[Core] Unify ADAL and MSAL error handler

[jiasli]

Description

Refine the error message reported by #16209, #16641, #17142.

In the current code, wrapping adal.AdalError and rephrasing the error message actually doesn't provide more information. Instead, it leaves the original server error unexposed.

error code	CLI error	server error
AADSTS70008	Credentials have expired due to inactivity.	https://login.microsoftonline.com/error?code=70008
AADSTS50079	Configuration of your account was changed.	https://login.microsoftonline.com/error?code=50079
AADSTS50173	The credential data used by CLI has been expired because you might have changed or reset the password.	https://login.microsoftonline.com/error?code=50173

This PR

1. wraps adal.AdalError in AuthenticationError with the original server error unchanged
2. adds az login instruction as recommendation

Testing Guide

Test expired refresh token

1. Create a Conditional Access policy in AAD tenant to make the refresh token only valid for 1 hour.
   
2. az login with the user that is managed by the policy
3. After one hour, run az group list or az account get-access-token

Error message

> az group list
AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2021-02-23T05:06:57.0691981Z and the maximum allowed lifetime for this request is 3600.
Trace ID: 4999f039-c867-4cc2-ab32-7dc259780c00
Correlation ID: 6517ef89-dd65-47e1-b5fa-7193461fb78a
Timestamp: 2021-02-24 07:13:32Z
To re-authenticate, please run `az login`. If the problem persists, please contact your tenant administrator.

> az account get-access-token
AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2021-02-23T05:06:57.0691981Z and the maximum allowed lifetime for this request is 3600.
Trace ID: ab764987-048b-4745-bc32-ba7d16840b00
Correlation ID: a2d45c9f-41de-4e18-8bf5-8368975c7561
Timestamp: 2021-02-24 06:54:48Z
To re-authenticate, please run `az login`. If the problem persists, please contact your tenant administrator.

[jiasli]

Exposing the original error message is the same behavior as logging in in the browser.

For example, with invalid client_id:

- 04b07795-8ddb-461a-bbee-02f9e1bf7b46
+ 04b07795-8ddb-461a-bbee-02f9e1bf7b41
                                     ^

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=04b07795-8ddb-461a-bbee-02f9e1bf7b41&redirect_uri=http://localhost:8400&state=vsjy0x6w4z3ojcnq1ezl&resource=https://management.core.windows.net/&prompt=select_account&sso_reload=true

[yonzhan]

Core

[jiasli]

The exposure of original AAD error paves the way for solving #16988 and #16989.

[fengzhou-msft]

Is it possible to use one of the new Error Types?

[jiasli]

This error is caused by a known unknown issue in ADAL (#15320). As we are migrating to MSAL, this ADAL issue is not planned to be investigated and fixed. @houk-ms which exception do you prefer to use?

[jiasli]

As discussed offline, raising UnknownError for now and also providing comment and a recommendation:

azure-cli/src/azure-cli-core/azure/cli/core/adal_authentication.py

Lines 255 to 259 in c62df4d

	# In case of AdalError created as
	# AdalError('More than one token matches the criteria. The result is ambiguous.')
	# https://github.com/Azure/azure-cli/issues/15320
	from azure.cli.core.azclierror import UnknownError
	raise UnknownError(str(err), recommendation="Please run `az account clear`, then `az login`.")