From 12e07499d718096ea2c6eaf69e843aa120a3f5c6 Mon Sep 17 00:00:00 2001
From: Charles Lowell <10964656+chlowell@users.noreply.github.com>
Date: Fri, 19 Jan 2024 18:28:43 -0800
Subject: [PATCH] Broaden special case for 403 responses from IMDS
---
 sdk/azidentity/CHANGELOG.md | 3 +++
 sdk/azidentity/managed_identity_client.go | 2 +-
 sdk/azidentity/managed_identity_client_test.go | 5 +++++
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/sdk/azidentity/CHANGELOG.md b/sdk/azidentity/CHANGELOG.md
index 0c4a643217bf..98f29d2e33af 100644
--- a/sdk/azidentity/CHANGELOG.md
+++ b/sdk/azidentity/CHANGELOG.md
@@ -7,6 +7,9 @@
 ### Breaking Changes
 ### Bugs Fixed
+* Fixed more cases in which credential chains like `DefaultAzureCredential`
+ should try their next credential after attempting managed identity
+ authentication in a Docker Desktop container
 ### Other Changes
diff --git a/sdk/azidentity/managed_identity_client.go b/sdk/azidentity/managed_identity_client.go
index 7c25cb8bdd55..9c0522541bda 100644
--- a/sdk/azidentity/managed_identity_client.go
+++ b/sdk/azidentity/managed_identity_client.go
@@ -209,7 +209,7 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi
 // Docker Desktop runs a proxy that responds 403 to IMDS token requests. If we get that response,
 // we return credentialUnavailableError so credential chains continue to their next credential
 body, err := runtime.Payload(resp)
- if err == nil && strings.Contains(string(body), "A socket operation was attempted to an unreachable network") {
+ if err == nil && strings.Contains(string(body), "unreachable") {
 return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, fmt.Sprintf("unexpected response %q", string(body)))
 }
 }
diff --git a/sdk/azidentity/managed_identity_client_test.go b/sdk/azidentity/managed_identity_client_test.go
index 293dd4715629..56ef2340941f 100644
--- a/sdk/azidentity/managed_identity_client_test.go
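Review bot: The new condition treats any 403 whose body contains the bare word `unreachable` as the Docker Desktop proxy, so a 403 from some other intermediary — a corporate proxy or gateway error page that mentions an unreachable backend, for instance — is also turned into credentialUnavailableError and the chain moves on instead of surfacing the authorization failure to the caller. Because the body is response text the client does not control, a narrower anchor is the safer way to cover both messages; the prefix shared by the two bodies in the test data still matches the `network` and `host` variants: `if err == nil && strings.Contains(string(body), "A socket operation was attempted to an unreachable") {`. The comment above the check should also record that it is meant to cover both variants, e.g. `// the proxy's body ends in "unreachable network" or "unreachable host"`. authenticate's body starts and ends outside the hunk.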
+++ b/sdk/azidentity/managed_identity_client_test.go
@@ -93,6 +93,11 @@ func TestManagedIdentityClient_IMDSErrors(t *testing.T) {
 code: http.StatusForbidden,
 body: "connecting to 169.254.169.254:80: connecting to 169.254.169.254:80: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.",
 },
+ {
+ desc: "Docker Desktop",
+ code: http.StatusForbidden,
+ body: "connecting to 169.254.169.254:80: connecting to 169.254.169.254:80: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable host.",
+ },
 } {
 t.Run(fmt.Sprint(test.code), func(t *testing.T) {
 srv, close := mock.NewServer(mock.WithTransformAllRequestsToTestServerUrl())
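Review bot: The added case only exercises a second body that should match; nothing in the hunk asserts that a 403 whose body lacks the broadened substring is still reported as an authentication error rather than credential-unavailable, which is the regression the looser match makes possible (the table begins before the hunk, so such a case may already exist above). If it does not, an entry with `code: http.StatusForbidden` and a body that does not contain `unreachable`, asserting the returned error is not a credentialUnavailableError, would pin the boundary. Both Docker Desktop entries also share `code: http.StatusForbidden`, so `t.Run(fmt.Sprint(test.code), ...)` gives them the same subtest name and a failure will not say which variant broke; using `test.desc` in the subtest name when it is set would fix that. TestManagedIdentityClient_IMDSErrors starts and ends outside the hunk.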