[BUG] KeyVaultClient.getAccessToken() may generate NullPointerException #44508

@ecnabogs

Description

Describe the bug
The private getAccessToken() method of the KeyVaultClient class generates a NullPointerException if it cannot get an access token. There is no protection against the case where the HTTP request fails to fetch an access token; the code assumes it gets such an object whatever the HTTP response, as illustrated below:

    private String getAccessToken() {

        ... 

        // null when the token endpoint could not be reached or returned an error
        accessToken = getAccessTokenByHttpRequest();

        // dereferenced without a null check -> NullPointerException
        return accessToken.getAccessToken();
    }

Exception or Stack Trace

Caused by: java.lang.NullPointerException: Cannot invoke "com.azure.security.keyvault.jca.implementation.model.AccessToken.getAccessToken()" because "this.accessToken" is null
        at com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessToken(KeyVaultClient.java:178) ~[azure-security-keyvault-jca-2.10.0.jar:2.10.0]
        at com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAliases(KeyVaultClient.java:226) ~[azure-security-keyvault-jca-2.10.0.jar:2.10.0]
        at com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificates(KeyVaultCertificates.java:157) ~[azure-security-keyvault-jca-2.10.0.jar:2.10.0]
        at com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificatesIfNeeded(KeyVaultCertificates.java:146) ~[azure-security-keyvault-jca-2.10.0.jar:2.10.0]
        at com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.getAliases(KeyVaultCertificates.java:105) ~[azure-security-keyvault-jca-2.10.0.jar:2.10.0]
        at com.azure.security.keyvault.jca.KeyVaultKeyStore.<init>(KeyVaultKeyStore.java:151) ~[azure-security-keyvault-jca-2.10.0.jar:2.10.0]
        at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(Unknown Source) ~[na:na]
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Unknown Source) ~[na:na]
        at java.base/java.lang.reflect.Constructor.newInstance(Unknown Source) ~[na:na]
        at java.base/java.security.Provider$Service.newInstanceOf(Unknown Source) ~[na:na]
        at java.base/java.security.Provider$Service.newInstanceUtil(Unknown Source) ~[na:na]
        ... 65 common frames omitted

To Reproduce
Any failure to contact the token endpoint or to get an access token due to insufficient rights leads to that unexpected and unintelligible error.

Code Snippet

    import java.security.KeyStore;
    import java.security.Security;

    import com.azure.security.keyvault.jca.KeyVaultJcaProvider;
    import com.azure.security.keyvault.jca.KeyVaultKeyStore;

    // register the JCA provider, then point it at a vault with a managed identity
    // that does not have rights on that vault
    KeyVaultJcaProvider provider = new KeyVaultJcaProvider();
    Security.addProvider(provider);
    System.setProperty("azure.keyvault.uri", "...");
    System.setProperty("azure.keyvault.managed-identity", "my_managed_identity_with_insufficient_rights");
    KeyStore keyStore = KeyVaultKeyStore.getKeyVaultKeyStoreBySystemProperty(); // throws NullPointerException

Expected behavior
I would expect to get a specialized type of exception, giving the reason for the failure, rather than a very obscure NullPointerException from which we cannot recover.

Screenshots
N/A

Setup (please complete the following information):

  • OS: Linux / MacOS
  • IDE: IntelliJ
  • Library/Libraries: com.azure:azure-security-keyvault-jca:2.10.0
  • Java version: 21
  • App Server/Environment: Embedded Tomcat
  • Frameworks: Spring Boot 3.4.3

Additional context
N/A

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
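The following is an added, self-contained illustration of the failure mode described in this report and of the kind of fix the reporter asks for. It is not code from azure-security-keyvault-jca: the class names TokenFetchExample, TokenEndpoint, HttpResult, AccessToken and TokenEndpointException are hypothetical, and the HTTP call is replaced by an in-memory stub so the example runs offline. The "before" method reproduces the pattern quoted in the description (a null result from the HTTP helper is dereferenced); the "after" method maps each failure (endpoint unreachable, non-2xx such as 401/403 for insufficient rights, 2xx with no token in the body) to one typed exception that carries the reason and the HTTP status, so a caller can log it or recover instead of catching a NullPointerException.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class TokenFetchExample {

    /** Raw result of the token request. Constructed inline in main(); no network is used. */
    public record HttpResult(int statusCode, String body) {}

    /** Stand-in for the HTTP client so the example runs offline (hypothetical interface). */
    @FunctionalInterface
    public interface TokenEndpoint {
        HttpResult call() throws IOException;
    }

    /** Minimal token model; hypothetical, not the library's AccessToken class. */
    public record AccessToken(String accessToken) {}

    /** Typed failure that keeps the reason and the HTTP status (-1 = no response received). */
    public static final class TokenEndpointException extends Exception {
        private final int statusCode;

        public TokenEndpointException(String message, int statusCode, Throwable cause) {
            super(message, cause);
            this.statusCode = statusCode;
        }

        public int getStatusCode() {
            return statusCode;
        }
    }

    // Matches "access_token":"..." in a token response body; enough for this illustration.
    private static final Pattern ACCESS_TOKEN =
            Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]*)\"");

    static AccessToken parse(String json) {
        Matcher m = ACCESS_TOKEN.matcher(json);
        return m.find() ? new AccessToken(m.group(1)) : null;
    }

    // ---- BEFORE: the pattern quoted in the issue --------------------------------------

    /** Swallows every failure and returns null, which the caller then dereferences. */
    static AccessToken getAccessTokenByHttpRequest(TokenEndpoint endpoint) {
        try {
            HttpResult r = endpoint.call();
            if (r.statusCode() == 200) {
                return parse(r.body());
            }
        } catch (IOException ignored) {
            // error dropped here
        }
        return null;
    }

    static String getAccessTokenUnchecked(TokenEndpoint endpoint) {
        AccessToken token = getAccessTokenByHttpRequest(endpoint);
        return token.accessToken(); // NullPointerException, with no indication of why
    }

    // ---- AFTER: every failure becomes a descriptive, recoverable exception -----------

    public static String getAccessToken(TokenEndpoint endpoint) throws TokenEndpointException {
        HttpResult r;
        try {
            r = endpoint.call();
        } catch (IOException e) {
            throw new TokenEndpointException("Could not reach token endpoint: " + e.getMessage(), -1, e);
        }
        if (r.statusCode() / 100 != 2) {
            // 401/403 here is the "insufficient rights" case from the report
            throw new TokenEndpointException(
                    "Token endpoint returned HTTP " + r.statusCode() + ": " + r.body(), r.statusCode(), null);
        }
        AccessToken token = parse(r.body());
        if (token == null || token.accessToken().isBlank()) {
            throw new TokenEndpointException(
                    "Token endpoint returned HTTP " + r.statusCode() + " but no access_token", r.statusCode(), null);
        }
        return token.accessToken();
    }

    public static void main(String[] args) {
        // Constructed responses covering the failure modes named in the report, plus a success.
        TokenEndpoint unreachable = () -> { throw new IOException("connect timed out"); };
        TokenEndpoint forbidden = () -> new HttpResult(403, "{\"error\":\"insufficient rights\"}");
        TokenEndpoint ok = () -> new HttpResult(200, "{\"access_token\":\"tok-123\",\"expires_in\":3600}");

        for (TokenEndpoint ep : new TokenEndpoint[] {unreachable, forbidden, ok}) {
            try {
                System.out.println("token: " + getAccessToken(ep));
            } catch (TokenEndpointException e) {
                System.out.println("typed failure (HTTP " + e.getStatusCode() + "): " + e.getMessage());
            }
        }
        try {
            getAccessTokenUnchecked(forbidden);
        } catch (NullPointerException e) {
            System.out.println("unchecked variant: " + e.getClass().getSimpleName());
        }
    }
}
```

The design point is that the HTTP helper itself never returns null: unreachable endpoint, non-2xx status and malformed body each raise the same exception type with a distinct message and status code, so a caller such as a key store initialiser can decide whether to retry, fall back, or fail fast with a meaningful log line.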

Labels: KeyVault, azure-spring-jca, bug, customer-reported, needs-team-attention

Status: Untriaged

Milestone: No milestone
