Refactor: Use authority._is_b2c and extract test constants

Copilot · bgavrilMS · Copilot · commit ba84c3cdfb63 · 2026-02-10T13:09:41.000Z
Co-authored-by: bgavrilMS &lt;12273384+bgavrilMS@users.noreply.github.com&gt;
diff --git a/msal/application.py b/msal/application.py
@@ -858,12 +858,9 @@ def _build_client(self, client_credential, authority, skip_regional_client=False
                 if sha256_thumbprint and sha1_thumbprint:
                     # Both thumbprints provided - choose based on authority type
                     # Use SHA256 for AAD (including B2C, CIAM), SHA1 for ADFS and generic
-                    from .authority import WELL_KNOWN_AUTHORITY_HOSTS, WELL_KNOWN_B2C_HOSTS, _CIAM_DOMAIN_SUFFIX
+                    from .authority import WELL_KNOWN_AUTHORITY_HOSTS
                     is_known_aad = authority.instance in WELL_KNOWN_AUTHORITY_HOSTS
-                    is_b2c_or_ciam = (
-                        authority.instance.endswith(_CIAM_DOMAIN_SUFFIX) or
-                        any(authority.instance.endswith("." + d) for d in WELL_KNOWN_B2C_HOSTS)
-                    )
+                    is_b2c_or_ciam = getattr(authority, '_is_b2c', False)
                     # Use SHA256 for known AAD, B2C, or CIAM; SHA1 for ADFS and generic
                     use_sha256 = (is_known_aad or is_b2c_or_ciam) and not authority.is_adfs
                 elif sha256_thumbprint:
diff --git a/tests/test_optional_thumbprint.py b/tests/test_optional_thumbprint.py
@@ -21,6 +21,11 @@ class TestClientCredentialWithOptionalThumbprint(unittest.TestCase):
 BAMMC0V4YW1wbGUgQ0EwHhcNMjQwMTAxMDAwMDAwWhcNMjUwMTAxMDAwMDAwWjAW
 -----END CERTIFICATE-----"""
 
+    # Test thumbprint values
+    test_sha1_thumbprint = "A1B2C3D4E5F6"
+    test_sha256_thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
+
+
     def _setup_mocks(self, mock_authority_class, authority="https://login.microsoftonline.com/common"):
         """Helper to setup Authority mock"""
         # Setup Authority mock
@@ -119,12 +124,11 @@ def test_pem_with_manual_thumbprint_uses_sha1(
         self._setup_mocks(mock_authority_class, authority)
 
         # Create app with manual thumbprint (legacy approach)
-        manual_thumbprint = "A1B2C3D4E5F6"
         app = ConfidentialClientApplication(
             client_id="my_client_id",
             client_credential={
                 "private_key": self.test_private_key,
-                "thumbprint": manual_thumbprint,
+                "thumbprint": self.test_sha1_thumbprint,
                 # Note: NO public_certificate provided
             },
             authority=authority
@@ -135,7 +139,7 @@ def test_pem_with_manual_thumbprint_uses_sha1(
             mock_jwt_creator_class,
             expected_algorithm='RS256',
             expected_thumbprint_type='sha1',
-            expected_thumbprint_value=manual_thumbprint
+            expected_thumbprint_value=self.test_sha1_thumbprint
         )
 
     def test_pem_with_both_uses_manual_thumbprint_as_sha1(
@@ -145,12 +149,11 @@ def test_pem_with_both_uses_manual_thumbprint_as_sha1(
         self._setup_mocks(mock_authority_class, authority)
 
         # Create app with BOTH thumbprint and certificate
-        manual_thumbprint = "A1B2C3D4E5F6"
         app = ConfidentialClientApplication(
             client_id="my_client_id",
             client_credential={
                 "private_key": self.test_private_key,
-                "thumbprint": manual_thumbprint,
+                "thumbprint": self.test_sha1_thumbprint,
                 "public_certificate": self.test_certificate,
             },
             authority=authority
@@ -161,7 +164,7 @@ def test_pem_with_both_uses_manual_thumbprint_as_sha1(
             mock_jwt_creator_class,
             expected_algorithm='RS256',
             expected_thumbprint_type='sha1',
-            expected_thumbprint_value=manual_thumbprint,
+            expected_thumbprint_value=self.test_sha1_thumbprint,
             has_x5c=True  # x5c should still be present
         )
 
@@ -217,12 +220,11 @@ def test_pem_with_thumbprint_sha256_only_uses_sha256(
         self._setup_mocks(mock_authority_class, authority)
 
         # Create app with only SHA256 thumbprint
-        sha256_thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
         app = ConfidentialClientApplication(
             client_id="my_client_id",
             client_credential={
                 "private_key": self.test_private_key,
-                "thumbprint_sha256": sha256_thumbprint,
+                "thumbprint_sha256": self.test_sha256_thumbprint,
             },
             authority=authority
         )
@@ -241,14 +243,12 @@ def test_pem_with_both_thumbprints_aad_uses_sha256(
         self._setup_mocks(mock_authority_class, authority)
 
         # Create app with BOTH thumbprints for AAD
-        sha1_thumbprint = "A1B2C3D4E5F6"
-        sha256_thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
         app = ConfidentialClientApplication(
             client_id="my_client_id",
             client_credential={
                 "private_key": self.test_private_key,
-                "thumbprint": sha1_thumbprint,
-                "thumbprint_sha256": sha256_thumbprint,
+                "thumbprint": self.test_sha1_thumbprint,
+                "thumbprint_sha256": self.test_sha256_thumbprint,
             },
             authority=authority
         )
@@ -267,14 +267,12 @@ def test_pem_with_both_thumbprints_adfs_uses_sha1(
         self._setup_mocks(mock_authority_class, authority)
 
         # Create app with BOTH thumbprints for ADFS
-        sha1_thumbprint = "A1B2C3D4E5F6"
-        sha256_thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
         app = ConfidentialClientApplication(
             client_id="my_client_id",
             client_credential={
                 "private_key": self.test_private_key,
-                "thumbprint": sha1_thumbprint,
-                "thumbprint_sha256": sha256_thumbprint,
+                "thumbprint": self.test_sha1_thumbprint,
+                "thumbprint_sha256": self.test_sha256_thumbprint,
             },
             authority=authority
         )
@@ -284,7 +282,7 @@ def test_pem_with_both_thumbprints_adfs_uses_sha1(
             mock_jwt_creator_class,
             expected_algorithm='RS256',
             expected_thumbprint_type='sha1',
-            expected_thumbprint_value=sha1_thumbprint
+            expected_thumbprint_value=self.test_sha1_thumbprint
         )
 
     def test_pem_with_both_thumbprints_b2c_uses_sha256(
@@ -297,14 +295,12 @@ def test_pem_with_both_thumbprints_b2c_uses_sha256(
         mock_authority._is_b2c = True
 
         # Create app with BOTH thumbprints for B2C
-        sha1_thumbprint = "A1B2C3D4E5F6"
-        sha256_thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
         app = ConfidentialClientApplication(
             client_id="my_client_id",
             client_credential={
                 "private_key": self.test_private_key,
-                "thumbprint": sha1_thumbprint,
-                "thumbprint_sha256": sha256_thumbprint,
+                "thumbprint": self.test_sha1_thumbprint,
+                "thumbprint_sha256": self.test_sha256_thumbprint,
             },
             authority=authority
         )
@@ -323,14 +319,12 @@ def test_pem_with_both_thumbprints_ciam_uses_sha256(
         mock_authority = self._setup_mocks(mock_authority_class, authority)
 
         # Create app with BOTH thumbprints for CIAM
-        sha1_thumbprint = "A1B2C3D4E5F6"
-        sha256_thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
         app = ConfidentialClientApplication(
             client_id="my_client_id",
             client_credential={
                 "private_key": self.test_private_key,
-                "thumbprint": sha1_thumbprint,
-                "thumbprint_sha256": sha256_thumbprint,
+                "thumbprint": self.test_sha1_thumbprint,
+                "thumbprint_sha256": self.test_sha256_thumbprint,
             },
             authority=authority
         )
@@ -353,14 +347,12 @@ def test_pem_with_both_thumbprints_generic_uses_sha1(
         mock_authority._is_b2c = False
 
         # Create app with BOTH thumbprints for generic authority
-        sha1_thumbprint = "A1B2C3D4E5F6"
-        sha256_thumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
         app = ConfidentialClientApplication(
             client_id="my_client_id",
             client_credential={
                 "private_key": self.test_private_key,
-                "thumbprint": sha1_thumbprint,
-                "thumbprint_sha256": sha256_thumbprint,
+                "thumbprint": self.test_sha1_thumbprint,
+                "thumbprint_sha256": self.test_sha256_thumbprint,
             },
             authority=authority
         )
@@ -370,7 +362,7 @@ def test_pem_with_both_thumbprints_generic_uses_sha1(
             mock_jwt_creator_class,
             expected_algorithm='RS256',
             expected_thumbprint_type='sha1',
-            expected_thumbprint_value=sha1_thumbprint
+            expected_thumbprint_value=self.test_sha1_thumbprint
         )
 
 
