Don't parse invalid json from failed MI responses (Azure#37194)

Author: christothes

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -9,6 +9,7 @@
 ### Bugs Fixed
 - Fixed an issue with `TokenCachePersistenceOptions` where credentials in the same process would share the same cache, even if they had different configured names.
 - ManagedIdentityCredential now ignores empty ClientId values. [#37100](https://github.com/Azure/azure-sdk-for-net/issues/37100)
+- ManagedIdentityCredential will no longer attempt to parse invalid json payloads on responses from the managed identity endpoint.
 
 ### Other Changes
 - All developer credentials in the `DefaultAzureCredential` credential chain will fall through to the next credential in the chain on any failure. Previously, some exceptions would throw `AuthenticationFailedException`, which stops further progress in the chain.

sdk/identity/Azure.Identity/src/ManagedIdentityRequestFailedDetailsParser.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
 using System.Collections.Generic;
 using System.Threading;
 using Azure.Core;
@@ -13,8 +14,17 @@ internal class ManagedIdentityRequestFailedDetailsParser : RequestFailedDetailsP
         public override bool TryParse(Response response, out ResponseError error, out IDictionary<string, string> data)
         {
             data = new Dictionary<string, string>();
+            error = null;
             try
             {
+                // The response content is buffered at this point.
+                string content = response.Content.ToString();
+
+                // Optimistic check for JSON object we expect
+                if (content == null || !content.StartsWith("{", StringComparison.OrdinalIgnoreCase))
+                {
+                    return false;
+                }
                 var message = ManagedIdentitySource.GetMessageFromResponse(response, false, CancellationToken.None).EnsureCompleted();
                 error = new ResponseError(null, message);
                 return true;

sdk/identity/Azure.Identity/src/ManagedIdentitySource.cs

@@ -49,11 +49,12 @@ protected virtual async ValueTask<AccessToken> HandleResponseAsync(
             Exception exception = null;
             try
             {
-                using JsonDocument json = async
-                    ? await JsonDocument.ParseAsync(response.ContentStream, default, cancellationToken).ConfigureAwait(false)
-                    : JsonDocument.Parse(response.ContentStream);
                 if (response.Status == 200)
                 {
+                    using JsonDocument json = async
+                    ? await JsonDocument.ParseAsync(response.ContentStream, default, cancellationToken).ConfigureAwait(false)
+                    : JsonDocument.Parse(response.ContentStream);
+
                     return GetTokenFromResponse(json.RootElement);
                 }
             }

sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs

@@ -767,7 +767,7 @@ public async Task VerifyClientAuthenticateThrows()
         }
 
         [Test]
-        public async Task VerifyClientAuthenticateReturnsInvalidJson([Values(200, 404, 403)] int status)
+        public async Task VerifyClientAuthenticateReturnsInvalidJsonOnSuccess([Values(200)] int status)
         {
             using var environment = new TestEnvVar(
                 new()
@@ -787,7 +787,30 @@ public async Task VerifyClientAuthenticateReturnsInvalidJson([Values(200, 404, 4
 
             var ex = Assert.ThrowsAsync<CredentialUnavailableException>(async () => await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default)));
             Assert.IsInstanceOf(typeof(System.Text.Json.JsonException), ex.InnerException);
-            Assert.That(ex.Message, Does.Contain(ManagedIdentitySource.UnexpectedResponse));
+            await Task.CompletedTask;
+        }
+
+        [Test]
+        public async Task VerifyClientAuthenticateReturnsInvalidJsonOnFailure([Values(404, 403, 429)] int status)
+        {
+            using var logger = AzureEventSourceListener.CreateConsoleLogger();
+            using var environment = new TestEnvVar(
+                new()
+                {
+                    { "MSI_ENDPOINT", null },
+                    { "MSI_SECRET", null },
+                    { "IDENTITY_ENDPOINT", null },
+                    { "IDENTITY_HEADER", null },
+                    { "AZURE_POD_IDENTITY_AUTHORITY_HOST", null }
+                });
+            var mockTransport = new MockTransport(request => CreateInvalidJsonResponse(status));
+            var options = new TokenCredentialOptions() { Transport = mockTransport };
+            options.Retry.MaxDelay = TimeSpan.Zero;
+            var pipeline = CredentialPipeline.GetInstance(options);
+
+            ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential("mock-client-id", pipeline));
+
+            var ex = Assert.ThrowsAsync<AuthenticationFailedException>(async () => await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default)));
             await Task.CompletedTask;
         }