Azure access token is returned even with an invalid secret when run in a multithreaded environment.
I've got an integration test that checks to see that an invalid client secret won't pass when getting an Azure access token.
When run in isolation the test passes every time, meaning that an invalid client secret does not return an Azure access token.
However, when run with other integration tests (on multiple threads) this function returns an access token even with an obviously invalid client secret.
I don't see any legitimate reason this would be a cached token for the client id even when specifying a totally invalid client secret.
Note, this behavior does not happen when the client id is invalid.
Is there an explanation for this behavior?

    // clientId and clientSecret are fields of the enclosing test class.
    private async Task<string> GetAccessToken(string authority, string resource, string scope)
    {
        var clientCredential = new ClientCredential(clientId, clientSecret);
        // TokenCache.DefaultShared is one cache shared by every context in the process.
        var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
        var result = await context.AcquireTokenAsync(resource, clientCredential);
        Debug.WriteLine("----------------------------------");
        Debug.WriteLine(clientId);
        Debug.WriteLine(clientSecret);
        Debug.WriteLine(result.AccessToken);
        return result.AccessToken;
    }

The debug output is:

    Debug Trace:
    ----------------------------------
    <...client id...>
    invalid secret
    <...valid token...>
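
A model of the behaviour described above, as an added example that is not part of the original post and is not ADAL's code. It assumes what ADAL.NET does with a non-null cache: the lookup is keyed by authority, resource and client id, and the client secret is only checked when the request actually reaches the token endpoint. `CacheModel`, `CallTokenEndpoint`, the URLs and the secret values are constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;

// Simplified model of a process-wide token cache whose key omits the client
// secret, standing in for the TokenCache.DefaultShared used in the question.
static class CacheModel
{
    const string ValidSecret = "constructed-valid-secret"; // constructed sample value

    // Stand-in for the token endpoint: the only place the secret is checked.
    static string CallTokenEndpoint(string clientId, string secret)
    {
        if (secret != ValidSecret)
            throw new UnauthorizedAccessException("invalid_client");
        return "token-for-" + clientId;
    }

    // The cache lookup comes first; the secret takes part only on a cache miss.
    static string AcquireToken(Dictionary<(string, string, string), string> cache,
                               string authority, string resource,
                               string clientId, string secret)
    {
        var key = (authority, resource, clientId);
        if (cache != null && cache.TryGetValue(key, out var cached))
            return cached;
        var token = CallTokenEndpoint(clientId, secret);
        if (cache != null) cache[key] = token;
        return token;
    }

    static void Main()
    {
        var shared = new Dictionary<(string, string, string), string>();
        const string authority = "https://login.example/tenant"; // placeholder
        const string resource = "https://api.example";           // placeholder

        // Another test in the same process authenticates with the valid secret.
        AcquireToken(shared, authority, resource, "app-1", ValidSecret);

        // The negative test now receives that token from the shared cache.
        Console.WriteLine(AcquireToken(shared, authority, resource, "app-1", "invalid secret"));

        // With no cache (or a fresh one per test) the bad secret is rejected.
        try { AcquireToken(null, authority, resource, "app-1", "invalid secret"); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

An invalid client id produces a different cache key, so it always misses the cache and reaches the endpoint, which matches the note in the question. In the real test, passing `null` or a per-test `new TokenCache()` as the second argument of the `AuthenticationContext` constructor keeps the negative test from reading tokens cached by other tests.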