Add HTTP responses to authentication exceptions #17442
Conversation
chlowell
added
Client
|
I'm uncertain. A mock test of that scenario (specifically, "credential elicits an AAD error by presenting a refresh token") would be complex, fragile, and not representative because MSAL is responsible for all the HTTP requests in the real world. I actually wrote a recorded test for it, using CAE to invalidate a credential's refresh token. Having done that, I'm conflicted about what it means to "verify" the value of the response. It seems insufficient to simply assert that the exception carries a response, or that it carries any error response, but doing more requires having an opinion about the content of a "correct" response, which is really up to Azure AD to decide 😩 Writing that convinced me it's worth adding a recorded test for this, which can simply assert that the exception carries an OAuth 2 error response. I don't want to add it to this PR though, because I expect to make changes to how tests are recorded and this one wouldn't run anyway, lacking CAE support. |
My goal here is to add Azure AD's response to each exception raised due to an Azure AD authentication error. That's easy where an exception is raised by code that already has the response. Less so for a credential implemented with MSAL, because MSAL returns only the response's deserialized body to the credential. So, this PR has MsalClient hang on to the last auth error response it saw, and adds a method credentials can call to get that response.
This closes #16906 by giving applications all the information AAD provided when authentication failed, for example:
This PR removes the redundant
AuthenticationRequiredError.error_details, whose value was simplyerror_detailsfrom AAD's response. That value is usually incorporated into an exception's message, and its raw value is available in the response.