[Identity] SharedTokenCredential in DAC update

pvaneck · pvaneck · commit 67f2e45b5429 · 2025-09-10T07:30:21.000Z
Signed-off-by: Paul Van Eck &lt;paulvaneck@microsoft.com&gt;
diff --git a/sdk/identity/azure-identity/CHANGELOG.md b/sdk/identity/azure-identity/CHANGELOG.md
@@ -16,6 +16,9 @@
 
 ### Other Changes
 
+- Updated `SharedTokenCacheCredential` to raise `CredentialUnavailableError` instead of `ClientAuthenticationError` during token refresh failures when within the context of `DefaultAzureCredential`. ([#42934](https://github.com/Azure/azure-sdk-for-python/pull/42934))
+
+
 ## 1.24.0 (2025-08-07)
 
 ### Bugs Fixed
diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/shared_cache.py b/sdk/identity/azure-identity/azure/identity/_credentials/shared_cache.py
@@ -4,11 +4,12 @@
 # ------------------------------------
 from typing import Any, Optional, TypeVar, cast
 from azure.core.credentials import AccessToken, TokenRequestOptions, AccessTokenInfo, SupportsTokenInfo, TokenCredential
+from azure.core.exceptions import ClientAuthenticationError
 
 from .silent import SilentAuthenticationCredential
 from .. import CredentialUnavailableError
 from .._constants import DEVELOPER_SIGN_ON_CLIENT_ID
-from .._internal import AadClient, AadClientBase
+from .._internal import AadClient, AadClientBase, within_dac
 from .._internal.decorators import log_get_token
 from .._internal.shared_token_cache import NO_TOKEN, SharedTokenCacheBase
 
@@ -191,9 +192,16 @@ def _get_token_base(
 
         # try each refresh token, returning the first access token acquired
         for refresh_token in self._get_refresh_tokens(account, is_cae=is_cae):
-            token = cast(AadClient, self._client).obtain_token_by_refresh_token(
-                scopes, refresh_token, claims=claims, tenant_id=tenant_id, enable_cae=is_cae, **kwargs
-            )
+            try:
+                token = cast(AadClient, self._client).obtain_token_by_refresh_token(
+                    scopes, refresh_token, claims=claims, tenant_id=tenant_id, enable_cae=is_cae, **kwargs
+                )
+            except ClientAuthenticationError as e:
+                if within_dac.get():
+                    raise CredentialUnavailableError(  # pylint: disable=raise-missing-from
+                        message=e.message, response=e.response
+                    )
+                raise
             return token
 
         raise CredentialUnavailableError(message=NO_TOKEN.format(account.get("username")))
diff --git a/sdk/identity/azure-identity/azure/identity/aio/_credentials/shared_cache.py b/sdk/identity/azure-identity/azure/identity/aio/_credentials/shared_cache.py
@@ -4,10 +4,12 @@
 # ------------------------------------
 from typing import Any, Optional, cast
 from azure.core.credentials import AccessToken, AccessTokenInfo, TokenRequestOptions
+from azure.core.exceptions import ClientAuthenticationError
 from ..._internal.aad_client import AadClientBase
 from ... import CredentialUnavailableError
 from ..._constants import DEVELOPER_SIGN_ON_CLIENT_ID
 from ..._internal.shared_token_cache import NO_TOKEN, SharedTokenCacheBase
+from ..._internal.utils import within_dac
 from .._internal import AsyncContextManager
 from .._internal.aad_client import AadClient
 from .._internal.decorators import log_get_token_async
@@ -143,10 +145,17 @@ async def _get_token_base(
 
         # try each refresh token, returning the first access token acquired
         for refresh_token in self._get_refresh_tokens(account, is_cae=is_cae):
-            token = await cast(AadClient, self._client).obtain_token_by_refresh_token(
-                scopes, refresh_token, claims=claims, tenant_id=tenant_id, enable_cae=is_cae, **kwargs
-            )
-            return token
+            try:
+                token = await cast(AadClient, self._client).obtain_token_by_refresh_token(
+                    scopes, refresh_token, claims=claims, tenant_id=tenant_id, enable_cae=is_cae, **kwargs
+                )
+                return token
+            except ClientAuthenticationError as e:
+                if within_dac.get():
+                    raise CredentialUnavailableError(  # pylint: disable=raise-missing-from
+                        message=e.message, response=e.response
+                    )
+                raise
 
         raise CredentialUnavailableError(message=NO_TOKEN.format(account.get("username")))
 
diff --git a/sdk/identity/azure-identity/tests/test_shared_cache_credential.py b/sdk/identity/azure-identity/tests/test_shared_cache_credential.py
@@ -917,6 +917,36 @@ def send(request, **kwargs):
     within_dac.set(False)
 
 
+@pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS)
+def test_within_dac_refresh_token_error(get_token_method):
+    """When within DAC context and refresh token fails, should raise CredentialUnavailableError"""
+
+    upn = "test@example.com"
+    refresh_token = "invalid-refresh-token"
+    scope = "scope"
+    account = get_account_event(uid="uid_a", utid="utid", username=upn, refresh_token=refresh_token)
+    cache = populated_cache(account)
+
+    def send(request, **kwargs):
+        # Mock a token request that fails with invalid_grant (401/400 error)
+        if "refresh_token" in (request.data or {}):
+            return mock_response(
+                status_code=400, json_payload={"error": "invalid_grant", "error_description": "Refresh token expired"}
+            )
+        # Allow discovery requests to succeed
+        return get_discovery_response("https://localhost/tenant")
+
+    transport = Mock(send=send)
+    credential = SharedTokenCacheCredential(_cache=cache, transport=transport, username=upn)
+
+    within_dac.set(True)
+    try:
+        with pytest.raises(CredentialUnavailableError):
+            getattr(credential, get_token_method)(scope)
+    finally:
+        within_dac.set(False)
+
+
 @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS)
 def test_claims_challenge(get_token_method):
     """get_token should pass any claims challenge to MSAL token acquisition APIs"""
diff --git a/sdk/identity/azure-identity/tests/test_shared_cache_credential_async.py b/sdk/identity/azure-identity/tests/test_shared_cache_credential_async.py
@@ -17,6 +17,7 @@
     NO_ACCOUNTS,
     NO_MATCHING_ACCOUNTS,
 )
+from azure.identity._internal import within_dac
 from azure.identity._internal.user_agent import USER_AGENT
 from msal import TokenCache
 import pytest
@@ -390,6 +391,41 @@ async def test_no_refresh_token(get_token_method):
         await getattr(credential, get_token_method)("scope")
 
 
+@pytest.mark.asyncio
+@pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS)
+async def test_within_dac_refresh_token_error(get_token_method):
+    """When within DAC context and refresh token fails, should raise CredentialUnavailableError"""
+
+    upn = "test@example.com"
+    refresh_token = "invalid-refresh-token"
+    scope = "scope"
+    account = get_account_event(uid="uid_a", utid="utid", username=upn, refresh_token=refresh_token)
+    cache = populated_cache(account)
+
+    async def send(request, **kwargs):
+        # Mock a token request that fails with invalid_grant (401/400 error)
+        if "refresh_token" in (request.data or {}):
+            return mock_response(
+                status_code=400, json_payload={"error": "invalid_grant", "error_description": "Refresh token expired"}
+            )
+        # Allow discovery requests to succeed
+        from helpers import get_discovery_response
+
+        return get_discovery_response("https://localhost/tenant")
+
+    transport = AsyncMockTransport(send=send)
+    credential = SharedTokenCacheCredential(_cache=cache, transport=transport, username=upn)
+
+    # Set within_dac context to True
+    within_dac.set(True)
+    try:
+        # When within DAC context, should raise CredentialUnavailableError instead of ClientAuthenticationError
+        with pytest.raises(CredentialUnavailableError):
+            await getattr(credential, get_token_method)(scope)
+    finally:
+        within_dac.set(False)
+
+
 @pytest.mark.asyncio
 @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS)
 async def test_two_accounts_no_username_or_tenant(get_token_method):
