In authernticatingClient doAuthenticate(), we return a generic error string when there's an authentication error:

if authDetails, err = c.authMode.Auth(c.creds); err != nil {
return gooseerrors.Newf(err, "authentication failed")
}

And also further down in the method when there's other types of error, eg

if err := c.createServiceURLs(); err != nil {
return gooseerrors.Newf(err, "cannot create service URLs")
}

This makes it hard for callers (eg juju) to distinguish between auth errors and other errors. goose does have an UnauthorisedError code so that should be used where appropriate.