[BUG] Azure.Identity.ManagedIdentitySource throws ArgumentNullException

[pampua84]

Library name and version

Azure.Identity 1.13.2

Describe the bug

In my application, I'm trying to get a certificate from Azure Key Vault using this simple code:

var client = new CertificateClient(new Uri("uri"), new DefaultAzureCredential());
var response = client.GetCertificate("name");

However, I receive a 401 Unauthorized error without content in the Azure HTTP response, which raises the following exception:

Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Value cannot be null. (Parameter 'bytes')
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
---> System.ArgumentNullException: Value cannot be null. (Parameter 'bytes')
at System.ArgumentNullException.Throw(String paramName)
at System.ArgumentNullException.ThrowIfNull(Void* argument, String paramName)
at System.Text.Encoding.GetString(Byte* bytes, Int32 byteCount)
at System.BinaryData.ToString()
at Azure.Identity.ManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, HttpMessage message, CancellationToken cancellationToken)
at Azure.Identity.ImdsManagedIdentityProbeSource.HandleResponseAsync(Boolean async, TokenRequestContext context, HttpMessage message, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
at Azure.Identity.ImdsManagedIdentityProbeSource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)

It seems that the ToString() method is being called on a null Content object inside the library.

Expected behavior

In the case of 401 I expect a speaking message or at least only the value Unauthorized

Actual behavior

Currently the following message is returned:

ManagedIdentityCredential authentication failed: Value cannot be null. (Parameter 'bytes')

Reproduction Steps

Create simple unauthorided client to get certificate from Key Vault

var client = new CertificateClient(new Uri("uri"), new DefaultAzureCredential());
var response = client.GetCertificate("name");

Environment

.NET SDK:
Version: 9.0.101
Commit: eedb237549
Workload version: 9.0.100-manifests.4a280210
MSBuild version: 17.12.12+1cce77968

Runtime Environment:
OS Name: Windows
OS Version: 10.0.22621
OS Platform: Windows
RID: win-x64
Base Path: C:\Program Files\dotnet\sdk\9.0.101\

[github-actions]

Thank you for your feedback. Tagging and routing to the team member best able to assist.

[christothes]

Hi @pampua84 - Sorry you have hit this issue. Is this occurring locally in your development environment or when deployed?

Would you mind enabling logging to show what the 401 response body looks like as well as the request that generated it?

For console output, you would just need to add the following line to your program.

using AzureEventSourceListener listener = AzureEventSourceListener.CreateTraceLogger(EventLevel.Verbose);

If you need to log the output somewhere other than the console, this can be done as described in these docs.

For example:

using AzureEventSourceListener listener = new AzureEventSourceListener(
    (args, message) => myLogger.Log("[{0:HH:mm:ss:fff}][{1}] {2}", DateTimeOffset.Now, args.Level, message),
    level: EventLevel.Verbose);

[github-actions]

Hi @pampua84. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

[pampua84]

H @christothes i, the issue occurred locally because when using the DefaultAzureCredential, the system tries to use the ManagedIdentity and I get a 401 error.
The problem, however, is due to receiving an unclear exception unless the AzureEventSourceListener is enabled as you specified. Could this be intentional?