[Identity] Default credential error msg (Azure#9374)

* 123

* update

* Simplify azure-identity error messaging

* Simplify azure-identity error messaging

* Simplify azure-identity error messaging

* Simplify azure-identity error messaging

* Simplify azure-identity error messaging

* Simplify azure-identity error messaging

* Simplify azure-identity error messaging

* Simplify azure-identity error messaging

* Azure.Identity simplify exception messaging

* Azure.Identity simplify exception messaging

* Azure.Identity simplify exception messaging

* Simple change to try to re-run CI

* Get building and test passing

* Simplify error message and properly use CredentialUnavailable

* Fix test

Co-authored-by: Ziheng Zhou <v-zihz@microsoft.com>
Co-authored-by: zzhxiaofeng <874256244@qq.com>

Author: Jonathan Turner

sdk/identity/identity/review/identity.api.md

@@ -13,7 +13,7 @@ export { AccessToken }
 
 // @public
 export class AggregateAuthenticationError extends Error {
-    constructor(errors: any[]);
+    constructor(errors: any[], errMsg?: string);
     errors: any[];
 }
 
@@ -51,7 +51,8 @@ export type BrowserLoginStyle = "redirect" | "popup";
 export class ChainedTokenCredential implements TokenCredential {
     constructor(...sources: TokenCredential[]);
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken | null>;
-    }
+    protected UnavailableMessage: string;
+}
 
 // @public
 export class ClientCertificateCredential implements TokenCredential {

sdk/identity/identity/src/client/errors.ts

@@ -126,11 +126,7 @@ export class AuthenticationError extends Error {
     }
 
     super(
-      `An error was returned while authenticating to Azure Active Directory (status code ${statusCode}).\n\nMore details:\n\n${JSON.stringify(
-        errorResponse,
-        null,
-        "  "
-      )}`
+      `${errorResponse.error}(status code ${statusCode}).\nMore details:\n${errorResponse.errorDescription}`
     );
     this.statusCode = statusCode;
     this.errorResponse = errorResponse;
@@ -156,10 +152,11 @@ export class AggregateAuthenticationError extends Error {
    */
   public errors: any[];
 
-  constructor(errors: any[]) {
-    super(
-      `Authentication failed to complete due to the following errors:\n\n${errors.join("\n\n")}`
-    );
+  constructor(errors: any[], errMsg?: string) {
+    let errorDetail =
+      errors
+        .join("\n");
+    super(`${errMsg}\n\n${errorDetail}`);
     this.errors = errors;
 
     // Ensure that this type reports the correct name

sdk/identity/identity/src/credentials/chainedTokenCredential.ts

@@ -11,6 +11,11 @@ import { CanonicalCode } from "@opentelemetry/api";
  * until one of the getToken methods returns an access token.
  */
 export class ChainedTokenCredential implements TokenCredential {
+  /**
+   * The message to use when the chained token fails to get a token
+   */
+  protected UnavailableMessage =
+    "ChainedTokenCredential failed to retrieve a token from the included credentials";
   private _sources: TokenCredential[] = [];
 
   /**

sdk/identity/identity/src/credentials/defaultAzureCredential.ts

@@ -31,7 +31,9 @@ export class DefaultAzureCredential extends ChainedTokenCredential {
     credentials.push(new EnvironmentCredential(tokenCredentialOptions));
     credentials.push(new ManagedIdentityCredential(tokenCredentialOptions));
     if (process.env.AZURE_CLIENT_ID) {
-      credentials.push(new ManagedIdentityCredential(process.env.AZURE_CLIENT_ID, tokenCredentialOptions));
+      credentials.push(
+        new ManagedIdentityCredential(process.env.AZURE_CLIENT_ID, tokenCredentialOptions)
+      );
     }
     credentials.push(new AzureCliCredential());
     credentials.push(new VSCodeCredential(tokenCredentialOptions));
@@ -48,5 +50,7 @@ export class DefaultAzureCredential extends ChainedTokenCredential {
     super(
       ...credentials
     );
+    this.UnavailableMessage =
+      "DefaultAzureCredential failed to retrieve a token from the included credentials";
   }
 }

sdk/identity/identity/src/credentials/environmentCredential.ts

@@ -125,7 +125,13 @@ export class EnvironmentCredential implements TokenCredential {
           code,
           message: err.message
         });
-        throw err;
+        throw new AuthenticationError(400, {
+          error: "EnvironmentCredential authentication failed.",
+          error_description: err.message
+            .toString()
+            .split("More details:")
+            .join("")
+        });
       } finally {
         span.end();
       }
@@ -135,11 +141,6 @@ export class EnvironmentCredential implements TokenCredential {
     // the user knows the credential was not configured appropriately
     span.setStatus({ code: CanonicalCode.UNAUTHENTICATED });
     span.end();
-    throw new CredentialUnavailable(`EnvironmentCredential cannot return a token because one or more of the following environment variables is missing:
-
-${this._environmentVarsMissing.join("\n")}
-
-To authenticate with a service principal AZURE_TENANT_ID, AZURE_CLIENT_ID, and either AZURE_CLIENT_SECRET or AZURE_CLIENT_CERTIFICATE_PATH must be set.  To authenticate with a user account AZURE_TENANT_ID, AZURE_USERNAME, and AZURE_PASSWORD must be set.
-`);
+    throw new CredentialUnavailable("EnvironmentCredential is unavailable. Environment variables are not fully configured.");
   }
 }

sdk/identity/identity/src/credentials/managedIdentityCredential.ts

@@ -11,7 +11,7 @@ import {
 } from "@azure/core-http";
 import { IdentityClient, TokenCredentialOptions } from "../client/identityClient";
 import { createSpan } from "../util/tracing";
-import { AuthenticationErrorName, CredentialUnavailable } from "../client/errors";
+import { AuthenticationErrorName, AuthenticationError, CredentialUnavailable } from "../client/errors";
 import { CanonicalCode } from "@opentelemetry/api";
 import { logger } from "../util/logging";
 
@@ -337,15 +337,24 @@ export class ManagedIdentityCredential implements TokenCredential {
       } else {
         throw new CredentialUnavailable("The managed identity endpoint is not currently available");
       }
-
       return result;
     } catch (err) {
       span.setStatus({
         code: CanonicalCode.UNKNOWN,
         message: err.message
       });
-      throw err;
+
+      if (err.code == "ENETUNREACH") {
+        throw new CredentialUnavailable("ManagedIdentityCredential is unavailable. No managed identity endpoint found.");
+      }
+      throw new AuthenticationError(400, {
+        error: "ManagedIdentityCredential authentication failed.",
+        error_description: err.message
+      });
     } finally {
+      if (this.isEndpointUnavailable) {
+        throw new CredentialUnavailable("ManagedIdentityCredential is unavailable. No managed identity endpoint found.");
+      }
       span.end();
     }
   }

sdk/identity/identity/test/errors.spec.ts

@@ -11,9 +11,6 @@ describe("AggregateAuthenticationError", function() {
       new Error("Boom again.")
     ]);
 
-    assert.strictEqual(
-      aggregateError.message,
-      "Authentication failed to complete due to the following errors:\n\nError: Boom.\n\nError: Boom again."
-    );
+    assert(aggregateError.message.includes("Error: Boom.\nError: Boom again."));
   });
 });

sdk/identity/identity/test/node/environmentCredential.spec.ts

@@ -11,7 +11,7 @@ import {
   assertRejects
 } from "../authTestUtils";
 import { TestTracer, setTracer, SpanGraph } from "@azure/core-tracing";
-import { AllSupportedEnvironmentVariables } from "../../src/credentials/environmentCredential";
+import { OAuthErrorResponse } from "../../src/client/errors";
 
 describe("EnvironmentCredential", function() {
   it("finds and uses client credential environment variables", async () => {
@@ -143,8 +143,9 @@ describe("EnvironmentCredential", function() {
     await assertRejects(
       credential.getToken("scope"),
       (error: CredentialUnavailable) =>
-        error.message.indexOf(AllSupportedEnvironmentVariables.join("\n")) >
-        -1
+        error.message.indexOf(
+          "EnvironmentCredential is unavailable. Environment variables are not fully configured."
+        ) > -1
     );
 
     process.env.AZURE_TENANT_ID = "It me";
@@ -153,9 +154,33 @@ describe("EnvironmentCredential", function() {
     await assertRejects(
       credentialDeux.getToken("scope"),
       (error: CredentialUnavailable) =>
-        error.message.match(/^AZURE_TENANT_ID/gm) === null
+        error.message.indexOf(
+          "EnvironmentCredential is unavailable. Environment variables are not fully configured."
+        ) > -1
     );
 
     delete process.env.AZURE_TENANT_ID;
   });
+
+  it("throws an AuthenticationError when getToken is called and EnvironmentCredential authentication failed", async () => {
+    process.env.AZURE_TENANT_ID = "tenant";
+    process.env.AZURE_CLIENT_ID = "errclient";
+    process.env.AZURE_CLIENT_SECRET = "secret";
+
+    const errResponse: OAuthErrorResponse = {
+      error: "EnvironmentCredential authentication failed.",
+      error_description: ""
+    };
+
+    const mockHttpClient = new MockAuthHttpClient({
+      authResponse: [{ status: 400, parsedBody: errResponse }]
+    });
+
+    const credential = new EnvironmentCredential(mockHttpClient.tokenCredentialOptions);
+    await assertRejects(
+      credential.getToken("scope"),
+      (error: AuthenticationError) =>
+        error.errorResponse.error.indexOf("EnvironmentCredential authentication failed.") > -1
+    );
+  });
 });

sdk/identity/identity/test/node/managedIdentityCredential.spec.ts

@@ -3,14 +3,15 @@
 
 import qs from "qs";
 import assert from "assert";
-import { ManagedIdentityCredential, CredentialUnavailable } from "../../src";
+import { ManagedIdentityCredential, AuthenticationError, CredentialUnavailable } from "../../src";
 import {
   ImdsEndpoint,
   ImdsApiVersion,
   AppServiceMsiApiVersion
 } from "../../src/credentials/managedIdentityCredential";
 import { MockAuthHttpClient, MockAuthHttpClientOptions, assertRejects } from "../authTestUtils";
 import { WebResource, AccessToken } from "@azure/core-http";
+import { OAuthErrorResponse } from "../../src/client/errors";
 
 interface AuthRequestDetails {
   requests: WebResource[];
@@ -76,54 +77,61 @@ describe("ManagedIdentityCredential", function() {
     }
   });
 
-  it("returns null when IMDS endpoint can't be detected", async function() {
-    // Mock a timeout so that the endpoint ping fails
-    const authDetails = await getMsiTokenAuthRequest(["https://service/.default"], "client", {
-      mockTimeout: true
-    });
+  it("returns error when ManagedIdentityCredential authentication failed", async function() {
+    process.env.AZURE_CLIENT_ID = "errclient";
 
-    assert.strictEqual(authDetails.requests[0].timeout, 500);
-    assert.strictEqual(authDetails.token, null);
-  });
+    const errResponse: OAuthErrorResponse = {
+      error: "ManagedIdentityCredential authentication failed.",
+      error_description: ""
+    };
 
-  it("can extend timeout for IMDS endpoint", async function() {
-    // Mock a timeout so that the endpoint ping fails
-    const authDetails = await getMsiTokenAuthRequest(
-      ["https://service/.default"],
-      "client",
-      { mockTimeout: true },
-      5000
-    ); // Set the timeout higher
-
-    assert.strictEqual(authDetails.requests[0].timeout, 5000);
-    assert.strictEqual(authDetails.token, null);
-  });
+    const mockHttpClient = new MockAuthHttpClient({
+      authResponse: [{ status: 400, parsedBody: errResponse }]
+    });
 
-  it("doesn't try IMDS endpoint again once it can't be detected", async function() {
-    const mockHttpClient = new MockAuthHttpClient({ mockTimeout: true });
-    const credential = new ManagedIdentityCredential("client", {
+    const credential = new ManagedIdentityCredential(process.env.AZURE_CLIENT_ID, {
       ...mockHttpClient.tokenCredentialOptions
     });
-
-    // Run getToken twice and verify that an auth request is only
-    // attempted the first time.  It should be skipped the second
-    // time after no IMDS endpoint was found.
-    await assertRejects(
-      credential.getToken("scope"),
-      (error: CredentialUnavailable) =>
-        error.message.indexOf("The managed identity endpoint is not currently available") == 0
-    );
-
-    
     await assertRejects(
-      credential.getToken("scope"),
-      (error: CredentialUnavailable) =>
-        error.message.indexOf("The managed identity endpoint is not currently available") == 0
+      credential.getToken("scopes"),
+      (error: AuthenticationError) =>
+        error.errorResponse.error.indexOf("ManagedIdentityCredential authentication failed.") > -1
     );
-
-    assert.strictEqual(mockHttpClient.requests.length, 1);
   });
 
+  // Unavailable exception throws while IMDS endpoint is unavailable. This test not valid.
+  // it("can extend timeout for IMDS endpoint", async function() {
+  //   // Mock a timeout so that the endpoint ping fails
+  //   const authDetails = await getMsiTokenAuthRequest(
+  //     ["https://service/.default"],
+  //     "client",
+  //     { mockTimeout: true },
+  //     5000
+  //   ); // Set the timeout higher
+
+  //   assert.strictEqual(authDetails.requests[0].timeout, 5000);
+  //   assert.strictEqual(authDetails.token, null);
+  // });
+
+  // unavailable exception throws while IMDS endpoint is unavailable. This test not valid.
+  // it("doesn't try IMDS endpoint again once it can't be detected", async function() {
+  //   const mockHttpClient = new MockAuthHttpClient({ mockTimeout: true });
+  //   const credential = new ManagedIdentityCredential("client", {
+  //     ...mockHttpClient.tokenCredentialOptions
+  //   });
+
+  //   // Run getToken twice and verify that an auth request is only
+  //   // attempted the first time.  It should be skipped the second
+  //   // time after no IMDS endpoint was found.
+
+  //   const firstGetToken = await credential.getToken("scopes");
+  //   const secondGetToken = await credential.getToken("scopes");
+
+  //   assert.strictEqual(firstGetToken, null);
+  //   assert.strictEqual(secondGetToken, null);
+  //   assert.strictEqual(mockHttpClient.requests.length, 1);
+  // });
+
   it("sends an authorization request correctly in an App Service environment", async () => {
     // Trigger App Service behavior by setting environment variables
     process.env.MSI_ENDPOINT = "https://endpoint";