Fix for 5033 - MSI response json parse failure error code

bgavrilMS · bgavrilMS · commit 34601dc61963 · 2025-01-01T19:15:12.000Z
diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs
@@ -12,6 +12,11 @@
 using System.Net;
 using Microsoft.Identity.Client.ApiConfig.Parameters;
 using System.Text;
+#if SUPPORTS_SYSTEM_TEXT_JSON
+using System.Text.Json;
+#else
+using Microsoft.Identity.Json;
+#endif
 
 namespace Microsoft.Identity.Client.ManagedIdentity
 {
@@ -29,7 +34,7 @@ protected AbstractManagedIdentity(RequestContext requestContext, ManagedIdentity
         }
 
         public virtual async Task<ManagedIdentityResponse> AuthenticateAsync(
-            AcquireTokenForManagedIdentityParameters parameters, 
+            AcquireTokenForManagedIdentityParameters parameters,
             CancellationToken cancellationToken)
         {
             if (cancellationToken.IsCancellationRequested)
@@ -107,7 +112,7 @@ protected virtual Task<ManagedIdentityResponse> HandleResponseAsync(
             }
 
             string message = GetMessageFromErrorResponse(response);
-                
+
             _requestContext.Logger.Error($"[Managed Identity] request failed, HttpStatusCode: {response.StatusCode} Error message: {message}");
 
             MsalException exception = MsalServiceExceptionFactory.CreateManagedIdentityException(
@@ -124,20 +129,39 @@ protected virtual Task<ManagedIdentityResponse> HandleResponseAsync(
 
         protected ManagedIdentityResponse GetSuccessfulResponse(HttpResponse response)
         {
-            ManagedIdentityResponse managedIdentityResponse = JsonHelper.DeserializeFromJson<ManagedIdentityResponse>(response.Body);
+            ManagedIdentityResponse managedIdentityResponse;
+            try
+            {
+                managedIdentityResponse = JsonHelper.DeserializeFromJson<ManagedIdentityResponse>(response.Body);
+            }
+            catch (JsonException ex)
+            {
+                _requestContext.Logger.Error("[Managed Identity] MSI json response failed to parse. " + ex);
 
-            if (managedIdentityResponse == null || managedIdentityResponse.AccessToken.IsNullOrEmpty() || managedIdentityResponse.ExpiresOn.IsNullOrEmpty())
+                var exception = MsalServiceExceptionFactory.CreateManagedIdentityException(
+                    MsalError.ManagedIdentityResponseParseFailure,
+                    MsalErrorMessage.ManagedIdentityJsonParseFailure,
+                    ex,
+                    _sourceType,
+                    (int)HttpStatusCode.OK);
+
+                throw exception;
+            }
+
+            if (managedIdentityResponse == null || 
+                managedIdentityResponse.AccessToken.IsNullOrEmpty() || 
+                managedIdentityResponse.ExpiresOn.IsNullOrEmpty())
             {
                 _requestContext.Logger.Error("[Managed Identity] Response is either null or insufficient for authentication.");
 
                 var exception = MsalServiceExceptionFactory.CreateManagedIdentityException(
                     MsalError.ManagedIdentityRequestFailed,
                     MsalErrorMessage.ManagedIdentityInvalidResponse,
-                    null, 
-                    _sourceType, 
-                    null); 
+                    null,
+                    _sourceType,
+                    (int)HttpStatusCode.OK);
 
-                    throw exception;
+                throw exception;
             }
 
             return managedIdentityResponse;
@@ -158,7 +182,7 @@ internal string GetMessageFromErrorResponse(HttpResponse response)
             catch
             {
                 return TryGetMessageFromNestedErrorResponse(response.Body);
-            } 
+            }
         }
 
         private string ExtractErrorMessageFromManagedIdentityErrorResponse(ManagedIdentityErrorResponse managedIdentityErrorResponse)
@@ -218,7 +242,8 @@ private string TryGetMessageFromNestedErrorResponse(string response)
                 {
                     return errorMessage.ToString();
                 }
-            } catch
+            }
+            catch
             {
                 // Ignore any exceptions that occur during parsing and send the error message.
             }
@@ -227,8 +252,8 @@ private string TryGetMessageFromNestedErrorResponse(string response)
             return $"{MsalErrorMessage.ManagedIdentityUnexpectedErrorResponse}. Error response received from the server: {response}.";
         }
 
-        private void HandleException(Exception ex, 
-            ManagedIdentitySource managedIdentitySource = ManagedIdentitySource.None, 
+        private void HandleException(Exception ex,
+            ManagedIdentitySource managedIdentitySource = ManagedIdentitySource.None,
             string additionalInfo = null)
         {
             ManagedIdentitySource source = managedIdentitySource != ManagedIdentitySource.None ? managedIdentitySource : _sourceType;
@@ -254,9 +279,9 @@ private void HandleException(Exception ex,
             }
         }
 
-        private static void CreateAndThrowException(string errorCode, 
-            string errorMessage, 
-            Exception innerException, 
+        private static void CreateAndThrowException(string errorCode,
+            string errorMessage,
+            Exception innerException,
             ManagedIdentitySource source)
         {
             MsalException exception = MsalServiceExceptionFactory.CreateManagedIdentityException(
diff --git a/src/client/Microsoft.Identity.Client/MsalError.cs b/src/client/Microsoft.Identity.Client/MsalError.cs
@@ -1101,6 +1101,11 @@ public static class MsalError
         /// </summary>
         public const string ManagedIdentityRequestFailed = "managed_identity_request_failed";
 
+        /// <summary>
+        /// Managed Identity error response was received.
+        /// </summary>
+        public const string ManagedIdentityResponseParseFailure = "managed_identity_response_parse_failure";
+
         /// <summary>
         /// Managed Identity endpoint is not reachable.
         /// </summary>
diff --git a/src/client/Microsoft.Identity.Client/MsalErrorMessage.cs b/src/client/Microsoft.Identity.Client/MsalErrorMessage.cs
@@ -412,6 +412,7 @@ public static string InvalidTokenProviderResponseValue(string invalidValueName)
 
         public const string ManagedIdentityNoResponseReceived = "[Managed Identity] Authentication unavailable. No response received from the managed identity endpoint.";
         public const string ManagedIdentityInvalidResponse = "[Managed Identity] Invalid response, the authentication response received did not contain the expected fields.";
+        public const string ManagedIdentityJsonParseFailure = "[Managed Identity] MSI returned 200 OK, but the response could not be parsed.";
         public const string ManagedIdentityUnexpectedResponse = "[Managed Identity] Unexpected exception occurred when parsing the response. See the inner exception for details.";
         public const string ManagedIdentityExactlyOneScopeExpected = "[Managed Identity] To acquire token for managed identity, exactly one scope must be passed.";
         public const string ManagedIdentityUnexpectedErrorResponse = "[Managed Identity] The error response was either empty or could not be parsed.";
diff --git a/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHelpers.cs b/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHelpers.cs
@@ -133,13 +133,10 @@ public static string GetMsiSuccessfulResponse(int expiresInHours = 1, bool useIs
           "\"Bearer\",\"client_id\":\"client_id\"}";
         }
 
-        public static string GetMsiImdsSuccessfulResponse()
+        public static string GetMsiErrorBadJson()
         {
-            string expiresOn = DateTimeHelpers.DateTimeToUnixTimestamp(DateTime.UtcNow.AddHours(1));
-            return
-          "{\"access_token\":\"" + TestConstants.ATSecret + "\",\"client_id\":\"client-id\"," +
-          "\"expires_in\":\"12345\",\"expires_on\":\"" + expiresOn + "\",\"resource\":\"https://management.azure.com/\"," +
-          "\"ext_expires_in\":\"12345\",\"token_type\":\"Bearer\"}";
+            string successResponse = GetMsiSuccessfulResponse();
+            return successResponse.Replace("{", "|");
         }
 
         public static string GetMsiErrorResponse(ManagedIdentitySource source)
diff --git a/tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ManagedIdentityTests.cs b/tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ManagedIdentityTests.cs
@@ -1073,5 +1073,43 @@ await AssertException.TaskThrowsAsync<TaskCanceledException>(
                         .WithForceRefresh(true)
                         .ExecuteAsync(tokenSource.Token)).ConfigureAwait(false);
         }
+
+        [DataTestMethod]
+        [DataRow(ManagedIdentitySource.Imds, ImdsEndpoint)]
+        [DataRow(ManagedIdentitySource.AppService, AppServiceEndpoint)]
+        [DataRow(ManagedIdentitySource.AzureArc, AzureArcEndpoint)]
+        [DataRow(ManagedIdentitySource.CloudShell, CloudShellEndpoint)]
+        [DataRow(ManagedIdentitySource.ServiceFabric, ServiceFabricEndpoint)]
+        public async Task InvalidJsonResponseHandling(ManagedIdentitySource managedIdentitySource, string endpoint)
+        {
+            using (new EnvVariableContext())
+            using (var httpManager = new MockHttpManager(isManagedIdentity: true))
+            {
+                SetEnvironmentVariables(managedIdentitySource, endpoint);
+
+                var miBuilder = ManagedIdentityApplicationBuilder
+                    .Create(ManagedIdentityId.SystemAssigned)
+                    .WithHttpManager(httpManager);
+
+                // Disabling shared cache options to avoid cross test pollution.
+                miBuilder.Config.AccessorOptions = null;
+
+                var mi = miBuilder.Build();
+
+                httpManager.AddManagedIdentityMockHandler(
+                     endpoint,
+                     "scope",
+                     MockHelpers.GetMsiErrorBadJson(),
+                     managedIdentitySource);
+
+                MsalServiceException ex = await Assert.ThrowsExceptionAsync<MsalServiceException>(async () =>
+                    await mi.AcquireTokenForManagedIdentity("scope")
+                    .ExecuteAsync().ConfigureAwait(false)).ConfigureAwait(false);
+
+                Assert.AreEqual(managedIdentitySource.ToString(), ex.AdditionalExceptionData[MsalException.ManagedIdentitySource]);
+                Assert.AreEqual(MsalError.ManagedIdentityResponseParseFailure, ex.ErrorCode);
+                Assert.AreEqual(MsalErrorMessage.ManagedIdentityJsonParseFailure, ex.Message);
+            }
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -133,13 +133,10 @@ public static string GetMsiSuccessfulResponse(int expiresInHours = 1, bool useIs`
`133`	`133`	`"\"Bearer\",\"client_id\":\"client_id\"}";`
`134`	`134`	`}`
`135`	`135`
`136`		`- public static string GetMsiImdsSuccessfulResponse()`
	`136`	`+ public static string GetMsiErrorBadJson()`
`137`	`137`	`{`
`138`		`- string expiresOn = DateTimeHelpers.DateTimeToUnixTimestamp(DateTime.UtcNow.AddHours(1));`
`139`		`- return`
`140`		`- "{\"access_token\":\"" + TestConstants.ATSecret + "\",\"client_id\":\"client-id\"," +`
`141`		`- "\"expires_in\":\"12345\",\"expires_on\":\"" + expiresOn + "\",\"resource\":\"https://management.azure.com/\"," +`
`142`		`- "\"ext_expires_in\":\"12345\",\"token_type\":\"Bearer\"}";`
	`138`	`+ string successResponse = GetMsiSuccessfulResponse();`
	`139`	`+ return successResponse.Replace("{", "\|");`
`143`	`140`	`}`
`144`	`141`
`145`	`142`	`public static string GetMsiErrorResponse(ManagedIdentitySource source)`