Merge branch 'main' into bogavril/sjt

Author: bgavrilMS

build/template-python-config.yaml

@@ -2,13 +2,13 @@
 # Installs and updates PIP and ensures MSAL.Python PIP is properly installed on build machine.
 
 steps:
-- task: stevedower.python.PythonScript.PythonScript@1
+- task: stevedower.python.PythonScript.PythonScript@0
   displayName: 'Update PIP'
   condition: and(succeeded(), eq(variables['RunTests'], 'true'))
   inputs:
     arguments: '-m pip install --upgrade pip'
 
-- task: stevedower.python.PythonScript.PythonScript@1
+- task: stevedower.python.PythonScript.PythonScript@0
   displayName: 'Install MSAL.Python PIP'
   condition: and(succeeded(), eq(variables['RunTests'], 'true'))
   inputs:

src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs

@@ -135,7 +135,8 @@ protected override void Validate()
             {
                 string authorityUri = ServiceBundle.Config.Authority.AuthorityInfo.CanonicalAuthority.AbsoluteUri;
 
-                if (ServiceBundle.Config.Authority.AuthorityInfo.AuthorityType != AuthorityType.Aad)
+                if (ServiceBundle.Config.Authority.AuthorityInfo.AuthorityType != AuthorityType.Aad && 
+                    ServiceBundle.Config.Authority.AuthorityInfo.AuthorityType != AuthorityType.Dsts)
                 {
                     throw new MsalClientException(
                         MsalError.InvalidAuthorityType,
@@ -149,7 +150,9 @@ protected override void Validate()
                         MsalErrorMessage.MtlsNonTenantedAuthorityNotAllowedMessage);
                 }
 
-                if (string.IsNullOrEmpty(ServiceBundle.Config.AzureRegion))
+                // Check for Azure region only if the authority is AAD
+                if (ServiceBundle.Config.Authority.AuthorityInfo.AuthorityType == AuthorityType.Aad &&
+                    string.IsNullOrEmpty(ServiceBundle.Config.AzureRegion))
                 {
                     throw new MsalClientException(
                         MsalError.MtlsPopWithoutRegion,

src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs

@@ -12,6 +12,11 @@
 using System.Net;
 using Microsoft.Identity.Client.ApiConfig.Parameters;
 using System.Text;
+#if SUPPORTS_SYSTEM_TEXT_JSON
+using System.Text.Json;
+#else
+using Microsoft.Identity.Json;
+#endif
 
 namespace Microsoft.Identity.Client.ManagedIdentity
 {
@@ -29,7 +34,7 @@ protected AbstractManagedIdentity(RequestContext requestContext, ManagedIdentity
         }
 
         public virtual async Task<ManagedIdentityResponse> AuthenticateAsync(
-            AcquireTokenForManagedIdentityParameters parameters, 
+            AcquireTokenForManagedIdentityParameters parameters,
             CancellationToken cancellationToken)
         {
             if (cancellationToken.IsCancellationRequested)
@@ -107,7 +112,7 @@ protected virtual Task<ManagedIdentityResponse> HandleResponseAsync(
             }
 
             string message = GetMessageFromErrorResponse(response);
-                
+
             _requestContext.Logger.Error($"[Managed Identity] request failed, HttpStatusCode: {response.StatusCode} Error message: {message}");
 
             MsalException exception = MsalServiceExceptionFactory.CreateManagedIdentityException(
@@ -124,20 +129,39 @@ protected virtual Task<ManagedIdentityResponse> HandleResponseAsync(
 
         protected ManagedIdentityResponse GetSuccessfulResponse(HttpResponse response)
         {
-            ManagedIdentityResponse managedIdentityResponse = JsonHelper.DeserializeFromJson<ManagedIdentityResponse>(response.Body);
+            ManagedIdentityResponse managedIdentityResponse;
+            try
+            {
+                managedIdentityResponse = JsonHelper.DeserializeFromJson<ManagedIdentityResponse>(response.Body);
+            }
+            catch (JsonException ex)
+            {
+                _requestContext.Logger.Error("[Managed Identity] MSI json response failed to parse. " + ex);
 
-            if (managedIdentityResponse == null || managedIdentityResponse.AccessToken.IsNullOrEmpty() || managedIdentityResponse.ExpiresOn.IsNullOrEmpty())
+                var exception = MsalServiceExceptionFactory.CreateManagedIdentityException(
+                    MsalError.ManagedIdentityResponseParseFailure,
+                    MsalErrorMessage.ManagedIdentityJsonParseFailure,
+                    ex,
+                    _sourceType,
+                    (int)HttpStatusCode.OK);
+
+                throw exception;
+            }
+
+            if (managedIdentityResponse == null || 
+                managedIdentityResponse.AccessToken.IsNullOrEmpty() || 
+                managedIdentityResponse.ExpiresOn.IsNullOrEmpty())
             {
                 _requestContext.Logger.Error("[Managed Identity] Response is either null or insufficient for authentication.");
 
                 var exception = MsalServiceExceptionFactory.CreateManagedIdentityException(
                     MsalError.ManagedIdentityRequestFailed,
                     MsalErrorMessage.ManagedIdentityInvalidResponse,
-                    null, 
-                    _sourceType, 
-                    null); 
+                    null,
+                    _sourceType,
+                    (int)HttpStatusCode.OK);
 
-                    throw exception;
+                throw exception;
             }
 
             return managedIdentityResponse;
@@ -158,7 +182,7 @@ internal string GetMessageFromErrorResponse(HttpResponse response)
             catch
             {
                 return TryGetMessageFromNestedErrorResponse(response.Body);
-            } 
+            }
         }
 
         private string ExtractErrorMessageFromManagedIdentityErrorResponse(ManagedIdentityErrorResponse managedIdentityErrorResponse)
@@ -218,7 +242,8 @@ private string TryGetMessageFromNestedErrorResponse(string response)
                 {
                     return errorMessage.ToString();
                 }
-            } catch
+            }
+            catch
             {
                 // Ignore any exceptions that occur during parsing and send the error message.
             }
@@ -227,8 +252,8 @@ private string TryGetMessageFromNestedErrorResponse(string response)
             return $"{MsalErrorMessage.ManagedIdentityUnexpectedErrorResponse}. Error response received from the server: {response}.";
         }
 
-        private void HandleException(Exception ex, 
-            ManagedIdentitySource managedIdentitySource = ManagedIdentitySource.None, 
+        private void HandleException(Exception ex,
+            ManagedIdentitySource managedIdentitySource = ManagedIdentitySource.None,
             string additionalInfo = null)
         {
             ManagedIdentitySource source = managedIdentitySource != ManagedIdentitySource.None ? managedIdentitySource : _sourceType;
@@ -254,9 +279,9 @@ private void HandleException(Exception ex,
             }
         }
 
-        private static void CreateAndThrowException(string errorCode, 
-            string errorMessage, 
-            Exception innerException, 
+        private static void CreateAndThrowException(string errorCode,
+            string errorMessage,
+            Exception innerException,
             ManagedIdentitySource source)
         {
             MsalException exception = MsalServiceExceptionFactory.CreateManagedIdentityException(

src/client/Microsoft.Identity.Client/MsalError.cs

@@ -1110,6 +1110,11 @@ public static class MsalError
         /// </summary>
         public const string ManagedIdentityRequestFailed = "managed_identity_request_failed";
 
+        /// <summary>
+        /// Managed Identity error response was received.
+        /// </summary>
+        public const string ManagedIdentityResponseParseFailure = "managed_identity_response_parse_failure";
+
         /// <summary>
         /// Managed Identity endpoint is not reachable.
         /// </summary>

src/client/Microsoft.Identity.Client/MsalErrorMessage.cs

@@ -414,6 +414,7 @@ public static string InvalidTokenProviderResponseValue(string invalidValueName)
 
         public const string ManagedIdentityNoResponseReceived = "[Managed Identity] Authentication unavailable. No response received from the managed identity endpoint.";
         public const string ManagedIdentityInvalidResponse = "[Managed Identity] Invalid response, the authentication response received did not contain the expected fields.";
+        public const string ManagedIdentityJsonParseFailure = "[Managed Identity] MSI returned 200 OK, but the response could not be parsed.";
         public const string ManagedIdentityUnexpectedResponse = "[Managed Identity] Unexpected exception occurred when parsing the response. See the inner exception for details.";
         public const string ManagedIdentityExactlyOneScopeExpected = "[Managed Identity] To acquire token for managed identity, exactly one scope must be passed.";
         public const string ManagedIdentityUnexpectedErrorResponse = "[Managed Identity] The error response was either empty or could not be parsed.";

src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt

@@ -1,3 +1,4 @@
+const Microsoft.Identity.Client.MsalError.ManagedIdentityResponseParseFailure = "managed_identity_response_parse_failure" -> string
 Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T>.WithSignedHttpRequestProofOfPossession(Microsoft.Identity.Client.AppConfig.PoPAuthenticationConfiguration popAuthenticationConfiguration) -> T
 Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder.WithMtlsProofOfPossession() -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
 const Microsoft.Identity.Client.MsalError.MissingTenantedAuthority = "missing_tenanted_authority" -> string

src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt

@@ -1,3 +1,4 @@
+const Microsoft.Identity.Client.MsalError.ManagedIdentityResponseParseFailure = "managed_identity_response_parse_failure" -> string
 Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T>.WithSignedHttpRequestProofOfPossession(Microsoft.Identity.Client.AppConfig.PoPAuthenticationConfiguration popAuthenticationConfiguration) -> T
 Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder.WithMtlsProofOfPossession() -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
 const Microsoft.Identity.Client.MsalError.MissingTenantedAuthority = "missing_tenanted_authority" -> string

src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Unshipped.txt

@@ -1,3 +1,4 @@
+const Microsoft.Identity.Client.MsalError.ManagedIdentityResponseParseFailure = "managed_identity_response_parse_failure" -> string
 Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T>.WithSignedHttpRequestProofOfPossession(Microsoft.Identity.Client.AppConfig.PoPAuthenticationConfiguration popAuthenticationConfiguration) -> T
 Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder.WithMtlsProofOfPossession() -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
 const Microsoft.Identity.Client.MsalError.MissingTenantedAuthority = "missing_tenanted_authority" -> string

src/client/Microsoft.Identity.Client/PublicApi/net8.0-ios/PublicAPI.Unshipped.txt

@@ -1,3 +1,4 @@
+const Microsoft.Identity.Client.MsalError.ManagedIdentityResponseParseFailure = "managed_identity_response_parse_failure" -> string
 Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T>.WithSignedHttpRequestProofOfPossession(Microsoft.Identity.Client.AppConfig.PoPAuthenticationConfiguration popAuthenticationConfiguration) -> T
 Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder.WithMtlsProofOfPossession() -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
 const Microsoft.Identity.Client.MsalError.MissingTenantedAuthority = "missing_tenanted_authority" -> string

src/client/Microsoft.Identity.Client/PublicApi/net8.0/PublicAPI.Unshipped.txt

@@ -1,3 +1,4 @@
+const Microsoft.Identity.Client.MsalError.ManagedIdentityResponseParseFailure = "managed_identity_response_parse_failure" -> string
 Microsoft.Identity.Client.AbstractConfidentialClientAcquireTokenParameterBuilder<T>.WithSignedHttpRequestProofOfPossession(Microsoft.Identity.Client.AppConfig.PoPAuthenticationConfiguration popAuthenticationConfiguration) -> T
 Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder.WithMtlsProofOfPossession() -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
 const Microsoft.Identity.Client.MsalError.MissingTenantedAuthority = "missing_tenanted_authority" -> string