DAC CredentialUnavailableException attempts to parse the message content (Azure#21827)

Author: christothes

sdk/identity/Azure.Identity/src/ImdsManagedIdentitySource.cs

@@ -111,6 +111,11 @@ protected override async ValueTask<AccessToken> HandleResponseAsync(bool async,
                     .CreateRequestFailedMessageAsync(response, IdentityUnavailableError, null, null, async)
                     .ConfigureAwait(false);
 
+                var errorContentMessage = await GetMessageFromResponse(response, async, cancellationToken).ConfigureAwait(false);
+                if (errorContentMessage != null)
+                {
+                    message = message + Environment.NewLine + errorContentMessage;
+                }
                 Interlocked.CompareExchange(ref _identityUnavailableErrorMessage, message, null);
                 throw new CredentialUnavailableException(message);
             }

sdk/identity/Azure.Identity/src/ManagedIdentitySource.cs

@@ -42,22 +42,49 @@ public virtual async ValueTask<AccessToken> AuthenticateAsync(bool async, TokenR
 
         protected virtual async ValueTask<AccessToken> HandleResponseAsync(bool async, TokenRequestContext context, Response response, CancellationToken cancellationToken)
         {
+            using JsonDocument json = async
+                ? await JsonDocument.ParseAsync(response.ContentStream, default, cancellationToken).ConfigureAwait(false)
+                : JsonDocument.Parse(response.ContentStream);
             if (response.Status == 200)
             {
-                using JsonDocument json = async
-                    ? await JsonDocument.ParseAsync(response.ContentStream, default, cancellationToken).ConfigureAwait(false)
-                    : JsonDocument.Parse(response.ContentStream);
-
                 return GetTokenFromResponse(json.RootElement);
             }
 
+            string message = GetMessageFromResponse(json.RootElement);
             throw async
-                ? await Pipeline.Diagnostics.CreateRequestFailedExceptionAsync(response).ConfigureAwait(false)
-                : Pipeline.Diagnostics.CreateRequestFailedException(response);
+                ? await Pipeline.Diagnostics.CreateRequestFailedExceptionAsync(response, message).ConfigureAwait(false)
+                : Pipeline.Diagnostics.CreateRequestFailedException(response, message);
         }
 
         protected abstract Request CreateRequest(string[] scopes);
 
+        protected static async Task<string> GetMessageFromResponse(Response response, bool async, CancellationToken cancellationToken)
+        {
+            if (response?.ContentStream == null)
+            {
+                return null;
+            }
+            response.ContentStream.Position = 0;
+            using JsonDocument json = async
+                ? await JsonDocument.ParseAsync(response.ContentStream, default, cancellationToken).ConfigureAwait(false)
+                : JsonDocument.Parse(response.ContentStream);
+
+            return GetMessageFromResponse(json.RootElement);
+        }
+
+        protected static string GetMessageFromResponse(in JsonElement root)
+        {
+            // Parse the error, if possible
+            foreach (var prop in root.EnumerateObject())
+            {
+                if (prop.Name == "Message")
+                {
+                    return prop.Value.GetString();
+                }
+            }
+            return null;
+        }
+
         private static AccessToken GetTokenFromResponse(in JsonElement root)
         {
             string accessToken = null;

sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs

@@ -51,6 +51,27 @@ public async Task VerifyImdsRequestWithClientIdMockAsync()
             }
         }
 
+        [NonParallelizable]
+        [Test]
+        public void VerifyImdsRequestFailurePopulatesExceptionMessage()
+        {
+            using (new TestEnvVar(new() { { "MSI_ENDPOINT", null }, { "MSI_SECRET", null } }))
+            {
+                var expectedMessage = "No MSI found for specified ClientId/ResourceId.";
+                var response = CreateErrorMockResponse(400, expectedMessage);
+                var mockTransport = new MockTransport(response);
+                var options = new TokenCredentialOptions() { Transport = mockTransport };
+                var pipeline = CredentialPipeline.GetInstance(options);
+
+                var client = new MockManagedIdentityClient(pipeline, "mock-client-id") { ManagedIdentitySourceFactory = () => new ImdsManagedIdentitySource(pipeline, "mock-client-id") };
+
+                ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential(client));
+
+                var ex = Assert.ThrowsAsync<CredentialUnavailableException>(async () => await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default)));
+                Assert.That(ex.Message, Does.Contain(expectedMessage));
+            }
+        }
+
         [NonParallelizable]
         [Test]
         [TestCase(400)]
@@ -70,7 +91,7 @@ public void VerifyImdsRequestHandlesFailedRequestWithCredentialUnavailableExcept
 
                 var ex = Assert.ThrowsAsync<CredentialUnavailableException>(async () => await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default)));
 
-                Assert.That(ex.Message.Contains(ImdsManagedIdentitySource.IdentityUnavailableError));
+                Assert.That(ex.Message, Does.Contain(ImdsManagedIdentitySource.IdentityUnavailableError));
             }
         }
 
@@ -314,5 +335,12 @@ private MockResponse CreateMockResponse(int responseCode, string token)
             response.SetContent($"{{ \"access_token\": \"{token}\", \"expires_on\": \"3600\" }}");
             return response;
         }
+
+        private MockResponse CreateErrorMockResponse(int responseCode, string message)
+        {
+            var response = new MockResponse(responseCode);
+            response.SetContent($"{{\"StatusCode\":400,\"Message\":\"{message}\",\"CorrelationId\":\"f3c9aec0-7fa2-4184-ad0f-0c68ce5fc748\"}}");
+            return response;
+        }
     }
 }