[Identity] Adjust cache credential error behavior in DAC (#42934)

SharedTokenCacheCredential will now follow the similar pattern as other developer tool
credentials and raise CredentialUnavailableError when within DAC for most exceptions.


Signed-off-by: Paul Van Eck <[email protected]>

Author: pvaneck

sdk/identity/azure-identity/CHANGELOG.md

@@ -1,21 +1,21 @@
 # Release History
 
-## 1.24.1 (Unreleased)
+## 1.25.0 (2025-09-11)
 
 ### Features Added
 
 - `AzureDeveloperCliCredential` now supports `claims` in `get_token` and `get_token_info`. ([#42568](https://github.com/Azure/azure-sdk-for-python/pull/42568))
 - Added new keyword argument `require_envvar` to `DefaultAzureCredential` to enforce the presence of the `AZURE_TOKEN_CREDENTIALS` environment variable. ([#42660](https://github.com/Azure/azure-sdk-for-python/pull/42660))
 
-### Breaking Changes
-
 ### Bugs Fixed
 
 - Fixed an issue where `AzureDeveloperCliCredential` would time out during token requests when `azd` prompts for user interaction. This issue commonly occurred in environments where the `AZD_DEBUG` environment variable was set, causing the Azure Developer CLI to display additional prompts that interfered with automated token acquisition. ([#42535](https://github.com/Azure/azure-sdk-for-python/pull/42535))
 - Fixed an issue where credentials configured with a default tenant ID of "organizations" (such as `InteractiveBrowserCredential` and `DeviceCodeCredential`) would fail authentication when a specific tenant ID was provided in `get_token` or `get_token_info` method calls. ([#42721](https://github.com/Azure/azure-sdk-for-python/pull/42721))
 
 ### Other Changes
 
+- Updated `SharedTokenCacheCredential` to raise `CredentialUnavailableError` instead of `ClientAuthenticationError` during token refresh failures when within the context of `DefaultAzureCredential`. ([#42934](https://github.com/Azure/azure-sdk-for-python/pull/42934))
+
 ## 1.24.0 (2025-08-07)
 
 ### Bugs Fixed

sdk/identity/azure-identity/azure/identity/_credentials/shared_cache.py

@@ -8,7 +8,7 @@
 from .silent import SilentAuthenticationCredential
 from .. import CredentialUnavailableError
 from .._constants import DEVELOPER_SIGN_ON_CLIENT_ID
-from .._internal import AadClient, AadClientBase
+from .._internal import AadClient, AadClientBase, within_dac
 from .._internal.decorators import log_get_token
 from .._internal.shared_token_cache import NO_TOKEN, SharedTokenCacheBase
 
@@ -191,10 +191,17 @@ def _get_token_base(
 
         # try each refresh token, returning the first access token acquired
         for refresh_token in self._get_refresh_tokens(account, is_cae=is_cae):
-            token = cast(AadClient, self._client).obtain_token_by_refresh_token(
-                scopes, refresh_token, claims=claims, tenant_id=tenant_id, enable_cae=is_cae, **kwargs
-            )
-            return token
+            try:
+                token = cast(AadClient, self._client).obtain_token_by_refresh_token(
+                    scopes, refresh_token, claims=claims, tenant_id=tenant_id, enable_cae=is_cae, **kwargs
+                )
+                return token
+            except Exception as e:  # pylint: disable=broad-except
+                if within_dac.get():
+                    raise CredentialUnavailableError(  # pylint: disable=raise-missing-from
+                        message=getattr(e, "message", str(e)), response=getattr(e, "response", None)
+                    )
+                raise
 
         raise CredentialUnavailableError(message=NO_TOKEN.format(account.get("username")))
 

sdk/identity/azure-identity/azure/identity/_version.py

@@ -2,4 +2,4 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
-VERSION = "1.24.1"
+VERSION = "1.25.0"

sdk/identity/azure-identity/azure/identity/aio/_credentials/shared_cache.py

@@ -8,6 +8,7 @@
 from ... import CredentialUnavailableError
 from ..._constants import DEVELOPER_SIGN_ON_CLIENT_ID
 from ..._internal.shared_token_cache import NO_TOKEN, SharedTokenCacheBase
+from ..._internal.utils import within_dac
 from .._internal import AsyncContextManager
 from .._internal.aad_client import AadClient
 from .._internal.decorators import log_get_token_async
@@ -143,11 +144,17 @@ async def _get_token_base(
 
         # try each refresh token, returning the first access token acquired
         for refresh_token in self._get_refresh_tokens(account, is_cae=is_cae):
-            token = await cast(AadClient, self._client).obtain_token_by_refresh_token(
-                scopes, refresh_token, claims=claims, tenant_id=tenant_id, enable_cae=is_cae, **kwargs
-            )
-            return token
-
+            try:
+                token = await cast(AadClient, self._client).obtain_token_by_refresh_token(
+                    scopes, refresh_token, claims=claims, tenant_id=tenant_id, enable_cae=is_cae, **kwargs
+                )
+                return token
+            except Exception as e:  # pylint: disable=broad-except
+                if within_dac.get():
+                    raise CredentialUnavailableError(  # pylint: disable=raise-missing-from
+                        message=getattr(e, "message", str(e)), response=getattr(e, "response", None)
+                    )
+                raise
         raise CredentialUnavailableError(message=NO_TOKEN.format(account.get("username")))
 
     def _get_auth_client(self, **kwargs: Any) -> AadClientBase:

sdk/identity/azure-identity/tests/test_shared_cache_credential.py

@@ -917,6 +917,36 @@ def send(request, **kwargs):
     within_dac.set(False)
 
 
+@pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS)
+def test_within_dac_refresh_token_error(get_token_method):
+    """When within DAC context and refresh token fails, should raise CredentialUnavailableError"""
+
+    upn = "[email protected]"
+    refresh_token = "invalid-refresh-token"
+    scope = "scope"
+    account = get_account_event(uid="uid_a", utid="utid", username=upn, refresh_token=refresh_token)
+    cache = populated_cache(account)
+
+    def send(request, **kwargs):
+        # Mock a token request that fails with invalid_grant (401/400 error)
+        if "refresh_token" in (request.data or {}):
+            return mock_response(
+                status_code=400, json_payload={"error": "invalid_grant", "error_description": "Refresh token expired"}
+            )
+        # Allow discovery requests to succeed
+        return get_discovery_response("https://localhost/tenant")
+
+    transport = Mock(send=send)
+    credential = SharedTokenCacheCredential(_cache=cache, transport=transport, username=upn)
+
+    within_dac.set(True)
+    try:
+        with pytest.raises(CredentialUnavailableError):
+            getattr(credential, get_token_method)(scope)
+    finally:
+        within_dac.set(False)
+
+
 @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS)
 def test_claims_challenge(get_token_method):
     """get_token should pass any claims challenge to MSAL token acquisition APIs"""

sdk/identity/azure-identity/tests/test_shared_cache_credential_async.py

@@ -17,11 +17,19 @@
     NO_ACCOUNTS,
     NO_MATCHING_ACCOUNTS,
 )
+from azure.identity._internal import within_dac
 from azure.identity._internal.user_agent import USER_AGENT
 from msal import TokenCache
 import pytest
 
-from helpers import build_aad_response, id_token_claims, mock_response, Request, GET_TOKEN_METHODS
+from helpers import (
+    build_aad_response,
+    id_token_claims,
+    mock_response,
+    get_discovery_response,
+    Request,
+    GET_TOKEN_METHODS,
+)
 from helpers_async import async_validating_transport, AsyncMockTransport
 from test_shared_cache_credential import get_account_event, populated_cache
 
@@ -390,6 +398,38 @@ async def test_no_refresh_token(get_token_method):
         await getattr(credential, get_token_method)("scope")
 
 
+@pytest.mark.asyncio
+@pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS)
+async def test_within_dac_refresh_token_error(get_token_method):
+    """When within DAC context and refresh token fails, should raise CredentialUnavailableError"""
+
+    upn = "[email protected]"
+    refresh_token = "invalid-refresh-token"
+    scope = "scope"
+    account = get_account_event(uid="uid_a", utid="utid", username=upn, refresh_token=refresh_token)
+    cache = populated_cache(account)
+
+    async def send(request, **kwargs):
+        # Mock a token request that fails with invalid_grant (401/400 error)
+        if "refresh_token" in (request.data or {}):
+            return mock_response(
+                status_code=400, json_payload={"error": "invalid_grant", "error_description": "Refresh token expired"}
+            )
+        return get_discovery_response("https://localhost/tenant")
+
+    transport = AsyncMockTransport(send=send)
+    credential = SharedTokenCacheCredential(_cache=cache, transport=transport, username=upn)
+
+    # Set within_dac context to True
+    within_dac.set(True)
+    try:
+        # When within DAC context, should raise CredentialUnavailableError instead of ClientAuthenticationError
+        with pytest.raises(CredentialUnavailableError):
+            await getattr(credential, get_token_method)(scope)
+    finally:
+        within_dac.set(False)
+
+
 @pytest.mark.asyncio
 @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS)
 async def test_two_accounts_no_username_or_tenant(get_token_method):