Throw different 401 error message

Author: terencefan

src/Microsoft.Azure.SignalR.Common/Auth/MicrosoftEntra/MicrosoftEntraAccessKey.cs

@@ -38,8 +38,6 @@ internal class MicrosoftEntraAccessKey : IAccessKey
 
     private static readonly TimeSpan GetAccessKeyIntervalWhenUnauthorized = TimeSpan.FromMinutes(5);
 
-    private static readonly TimeSpan GetAccessKeyRetryInterval = TimeSpan.FromSeconds(3);
-
     private readonly TaskCompletionSource<object?> _initializedTcs = new TaskCompletionSource<object?>(TaskCreationOptions.RunContinuationsAsynchronously);
 
     private readonly IHttpClientFactory _httpClientFactory;
@@ -48,6 +46,10 @@ internal class MicrosoftEntraAccessKey : IAccessKey
 
     private DateTime _lastUpdatedTime = DateTime.MinValue;
 
+    private volatile string? _kid;
+
+    private volatile byte[]? _keyBytes;
+
     public bool IsAuthorized
     {
         get => _isAuthorized;
@@ -66,23 +68,21 @@ private set
 
     public TokenCredential TokenCredential { get; }
 
-    internal Exception? LastException { get; private set; }
-
-    internal string GetAccessKeyUrl { get; }
+    public string Kid => _kid ?? throw new ArgumentNullException(nameof(Kid));
 
-    internal bool HasExpired => DateTime.UtcNow - _lastUpdatedTime > TimeSpan.FromMinutes(GetAccessKeyIntervalInMinute * 2);
+    public byte[] KeyBytes => _keyBytes ?? throw new ArgumentNullException(nameof(KeyBytes));
 
-    private Task<object?> InitializedTask => _initializedTcs.Task;
+    public Uri Endpoint { get; }
 
-    private volatile string? _kid;
+    internal Exception? LastException { get; private set; }
 
-    private volatile byte[]? _keyBytes;
+    internal string GetAccessKeyUrl { get; }
 
-    public string Kid => _kid ?? throw new ArgumentNullException(nameof(Kid));
+    internal bool HasExpired => DateTime.UtcNow - _lastUpdatedTime > TimeSpan.FromMinutes(GetAccessKeyIntervalInMinute * 2);
 
-    public byte[] KeyBytes => _keyBytes ?? throw new ArgumentNullException(nameof(KeyBytes));
+    internal TimeSpan GetAccessKeyRetryInterval { get; set; } = TimeSpan.FromSeconds(3);
 
-    public Uri Endpoint { get; }
+    private Task<object?> InitializedTask => _initializedTcs.Task;
 
     public MicrosoftEntraAccessKey(Uri endpoint,
                                    TokenCredential credential,
@@ -189,7 +189,7 @@ internal async Task UpdateAccessKeyAsync(CancellationToken ctoken = default)
         IsAuthorized = false;
     }
 
-    private static async Task ThrowExceptionOnResponseFailureAsync(HttpResponseMessage response)
+    private static async Task ThrowExceptionOnResponseFailureAsync(HttpRequestMessage request, HttpResponseMessage response)
     {
         if (response.IsSuccessStatusCode)
         {
@@ -208,11 +208,12 @@ private static async Task ThrowExceptionOnResponseFailureAsync(HttpResponseMessa
             $"Response status code does not indicate success: {(int)response.StatusCode} ({response.ReasonPhrase})");
 #endif
 
-        var requestUri = response.RequestMessage?.RequestUri?.ToString();
+        var requestUri = request.RequestUri?.ToString();
+        var jwtToken = request.Headers.Authorization?.Parameter ?? null;
         throw response.StatusCode switch
         {
             HttpStatusCode.BadRequest => new AzureSignalRInvalidArgumentException(requestUri, innerException, content),
-            HttpStatusCode.Unauthorized => new AzureSignalRUnauthorizedException(requestUri, innerException),
+            HttpStatusCode.Unauthorized => new AzureSignalRUnauthorizedException(requestUri, innerException, jwtToken),
             HttpStatusCode.NotFound => new AzureSignalRInaccessibleEndpointException(requestUri, innerException),
             _ => new AzureSignalRRuntimeException(requestUri, innerException, response.StatusCode, content),
         };
@@ -231,7 +232,7 @@ private async Task UpdateAccessKeyInternalAsync(CancellationToken ctoken)
 
         await HandleHttpResponseAsync(response);
 
-        await ThrowExceptionOnResponseFailureAsync(response);
+        await ThrowExceptionOnResponseFailureAsync(request, response);
     }
 
     private async Task<bool> HandleHttpResponseAsync(HttpResponseMessage response)

src/Microsoft.Azure.SignalR.Common/Exceptions/AzureSignalRRuntimeException.cs

@@ -14,7 +14,7 @@ public class AzureSignalRRuntimeException : AzureSignalRException
 {
     internal const string ErrorMessage = "Azure SignalR service runtime error.";
 
-    internal const string NetworkErrorMessage = "403 Forbidden, please check your service Networking settings.";
+    internal const string NetworkErrorMessage = "please check your service Networking settings.";
 
     internal HttpStatusCode StatusCode { get; private set; } = HttpStatusCode.InternalServerError;
 
@@ -39,7 +39,8 @@ private static string GetExceptionMessage(HttpStatusCode statusCode, string? req
 
     private static string GetForbiddenReason(string content)
     {
-        return content.Contains("nginx") ? NetworkErrorMessage : content;
+        var reason = content.Contains("nginx") ? NetworkErrorMessage : content;
+        return $"403 Forbidden, {reason}";
     }
 
 #if NET8_0_OR_GREATER

src/Microsoft.Azure.SignalR.Common/Exceptions/AzureSignalRUnauthorizedException.cs

@@ -6,24 +6,33 @@
 
 namespace Microsoft.Azure.SignalR.Common;
 
+#nullable enable
+
 [Serializable]
 public class AzureSignalRUnauthorizedException : AzureSignalRException
 {
-    /// <summary>
-    /// TODO: Try parse token issuer to identify the possible cause of 401
-    /// </summary>
+    [Obsolete]
     internal const string ErrorMessage = $"401 Unauthorized. If you were using AccessKey, {ErrorMessageLocalAuth}. If you were using Microsoft Entra authentication, {ErrorMessageMicrosoftEntra}";
 
     internal const string ErrorMessageLocalAuth = "please check the connection string and see if the AccessKey is correct.";
 
     internal const string ErrorMessageMicrosoftEntra = "please check if you set the AzureAuthorityHosts properly in your TokenCredentialOptions, see \"https://learn.microsoft.com/en-us/dotnet/api/azure.identity.azureauthorityhosts\".";
 
-    public AzureSignalRUnauthorizedException(string requestUri, Exception innerException) : base(string.IsNullOrEmpty(requestUri) ? ErrorMessage : $"{ErrorMessage} Request Uri: {requestUri}", innerException)
+    [Obsolete]
+    public AzureSignalRUnauthorizedException(string? requestUri, Exception innerException) : base(string.IsNullOrEmpty(requestUri) ? ErrorMessage : $"{ErrorMessage} Request Uri: {requestUri}", innerException)
+    {
+    }
+
+    internal AzureSignalRUnauthorizedException(string? requestUri, Exception innerException, string? jwtToken) : base(GetExceptionMessage(jwtToken, requestUri), innerException)
     {
     }
 
-    internal AzureSignalRUnauthorizedException(Exception innerException) : base(ErrorMessage, innerException)
+    private static string GetExceptionMessage(string? jwtToken, string? requestUri)
     {
+        var message = TokenUtilities.TryParseIssuer(jwtToken, out var iss)
+            ? Constants.AsrsTokenIssuer.Equals(iss) ? ErrorMessageLocalAuth : ErrorMessageMicrosoftEntra
+            : ErrorMessageLocalAuth;
+        return string.IsNullOrEmpty(requestUri) ? $"401 Unauthorized, {message}" : $"401 Unauthorized, {message} Request Uri: {requestUri}";
     }
 
 #if NET8_0_OR_GREATER

src/Microsoft.Azure.SignalR.Common/Exceptions/ExceptionExtensions.cs

@@ -4,22 +4,23 @@
 using System;
 using System.Net.WebSockets;
 
-namespace Microsoft.Azure.SignalR.Common
+namespace Microsoft.Azure.SignalR.Common;
+
+#nullable enable
+
+internal static class ExceptionExtensions
 {
-    internal static class ExceptionExtensions
+    internal static Exception WrapAsAzureSignalRException(this Exception e, string? jwtToken)
     {
-        internal static Exception WrapAsAzureSignalRException(this Exception e)
+        switch (e)
         {
-            switch (e)
-            {
-                case WebSocketException webSocketException:
-                    if (e.Message.StartsWith("The server returned status code \"401\""))
-                    {
-                        return new AzureSignalRUnauthorizedException(webSocketException);
-                    }
-                    return e;
-                default: return e;
-            }
+            case WebSocketException webSocketException:
+                if (e.Message.StartsWith("The server returned status code \"401\""))
+                {
+                    return new AzureSignalRUnauthorizedException(null, webSocketException, jwtToken);
+                }
+                return e;
+            default: return e;
         }
     }
 }