, we retrieve a new token
- # which matches the new target. In this case, we don't want to remove
- # token from the request so clear the 'insecure_domain_change' tag
- request.context.options.pop("insecure_domain_change", False)
 try:
 response = self.next.send(request)
 except Exception: # pylint:disable=broad-except
diff --git a/sdk/keyvault/azure-keyvault-keys/CHANGELOG.md b/sdk/keyvault/azure-keyvault-keys/CHANGELOG.md
index 513e58f6659b..445d57d4da5a 100644
--- a/sdk/keyvault/azure-keyvault-keys/CHANGELOG.md
+++ b/sdk/keyvault/azure-keyvault-keys/CHANGELOG.md
@@ -10,6 +10,8 @@ ### Other Changes
+- Removed a stale, no-op line from the internal challenge authentication policy for parity with the `azure-core` fix in [#45518](https://github.com/Azure/azure-sdk-for-python/pull/45518). This is an internal cleanup with no functional impact.
+
 ## 4.12.0b2 (2026-05-29)
 ### Features Added
diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/async_challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/async_challenge_auth_policy.py
index 3e3ac1855178..e3ffb3d15fa6 100644
--- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/async_challenge_auth_policy.py
+++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/async_challenge_auth_policy.py
@@ -135,10 +135,6 @@ async def handle_challenge_flow(
 request_authorized = await self.on_challenge(request, response)
 if request_authorized:
- # if we receive a challenge response, we retrieve a new token
- # which matches the new target. In this case, we don't want to remove
- # token from the request so clear the 'insecure_domain_change' tag
- request.context.options.pop("insecure_domain_change", False)
 try:
 response = await self.next.send(request)
 except Exception: # pylint:disable=broad-except
diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/challenge_auth_policy.py
index eb4073d0e699..cf84e2a0447c 100644
--- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/challenge_auth_policy.py
+++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/challenge_auth_policy.py
@@ -148,10 +148,6 @@ def handle_challenge_flow(
 request_authorized = self.on_challenge(request, response)
 if request_authorized:
- # if we receive a challenge response, we retrieve a new token
- # which matches the new target. In this case, we don't want to remove
- # token from the request so clear the 'insecure_domain_change' tag
- request.context.options.pop("insecure_domain_change", False)
 try:
 response = self.next.send(request)
 except Exception: # pylint:disable=broad-except
diff --git a/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_shared/async_challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_shared/async_challenge_auth_policy.py
index 0f84607e3ccd..d25bae371127 100644
--- a/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_shared/async_challenge_auth_policy.py
+++ b/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_shared/async_challenge_auth_policy.py
@@ -138,10 +138,6 @@ async def handle_challenge_flow(
 request_authorized = await self.on_challenge(request, response)
 if request_authorized:
- # if we receive a challenge response, we retrieve a new token
- # which matches the new target. In this case, we don't want to remove
- # token from the request so clear the 'insecure_domain_change' tag
- request.context.options.pop("insecure_domain_change", False)
 try:
 response = await self.next.send(request)
 except Exception: # pylint:disable=broad-except
diff --git a/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_shared/challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_shared/challenge_auth_policy.py
index eb4073d0e699..cf84e2a0447c 100644
--- a/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_shared/challenge_auth_policy.py
+++ b/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_shared/challenge_auth_policy.py
@@ -148,10 +148,6 @@ def handle_challenge_flow(
 request_authorized = self.on_challenge(request, response)
 if request_authorized:
- # if we receive a challenge response, we retrieve a new token
- # which matches the new target. In this case, we don't want to remove
- # token from the request so clear the 'insecure_domain_change' tag
- request.context.options.pop("insecure_domain_change", False)
 try:
 response = self.next.send(request)
 except Exception: # pylint:disable=broad-except
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/CHANGELOG.md b/sdk/keyvault/azure-keyvault-securitydomain/CHANGELOG.md
index 02f716920d76..0dfd97c8a56b 100644
--- a/sdk/keyvault/azure-keyvault-securitydomain/CHANGELOG.md
+++ b/sdk/keyvault/azure-keyvault-securitydomain/CHANGELOG.md
@@ -14,6 +14,8 @@ ### Other Changes
+- Removed a stale, no-op line from the internal challenge authentication policy for parity with the `azure-core` fix in [#45518](https://github.com/Azure/azure-sdk-for-python/pull/45518). This is an internal cleanup with no functional impact.
+
 - Key Vault API version `2025-07-01` is now the default
 ## 1.0.0b1 (2025-05-07)
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/async_challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/async_challenge_auth_policy.py
index 3e3ac1855178..e3ffb3d15fa6 100644
--- a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/async_challenge_auth_policy.py
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/async_challenge_auth_policy.py
@@ -135,10 +135,6 @@ async def handle_challenge_flow(
 request_authorized = await self.on_challenge(request, response)
 if request_authorized:
- # if we receive a challenge response, we retrieve a new token
- # which matches the new target. In this case, we don't want to remove
- # token from the request so clear the 'insecure_domain_change' tag
- request.context.options.pop("insecure_domain_change", False)
 try:
 response = await self.next.send(request)
 except Exception: # pylint:disable=broad-except
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/challenge_auth_policy.py
index eb4073d0e699..cf84e2a0447c 100644
--- a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/challenge_auth_policy.py
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/challenge_auth_policy.py
@@ -148,10 +148,6 @@ def handle_challenge_flow(
 request_authorized = self.on_challenge(request, response)
 if request_authorized:
- # if we receive a challenge response, we retrieve a new token
- # which matches the new target. In this case, we don't want to remove
- # token from the request so clear the 'insecure_domain_change' tag
- request.context.options.pop("insecure_domain_change", False)
 try:
 response = self.next.send(request)
 except Exception: # pylint:disable=broad-except