Fix certificate reload logic to only trigger on certificate-specific errors#3653

Merged
bgavrilMS merged 16 commits into master from copilot/fix-certificate-reload-logic
Jan 20, 2026
Conversation


Copilot AI commented Dec 15, 2025

Fix Certificate Reload Logic for Invalid Client Errors

Changes Made

  • Fixed certificate reload logic to only trigger on certificate-specific errors
  • Added comprehensive tests (18 test cases, all passing)
  • Updated .NET Framework code to use IndexOf for case-insensitive string comparison
  • Renamed CertificateNotWithinValidityPeriod to ClientAssertionContainsInvalidSignature

Latest Update

Renamed the constant CertificateNotWithinValidityPeriod to ClientAssertionContainsInvalidSignature to better reflect that AADSTS7000274 indicates an invalid signature in the client assertion, aligning with the naming convention used for other certificate-related error codes.

This ensures case-insensitive error code matching across all target frameworks and uses more accurate naming for the error codes.

Original prompt

This section details the original issue you should resolve

<issue_title>Certificate reload logic triggers on all invalid_client errors, not just cert-related issues (regression from PR #3430)</issue_title>
<issue_description>### Microsoft.Identity.Web Library

Microsoft.Identity.Web.TokenAcquisition

Microsoft.Identity.Web version

4.x

Web app

Not Applicable

Web API

Not Applicable

Token cache serialization

Not Applicable

Description

The certificate reload logic triggers on all invalid_client errors, not just certificate-related issues. This means it attempts reloads for unrelated problems, such as when the client credentials are not a certificate (e.g., wrong client secret, wrong client ID, missing client ID, etc.), resulting in unnecessary reloads and confusing behavior. PR #3430 broadened the retry logic too far, causing this regression. The intended behavior should only reload certificates for error responses specifically related to certificates, such as certificate expiration or revocation, not in unrelated authentication failures.

❌ This causes infinite loops in some cases, especially when used with Agent identities which chain several token acquisitions of signed assertions.

Reproduction steps

  1. Configure an app with invalid client credentials that are NOT a certificate, e.g., wrong client secret or invalid client ID.
  2. Observe that the certificate reload logic triggers and forcibly reloads, even though the error is unrelated to certificates.
  3. See unnecessary reloads and application retries that do not address the root cause.
  4. If .WithAgentIdentity() is used, observe a possible infinite loop / hang.

Alternatively:

Error message

Error example (not certificate related):
AADSTS7000215: Invalid client secret is provided.

Expected only certificate-related errors like:
AADSTS7000274: Certificate is not within its validity period.
AADSTS7000277: Certificate was revoked.

Id Web logs

No response

Relevant code snippets

// After PR AzureAD/microsoft-identity-web#3430, the check became:
private bool IsInvalidClientCertificateOrSignedAssertionError(MsalServiceException exMsal)
{
    // Matches on the generic invalid_client error code alone, so any client-credential
    // failure (wrong secret, wrong client ID, ...) passes this check and triggers a reload.
    return !_retryClientCertificate &&
        string.Equals(exMsal.ErrorCode, Constants.InvalidClient, StringComparison.OrdinalIgnoreCase);
}

Previously, several error message checks ensured the retry was only for certificate-related causes. 

// Example error that wrongly triggers reload:
// This triggers a reload, but is unrelated to certificates.
MsalServiceException: 
❌ AADSTS7000215 - Invalid client secret (not certificate-related)
❌ AADSTS700016 - Application not found / wrong Client ID
❌ AADSTS7000222 - Invalid client secret provided (expired secret) 
❌ AADSTS50011 - Invalid reply address configured as cases where the reload should not be triggered?

and possibly AADSTS50012 - Invalid client credentials (various causes)

Regression

Last worked when error check was limited to certificate errors, before PR #3430.

Expected behavior

Certificate reload logic should ONLY be triggered for errors directly related to the certificate—such as revocation, expiration, or an invalid client assertion signature. It should NOT be triggered for generic invalid_client errors like wrong client secret, missing client ID, or misconfigured credentials. The error filtering must be precise to prevent incorrect reloads and unnecessary application retries.</issue_description>

Comments on the Issue (you are @copilot in this section)
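Added example in C#, not code from the microsoft-identity-web repository: it places the over-broad check from PR #3430 beside the narrowed form this PR describes (generic invalid_client code plus a certificate-specific AADSTS code in the message, matched with IndexOf so the comparison is case-insensitive on .NET Framework too, and retried at most once). The stand-in exception type, the list contents and the sample messages are assumptions built from the codes quoted in the issue.

```csharp
using System;

// Added example, not code from the microsoft-identity-web repository. The
// exception type is a stand-in for MsalServiceException (assumption) that
// exposes only the two members the check reads: ErrorCode and Message.
public sealed class StandInMsalServiceException : Exception
{
    public string ErrorCode { get; }
    public StandInMsalServiceException(string code, string msg) : base(msg) => ErrorCode = code;
}

public static class CertificateReloadPolicy
{
    public const string InvalidClient = "invalid_client"; // generic OAuth error code
    // AADSTS codes the issue names as certificate-specific (constructed list).
    private static readonly string[] CertificateErrorCodes =
    {
        "AADSTS7000274", // ClientAssertionContainsInvalidSignature
        "AADSTS7000277", // certificate was revoked
    };
    // Over-broad check from PR #3430: every invalid_client error reloads the cert.
    public static bool BroadCheck(StandInMsalServiceException ex, bool retried) =>
        !retried && string.Equals(ex.ErrorCode, InvalidClient, StringComparison.OrdinalIgnoreCase);
    // Narrowed check: invalid_client AND a certificate-specific code in the message.
    // IndexOf(string, StringComparison) rather than Contains, because .NET Framework
    // has no case-insensitive string.Contains overload.
    public static bool NarrowCheck(StandInMsalServiceException ex, bool retried)
    {
        if (retried || !string.Equals(ex.ErrorCode, InvalidClient, StringComparison.OrdinalIgnoreCase))
            return false;
        foreach (string code in CertificateErrorCodes)
            if (ex.Message.IndexOf(code, StringComparison.OrdinalIgnoreCase) >= 0)
                return true;
        return false;
    }
}
public static class Program
{
    public static void Main()
    {
        // Constructed messages modelled on the codes quoted in the issue.
        var secret = new StandInMsalServiceException("invalid_client", "AADSTS7000215: Invalid client secret is provided.");
        var cert = new StandInMsalServiceException("invalid_client", "AADSTS7000274: Certificate is not within its validity period.");
        Console.WriteLine($"secret error, broad check:  {CertificateReloadPolicy.BroadCheck(secret, false)}");
        Console.WriteLine($"secret error, narrow check: {CertificateReloadPolicy.NarrowCheck(secret, false)}");
        Console.WriteLine($"cert error, narrow check:   {CertificateReloadPolicy.NarrowCheck(cert, false)}");
        Console.WriteLine($"cert error, second attempt: {CertificateReloadPolicy.NarrowCheck(cert, true)}");
    }
}
```

The first two lines of output show the regression (the broad check reloads on a secret error, the narrow one does not); the last line shows the single-retry guard that breaks the loop reported with agent identities.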



Copilot AI changed the title [WIP] Fix certificate reload logic for specific invalid_client errors Fix certificate reload logic to only trigger on certificate-specific errors Dec 15, 2025
Copilot AI requested a review from jmprieur December 15, 2025 03:56
@jmprieur jmprieur marked this pull request as ready for review December 15, 2025 04:09
@jmprieur jmprieur requested a review from a team as a code owner December 15, 2025 04:09

@bgavrilMS bgavrilMS left a comment


Do we have agreement from eSTS that the error codes are stable? Afaik, error codes are not part of the public contract between SDK and service. The existing logic is safer.


@bgavrilMS bgavrilMS left a comment

The reason will be displayed to describe this comment to others. Learn more.

I recommend fixing the infinite loop instead. Retrying the cert once on a generic error seems ok.

@jmprieur

Not instead. In addition: we got customer complaints for retrying for a client secret.

@bgavrilMS

@tlupes - is this change compatible with the new credential? I am ok to sign off if this is true.

@jmprieur

jmprieur commented Jan 9, 2026

I recommend fixing the infinite loop instead. Retrying the cert once on a generic error seems ok.

There is a detailed issue for that: #3654

…rtificateErrorCodes) for maintainability. Addresses PR feedback from Tom (#3653).
…hSet (CertificateErrorCodes) for maintainability. Addresses PR feedback from Tom (#3653)."

This reverts commit ef13e42.

@jmprieur jmprieur left a comment


@copilot this is great.
Please rename CertificateNotWithinValidityPeriod to ClientAssertionContainsInvalidSignature (See https://github.com/AzureAD/microsoft-identity-web/pull/3653/changes#r2619663075 for context) and we will be done


Copilot AI commented Jan 20, 2026

@copilot this is great.
Please rename CertificateNotWithinValidityPeriod to ClientAssertionContainsInvalidSignature (See https://github.com/AzureAD/microsoft-identity-web/pull/3653/changes#r2619663075...

Renamed CertificateNotWithinValidityPeriod to ClientAssertionContainsInvalidSignature across all files including Constants.cs, PublicAPI files, and tests. Commit: 560638e

Copilot AI requested a review from jmprieur January 20, 2026 16:38

@neha-bhargava neha-bhargava left a comment


Looks good. The new API/variable should only be added to the Unshipped file.

@bgavrilMS bgavrilMS merged commit 6bb13bd into master Jan 20, 2026
5 checks passed
@bgavrilMS bgavrilMS deleted the copilot/fix-certificate-reload-logic branch January 20, 2026 21:00