Improve authentication error logging and retry handling

Enhanced error logging and retry logic for authentication failures to
provide better visibility into transient server errors and improve
resilience against flaky authentication endpoints.

Changes:
- Enhanced AuthorizationException.getMessage() to include HTTP status
  code and error description in a structured format
- Added AuthorizationException.isRetriable() method to identify
  transient errors that should be retried:
  * All 5xx server errors (500, 502, 503, 504, etc.)
  * 400 errors with retry hints ("retry your request", "unknown_error")
  * 429 rate limit errors
- Updated FormCommand to handle 5xx errors as AuthorizationException
  instead of IOException for consistent retry handling
- Modified retry policy in DataCloudTokenProvider to retry retriable
  AuthorizationExceptions while failing fast on permanent auth errors
- Added comprehensive retry logging:
  * WARN logs on each retry attempt with attempt number and error details
  * ERROR logs when all retries are exhausted
- Improved error logging in getWithRetry() to extract and log full
  error details including HTTP codes and error descriptions

This improves debugging of authentication issues and makes the driver
more resilient to transient server-side failures commonly seen in
test environments.

Author: KaviarasuSakthivadivel

integration-test/src/test/java/com/salesforce/datacloud/jdbc/integration/ShadedJarIntegrationTest.java

@@ -68,6 +68,13 @@ void testDriverLoading() throws Exception {
     /**
      * Test 2: Verify connection and query execution (tests gRPC NameResolver and end-to-end functionality)
      * This is the critical test that would have caught the service file regression
+     *
+     * Note: This test requires credentials to be provided via system properties:
+     * - test.connection.url (optional, defaults to test2.pc-rnd.salesforce.com)
+     * - test.connection.userName
+     * - test.connection.password
+     * - test.connection.clientId
+     * - test.connection.clientSecret
      */
     @Test
     @Order(2)

jdbc-http/src/main/java/com/salesforce/datacloud/jdbc/auth/DataCloudTokenProvider.java

@@ -200,18 +200,84 @@ private <T extends AuthenticationResponseWithError> T getWithRetry(CheckedSuppli
         try {
             return Failsafe.with(this.exponentialBackOffPolicy).get(response);
         } catch (FailsafeException ex) {
-            if (ex.getCause() != null) {
-                throw new SQLException(ex.getCause().getMessage(), "28000", ex);
+            Throwable cause = ex.getCause();
+            if (cause instanceof AuthorizationException) {
+                AuthorizationException authEx = (AuthorizationException) cause;
+                String errorMessage = authEx.getMessage();
+                log.error(
+                        "Authorization failed - Error Code: {}, Error Description: {}, Message: {}",
+                        authEx.getErrorCode(),
+                        authEx.getErrorDescription(),
+                        errorMessage);
+                throw new SQLException(errorMessage, "28000", authEx);
+            } else if (cause != null) {
+                String causeMessage = cause.getMessage();
+                if (causeMessage == null || causeMessage.isEmpty()) {
+                    causeMessage = cause.getClass().getSimpleName() + " occurred during authentication";
+                }
+                log.error("Authentication failed: {}", causeMessage, cause);
+                throw new SQLException(causeMessage, "28000", cause);
+            } else {
+                String exMessage = ex.getMessage();
+                if (exMessage == null || exMessage.isEmpty()) {
+                    exMessage = "Authentication failed with unknown error";
+                }
+                log.error("Authentication failed: {}", exMessage, ex);
+                throw new SQLException(exMessage, "28000", ex);
             }
-            throw new SQLException(ex.getMessage(), "28000", ex);
         }
     }
 
     private static RetryPolicy<AuthenticationResponseWithError> buildExponentialBackoffRetryPolicy(int maxRetries) {
         return RetryPolicy.<AuthenticationResponseWithError>builder()
                 .withMaxRetries(maxRetries)
                 .withBackoff(1, 30, ChronoUnit.SECONDS)
-                .handleIf(e -> !(e instanceof AuthorizationException))
+                .handleIf(e -> {
+                    // Retry on AuthorizationException only if it's retriable (transient errors)
+                    if (e instanceof AuthorizationException) {
+                        return ((AuthorizationException) e).isRetriable();
+                    }
+                    // Retry on other exceptions (IOExceptions, etc.)
+                    return true;
+                })
+                .onRetry(event -> {
+                    Throwable lastException = event.getLastException();
+                    if (lastException != null) {
+                        if (lastException instanceof AuthorizationException) {
+                            AuthorizationException authEx = (AuthorizationException) lastException;
+                            log.warn(
+                                    "Authentication retry attempt {}/{} for HTTP {} error: {}",
+                                    event.getAttemptCount(),
+                                    maxRetries + 1,
+                                    authEx.getErrorCode(),
+                                    authEx.getErrorDescription());
+                        } else {
+                            log.warn(
+                                    "Authentication retry attempt {}/{} for error: {}",
+                                    event.getAttemptCount(),
+                                    maxRetries + 1,
+                                    lastException.getMessage());
+                        }
+                    }
+                })
+                .onRetriesExceeded(event -> {
+                    Throwable lastException = event.getException();
+                    if (lastException != null) {
+                        if (lastException instanceof AuthorizationException) {
+                            AuthorizationException authEx = (AuthorizationException) lastException;
+                            log.error(
+                                    "Authentication failed after {} retry attempts. HTTP {} error: {}",
+                                    maxRetries,
+                                    authEx.getErrorCode(),
+                                    authEx.getErrorDescription());
+                        } else {
+                            log.error(
+                                    "Authentication failed after {} retry attempts. Error: {}",
+                                    maxRetries,
+                                    lastException.getMessage());
+                        }
+                    }
+                })
                 .build();
     }
 }

jdbc-http/src/main/java/com/salesforce/datacloud/jdbc/auth/errors/AuthorizationException.java

@@ -13,4 +13,71 @@ public class AuthorizationException extends Exception {
     private final String message;
     private final String errorCode;
     private final String errorDescription;
+
+    @Override
+    public String getMessage() {
+        return buildDetailedMessage();
+    }
+
+    private String buildDetailedMessage() {
+        StringBuilder sb = new StringBuilder();
+        if (message != null && !message.isEmpty()) {
+            sb.append(message);
+        } else {
+            sb.append("Authorization failed");
+        }
+
+        if (errorCode != null && !errorCode.isEmpty()) {
+            sb.append(" (HTTP ").append(errorCode).append(")");
+        }
+
+        if (errorDescription != null && !errorDescription.isEmpty()) {
+            sb.append(": ").append(errorDescription);
+        }
+
+        return sb.toString();
+    }
+
+    /**
+     * Determines if this exception represents a transient error that should be retried.
+     * Retries are appropriate for:
+     * - 5xx server errors (500, 502, 503, 504)
+     * - 400 errors with retry hints in the error description (e.g., "retry your request", "unknown_error")
+     *
+     * @return true if this exception should be retried, false otherwise
+     */
+    public boolean isRetriable() {
+        if (errorCode == null || errorCode.isEmpty()) {
+            return false;
+        }
+
+        try {
+            int httpCode = Integer.parseInt(errorCode);
+
+            // Retry on 5xx server errors (transient server issues)
+            if (httpCode >= 500 && httpCode < 600) {
+                return true;
+            }
+
+            // Retry on 429 (Too Many Requests) - always retriable
+            if (httpCode == 429) {
+                return true;
+            }
+
+            // Retry on 400 errors that indicate transient issues
+            if (httpCode == 400) {
+                String description = errorDescription != null ? errorDescription.toLowerCase() : "";
+                // Check for retry hints in the error description
+                return description.contains("retry")
+                        || description.contains("unknown_error")
+                        || description.contains("temporary")
+                        || description.contains("rate limit")
+                        || description.contains("throttle");
+            }
+
+            return false;
+        } catch (NumberFormatException e) {
+            return false;
+        }
+    }
 }

jdbc-http/src/main/java/com/salesforce/datacloud/jdbc/http/FormCommand.java

@@ -17,6 +17,7 @@
 import lombok.NonNull;
 import lombok.Singular;
 import lombok.Value;
+import lombok.extern.slf4j.Slf4j;
 import lombok.val;
 import okhttp3.FormBody;
 import okhttp3.Headers;
@@ -25,6 +26,7 @@
 import okhttp3.Request;
 import okhttp3.Response;
 
+@Slf4j
 @Value
 @Builder(builderClassName = "Builder")
 public class FormCommand {
@@ -76,12 +78,43 @@ private static <T> T executeRequest(@NonNull OkHttpClient client, Request reques
             throws SQLException, AuthorizationException {
         try (Response response = client.newCall(request).execute()) {
             if (!response.isSuccessful()) {
-                if (response.code() >= 400 && response.code() < 500) {
-                    throw AuthorizationException.builder()
+                int statusCode = response.code();
+                String responseBody = "";
+                try {
+                    val responseBodyObj = response.body();
+                    if (responseBodyObj != null) {
+                        responseBody = responseBodyObj.string();
+                    }
+                } catch (IOException e) {
+                    // If we can't read the body, continue with empty string
+                }
+
+                // Handle 4xx and 5xx errors as AuthorizationException for consistent retry handling
+                if (statusCode >= 400 && statusCode < 600) {
+                    AuthorizationException authEx = AuthorizationException.builder()
                             .message(response.message())
-                            .errorCode(String.valueOf(response.code()))
-                            .errorDescription(response.body().string())
+                            .errorCode(String.valueOf(statusCode))
+                            .errorDescription(responseBody)
                             .build();
+
+                    // Log the error details for debugging
+                    if (authEx.isRetriable()) {
+                        log.warn(
+                                "HTTP {} error from {} (retriable): {} - Response body: {}",
+                                statusCode,
+                                request.url(),
+                                response.message(),
+                                responseBody);
+                    } else {
+                        log.error(
+                                "HTTP {} error from {}: {} - Response body: {}",
+                                statusCode,
+                                request.url(),
+                                response.message(),
+                                responseBody);
+                    }
+
+                    throw authEx;
                 }
                 throw new IOException("Unexpected code " + response);
             }

jdbc-http/src/test/java/com/salesforce/datacloud/jdbc/auth/DataCloudTokenProviderTest.java

@@ -104,6 +104,72 @@ void retryPolicyDoesntRetryOnAuthorizationException() {
         }
     }
 
+    @SneakyThrows
+    @Test
+    void retryPolicyRetriesOnRetriableAuthorizationException() {
+        val properties = propertiesForPassword("un", "pw");
+        properties.setProperty(HttpClientProperties.HTTP_MAX_RETRIES, "2");
+        val expectedTriesCount = 3; // initial + 2 retries
+        try (val server = new MockWebServer()) {
+            server.start();
+            // Simulate HTTP 500 errors (retriable) that eventually succeed
+            for (int i = 0; i < expectedTriesCount - 1; i++) {
+                server.enqueue(new MockResponse().setResponseCode(500).setBody("Internal Server Error"));
+            }
+            // Last request succeeds
+            val mapper = new ObjectMapper();
+            val oAuthTokenResponse = new OAuthTokenResponse();
+            oAuthTokenResponse.setToken(FAKE_TOKEN);
+            oAuthTokenResponse.setInstanceUrl(server.url("").toString());
+            server.enqueue(new MockResponse()
+                    .setBody(mapper.writeValueAsString(oAuthTokenResponse))
+                    .setResponseCode(200));
+
+            val loginUrl = server.url("").uri();
+            HttpClientProperties clientProperties = HttpClientProperties.ofDestructive(properties);
+            SalesforceAuthProperties authProperties = SalesforceAuthProperties.ofDestructive(loginUrl, properties);
+            val token =
+                    DataCloudTokenProvider.of(clientProperties, authProperties).getOAuthToken();
+            assertThat(token.getToken()).isEqualTo(FAKE_TOKEN);
+            assertThat(server.getRequestCount()).isEqualTo(expectedTriesCount);
+            server.shutdown();
+        }
+    }
+
+    @SneakyThrows
+    @Test
+    void retryPolicyRetriesOn400WithRetryHint() {
+        val properties = propertiesForPassword("un", "pw");
+        properties.setProperty(HttpClientProperties.HTTP_MAX_RETRIES, "2");
+        val expectedTriesCount = 3; // initial + 2 retries
+        try (val server = new MockWebServer()) {
+            server.start();
+            // Simulate HTTP 400 with retry hint (retriable)
+            for (int i = 0; i < expectedTriesCount - 1; i++) {
+                server.enqueue(new MockResponse()
+                        .setResponseCode(400)
+                        .setBody("{\"error\":\"unknown_error\",\"error_description\":\"retry your request\"}"));
+            }
+            // Last request succeeds
+            val mapper = new ObjectMapper();
+            val oAuthTokenResponse = new OAuthTokenResponse();
+            oAuthTokenResponse.setToken(FAKE_TOKEN);
+            oAuthTokenResponse.setInstanceUrl(server.url("").toString());
+            server.enqueue(new MockResponse()
+                    .setBody(mapper.writeValueAsString(oAuthTokenResponse))
+                    .setResponseCode(200));
+
+            val loginUrl = server.url("").uri();
+            HttpClientProperties clientProperties = HttpClientProperties.ofDestructive(properties);
+            SalesforceAuthProperties authProperties = SalesforceAuthProperties.ofDestructive(loginUrl, properties);
+            val token =
+                    DataCloudTokenProvider.of(clientProperties, authProperties).getOAuthToken();
+            assertThat(token.getToken()).isEqualTo(FAKE_TOKEN);
+            assertThat(server.getRequestCount()).isEqualTo(expectedTriesCount);
+            server.shutdown();
+        }
+    }
+
     @SneakyThrows
     @Test
     void oauthTokenRetrieved() {