AzureDeveloperCliCredential: parse new auth error formats #38416

Open
JeffreyCA wants to merge 1 commit into Azure:main from JeffreyCA:jeffreyca/azd-credential-err-parse

JeffreyCA commented May 4, 2026

Packages impacted by this PR

  • @azure/identity

Issues associated with this PR

Fixes Azure/azure-dev#7857 (parent: Azure/azure-dev#7728)

Describe the problem that is addressed by this PR

Starting with azd v1.23.7 (PR Azure/azure-dev#6827), azd auth token changed its stderr error format from the legacy consoleMessage JSON to a structured {"error":"..."} JSON object. The stderr output may also include an extraneous empty consoleMessage line preceding the error (fixed in v1.24.0 via Azure/azure-dev#7701).

This PR updates AzureDeveloperCliCredential error parsing to handle all three formats:

| azd version | stderr format |
| --- | --- |
| pre-v1.23.7 | {"type":"consoleMessage","data":{"message":"..."}} |
| v1.23.7 – v1.23.15 | {"type":"consoleMessage",...}\n{"error":"..."} (two lines) |
| v1.24.0+ | {"error":"..."} (single line) |

AzureDeveloperCliCredential.parseAzdStderr previously only handled the legacy single-line consoleMessage shape. On azd v1.23.7+ it would fail to extract the message and surface the raw JSON blob in the credential's error message instead of the underlying AAD error.

The parser splits stderr by newline, prefers the structured error field, and falls back to the first non-empty data.message from a legacy consoleMessage line. If neither is found the raw text is returned unchanged, preserving existing behaviour for plain-text and malformed output.

What are the possible designs available to address the problem? If there are more than one possible design, why was the one in this PR chosen?

Considered approaches:

  1. Single-pass split-by-newline parser (chosen). Splits stderr on \n, attempts JSON.parse per line, prefers the structured error field, and falls back to the first non-empty data.message. Handles all three formats in one pass with minimal allocations. Returns the raw stderr unchanged when neither field is present, preserving existing behaviour for plain-text/malformed output.
  2. Try the new format only and drop legacy support. Rejected — @azure/identity supports users on older azd installs; silently regressing them is unacceptable.

The chosen design also matches the equivalent fixes in azure-sdk-for-go and azure-sdk-for-net, keeping behaviour consistent across the three SDKs.

Are there test cases added in this PR? (If not, why?)

Yes, added unit tests in sdk/identity/identity/test/internal/node/azureDeveloperCliCredential.spec.ts

Also manually validated with small Node sample app:

import { AzureDeveloperCliCredential } from "@azure/identity";

const credential = new AzureDeveloperCliCredential({
  // Well-formed UUID so client-side validation passes; AAD will reject it.
  tenantId: "00000000-0000-0000-0000-000000000001",
});

console.log("Requesting token for scope: https://management.azure.com/.default");

try {
  const token = await credential.getToken("https://management.azure.com/.default");
  console.log("Unexpected success:", token);
} catch (err) {
  console.log("---");
  console.log("Caught:", err.name);
  console.log(err.message);
}

Without changes (azd v1.23.7+)

Caught: CredentialUnavailableError
{"type":"consoleMessage","timestamp":"2026-05-04T16:48:58.6753928-07:00","data":{"message":"\n"}}
{"error":"fetching token: failed to authenticate:\n(invalid_tenant) AADSTS90002: Tenant '00000000-0000-0000-0000-000000000001' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant. Trace ID: 7397ba12-327a-4555-8fa2-9accb81d9200 Correlation ID: c050f408-3a84-4359-b403-07f072c6e1b0 Timestamp: 2026-05-04 23:48:58Z\n","links":[{"title":"azd auth login reference","url":"https://learn.microsoft.com/azure/developer/azure-developer-cli/reference#azd-auth-login"}],"message":"Authentication with Azure failed.","suggestion":"Run 'azd auth login' to sign in again."}

With changes

Caught: CredentialUnavailableError
(invalid_tenant) AADSTS90002: Tenant '00000000-0000-0000-0000-000000000001' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant. Trace ID: f8110e9d-7fe8-4367-9731-5c0c512daa00 Correlation ID: 65c635ef-5963-4d83-9cac-bd99197f1d0d Timestamp: 2026-05-04 23:47:44Z

Provide a list of related PRs (if any)

Command used to generate this PR: (Applicable only to SDK release request PRs)

N/A

Checklists

  • Added impacted package name to the issue description
  • Does this PR need any fixes in the SDK Generator? (If so, create an Issue in the Autorest/typescript repository and link it here) — N/A, hand-written client code, no codegen involved.
  • Added a changelog (if necessary)


Copilot AI left a comment

Pull request overview

Updates @azure/identity’s AzureDeveloperCliCredential to correctly extract human-readable error text from newer Azure Developer CLI (azd) stderr JSON formats (introduced in azd v1.23.7), preventing raw JSON blobs from surfacing in thrown credential errors.

Changes:

  • Enhanced parseAzdStderr to scan newline-delimited stderr, prefer a structured { "error": "..." } field, and fall back to the first non-empty legacy consoleMessage.data.message.
  • Added unit tests covering all supported azd stderr formats, including the v1.23.7–v1.23.15 two-line case and the v1.24.0+ single-line structured error.
  • Documented the fix in the @azure/identity changelog.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| sdk/identity/identity/src/credentials/azureDeveloperCliCredential.ts | Updates stderr parsing to support both legacy consoleMessage JSON and newer structured { error } JSON (including multi-line stderr). |
| sdk/identity/identity/test/internal/node/azureDeveloperCliCredential.spec.ts | Adds unit + integration-style tests validating correct message extraction across azd versions and precedence rules. |
| sdk/identity/identity/CHANGELOG.md | Records the bug fix in the unreleased 4.14.0-beta.4 notes. |
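
The single-pass parsing rules described in the PR description and the review overview, as an added TypeScript example that is not the PR's or the SDK's own code. The function name `extractAzdError` and the sample stderr strings are hypothetical and constructed here; the example returns the `error` field verbatim and does no further trimming of its content.

```typescript
// Added example: hypothetical helper, not the SDK's parseAzdStderr.
// Rules taken from the PR text: split on newline, JSON.parse each line,
// prefer a structured "error" field, fall back to the first non-empty
// legacy data.message, otherwise return the raw stderr unchanged.
function extractAzdError(stderr: string): string {
  let legacyMessage: string | undefined;
  for (const rawLine of stderr.split("\n")) {
    const line = rawLine.trim(); // also drops a trailing "\r" from CRLF output
    if (line === "") continue;
    let parsed: any;
    try {
      parsed = JSON.parse(line);
    } catch {
      continue; // plain text or truncated JSON: skip this line
    }
    if (parsed === null || typeof parsed !== "object") continue;
    // Structured format (azd v1.23.7+): it wins over any legacy line.
    if (typeof parsed.error === "string" && parsed.error.trim() !== "") {
      return parsed.error;
    }
    // Legacy consoleMessage: keep only the first non-empty message.
    const msg = parsed.data?.message;
    if (legacyMessage === undefined && typeof msg === "string" && msg.trim() !== "") {
      legacyMessage = msg;
    }
  }
  return legacyMessage ?? stderr;
}

// Constructed sample inputs, one per row of the format table in the PR.
const SAMPLE_LEGACY =
  '{"type":"consoleMessage","timestamp":"2026-01-01T00:00:00Z","data":{"message":"ERROR: not logged in"}}';
const SAMPLE_TWO_LINE =
  '{"type":"consoleMessage","timestamp":"2026-01-01T00:00:00Z","data":{"message":"\\n"}}\n' +
  '{"error":"fetching token: invalid_tenant","message":"Authentication with Azure failed."}';
const SAMPLE_SINGLE =
  '{"error":"fetching token: invalid_tenant","suggestion":"Run \'azd auth login\' to sign in again."}';
const SAMPLE_PLAIN = "azd: command not found";

for (const sample of [SAMPLE_LEGACY, SAMPLE_TWO_LINE, SAMPLE_SINGLE, SAMPLE_PLAIN]) {
  console.log(JSON.stringify(extractAzdError(sample)));
}
```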
