MSAL.NET pattern: hardcode LAB_APP_CLIENT_ID in source, remove from YAML

Client ID for RequestMSIDLAB app is not a secret — hardcode it directly
in tests/lab_config.py as LAB_APP_CLIENT_ID, matching MSAL.NET's approach
(see build/template-install-keyvault-secrets.yaml in that repo).

- lab_config.py: add LAB_APP_CLIENT_ID constant, export it, use it in
  _get_credential() instead of reading from env var
- test_e2e.py: import LAB_APP_CLIENT_ID from lab_config, replace all
  os.getenv/clean_env calls, guard on cert path only
- template-pipeline-stages.yml: remove variables block and env entry
  for LAB_APP_CLIENT_ID — only cert path comes from pipeline

Author: RyAuld

.Pipelines/template-pipeline-stages.yml

@@ -122,11 +122,6 @@ stages:
       eq(dependencies.PreBuildCheck.result, 'Succeeded'),
       in(dependencies.Validate.result, 'Succeeded', 'Skipped')
     )
-  variables:
-    # RequestMSIDLAB — the MSID Lab confidential client app used for Key Vault
-    # access and as a test subject. Matches usage in MSAL.js and MSAL Java pipelines.
-    # See https://docs.msidlab.com/accounts/confidentialclient.html
-    LAB_APP_CLIENT_ID: 'f62c5ae3-bf3a-4af5-afa8-a68b800396e9'
   jobs:
   - job: Test
     displayName: 'Run unit tests'
@@ -185,7 +180,6 @@ stages:
         pytest -vv --junitxml=test-results/junit.xml 2>&1 | tee test-results/pytest.log
       displayName: 'Run tests'
       env:
-        LAB_APP_CLIENT_ID: $(LAB_APP_CLIENT_ID)
         LAB_APP_CLIENT_CERT_PFX_PATH: $(LAB_APP_CLIENT_CERT_PFX_PATH)
 
     - task: PublishTestResults@2

tests/lab_config.py

@@ -20,7 +20,6 @@
     app = get_app_config(AppSecrets.PCA_CLIENT)
 
 Environment Variables:
-    LAB_APP_CLIENT_ID: Client ID for Key Vault authentication (required)
     LAB_APP_CLIENT_CERT_PFX_PATH: Path to .pfx certificate file (required)
 """
 
@@ -43,6 +42,7 @@
     "UserConfig",
     "AppConfig",
     # Functions
+    "LAB_APP_CLIENT_ID",
     "get_secret",
     "get_user_config",
     "get_app_config",
@@ -57,6 +57,12 @@
 _MSID_LAB_VAULT = "https://msidlabs.vault.azure.net"
 _MSAL_TEAM_VAULT = "https://id4skeyvault.vault.azure.net"
 
+# Client ID for the RequestMSIDLAB app used to authenticate against the lab
+# Key Vaults. Hardcoded here following the same pattern as MSAL.NET
+# (see build/template-install-keyvault-secrets.yaml in that repo).
+# See https://docs.msidlab.com/accounts/confidentialclient.html
+LAB_APP_CLIENT_ID = "f62c5ae3-bf3a-4af5-afa8-a68b800396e9"
+
 # =============================================================================
 # Secret Name Constants
 # =============================================================================
@@ -192,19 +198,14 @@ def _get_credential():
     Raises:
         EnvironmentError: If required environment variables are not set.
     """
-    client_id = _clean_env("LAB_APP_CLIENT_ID")
     cert_path = _clean_env("LAB_APP_CLIENT_CERT_PFX_PATH")
     tenant_id = "72f988bf-86f1-41af-91ab-2d7cd011db47"  # Microsoft tenant
-    
-    if not client_id:
-        raise EnvironmentError(
-            "LAB_APP_CLIENT_ID environment variable is required for Key Vault access")
-    
+
     if cert_path:
         logger.debug("Using certificate credential for Key Vault access")
         return CertificateCredential(
             tenant_id=tenant_id,
-            client_id=client_id,
+            client_id=LAB_APP_CLIENT_ID,
             certificate_path=cert_path,
             send_certificate_chain=True,
         )

tests/test_e2e.py

@@ -1,5 +1,4 @@
 """If the following ENV VAR were available, many end-to-end test cases would run.
-LAB_APP_CLIENT_ID=...
 LAB_APP_CLIENT_CERT_PFX_PATH=...
 """
 try:
@@ -29,7 +28,7 @@
 from tests.broker_util import is_pymsalruntime_installed
 from tests.lab_config import (
     get_user_config, get_app_config, get_user_password, get_secret,
-    UserSecrets, AppSecrets,
+    UserSecrets, AppSecrets, LAB_APP_CLIENT_ID,
 )
 
 
@@ -348,14 +347,13 @@ def test_access_token_should_be_obtained_for_a_supported_scope(self):
 class PublicCloudScenariosTestCase(E2eTestCase):
     # Historically this class was driven by tests/config.json for semi-automated runs.
     # It now uses lab config + env vars so it can run automatically on any CI
-    # (including Azure DevOps) as long as LAB_APP_CLIENT_ID and
-    # LAB_APP_CLIENT_CERT_PFX_PATH are set.
+    # (including Azure DevOps) as long as LAB_APP_CLIENT_CERT_PFX_PATH is set.
 
     @classmethod
     def setUpClass(cls):
-        if not _clean_env("LAB_APP_CLIENT_ID"):
+        if not _clean_env("LAB_APP_CLIENT_CERT_PFX_PATH"):
             raise unittest.SkipTest(
-                "LAB_APP_CLIENT_ID not set; skipping PublicCloud e2e tests")
+                "LAB_APP_CLIENT_CERT_PFX_PATH not set; skipping PublicCloud e2e tests")
         pca_app = get_app_config(AppSecrets.PCA_CLIENT)
         user = get_user_config(UserSecrets.PUBLIC_CLOUD)
         cls.config = {
@@ -436,13 +434,11 @@ def test_client_secret(self):
 
     def test_subject_name_issuer_authentication(self):
         from tests.lab_config import get_client_certificate
-
-        client_id = os.getenv("LAB_APP_CLIENT_ID")
-        if not client_id:
-            self.skipTest("LAB_APP_CLIENT_ID environment variable is required")
+        if not _clean_env("LAB_APP_CLIENT_CERT_PFX_PATH"):
+            self.skipTest("LAB_APP_CLIENT_CERT_PFX_PATH not set")
 
         self.app = msal.ConfidentialClientApplication(
-            client_id,
+            LAB_APP_CLIENT_ID,
             authority="https://login.microsoftonline.com/microsoft.onmicrosoft.com",
             client_credential=get_client_certificate(),
             http_client=MinimalHttpClient())
@@ -467,23 +463,22 @@ def manual_test_device_flow(self):
 
 
 def get_lab_app(
-        env_client_id="LAB_APP_CLIENT_ID",
         env_client_cert_path="LAB_APP_CLIENT_CERT_PFX_PATH",
         authority="https://login.microsoftonline.com/"
             "72f988bf-86f1-41af-91ab-2d7cd011db47",  # Microsoft tenant ID
         timeout=None,
         **kwargs):
     """Returns the lab app as an MSAL confidential client.
 
-    Get it from environment variables if defined, otherwise fall back to use MSI.
+    Uses the hardcoded lab app client ID (RequestMSIDLAB) and a certificate
+    from the LAB_APP_CLIENT_CERT_PFX_PATH env var.
     """
     logger.info(
-        "Reading ENV variables %s and %s for lab app defined at "
+        "Reading ENV variable %s for lab app defined at "
         "https://docs.msidlab.com/accounts/confidentialclient.html",
-        env_client_id, env_client_cert_path)
-    client_id = _clean_env(env_client_id)
+        env_client_cert_path)
     cert_path = _clean_env(env_client_cert_path)
-    if client_id and cert_path:
+    if cert_path:
         # id came from https://docs.msidlab.com/accounts/confidentialclient.html
         client_credential = {
             "private_key_pfx_path":
@@ -496,7 +491,7 @@ def get_lab_app(
         # See also https://microsoft.sharepoint-df.com/teams/MSIDLABSExtended/SitePages/Programmatically-accessing-LAB-API's.aspx
         raise unittest.SkipTest("MSI-based mechanism has not been implemented yet")
     return msal.ConfidentialClientApplication(
-            client_id,
+            LAB_APP_CLIENT_ID,
             client_credential=client_credential,
             authority=authority,
             http_client=MinimalHttpClient(timeout=timeout),
@@ -1183,15 +1178,13 @@ def _test_acquire_token_for_client(self, configured_region, expected_region):
         import os
         from tests.lab_config import get_client_certificate
 
-        # Get client ID from environment and certificate from lab_config
-        client_id = os.getenv("LAB_APP_CLIENT_ID")
-        if not client_id:
-            self.skipTest("LAB_APP_CLIENT_ID environment variable is required")
-        
+        # Get client ID from lab_config constant and certificate from lab_config
+        if not _clean_env("LAB_APP_CLIENT_CERT_PFX_PATH"):
+            self.skipTest("LAB_APP_CLIENT_CERT_PFX_PATH is required")
         client_credential = get_client_certificate()
 
         self.app = msal.ConfidentialClientApplication(
-            client_id,
+            LAB_APP_CLIENT_ID,
             client_credential=client_credential,
             authority="https://login.microsoftonline.com/microsoft.onmicrosoft.com",
             azure_region=configured_region,