Parse azd JSON output for cleaner AzureDeveloperCliCredential error messages (Azure#37268)

Author: Copilot

sdk/identity/identity/CHANGELOG.md

@@ -10,6 +10,7 @@
 
 ### Bugs Fixed
 
+- Fixed an issue where `AzureDeveloperCliCredential` error messages included raw JSON output from `azd auth token` instead of clean, user-friendly messages. The credential now parses the JSON stderr output to extract and display only the error message. [#37268](https://github.com/Azure/azure-sdk-for-js/pull/37268)
 - Fixed an issue where `IdentityClient` does not pass response in expected format for MSAL in empty response situations with additional logging. [#36906](https://github.com/Azure/azure-sdk-for-js/pull/36906)
 
 ### Other Changes

sdk/identity/identity/src/credentials/azureDeveloperCliCredential.ts

@@ -35,6 +35,28 @@ export const azureDeveloperCliPublicErrorMessages = {
  * @internal
  */
 export const developerCliCredentialInternals = {
+  /**
+   * Parses azd stderr JSON output to extract the error message.
+   * azd outputs JSON like: \{"type":"consoleMessage","timestamp":"...","data":\{"message":"ERROR: ..."\}\}
+   * If parsing succeeds and .data.message exists, returns the trimmed message.
+   * Otherwise, returns the raw stderr.
+   * @param stderr - The stderr output from azd command
+   * @returns The parsed error message or raw stderr
+   * @internal
+   */
+  parseAzdStderr(stderr: string): string {
+    try {
+      const parsed = JSON.parse(stderr);
+      const message = parsed?.data?.message;
+      if (typeof message === "string" && message.trim().length > 0) {
+        return message.trim();
+      }
+    } catch {
+      // If JSON parsing fails, fall through to return raw stderr
+    }
+    return stderr;
+  },
+
   /**
    * @internal
    */
@@ -241,7 +263,8 @@ export class AzureDeveloperCliCredential implements TokenCredential {
           } as AccessToken;
         } catch (e: any) {
           if (obj.stderr) {
-            throw new CredentialUnavailableError(obj.stderr);
+            const errorMessage = developerCliCredentialInternals.parseAzdStderr(obj.stderr);
+            throw new CredentialUnavailableError(errorMessage);
           }
           throw e;
         }

sdk/identity/identity/test/internal/node/azureDeveloperCliCredential.spec.ts

@@ -1,7 +1,10 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 import { AzureDeveloperCliCredential } from "@azure/identity";
-import { azureDeveloperCliPublicErrorMessages } from "$internal/credentials/azureDeveloperCliCredential.js";
+import {
+  azureDeveloperCliPublicErrorMessages,
+  developerCliCredentialInternals,
+} from "$internal/credentials/azureDeveloperCliCredential.js";
 import type { GetTokenOptions } from "@azure/core-auth";
 import child_process, { type ChildProcess } from "node:child_process";
 import { describe, it, assert, expect, vi, beforeEach, afterEach } from "vitest";
@@ -272,4 +275,101 @@ describe("AzureDeveloperCliCredential (internal)", function () {
       );
     });
   }
+
+  describe("parseAzdStderr", () => {
+    it("parses valid JSON with data.message", () => {
+      const json = JSON.stringify({
+        type: "consoleMessage",
+        timestamp: "2024-01-01T00:00:00Z",
+        data: { message: "\nERROR: fetching token: authentication failed\n" },
+      });
+      const result = developerCliCredentialInternals.parseAzdStderr(json);
+      assert.equal(result, "ERROR: fetching token: authentication failed");
+    });
+
+    it("trims whitespace from data.message", () => {
+      const json = JSON.stringify({
+        type: "consoleMessage",
+        timestamp: "2024-01-01T00:00:00Z",
+        data: { message: "  \n  ERROR: test error  \n  " },
+      });
+      const result = developerCliCredentialInternals.parseAzdStderr(json);
+      assert.equal(result, "ERROR: test error");
+    });
+
+    it("returns raw stderr when JSON parsing fails", () => {
+      const invalidJson = "not valid json";
+      const result = developerCliCredentialInternals.parseAzdStderr(invalidJson);
+      assert.equal(result, "not valid json");
+    });
+
+    it("returns raw stderr when data.message is missing", () => {
+      const json = JSON.stringify({
+        type: "consoleMessage",
+        timestamp: "2024-01-01T00:00:00Z",
+        data: {},
+      });
+      const result = developerCliCredentialInternals.parseAzdStderr(json);
+      assert.equal(result, json);
+    });
+
+    it("returns raw stderr when data.message is empty", () => {
+      const json = JSON.stringify({
+        type: "consoleMessage",
+        timestamp: "2024-01-01T00:00:00Z",
+        data: { message: "" },
+      });
+      const result = developerCliCredentialInternals.parseAzdStderr(json);
+      assert.equal(result, json);
+    });
+
+    it("returns raw stderr when data.message is only whitespace", () => {
+      const json = JSON.stringify({
+        type: "consoleMessage",
+        timestamp: "2024-01-01T00:00:00Z",
+        data: { message: "   \n  \n  " },
+      });
+      const result = developerCliCredentialInternals.parseAzdStderr(json);
+      assert.equal(result, json);
+    });
+
+    it("returns raw stderr when data is missing", () => {
+      const json = JSON.stringify({
+        type: "consoleMessage",
+        timestamp: "2024-01-01T00:00:00Z",
+      });
+      const result = developerCliCredentialInternals.parseAzdStderr(json);
+      assert.equal(result, json);
+    });
+  });
+
+  describe("error message parsing integration", () => {
+    it("parses JSON error message from stderr", async () => {
+      stdout = "";
+      stderr = JSON.stringify({
+        type: "consoleMessage",
+        timestamp: "2024-01-01T00:00:00Z",
+        data: { message: "\nERROR: fetching token: authentication failed\n" },
+      });
+      const credential = new AzureDeveloperCliCredential();
+      try {
+        await credential.getToken("https://service/.default");
+        assert.fail("Expected error to be thrown");
+      } catch (error: any) {
+        assert.equal(error.message, "ERROR: fetching token: authentication failed");
+      }
+    });
+
+    it("uses raw stderr when JSON parsing fails", async () => {
+      stdout = "";
+      stderr = "plain text error message";
+      const credential = new AzureDeveloperCliCredential();
+      try {
+        await credential.getToken("https://service/.default");
+        assert.fail("Expected error to be thrown");
+      } catch (error: any) {
+        assert.equal(error.message, "plain text error message");
+      }
+    });
+  });
 });