Prepare Identity for release with bugfix (#47753)

Author: christothes

eng/Packages.Data.props

@@ -164,9 +164,9 @@
     <!-- Other approved packages -->
     <PackageReference Update="Microsoft.Azure.Amqp" Version="2.6.9" />
     <PackageReference Update="Microsoft.Azure.WebPubSub.Common" Version="1.4.0" />
-    <PackageReference Update="Microsoft.Identity.Client" Version="4.66.1" />
-    <PackageReference Update="Microsoft.Identity.Client.Extensions.Msal" Version="4.66.1" />
-    <PackageReference Update="Microsoft.Identity.Client.Broker" Version="4.66.1" />
+    <PackageReference Update="Microsoft.Identity.Client" Version="4.67.2" />
+    <PackageReference Update="Microsoft.Identity.Client.Extensions.Msal" Version="4.67.2" />
+    <PackageReference Update="Microsoft.Identity.Client.Broker" Version="4.67.2" />
 
     <!-- TODO: Make sure this package is arch-board approved -->
     <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.35.0" />

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -1,18 +1,13 @@
 # Release History
 
-## 1.14.0-beta.1 (Unreleased)
-
-### Features Added
-
-### Breaking Changes
+## 1.13.2 (2025-01-14)
 
 ### Bugs Fixed
 
 - Fixed an issue where setting `DefaultAzureCredentialOptions.TenantId` twice throws an `InvalidOperationException` ([#47035](https://github.com/Azure/azure-sdk-for-net/issues/47035))
 - Fixed an issue where `ManagedIdentityCredential` does not honor the `CancellationToken` passed to `GetToken` and `GetTokenAsync`. ([#47156](https://github.com/Azure/azure-sdk-for-net/issues/47156))
 - Fixed an issue where some credentials in `DefaultAzureCredential` would not fall through to the next credential in the chain under certain exception conditions.
-
-### Other Changes
+- Fixed a regression in `ManagedIdentityCredential` when used in a `ChainedTokenCredential` where the invalid json responses do not fall through to the next credential in the chain. ([#47470](https://github.com/Azure/azure-sdk-for-net/issues/47470))
 
 ## 1.13.1 (2024-10-24)
 

sdk/identity/Azure.Identity/src/Azure.Identity.csproj

@@ -2,7 +2,7 @@
   <PropertyGroup>
     <Description>This is the implementation of the Azure SDK Client Library for Azure Identity</Description>
     <AssemblyTitle>Microsoft Azure.Identity Component</AssemblyTitle>
-    <Version>1.14.0-beta.1</Version>
+    <Version>1.13.2</Version>
     <!--The ApiCompatVersion is managed automatically and should not generally be modified manually.-->
     <ApiCompatVersion>1.13.1</ApiCompatVersion>
     <PackageTags>Microsoft Azure Identity;$(PackageCommonTags)</PackageTags>

sdk/identity/Azure.Identity/src/Credentials/ManagedIdentityCredential.cs

@@ -8,6 +8,7 @@
 using Azure.Core.Pipeline;
 using System.Linq;
 using System.ComponentModel;
+using Microsoft.Identity.Client;
 
 namespace Azure.Identity
 {
@@ -150,6 +151,13 @@ private async ValueTask<AccessToken> GetTokenImplAsync(bool async, TokenRequestC
                 }
                 return scope.Succeeded(result);
             }
+            // The managed_identity_response_parse_failure error is thrown when the response from the managed identity endpoint cannot be parsed.
+            // Since for non-DAC invocations of the credential, we do not participate in parsing the raw response, we rely on this error to indicate
+            // that the response was not valid JSON.
+            catch (MsalServiceException e) when (e.ErrorCode == MsalError.ManagedIdentityResponseParseFailure)
+            {
+                throw scope.FailWrapAndThrow(new CredentialUnavailableException(MsiUnavailableError, e), Troubleshooting);
+            }
             catch (Exception e)
             {
                 // This exception pattern indicates that the MI endpoint is not available after exhausting all retries.

sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs

@@ -863,7 +863,8 @@ public async Task VerifyClientAuthenticateThrows()
         }
 
         [Test]
-        public async Task VerifyClientAuthenticateReturnsInvalidJsonOnSuccess([Values(200)] int status)
+        [NonParallelizable]
+        public async Task VerifyClientAuthenticateReturnsInvalidJsonOnSuccess([Values(true, false)] bool isChained)
         {
             using var environment = new TestEnvVar(
                 new()
@@ -874,15 +875,20 @@ public async Task VerifyClientAuthenticateReturnsInvalidJsonOnSuccess([Values(20
                     { "IDENTITY_HEADER", null },
                     { "AZURE_POD_IDENTITY_AUTHORITY_HOST", null }
                 });
-            var mockTransport = new MockTransport(request => CreateInvalidJsonResponse(status));
-            var options = new TokenCredentialOptions() { Transport = mockTransport, IsChainedCredential = true };
+            var mockTransport = new MockTransport(request => CreateInvalidJsonResponse(200));
+            var options = new TokenCredentialOptions() { Transport = mockTransport, IsChainedCredential = isChained };
             options.Retry.MaxDelay = TimeSpan.Zero;
             var pipeline = CredentialPipeline.GetInstance(options);
 
-            ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential("mock-client-id", pipeline, options));
+            ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential(
+                new ManagedIdentityClient(
+                    new ManagedIdentityClientOptions() { Pipeline = pipeline, ManagedIdentityId = ManagedIdentityId.FromUserAssignedClientId("mock-client-id"), IsForceRefreshEnabled = true, Options = options })));
 
             var ex = Assert.ThrowsAsync<CredentialUnavailableException>(async () => await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default)));
-            Assert.IsInstanceOf(typeof(System.Text.Json.JsonException), ex.InnerException);
+            if (isChained)
+            {
+                Assert.IsInstanceOf(typeof(System.Text.Json.JsonException), ex.InnerException);
+            }
             await Task.CompletedTask;
         }