
[Bug] MSAL raises exception with message ' either empty or could not be parsed' for 429s from the managed identity code path of Service Fabric. #5178


Open
gladjohn opened this issue Mar 7, 2025 · 2 comments
gladjohn commented Mar 7, 2025

Library version used

latest

.NET version

Net 8

Scenario

ManagedIdentityClient - managed identity

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

MSAL.NET raises the exception below when it encounters an HTTP 429 from the managed identity code path of Service Fabric, making it non-retriable:

```
Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] The error response was either empty or could not be parsed.. Error response received from the server: The request was throttled locally; the service allows 30 requests per 10s; retry after 4s.
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
 ---> MSAL.NetCore.4.66.0.0.MsalServiceException:
        ErrorCode: managed_identity_request_failed
Microsoft.Identity.Client.MsalServiceException: [Managed Identity] The error response was either empty or could not be parsed.. Error response received from the server: The request was throttled locally; the service allows 30 requests per 10s; retry after 4s.
   at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
```

Can the team confirm that the exception seen in this case is getting treated as ‘429’ and is actually getting retried? Following are the reasons for us to have some questions around it:

• Error message has substring saying ‘empty or could not be parsed’ indicating MSAL isn’t able to classify it as standard throttling and hence won’t retry?

“Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] The error response was either empty or could not be parsed.. Error response received from the server: The request was throttled locally; the service allows 30 requests per 10s; retry after 4s”

• I tried overriding the retry policy of ManagedIdentityCredential, and even that didn’t help or change the observed exception rate, indicating that the underlying MSAL/MI layer is not treating this exception as retriable:

```csharp
var tokenCredentialOptions = new TokenCredentialOptions()
{
    RetryPolicy = new RetryPolicy(
        maxRetries: 6,
        DelayStrategy.CreateExponentialDelayStrategy(
            initialDelay: TimeSpan.FromSeconds(1),
            maxDelay: TimeSpan.FromMinutes(1))),
};

return new ManagedIdentityCredential(clientId: null, options: tokenCredentialOptions);
```

Microsoft.Identity.Client 4.66.0

Azure.Identity 1.13.0

Relevant code snippets

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

gladjohn added the needs attention and untriaged labels Mar 7, 2025

bgavrilMS added the ICM, bug, P2 and confidential-client labels and removed the untriaged and needs attention labels Mar 10, 2025

neha-bhargava self-assigned this Mar 18, 2025
neha-bhargava commented Apr 11, 2025

This seems like a duplicate of what @Robbie-Microsoft is working on: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/5231/files#diff-32e09f25b95bf3daf56d00b9a2ac273bf973befc522da328823f687744a6473e by adding a retry-header to pause for retry.

The first part of this bug will be resolved with #5220 when Azure SDK updates to pass the Http client with the validation callback.
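
A caller-side way to classify the failure reported in this issue as throttling and wait before retrying, added here as an example; it is not code from MSAL, Azure.Identity or the participants in this thread. `ThrottleAwareToken`, the 30-second cap and the 5-second default are hypothetical, and the sketch assumes the `MsalServiceException` arrives as the inner exception (as in the posted trace) and that its `Headers` and `StatusCode` may or may not be populated on this path.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Identity.Client;

// Added example: hypothetical helper, not part of MSAL or Azure.Identity.
public static class ThrottleAwareToken
{
    // Matches the hint in the message quoted in this issue: "retry after 4s".
    private static readonly Regex RetryHint =
        new Regex(@"retry after (\d{1,4})s", RegexOptions.IgnoreCase);
    private static readonly TimeSpan MaxDelay = TimeSpan.FromSeconds(30);

    // Returns how long to wait if the failure looks like throttling, else null.
    public static TimeSpan? GetThrottleDelay(AuthenticationFailedException ex)
    {
        if (ex.InnerException is not MsalServiceException msal) return null;
        // Prefer a Retry-After header when the response carried one.
        TimeSpan? delay = msal.Headers?.RetryAfter?.Delta;
        // Otherwise use the text hint (assumption: the wording stays stable).
        Match m = RetryHint.Match(msal.Message ?? string.Empty);
        if (delay is null && m.Success)
            delay = TimeSpan.FromSeconds(int.Parse(m.Groups[1].Value));
        // Assumption: StatusCode may be 429 here; if so, use a default pause.
        if (delay is null && msal.StatusCode == 429) delay = TimeSpan.FromSeconds(5);
        if (delay > MaxDelay) delay = MaxDelay; // never trust an unbounded wait
        return delay;
    }

    public static async Task<AccessToken> GetTokenAsync(
        TokenCredential credential, TokenRequestContext context,
        int maxAttempts = 5, CancellationToken ct = default)
    {
        for (int attempt = 1; ; attempt++)
        {
            try
            {
                return await credential.GetTokenAsync(context, ct).ConfigureAwait(false);
            }
            catch (AuthenticationFailedException ex) when (attempt < maxAttempts)
            {
                TimeSpan? delay = GetThrottleDelay(ex);
                if (delay is null) throw; // not throttling: surface the real failure
                await Task.Delay(delay.Value, ct).ConfigureAwait(false);
            }
        }
    }
}
```

Because the retry runs above the credential rather than inside the HTTP pipeline, it applies even when the pipeline `RetryPolicy` never sees a retriable response.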

Status: Committed