Improve AzurePipelinesCredential errors (Azure#22958)

Author: chlowell

sdk/azidentity/CHANGELOG.md

@@ -11,6 +11,7 @@
 ### Bugs Fixed
 
 ### Other Changes
+* Added more details to `AzurePipelinesCredential` error messages
 
 ## 1.6.0-beta.4 (2024-05-14)
 

sdk/azidentity/azure_pipelines_credential.go

@@ -98,27 +98,33 @@ func (a *AzurePipelinesCredential) getAssertion(ctx context.Context) (string, er
 	url := a.oidcURI + "?api-version=" + oidcAPIVersion + "&serviceConnectionId=" + a.connectionID
 	url, err := runtime.EncodeQueryParams(url)
 	if err != nil {
-		return "", err
+		return "", newAuthenticationFailedError(credNameAzurePipelines, "couldn't encode OIDC URL: "+err.Error(), nil, nil)
 	}
 	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, nil)
 	if err != nil {
-		return "", err
+		return "", newAuthenticationFailedError(credNameAzurePipelines, "couldn't create OIDC token request: "+err.Error(), nil, nil)
 	}
 	req.Header.Set("Authorization", "Bearer "+a.systemAccessToken)
 	res, err := doForClient(a.cred.client.azClient, req)
 	if err != nil {
-		return "", err
+		return "", newAuthenticationFailedError(credNameAzurePipelines, "couldn't send OIDC token request: "+err.Error(), nil, nil)
+	}
+	if res.StatusCode != http.StatusOK {
+		msg := res.Status + " response from the OIDC endpoint. Check service connection ID and Pipeline configuration"
+		// include the response because its body, if any, probably contains an error message.
+		// OK responses aren't included with errors because they probably contain secrets
+		return "", newAuthenticationFailedError(credNameAzurePipelines, msg, res, nil)
 	}
 	b, err := runtime.Payload(res)
 	if err != nil {
-		return "", err
+		return "", newAuthenticationFailedError(credNameAzurePipelines, "couldn't read OIDC response content: "+err.Error(), nil, nil)
 	}
 	var r struct {
 		OIDCToken string `json:"oidcToken"`
 	}
 	err = json.Unmarshal(b, &r)
 	if err != nil {
-		return "", err
+		return "", newAuthenticationFailedError(credNameAzurePipelines, "unexpected response from OIDC endpoint", nil, nil)
 	}
 	return r.OIDCToken, nil
 }

sdk/azidentity/errors.go

@@ -53,7 +53,7 @@ func (e *AuthenticationFailedError) Error() string {
 		return e.credType + ": " + e.message
 	}
 	msg := &bytes.Buffer{}
-	fmt.Fprintf(msg, e.credType+" authentication failed\n")
+	fmt.Fprintf(msg, "%s authentication failed. %s\n", e.credType, e.message)
 	if e.RawResponse.Request != nil {
 		fmt.Fprintf(msg, "%s %s://%s%s\n", e.RawResponse.Request.Method, e.RawResponse.Request.URL.Scheme, e.RawResponse.Request.URL.Host, e.RawResponse.Request.URL.Path)
 	} else {

sdk/azidentity/managed_identity_client.go

@@ -238,7 +238,7 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi
 		}
 	}
 
-	return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "authentication failed", resp, nil)
+	return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "", resp, nil)
 }
 
 func (c *managedIdentityClient) createAccessToken(res *http.Response) (azcore.AccessToken, error) {