Skip to content

Fix KeyNotFoundException during retry when headers lack correlation ID #5617

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bgavrilMS merged 3 commits into from
Dec 16, 2025
Merged

Fix KeyNotFoundException during retry when headers lack correlation ID #5617

bgavrilMS merged 3 commits into from
Dec 16, 2025

Conversation

Copy link
Contributor

Copilot AI commented Dec 10, 2025
edited
Loading

Changes proposed in this request

The retry logic in HttpManager.SendRequestAsync accessed headers[OAuth2Header.CorrelationId] before checking key existence, throwing KeyNotFoundException when headers were present but lacked the correlation ID (e.g., during Managed Identity token requests).

// Before: KeyNotFoundException when key missing
var correlationId = headers[OAuth2Header.CorrelationId];
string correlationIdMsg = headers.ContainsKey(OAuth2Header.CorrelationId) ? 
    $" CorrelationId: {correlationId}" : string.Empty;

// After: Use TryGetValue in condition for efficient single lookup
if (headers != null && headers.Count > 0 && 
    headers.TryGetValue(OAuth2Header.CorrelationId, out var correlationId))
{
    var ex = new MsalServiceException(
        MsalError.RequestTimeout,
        msg + $" CorrelationId: {correlationId}",
        timeoutException)
    {
        CorrelationId = correlationId
    };
    throw ex;
}

Core changes:

  • HttpManager.cs: Use TryGetValue in the condition check to verify existence and retrieve value in a single dictionary lookup, creating only one exception object per code path
  • HttpManagerTests.cs: Add regression test TestRetryOnTimeoutWithHeadersButNoCorrelationIdAsync validating timeout with headers but no correlation ID

Testing

Added regression test that simulates retry timeout with headers that don't contain correlation ID. All existing HttpManagerTests (20 tests) pass.

Performance impact

Optimized to use a single TryGetValue call in the condition, eliminating redundant dictionary lookups and avoiding creation of unnecessary exception objects in the timeout path.

Documentation

  • All relevant documentation is updated.
Original prompt

This section details on the original issue you should resolve

<issue_title>[Bug] KeyNotFoundException during retry for getting Managed Identity token</issue_title>
<issue_description>### Library version used

4.78.0

.NET version

.NET 9.0 SDK
.NET 8.0 Target Framework

Scenario

ManagedIdentityClient - managed identity

Is this a new or an existing app?

The app is in production, I haven't upgraded MSAL, but started seeing this issue

Issue description and reproduction steps

We are seeing in our logging: KeyNotFoundExceptions with the retry mechanisme for aquiring token from the Managed Identity endpoint.

The error messages/stack traces:

False MSAL 4.76.0.0 MSAL.NetCore .NET 8.0.21 Linux [2025-12-09 07:00:33Z - eba86310-d513-4244-b369-c2b97226fa48] [Managed Identity] Exception: The given key 'client-request-id' was not present in the dictionary.

False MSAL 4.76.0.0 MSAL.NetCore .NET 8.0.21 Linux [2025-12-09 07:00:33Z - eba86310-d513-4244-b369-c2b97226fa48] Exception type: Microsoft.Identity.Client.MsalServiceException
, ErrorCode: managed_identity_request_failed
HTTP StatusCode 0
CorrelationId eba86310-d513-4244-b369-c2b97226fa48
---> Inner Exception Details
Exception type: System.Collections.Generic.KeyNotFoundException
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at Microsoft.Identity.Client.Http.HttpManager.SendRequestAsync(Uri endpoint, IDictionary`2 headers, HttpContent body, HttpMethod method, ILoggerAdapter logger, Boolean doNotThrow, X509Certificate2 bindingCertificate, Func`5 validateServerCert, CancellationToken cancellationToken, IRetryPolicy retryPolicy, Int32 retryCount)
at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)

=== End of inner exception stack trace ===
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.CreateAndThrowException(String errorCode, String errorMessage, Exception innerException, ManagedIdentitySource source)
at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.HandleException(Exception ex, ManagedIdentitySource managedIdentitySource, String additionalInfo)
at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

Relevant code snippets

Could this line of code the cause of KeyNotFoundException and fail the retry mechanisme?

                    var correlationId = headers[OAuth2Header.CorrelationId];
                    string correlationIdMsg = headers.ContainsKey(OAuth2Header.CorrelationId) ?
                                                $" CorrelationId: {correlationId}" :
                                                string.Empty;

...

https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/964a07449f9d5183828fbd0e1e9d4d3e9b6d80c7/src/client/Microsoft.Identity.Client/Http/HttpManager.cs#L143C20-L143C77

Expected behavior

No response

Identity provider

Other

Regression

No response

Solution and workarounds

-</issue_description>

<agent_instructions>The problem is in HttpManager, when trying to read headers[OAuth2Header.CorrelationId]

Make sure to add a regression test for this.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@bgavrilMS Yes, thanks for raising. Looks like a recent change https://github.com//pull/5364 where we were trying to include correlation id.

We will get it fixed, but please note that error would still occur.</comment_new>

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI changed the title [WIP] Fix KeyNotFoundException during retry for Managed Identity token Fix KeyNotFoundException during retry when headers lack correlation ID Dec 10, 2025
Copilot AI requested a review from bgavrilMS December 10, 2025 12:35
@bgavrilMS bgavrilMS marked this pull request as ready for review December 11, 2025 16:09
@bgavrilMS bgavrilMS requested a review from a team as a code owner December 11, 2025 16:09
gladjohn
gladjohn reviewed Dec 11, 2025
View reviewed changes
@bgavrilMS bgavrilMS force-pushed the copilot/fix-key-not-found-exception branch from 2fe9b8a to 92c33ec Compare December 15, 2025 13:27
@bgavrilMS
Copy link
Member

bgavrilMS commented Dec 15, 2025

@copilot - don't perform 2 dictionary lookups. use TryGetValue instead

Copilot AI requested a review from bgavrilMS December 15, 2025 13:34
Copy link
Contributor Author

Copilot AI commented Dec 15, 2025

@copilot - don't perform 2 dictionary lookups. use TryGetValue instead

Optimized to use a single TryGetValue call in the condition check, avoiding multiple dictionary lookups and creating only one exception object. Fixed in commit 6677719.

@bgavrilMS bgavrilMS force-pushed the copilot/fix-key-not-found-exception branch from 6677719 to 08a82e1 Compare December 16, 2025 13:21
@bgavrilMS bgavrilMS enabled auto-merge (squash) December 16, 2025 13:21
@bgavrilMS bgavrilMS merged commit 287ef02 into main Dec 16, 2025
11 checks passed
@bgavrilMS bgavrilMS deleted the copilot/fix-key-not-found-exception branch December 16, 2025 13:49
This was referenced Jan 8, 2026
Closed
Closed
This was referenced Jan 9, 2026
Closed
Closed
Closed
Merged
Merged
Merged
Open
Merged
Closed
Closed
Closed
Closed
Open
Closed
Merged
Merged
Open
Open
Closed
Closed
This was referenced Jan 21, 2026
Closed
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gladjohn gladjohn gladjohn approved these changes

@4gust 4gust 4gust approved these changes

+1 more reviewer

@bgavrilMS bgavrilMS bgavrilMS approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@bgavrilMS bgavrilMS

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug] KeyNotFoundException during retry for getting Managed Identity token

4 participants

@bgavrilMS @gladjohn @4gust