Updated the request header sent to the OIDC endpoint so it doesn't result in a redirect response when an invalid system access token is provided. (Azure#46135)

* Updated the request header sent to the OIDC endpoint in so it doesn't
result in a redirect response when an invalid system access token is
provided.

* Fix typo in header name and update test name.

* Update TSG wording to match error, and fix assert.

* Change the test back to returning void.

* Update wording in TSG to reset CI.

Author: ahsonkhan

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -8,6 +8,8 @@
 
 ### Bugs Fixed
 
+- Fixed the request sent in `AzurePipelinesCredential` so it doesn't result in a redirect response when an invalid system access token is provided.
+
 ### Other Changes
 
 ## 1.13.0-beta.2 (2024-09-17)

sdk/identity/Azure.Identity/TROUBLESHOOTING.md

@@ -386,7 +386,7 @@ You may also log in another MSA account by selecting "Microsoft account":
 | --- | --- | --- |
 | AADSTS900023: Specified tenant identifier `<some tenant ID>` is neither a valid DNS name, nor a valid external domain. | The tenant ID passed to the credential is invalid. | Verify the tenant ID is valid. If the service connection was configured via a user-assigned managed identity, the tenant will be the one in which managed identity was registered. If the service connection is configured via a service principal, the tenant should be the one in which the Service Principal is registered.                                                                             |
 | No service connection found with identifier `<GUID>` | The service connection ID provided is incorrect. | Verify the serviceConnectionId provided. This parameter refers to the `resourceId` of the Azure Service Connection. It can also be found in the query string of the respective Service Connection's configuration page in Azure DevOps. More information about service connections can be found [here](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml) |
-| AzurePipelinesCredential: Authentication Failed. oidcToken field not detected in the response. Response = Object moved to here. Status Code: 302. | The system access token seems to be malformed when passing in as a parameter to the credential. | `System.AccessToken` is a required system variable in the Azure Pipelines task and should be provided in the pipeline task, [as mentioned in the docs](https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken). Verify that the system access token value provided is the predefined variable in Azure Pipelines and isn't malformed. |
+| AzurePipelinesCredential: Authentication Failed. OIDC token not found in response. Status Code: 401 (Unauthorized). | The system access token seems to be malformed when passed in as a parameter to the credential. | `System.AccessToken` is a required system variable in the Azure Pipelines task and should be provided in the pipeline task, [as mentioned in the docs](https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken). Verify that the system access token value provided is the predefined variable in Azure Pipelines and isn't malformed. |
 | AzurePipelinesCredential: Authentication Failed. oidcToken field not detected in the response. Response = {"$id":"1","innerException":null,"message":"`<ACTUAL ERROR MESSAGE>`","typeName":"Microsoft.VisualStudio.Services.WebApi.VssInvalidPreviewVersionException, Microsoft.VisualStudio.Services.WebApi","typeKey":"VssInvalidPreviewVersionException","errorCode":0} | When the OIDC token request fails, the OIDC token api throws an error. More details about the specific error are specified in the "message" field of the Response as shown above. | Mitigation will usually depend on the scenario based on what [error message](https://learn.microsoft.com/azure/devops/pipelines/release/troubleshoot-workload-identity?view=azure-devops#error-messages) is being thrown. Make sure you use the [recommended Azure Pipelines task](https://learn.microsoft.com/azure/devops/pipelines/release/troubleshoot-workload-identity?view=azure-devops#review-pipeline-tasks). |
 | CredentialUnavailableError: AzurePipelinesCredential is not available: Ensure that you're running this task in an Azure Pipeline so that following missing system variable(s) can be defined: SYSTEM_OIDCREQUESTURI is not set. | This code is not running inside of the Azure Pipelines Environment. You may be running this code locally or on some other environment.                                             | This credential is only designed to run from inside the Azure Pipelines environment for the federated identity to work. |
 | AuthenticationRequiredError: unauthorized_client: 700016 - AADSTS700016: Application with identifier 'clientId' was not found in the directory 'Microsoft'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.| The `clientId` provided is invalid. | Verify the client ID argument is valid. If the service connection's federated identity was registered via a user-assigned managed identity, the client ID of the managed identity should be provided. If the service connection's federated identity is registered via a Service Principal, the Application (client) ID from your app registration should be provided. |

sdk/identity/Azure.Identity/src/Credentials/AzurePipelinesCredential.cs

@@ -116,6 +116,8 @@ internal HttpMessage CreateOidcRequestMessage(AzurePipelinesCredentialOptions op
             message.Request.Uri.Reset(requestUri);
             message.Request.Headers.SetValue(HttpHeader.Names.Authorization, $"Bearer {systemToken}");
             message.Request.Headers.SetValue(HttpHeader.Names.ContentType, "application/json");
+            // Prevents the service from responding with a redirect HTTP status code (useful for automation).
+            message.Request.Headers.SetValue("X-TFS-FedAuthRedirect", "Suppress");
             message.Request.Method = RequestMethod.Post;
             return message;
         }

sdk/identity/Azure.Identity/tests/AzurePipelinesCredentialLiveTests.cs

@@ -44,5 +44,33 @@ public async Task AzurePipelineCredentialLiveTest_GetToken()
 
             Assert.IsNotNull(token.Token);
         }
+
+        [Test]
+        [LiveOnly]
+        public void AzurePipelineCredentialLiveTest_GetToken_InvalidSystemAccessToken()
+        {
+            string systemAccessToken = "invalidSystemAccessToken";
+            var tenantId = Environment.GetEnvironmentVariable("AZURE_SERVICE_CONNECTION_TENANT_ID");
+            var clientId = Environment.GetEnvironmentVariable("AZURE_SERVICE_CONNECTION_CLIENT_ID");
+            var serviceConnectionId = Environment.GetEnvironmentVariable("AZURE_SERVICE_CONNECTION_ID");
+
+            if (string.IsNullOrEmpty(tenantId) || string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(serviceConnectionId))
+            {
+                var envVars = Environment.GetEnvironmentVariables();
+                StringBuilder sb = new StringBuilder();
+                foreach (var key in envVars.Keys)
+                {
+                    sb.AppendLine($"{key}: {envVars[key]}");
+                }
+                Console.WriteLine(sb);
+                Assert.Fail($"{sb} SYSTEM_ACCESSTOKEN: {systemAccessToken}, AZURE_SERVICE_CONNECTION_TENANT_ID: {tenantId}, AZURE_SERVICE_CONNECTION_CLIENT_ID: {clientId}, AZURE_SERVICE_CONNECTION_ID: {serviceConnectionId}");
+                Assert.Ignore("AzurePipelinesCredentialLiveTests disabled because required environment variables are not set");
+            }
+
+            var cred = new AzurePipelinesCredential(tenantId, clientId, serviceConnectionId, systemAccessToken);
+
+            var ex = Assert.ThrowsAsync<AuthenticationFailedException>(async () => await cred.GetTokenAsync(new TokenRequestContext(new[] { "https://management.azure.com//.default" }), CancellationToken.None));
+            Assert.That(ex.Message, Does.Contain("not authorized"));
+        }
     }
 }