From d91d1a21a20bb5a13fb9aba0703e2a499295171f Mon Sep 17 00:00:00 2001
From: Heath Stewart <heaths@microsoft.com>
Date: Tue, 2 Sep 2025 23:57:05 -0700
Subject: [PATCH] Unwrap error example

---
 .../examples/identity_source_error.rs         | 50 +++++++++++++++++++
 .../src/client_secret_credential.rs           |  6 ++-
 2 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 sdk/identity/azure_identity/examples/identity_source_error.rs

diff --git a/sdk/identity/azure_identity/examples/identity_source_error.rs b/sdk/identity/azure_identity/examples/identity_source_error.rs
new file mode 100644
index 0000000000..d6b0f5858d
--- /dev/null
+++ b/sdk/identity/azure_identity/examples/identity_source_error.rs
@@ -0,0 +1,50 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+use azure_core::{credentials::Secret, error::ErrorKind};
+use azure_identity::ClientSecretCredential;
+use azure_security_keyvault_secrets::SecretClient;
+use std::{env, process::exit};
+
+#[tokio::main]
+async fn main() -> Result<(), Box<dyn std::error::Error>> {
+    let tenant_id = env::var("AZURE_TENANT_ID").expect("AZURE_TENANT_ID required");
+    let client_id = env::var("AZURE_CLIENT_ID").expect("AZURE_CLIENT_ID required");
+    let secret: Secret = env::var("AZURE_CLIENT_SECRET")
+        .expect("AZURE_CLIENT_SECRET required")
+        .into();
+    let vault_url = env::var("AZURE_KEYVAULT_URL").expect("AZURE_KEYVAULT_URL is required");
+
+    let credential = ClientSecretCredential::new(&tenant_id, client_id, secret, None)?;
+    let client = SecretClient::new(&vault_url, credential.clone(), None)?;
+    match client.get_secret("my-secret", "", None).await {
+        Ok(resp) => {
+            let secret = resp.into_body().await?;
+            println!("{}", secret.value.unwrap_or_else(|| "(none)".into()));
+        }
+        Err(err) => {
+            let mut next: Option<&dyn std::error::Error> = Some(&err);
+            while let Some(err) = next {
+                let Some(inner) = err.downcast_ref::<azure_core::Error>() else {
+                    break;
+                };
+
+                if let ErrorKind::HttpResponse {
+                    status,
+                    error_code: Some(message),
+                } = inner.kind()
+                {
+                    eprintln!("HTTP error {status}: {message}");
+                    exit(1);
+                }
+
+                next = err.source();
+            }
+
+            eprintln!("Error: {err:?}");
+            exit(1);
+        }
+    }
+
+    Ok(())
+}
diff --git a/sdk/identity/azure_identity/src/client_secret_credential.rs b/sdk/identity/azure_identity/src/client_secret_credential.rs
index 80a409d7d6..b783e57c73 100644
--- a/sdk/identity/azure_identity/src/client_secret_credential.rs
+++ b/sdk/identity/azure_identity/src/client_secret_credential.rs
@@ -88,7 +88,8 @@ impl ClientSecretCredential {
 
         let res = self.options.http_client().execute_request(&req).await?;
 
-        match res.status() {
+        let status_code = res.status();
+        match status_code {
             StatusCode::Ok => {
                 let token_response: EntraIdTokenResponse =
                     deserialize(CLIENT_SECRET_CREDENTIAL, res).await?;
@@ -108,7 +109,8 @@ impl ClientSecretCredential {
                         CLIENT_SECRET_CREDENTIAL, error_response.error_description
                     )
                 };
-                Err(Error::message(ErrorKind::Credential, message))
+                let err: Error = ErrorKind::http_response(status_code, Some(message)).into();
+                Err(Error::new(ErrorKind::Credential, err))
             }
         }
     }