SignedHttpRequest: Result-Based Validation Pipeline

[westin-m]

Goals

• Eliminate the per-claim throw new SignedHttpRequestInvalid*ClaimException in SignedHttpRequestHandler.
• Provide a non-throwing path returning ValidationResult<ValidatedSignedHttpRequest, ValidationError>.
• Keep SignedHttpRequestValidationResult as the public return type.

Work

• Add src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/Experimental/SignedHttpRequestHandler.ValidateSignedHttpRequest.Internal.cs returning ValidationResult<ValidatedSignedHttpRequest, ValidationError> (introduces ValidatedSignedHttpRequest with PopKey + validated access token claims).
• Add SHR-specific ValidationError subclasses (one per existing exception type): SignedHttpRequestSignatureValidationError, SignedHttpRequestClaimValidationError parameterized by claim name (at, b, cnf, h, m, nonce, p, q, ts, u), SignedHttpRequestPopKeyValidationError.
• Convert each ValidateAtClaim, ValidateBClaim, …, ValidateSignatureAsync, ResolvePopKeyAsync to return ValidationResult<…, ValidationError> instead of throwing. Keep originals as legacy wrappers that call result.UnwrapOrThrow().
• Switch ValidateAccessTokenAsync to call IResultBasedValidation.ValidateTokenAsync once Issue 2 ships; until then, keep the legacy call but already return a ValidationResult to the new pipeline.
• Add SignedHttpRequestValidationParameters.TokenHandler overload (experimental) that accepts an IResultBasedValidation-capable handler.
• Update InternalAPI.Unshipped.txt.

Tests

• Mirror the existing SignedHttpRequestHandlerTests per-claim cases; assert result.UnwrapError() is SignedHttpRequestClaimValidationError && error.ClaimName == "".
• Cross-test: failing input produces a ValidationError whose GetException() matches the existing exception type (e.g., SignedHttpRequestInvalidNonceClaimException).

Acceptance

• Existing SignedHttpRequestValidationResult.IsValid / Exception semantics unchanged.
• New result-based entry point covered by tests; legacy entry point routes through it.