AzureAD · keegan-caruso · Jul 23, 2025 · Jul 21, 2025 · Jul 21, 2025 · Jul 21, 2025
@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.Identity.Abstractions;
 
@@ -46,6 +47,11 @@ public class CertificateChangeEventArg
         /// Credential description
         /// </summary>
         public CredentialDescription? CredentialDescription { get; set; }
+
+        /// <summary>
+        /// Gets the exception thrown during the certificate selection or deselection.
+        /// </summary>
+        public Exception? ThrownException { get; set; } 
     }
 
     /// <summary>

@@ -1,3 +1,5 @@
 #nullable enable
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider.GetEffectiveAuthenticationScheme(string? authenticationScheme) -> string!
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.get -> System.Exception?
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.set -> void
@@ -1,3 +1,5 @@
 #nullable enable
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider.GetEffectiveAuthenticationScheme(string? authenticationScheme) -> string!
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.get -> System.Exception?
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.set -> void
@@ -1,3 +1,5 @@
 #nullable enable
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider.GetEffectiveAuthenticationScheme(string? authenticationScheme) -> string!
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.get -> System.Exception?
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.set -> void
@@ -1,3 +1,5 @@
 #nullable enable
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider.GetEffectiveAuthenticationScheme(string? authenticationScheme) -> string!
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.get -> System.Exception?
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.set -> void
@@ -1,3 +1,5 @@
 #nullable enable
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider.GetEffectiveAuthenticationScheme(string? authenticationScheme) -> string!
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.get -> System.Exception?
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.set -> void
@@ -1,3 +1,5 @@
 #nullable enable
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider.GetEffectiveAuthenticationScheme(string? authenticationScheme) -> string!
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.get -> System.Exception?
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.set -> void
@@ -1,3 +1,5 @@
 #nullable enable
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider
 Microsoft.Identity.Web.IAuthenticationSchemeInformationProvider.GetEffectiveAuthenticationScheme(string? authenticationScheme) -> string!
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.get -> System.Exception?
+Microsoft.Identity.Web.Experimental.CertificateChangeEventArg.ThrownException.set -> void
@@ -183,7 +183,7 @@ public async Task<AcquireTokenResult> AddAccountToCacheFromAuthorizationCodeAsyn
             }
             catch (MsalServiceException exMsal) when (IsInvalidClientCertificateOrSignedAssertionError(exMsal))
             {
-                NotifyCertificateSelection(mergedOptions, application!, CerticateObserverAction.Deselected);
+                NotifyCertificateSelection(mergedOptions, application!, CerticateObserverAction.Deselected, exMsal);
                 DefaultCertificateLoader.ResetCertificates(mergedOptions.ClientCredentials);
                 _applicationsByAuthorityClientId[GetApplicationKey(mergedOptions)] = null;
 
@@ -302,7 +302,7 @@ public async Task<AuthenticationResult> GetAuthenticationResultForUserAsync(
             }
             catch (MsalServiceException exMsal) when (IsInvalidClientCertificateOrSignedAssertionError(exMsal))
             {
-                NotifyCertificateSelection(mergedOptions, application, CerticateObserverAction.Deselected);
+                NotifyCertificateSelection(mergedOptions, application, CerticateObserverAction.Deselected, exMsal);
                 DefaultCertificateLoader.ResetCertificates(mergedOptions.ClientCredentials);
                 _applicationsByAuthorityClientId[GetApplicationKey(mergedOptions)] = null;
 
@@ -620,7 +620,7 @@ public async Task<AuthenticationResult> GetAuthenticationResultForAppAsync(
             }
             catch (MsalServiceException exMsal) when (IsInvalidClientCertificateOrSignedAssertionError(exMsal))
             {
-                NotifyCertificateSelection(mergedOptions, application, CerticateObserverAction.Deselected);
+                NotifyCertificateSelection(mergedOptions, application, CerticateObserverAction.Deselected, exMsal);
                 DefaultCertificateLoader.ResetCertificates(mergedOptions.ClientCredentials);
                 _applicationsByAuthorityClientId[GetApplicationKey(mergedOptions)] = null;
 
@@ -935,7 +935,7 @@ await builder.WithClientCredentialsAsync(
 
                 // If the client application has set certificate observer,
                 // fire the event to notify the client app that a certificate was selected.
-                NotifyCertificateSelection(mergedOptions, app, CerticateObserverAction.Selected);
+                NotifyCertificateSelection(mergedOptions, app, CerticateObserverAction.Selected, null);
 
                 // Initialize token cache providers
                 if (!(_tokenCacheProvider is MsalMemoryTokenCacheProvider))
@@ -962,7 +962,12 @@ await builder.WithClientCredentialsAsync(
         /// <param name="mergedOptions"></param>
         /// <param name="app"></param>
         /// <param name="action"></param>
-        private void NotifyCertificateSelection(MergedOptions mergedOptions, IConfidentialClientApplication app, CerticateObserverAction action)
+        /// <param name="exception">The thrown exception, if any.</param>
+        private void NotifyCertificateSelection(
+            MergedOptions mergedOptions,
+            IConfidentialClientApplication app,
+            CerticateObserverAction action,
+            Exception? exception)
         {
             X509Certificate2 selectedCertificate = app.AppConfig.ClientCredentialCertificate;
             if (_certificatesObserver != null
@@ -973,7 +978,8 @@ private void NotifyCertificateSelection(MergedOptions mergedOptions, IConfidenti
                     {
                         Action = action,
                         Certificate = app.AppConfig.ClientCredentialCertificate,
-                        CredentialDescription = mergedOptions.ClientCredentials?.FirstOrDefault(c => c.Certificate == selectedCertificate)
+                        CredentialDescription = mergedOptions.ClientCredentials?.FirstOrDefault(c => c.Certificate == selectedCertificate),
+                        ThrownException = exception,
                     });
             }
         }