[Feature Request] Reload certificates for all client credential based issues #3429

@tlupes

Description

Is your feature request related to a problem? Please describe.

The current behavior of the library is to reload and retry certificates in the event that the certificate fails for one of the following two issues:

  • The certificate has been revoked.
  • The certificate has expired.

There are a great many other reasons that authentication can fail which fall outside these two scenarios. If any of those additional scenarios occurs, the certificate will never be reloaded.

As a result, if a bad certificate is installed on the machine and picked up, and subsequently rotated, a service restart is needed for the new certificate to be used.

private bool IsInvalidClientCertificateOrSignedAssertionError(MsalServiceException exMsal)

Describe the solution you'd like

I would like any issue with the certificate to trigger a reload, so that a new certificate can be selected. This can be done by just checking if the error code is invalid_client.

Describe alternatives you've considered

Adding more reasons to the acceptable list of reasons. While this would work for known reasons, it is far safer to just retry for everything in case additional things are added or cases are missed.
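The following is an added example, not code from the issue author or from the library: it contrasts the narrow reload trigger described above (reload only for a revoked or expired certificate) with the broad trigger the issue proposes (reload on any `invalid_client` rejection), and runs both against a constructed rotation scenario where a bad certificate was picked up at service start and the good one was installed afterwards. `MsalServiceExceptionStandIn`, `CertificateStore`, `TokenClient`, the thumbprints and the error message are all constructed for the example; only the `ErrorCode` property and the `invalid_client` error code correspond to the real MSAL type and the OAuth 2.0 error. The message substrings the narrow policy matches on are an assumption, not the library's actual check. Targets .NET 6 or later.

```csharp
using System;

// Constructed stand-in for MSAL's MsalServiceException; only ErrorCode
// (which the real type exposes) and Message are modelled.
sealed class MsalServiceExceptionStandIn : Exception
{
    public string ErrorCode { get; }
    public MsalServiceExceptionStandIn(string errorCode, string message)
        : base(message) => ErrorCode = errorCode;
}

static class ReloadPolicies
{
    // Current behaviour as the issue describes it: reload only when the
    // failure is attributable to a revoked or expired certificate.
    // Matching on message text is an assumption made for this example.
    public static bool NarrowShouldReload(MsalServiceExceptionStandIn ex) =>
        ex.ErrorCode == "invalid_client" &&
        (ex.Message.Contains("revoked", StringComparison.OrdinalIgnoreCase) ||
         ex.Message.Contains("expired", StringComparison.OrdinalIgnoreCase));

    // Proposed behaviour: any invalid_client rejection of the client
    // credential triggers a reload so a rotated certificate is picked up.
    public static bool BroadShouldReload(MsalServiceExceptionStandIn ex) =>
        ex.ErrorCode == "invalid_client";
}

// Constructed model of the machine's certificate store: the thumbprint
// currently installed, which an operator may change while the service runs.
sealed class CertificateStore
{
    public string Installed { get; set; } = "";
}

static class TokenClient
{
    // Constructed token endpoint: only one thumbprint is registered on the app.
    const string Registered = "GOOD-THUMBPRINT";

    public static string RequestToken(string thumbprint)
    {
        if (thumbprint == Registered) return "constructed-access-token";
        // A failure that is neither a revoked nor an expired certificate.
        throw new MsalServiceExceptionStandIn("invalid_client",
            "Client assertion contains an invalid signature (constructed message)");
    }

    // Acquire a token with the cached certificate; if the policy says the
    // failure is certificate-related, reload from the store and retry once.
    // The single retry bounds the cost of reloading on every failure and lets
    // a second rejection surface to the caller instead of looping.
    public static string Acquire(CertificateStore store, ref string cached,
                                 Func<MsalServiceExceptionStandIn, bool> shouldReload)
    {
        try
        {
            return RequestToken(cached);
        }
        catch (MsalServiceExceptionStandIn ex) when (shouldReload(ex))
        {
            cached = store.Installed;   // reload: pick up whatever is installed now
            return RequestToken(cached);
        }
    }
}

static class Program
{
    static void Main()
    {
        var policies = new (string Name, Func<MsalServiceExceptionStandIn, bool> Policy)[]
        {
            ("narrow (current)", ReloadPolicies.NarrowShouldReload),
            ("broad (proposed)", ReloadPolicies.BroadShouldReload),
        };

        foreach (var (name, policy) in policies)
        {
            var store = new CertificateStore { Installed = "BAD-THUMBPRINT" };
            var cached = store.Installed;          // service start picks up the bad cert
            store.Installed = "GOOD-THUMBPRINT";   // operator rotates the certificate
            try
            {
                var token = TokenClient.Acquire(store, ref cached, policy);
                Console.WriteLine($"{name}: acquired '{token}', now using {cached}");
            }
            catch (MsalServiceExceptionStandIn ex)
            {
                Console.WriteLine($"{name}: still failing with {ex.ErrorCode}: {ex.Message}; " +
                                  $"still using {cached}, so a service restart would be needed");
            }
        }
    }
}
```

Running it shows the difference the issue is about: under the narrow policy the signature failure is not recognised, no reload happens and the service keeps presenting the stale certificate; under the broad policy the same failure triggers one reload, the rotated certificate is picked up and the retry succeeds. Keeping the reload bounded to one attempt per acquisition is the caveat to carry over to a real implementation: reloading is what makes rotation work without a restart, but an unconditional reload-and-retry loop against a persistently rejected credential would only add load on the certificate store and the token endpoint.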
