
jwtauthccl: check HTTP status code in getHttpResponse#158294

Merged
trunk-io[bot] merged 1 commit into cockroachdb:master from vxtls:fix/jwt-http-status
Mar 13, 2026

Conversation

@vxtls
Contributor

@vxtls vxtls commented Nov 24, 2025

check HTTP status in getHttpResponse and include body snippet

Epic: None

Overview

Previously, getHttpResponse ignored non-2xx HTTP responses.
As a result, JWKS/userinfo/discovery requests could return 4xx or 5xx pages,
and the caller would only fail when JSON parsing encountered an error.
This made it difficult to quickly identify the root cause of HTTP failures.

What this change does

  • Adds a check for non-2xx HTTP status codes.
  • Returns a clear error including:
    • HTTP status
    • Requested URL
    • Up to 200 bytes of the response body for context
  • Maintains existing behavior for successful 2xx responses.

Example

A 403 Forbidden response will now return an error like:
GET https://issuer.example.com/.well-known/jwks returned 403 Forbidden: <body snippet>

Testing

  • Added TestGetHTTPResponseNon2xx to cover non-2xx responses.
  • Verified that errors include both status and body snippet.
  • Ran existing tests to ensure no regressions.

Why this is useful

This change improves debuggability and observability for JWT authentication issues.
Telemetry and logs will now clearly show the actual HTTP failure instead of failing later in JSON parsing.

@vxtls vxtls requested review from a team as code owners November 24, 2025 22:24
@blathers-crl

blathers-crl bot commented Nov 24, 2025

Thank you for contributing to CockroachDB. Please ensure you have followed the guidelines for creating a PR.

Before a member of our team reviews your PR, I have some potential action items for you:

  • Please ensure your git commit message contains a release note.
  • When CI has completed, please ensure no errors have appeared.

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.

@blathers-crl blathers-crl bot added the O-community Originated from the community label Nov 24, 2025
@cockroach-teamcity
Member

This change is Reviewable

@cockroachlabs-cla-agent

cockroachlabs-cla-agent bot commented Nov 24, 2025

CLA assistant check
All committers have signed the CLA.

Contributor

@pritesh-lahoti pritesh-lahoti left a comment


Thanks for this contribution and apologies for the delay, @vxtls! This is a really clean change and the PR description is excellent -- the "before and after" is very clear.

The logic looks correct to me, and CI is fully green. A couple of small notes:

  1. Rebase needed: It looks like there are merge conflicts with master. Could you rebase your branch so we can get this mergeable?

  2. Release note: The commit will need a release note line. I'm happy to add that myself when we merge, so don't worry about it unless you'd like to write one.

  3. I left one inline suggestion about the error construction pattern -- not a blocker, and I can amend it myself if you'd prefer.

Really appreciate you improving the debuggability here. The old behavior of silently passing non-2xx responses through to JSON parsing was a real pain point.

@pritesh-lahoti reviewed 2 files and all commit messages, and made 2 comments.
Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on vxtls).


pkg/ccl/jwtauthccl/authentication_jwt.go line 524 at r1 (raw file):

			bodySnippet = bodySnippet[:200] + "..."
		}
		return nil, errors.Newf("GET %s returned %s: %s", url, resp.Status, bodySnippet)

nit (happy to fix this myself before merging): The rest of this file uses errors.WithDetailf to keep internal details (like URLs and response content) in the error detail rather than the top-level error message. That pattern keeps those details out of client-facing error surfaces while still making them available in logs. Something like:

return nil, errors.WithDetailf(
    errors.Newf("JWT authentication: HTTP request failed"),
    "GET %s returned %s: %s", url, resp.Status, bodySnippet,
)

This would be consistent with how the callers in ValidateJWTLogin and VerifyAndExtractIssuer handle errors from this function. Not a blocker -- I can amend this when merging if you'd like.
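The check the PR description lays out (reject non-2xx, report status, URL and up to 200 bytes of body) together with the reviewer's point that URLs and response content belong in error details rather than the top-level message, as an added stand-alone example. This is not CockroachDB's code: it uses only the Go standard library, and the HTTPStatusError type with its Detail() method is a hypothetical stand-in for the errors.WithDetailf pattern the reviewer refers to; the 200-byte limit is taken from the PR.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// bodySnippetLimit mirrors the PR's "up to 200 bytes of the response body".
const bodySnippetLimit = 200

// HTTPStatusError (hypothetical, not the project's type) keeps the generic
// message in Error() and the URL/status/body context in Detail(), so the
// context reaches logs without leaking into client-facing error text.
type HTTPStatusError struct {
	Method     string
	URL        string
	StatusCode int
	Status     string // e.g. "403 Forbidden", as reported by net/http
	Snippet    string // at most bodySnippetLimit bytes, plus "..." if truncated
}

func (e *HTTPStatusError) Error() string {
	return "JWT authentication: HTTP request failed"
}

// Detail returns the operator-facing context in the same shape as the PR's example.
func (e *HTTPStatusError) Detail() string {
	return fmt.Sprintf("%s %s returned %s: %s", e.Method, e.URL, e.Status, e.Snippet)
}

// truncateSnippet keeps at most limit bytes and marks truncation with "...".
func truncateSnippet(body []byte, limit int) string {
	if len(body) <= limit {
		return string(body)
	}
	return string(body[:limit]) + "..."
}

// getHTTPResponse fetches url and returns the body only for 2xx responses.
// A non-2xx response becomes an *HTTPStatusError instead of being handed
// to the JSON parser, which is the failure mode the PR removes.
func getHTTPResponse(client *http.Client, url string) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		// Read just enough to know whether the snippet must be truncated;
		// an error page from the identity provider is never parsed further.
		partial, _ := io.ReadAll(io.LimitReader(resp.Body, bodySnippetLimit+1))
		return nil, &HTTPStatusError{
			Method:     "GET",
			URL:        url,
			StatusCode: resp.StatusCode,
			Status:     resp.Status,
			Snippet:    truncateSnippet(partial, bodySnippetLimit),
		}
	}
	return io.ReadAll(resp.Body)
}

func main() {
	// Constructed stand-in for an identity provider that refuses the JWKS request.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusForbidden)
		fmt.Fprint(w, "<html>access denied by the identity provider</html>")
	}))
	defer srv.Close()

	_, err := getHTTPResponse(srv.Client(), srv.URL+"/.well-known/jwks")
	var se *HTTPStatusError
	if errors.As(err, &se) {
		fmt.Println("client-facing:", se.Error())
		fmt.Println("log detail:   ", se.Detail())
	}
}
```

Reading the body through an io.LimitReader on the error path means a large or hostile error page costs at most 201 bytes of memory, while the 2xx path still reads the full JWKS or discovery document as before.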

@vxtls vxtls force-pushed the fix/jwt-http-status branch from 6ae4d4a to 8c13b52 Compare March 12, 2026 15:10
@blathers-crl

blathers-crl bot commented Mar 12, 2026

Thank you for updating your pull request.

Before a member of our team reviews your PR, I have some potential action items for you:

  • We notice you have more than one commit in your PR. We try to break logical changes into separate commits, but commits such as "fix typo" or "address review commits" should be squashed into one commit and pushed with --force
  • Please ensure your git commit message contains a release note.
  • When CI has completed, please ensure no errors have appeared.

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.

@vxtls vxtls requested a review from pritesh-lahoti March 12, 2026 15:17
@vxtls
Contributor Author

vxtls commented Mar 12, 2026

@pritesh-lahoti
CI appears to have failed, but this seems to be an issue with the CI environment (permission denied).
sample:

INFO: From GoMockReflectProgOnlyGen pkg/ccl/changefeedccl/mocks/kafka_admin_v2_generated_gomock_prog.go [for tool]:
2026/03/02 19:53:50 failed to create modcache index dir: mkdir /home/roach: permission denied
INFO: From GoMockReflectProgOnlyGen pkg/cmd/tef/planners/mock_plan_executor_gomock_prog.go [for tool]:
2026/03/02 19:53:50 failed to create modcache index dir: mkdir /home/roach: permission denied

Previously, getHttpResponse would silently accept non-2xx HTTP responses
when fetching JWKS or OpenID configuration, potentially leading to
confusing downstream parse errors. Now, non-2xx responses return an error
with the HTTP status and a truncated body snippet in the error details.

Release note (bug fix): JWT authentication now returns a clear error when
HTTP requests to fetch JWKS or OpenID configuration return non-2xx status
codes, instead of silently passing the response body to the JSON parser.

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
Contributor

@pritesh-lahoti pritesh-lahoti left a comment


Squashed the commits and added the release note.
Will merge once the CI passes now (seemed to be flaky earlier).

Thanks again, @vxtls !

@pritesh-lahoti
Contributor

/trunk merge

@trunk-io
Contributor

trunk-io bot commented Mar 13, 2026

😎 Merged directly without going through the merge queue, as the queue was empty and the PR was up to date with the target branch - details.

@trunk-io trunk-io bot merged commit 0c68d18 into cockroachdb:master Mar 13, 2026
26 checks passed

Labels

O-community Originated from the community target-release-26.2.0
