
[Bug] MSAL raises exception with message ' either empty or could not be parsed' for 429s from the managed identity code path of Service Fabric. #5178

@gladjohn

Description


Library version used

latest

.NET version

Net 8

Scenario

ManagedIdentityClient - managed identity

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

MSAL.NET raises the exception below when encountering HTTP 429 from the managed identity code path of Service Fabric, making it non-retriable:

"Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] The error response was either empty or could not be parsed.. Error response received from the server: The request was throttled locally; the service allows 30 requests per 10s; retry after 4s.

See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot

---> MSAL.NetCore.4.66.0.0.MsalServiceException:

        ErrorCode: managed_identity_request_failed

Microsoft.Identity.Client.MsalServiceException: [Managed Identity] The error response was either empty or could not be parsed.. Error response received from the server: The request was throttled locally; the service allows 30 requests per 10s; retry after 4s.

at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)

at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)

at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)

Can the team confirm that the exception seen in this case is getting treated as ‘429’ and is actually getting retried? Following are the reasons for us to have some questions around it:

• Error message has substring saying ‘empty or could not be parsed’ indicating MSAL isn’t able to classify it as standard throttling and hence won’t retry?

“Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] The error response was either empty or could not be parsed.. Error response received from the server: The request was throttled locally; the service allows 30 requests per 10s; retry after 4s”

• I tried overriding the retry policy of ManagedIdentityCredential and even that didn’t help or change the observed exception rate, indicating the underlying MSAL/MI layer is not treating this exception as retriable:

    var tokenCredentialOptions = new TokenCredentialOptions()
    {
        RetryPolicy = new RetryPolicy(
            maxRetries: 6,
            DelayStrategy.CreateExponentialDelayStrategy(
                initialDelay: TimeSpan.FromSeconds(1),
                maxDelay: TimeSpan.FromMinutes(1))),
    };

    return new ManagedIdentityCredential(clientId: null, options: tokenCredentialOptions);

Microsoft.Identity.Client 4.66.0
Azure.Identity 1.13.0

Relevant code snippets

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response
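
One way a caller could honor the plain-text "retry after Ns" hint shown in the exception above, as an added example that is not part of the original issue and not MSAL or Azure.Identity code. `ThrottleAwareCredential`, `ParseRetryAfter`, the attempt count and the 60-second cap are hypothetical, and it assumes the hint appears in `AuthenticationFailedException.Message` as in the quoted trace.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Hypothetical wrapper: retries token acquisition when the failure message
// carries the plain-text throttling hint quoted in this issue ("retry after 4s").
public sealed class ThrottleAwareCredential : TokenCredential
{
    private static readonly Regex RetryAfter =
        new Regex(@"retry after (\d+)s", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    private readonly TokenCredential _inner;
    private readonly int _maxAttempts;

    public ThrottleAwareCredential(TokenCredential inner, int maxAttempts = 4)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        _maxAttempts = maxAttempts;
    }

    // Returns the server-suggested wait, or null when the text is not the throttling message.
    public static TimeSpan? ParseRetryAfter(string message)
    {
        Match m = RetryAfter.Match(message ?? string.Empty);
        return m.Success && int.TryParse(m.Groups[1].Value, out int seconds)
            ? TimeSpan.FromSeconds(Math.Min(seconds, 60)) // cap so a bad value cannot stall the caller
            : (TimeSpan?)null;
    }

    public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct)
    {
        for (int attempt = 1; ; attempt++)
        {
            try { return await _inner.GetTokenAsync(ctx, ct).ConfigureAwait(false); }
            catch (AuthenticationFailedException ex)
                when (attempt < _maxAttempts && ParseRetryAfter(ex.Message) is TimeSpan wait)
            {
                // Jitter keeps replicas on one node from retrying in lockstep
                // against the "30 requests per 10s" local limit.
                int jitterMs = Random.Shared.Next(0, 500);
                await Task.Delay(wait + TimeSpan.FromMilliseconds(jitterMs), ct).ConfigureAwait(false);
            }
        }
    }

    // Synchronous path blocks on the async one; prefer GetTokenAsync where possible.
    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct) =>
        GetTokenAsync(ctx, ct).AsTask().GetAwaiter().GetResult();
}
```

Failures whose message lacks the hint, and the final attempt, propagate unchanged, so non-throttling authentication errors are not masked.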


Status

Done
