|
| 1 | +// Copyright (c) Microsoft Corporation. All rights reserved. |
| 2 | +// Licensed under the MIT License. |
| 3 | + |
| 4 | +using System; |
| 5 | +using System.Threading.Tasks; |
| 6 | +using Azure.Core; |
| 7 | +using Azure.Core.Pipeline; |
| 8 | +using Azure.Identity; |
| 9 | + |
| 10 | +namespace Azure.Data.AppConfiguration |
| 11 | +{ |
| 12 | + /// <summary> |
| 13 | + /// Pipeline policy that inspects <see cref="AuthenticationFailedException"/> instances for the Entra ID token audience error code (AADSTS500011) and rethrows a new exception with clearer guidance. |
| 14 | + /// </summary> |
| 15 | + internal class AudienceErrorHandlingPolicy : HttpPipelinePolicy |
| 16 | + { |
| 17 | + private bool _isAudienceConfigured; |
| 18 | + private const string AadAudienceErrorCode = "AADSTS500011"; |
| 19 | + private const string NoAudienceErrorMessage = "Unable to authenticate to Azure App Configuration. No authentication token audience was provided. Please set ConfigurationClientOptions.Audience to the appropriate audience for the target cloud. For details on how to configure the authentication token audience visit https://aka.ms/appconfig/client-token-audience."; |
| 20 | + private const string WrongAudienceErrorMessage = "Unable to authenticate to Azure App Configuration. An incorrect token audience was provided. Please set ConfigurationClientOptions.Audience to the appropriate audience for the target cloud. For details on how to configure the authentication token audience visit https://aka.ms/appconfig/client-token-audience."; |
| 21 | + |
| 22 | + public AudienceErrorHandlingPolicy(bool isAudienceConfigured) |
| 23 | + { |
| 24 | + _isAudienceConfigured = isAudienceConfigured; |
| 25 | + } |
| 26 | + |
| 27 | + public override void Process(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline) |
| 28 | + { |
| 29 | + try |
| 30 | + { |
| 31 | + ProcessNext(message, pipeline); |
| 32 | + } |
| 33 | + catch (AuthenticationFailedException ex) |
| 34 | + { |
| 35 | + HandleAuthenticationAudienceError(ex); |
| 36 | + throw; |
| 37 | + } |
| 38 | + } |
| 39 | + |
| 40 | + public override async ValueTask ProcessAsync(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline) |
| 41 | + { |
| 42 | + try |
| 43 | + { |
| 44 | + await ProcessNextAsync(message, pipeline).ConfigureAwait(false); |
| 45 | + } |
| 46 | + catch (AuthenticationFailedException ex) |
| 47 | + { |
| 48 | + HandleAuthenticationAudienceError(ex); |
| 49 | + throw; |
| 50 | + } |
| 51 | + } |
| 52 | + |
| 53 | + private void HandleAuthenticationAudienceError(AuthenticationFailedException ex) |
| 54 | + { |
| 55 | + // Message string matching is used because AAD error codes are embedded in the exception message. |
| 56 | + if (!ex.Message.Contains(AadAudienceErrorCode, StringComparison.OrdinalIgnoreCase)) |
| 57 | + { |
| 58 | + return; |
| 59 | + } |
| 60 | + |
| 61 | + string message = _isAudienceConfigured ? WrongAudienceErrorMessage : NoAudienceErrorMessage; |
| 62 | + throw new AuthenticationFailedException(message, ex); |
| 63 | + } |
| 64 | + } |
| 65 | +} |
0 commit comments