Backport of Normalize error response messages when invalid credentials are provided into release/1.15.x

builtin/credential/approle/path_login.go

@@ -99,7 +99,7 @@ func (b *backend) pathLoginResolveRole(ctx context.Context, req *logical.Request
 		return nil, err
 	}
 	if roleIDIndex == nil {
-		return logical.ErrorResponse("invalid role ID"), nil
+		return logical.ErrorResponse("invalid role or secret ID"), nil
 	}
 
 	roleName := roleIDIndex.Name
@@ -113,7 +113,7 @@ func (b *backend) pathLoginResolveRole(ctx context.Context, req *logical.Request
 		return nil, err
 	}
 	if role == nil {
-		return logical.ErrorResponse("invalid role ID"), nil
+		return logical.ErrorResponse("invalid role or secret ID"), nil
 	}
 
 	return logical.ResolveRoleResponse(roleName)
@@ -134,7 +134,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 		return nil, err
 	}
 	if roleIDIndex == nil {
-		return logical.ErrorResponse("invalid role ID"), nil
+		return logical.ErrorResponse("invalid role or secret ID"), nil
 	}
 
 	roleName := roleIDIndex.Name
@@ -148,7 +148,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 		return nil, err
 	}
 	if role == nil {
-		return logical.ErrorResponse("invalid role ID"), nil
+		return logical.ErrorResponse("invalid role or secret ID"), nil
 	}
 
 	metadata := make(map[string]string)
@@ -184,7 +184,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 			return nil, err
 		}
 		if entry == nil {
-			return logical.ErrorResponse("invalid secret id"), logical.ErrInvalidCredentials
+			return logical.ErrorResponse("invalid role or secret ID"), logical.ErrInvalidCredentials
 		}
 
 		// If a secret ID entry does not have a corresponding accessor
@@ -204,7 +204,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 				return nil, err
 			}
 			if entry == nil {
-				return logical.ErrorResponse("invalid secret id"), nil
+				return logical.ErrorResponse("invalid role or secret ID"), nil
 			}
 
 			accessorEntry, err := b.secretIDAccessorEntry(ctx, req.Storage, entry.SecretIDAccessor, role.SecretIDPrefix)
@@ -217,7 +217,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 					return nil, fmt.Errorf("error deleting secret ID %q from storage: %w", secretIDHMAC, err)
 				}
 			}
-			return logical.ErrorResponse("invalid secret id"), nil
+			return logical.ErrorResponse("invalid role or secret ID"), nil
 		}
 
 		switch {

builtin/credential/approle/path_login_test.go

@@ -354,7 +354,7 @@ func TestAppRole_RoleDoesNotExist(t *testing.T) {
 		t.Fatal("Error not part of response.")
 	}
 
-	if !strings.Contains(errString, "invalid role ID") {
+	if !strings.Contains(errString, "invalid role or secret ID") {
 		t.Fatalf("Error was not due to invalid role ID. Error: %s", errString)
 	}
 }

changelog/23786.txt

@@ -0,0 +1,3 @@
+```release-note:change
+auth/approle: Normalized error response messages when invalid credentials are provided
+```