[BUG] Identity SDK 1.14.0 regression with Postgres #42310

Open
3 tasks done
ccjernigan opened this issue Oct 13, 2024 · 3 comments
Labels

  • Azure.Identity
  • Client: This issue points to a problem in the data-plane of the library.
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
  • needs-team-attention: Workflow: This issue needs attention from Azure service team or SDK team
  • question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that


ccjernigan commented Oct 13, 2024

Describe the bug
Migrating from Azure identity Java SDK 1.13.3 to 1.14.0 breaks for Postgres (Azure Cosmos DB for Postgres) when using App Service default identity credentials. Other services, such as Redis, OpenAI, and AI Search continue to work.

Exception or Stack Trace

org.postgresql.util.PSQLException: FATAL: The access token does not have a valid audience claim. Please acquire a new token for the resource "%s".
    at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:711)
    at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:213)
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:268)
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:54)
    at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:273)
    at org.postgresql.Driver.makeConnection(Driver.java:446)
    at org.postgresql.Driver.connect(Driver.java:298)
    at com.zaxxer.hikari.util.DriverDataSource.getConnection(DriverDataSource.java:139)
    at com.zaxxer.hikari.pool.PoolBase.newConnection(PoolBase.java:362)
    at com.zaxxer.hikari.pool.PoolBase.newPoolEntry(PoolBase.java:203)
    at com.zaxxer.hikari.pool.HikariPool.createPoolEntry(HikariPool.java:479)
    at com.zaxxer.hikari.pool.HikariPool.checkFailFast(HikariPool.java:568)
    at com.zaxxer.hikari.pool.HikariPool.<init>(HikariPool.java:99)
    at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:111)
    at org.jetbrains.exposed.sql.Database$Companion.connect$lambda$7(Database.kt:196)
    at org.jetbrains.exposed.sql.Database$Companion.doConnect$lambda$3(Database.kt:170)
    at org.jetbrains.exposed.sql.transactions.ThreadLocalTransactionManager$ThreadLocalTransaction.connectio

To Reproduce
Steps to reproduce the behavior:

Code Snippet
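import com.azure.core.credential.TokenRequestContext
import com.azure.identity.DefaultAzureCredentialBuilder
import com.zaxxer.hikari.HikariDataSource
import org.postgresql.plugin.AuthenticationPlugin
import org.postgresql.plugin.AuthenticationRequestType

// Configure finding the authentication plugin
HikariDataSource().apply {
    driverClassName = "org.postgresql.Driver"
    jdbcUrl = "jdbc:postgresql://$host:$port/$database"
    username = "$entraUserName"
    // pgjdbc calls this plugin for the password on every new connection
    addDataSourceProperty("authenticationPluginClassName", AzureManagedAuthenticationPlugin::class.java.name)
    addDataSourceProperty("prepareThreshold", 0)
}

class AzureManagedAuthenticationPlugin : AuthenticationPlugin {

    // Returns an Entra ID access token, which the server accepts as the password
    override fun getPassword(type: AuthenticationRequestType?): CharArray {
        val tokenRequestContext =
            TokenRequestContext().apply {
                addScopes(*listOf("https://token.postgres.cosmos.azure.com/.default").toTypedArray())
            }

        val defaultAzureCredential = DefaultAzureCredentialBuilder().build()

        return defaultAzureCredential.getTokenSync(tokenRequestContext).token.toCharArray()
    }
}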

Expected behavior
Able to connect to database successfully.

Setup (please complete the following information):

  • OS: Linux Docker image
  • Library/Libraries: com.azure:azure-identity:1.14.0
  • Java version: 21
  • App Server/Environment: Kotlin 2.0.21
  • Frameworks: Ktor 3.0

Additional context
Rolling back to identity SDK 1.13.3 works around the issue.

I'm unable to reproduce when running locally with the Azure CLI credential. It only appears to reproduce in the App Service environment.

Information Checklist
Kindly make sure that you have added all the following information above and check off the required fields; otherwise we will treat the issue as an incomplete report

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
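
A diagnostic for the audience error reported above, as an added example that is not part of the original report or of the Azure SDK: it decodes the `aud` claim of an access token (such as the one returned by `getTokenSync`) so the audience issued under 1.13.3 and 1.14.0 can be compared. The expected audience (the snippet's scope with `/.default` stripped), the helper names and the sample tokens are assumptions; the page does not state which audience the server accepts.

```kotlin
import java.util.Base64

// Assumption: the resource is the scope from the issue's snippet minus "/.default".
const val EXPECTED_AUDIENCE = "https://token.postgres.cosmos.azure.com"

/** Returns the "aud" values from a JWT payload. Diagnostic only: the signature is not verified. */
fun audiences(jwt: String): List<String> {
    val parts = jwt.split(".")
    require(parts.size == 3) { "not a compact JWT: expected 3 segments, got ${parts.size}" }
    // JWT segments are base64url without padding; the JDK decoder accepts that form.
    val payload = String(Base64.getUrlDecoder().decode(parts[1]), Charsets.UTF_8)
    // "aud" may be a single string or an array of strings (RFC 7519, section 4.1.3).
    val claim = Regex("\"aud\"\\s*:\\s*(\"[^\"]*\"|\\[[^\\]]*\\])").find(payload)
        ?: return emptyList()
    return Regex("\"([^\"]*)\"").findAll(claim.groupValues[1]).map { it.groupValues[1] }.toList()
}

/** True when any audience equals the expected resource, ignoring a trailing slash. */
fun audienceMatches(jwt: String, expected: String = EXPECTED_AUDIENCE): Boolean =
    audiences(jwt).any { it.trimEnd('/') == expected.trimEnd('/') }

// Constructed, unsigned sample token so the example runs offline (hypothetical issuer).
fun sampleToken(aud: String): String {
    val enc = Base64.getUrlEncoder().withoutPadding()
    val header = enc.encodeToString("""{"alg":"none","typ":"JWT"}""".toByteArray())
    val payload = enc.encodeToString("""{"aud":"$aud","iss":"https://issuer.example"}""".toByteArray())
    return "$header.$payload.sig"
}

fun main() {
    // Second value is a constructed mismatch to show the failing case.
    for (aud in listOf("https://token.postgres.cosmos.azure.com", "https://management.azure.com")) {
        val token = sampleToken(aud)
        // Log only the decoded claim, never the token itself.
        println("aud=${audiences(token)} matches=${audienceMatches(token)}")
    }
}
```

Inside the plugin, `audiences(...)` can be called on the token string before it is converted to a `CharArray`, logging only the returned claim values.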
github-actions bot added the Azure.Identity, Client, customer-reported, needs-team-attention and question labels Oct 13, 2024

@billwert @g2vinay

Thank you for your feedback. Tagging and routing to the team member best able to assist.

g2vinay (Member) commented Oct 16, 2024

Thank you @ccjernigan for reporting this issue.
Will update here with the findings, as we investigate further.
