AzureAD · Copilot · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025
@@ -52,6 +52,27 @@ public DefaultCertificateLoader(IEnumerable<ICustomSignedAssertionProvider> cust
         {
         }
 
+        /// <summary>
+        /// Constructor with a logger and custom credential source loaders.
+        /// </summary>
+        /// <param name="logger">Logger instance</param>
+        /// <param name="credentialSourceLoaders">Additional credential source loaders. Can override built-in loaders.</param>
+        public DefaultCertificateLoader(
+            ILogger<DefaultCertificateLoader>? logger,
+            IEnumerable<ICredentialSourceLoader>? credentialSourceLoaders) : base(logger, credentialSourceLoaders)
+        {
+        }
+
+        /// <summary>
+        /// Constructor with both custom signed assertion providers and custom credential source loaders.
+        /// </summary>
+        /// <param name="customSignedAssertionProviders">List of providers of custom signed assertions</param>
+        /// <param name="logger">ILogger.</param>
+        /// <param name="credentialSourceLoaders">Additional credential source loaders. Can override built-in loaders.</param>
+        public DefaultCertificateLoader(IEnumerable<ICustomSignedAssertionProvider> customSignedAssertionProviders, ILogger<DefaultCertificateLoader>? logger, IEnumerable<ICredentialSourceLoader>? credentialSourceLoaders) : base(customSignedAssertionProviders, logger, credentialSourceLoaders)
+        {
+        }
+
         /// <summary>
         ///  This default is overridable at the level of the credential description (for the certificate from KeyVault).
         /// </summary>

@@ -37,6 +37,32 @@ public DefaultCredentialsLoader(IEnumerable<ICustomSignedAssertionProvider> cust
             CustomSignedAssertionCredentialSourceLoaders = sourceLoaderDict;
         }
 
+        /// <summary>
+        /// Constructor for DefaultCredentialsLoader with both custom signed assertion providers and custom credential source loaders.
+        /// </summary>
+        /// <param name="customSignedAssertionProviders">Set of custom signed assertion providers.</param>
+        /// <param name="logger">ILogger.</param>
+        /// <param name="credentialSourceLoaders">Additional credential source loaders. Can override built-in loaders.</param>
+        public DefaultCredentialsLoader(IEnumerable<ICustomSignedAssertionProvider> customSignedAssertionProviders, ILogger<DefaultCredentialsLoader>? logger, IEnumerable<ICredentialSourceLoader>? credentialSourceLoaders) : this(logger, credentialSourceLoaders)
+        {
+            _ = Throws.IfNull(customSignedAssertionProviders);
+            var sourceLoaderDict = new Dictionary<string, ICustomSignedAssertionProvider>();
+
+            foreach (ICustomSignedAssertionProvider provider in customSignedAssertionProviders)
+            {
+                string providerName = provider.Name ?? provider.GetType().FullName!;
+                if (sourceLoaderDict.ContainsKey(providerName))
+                {
+                    _logger.LogWarning(CertificateErrorMessage.CustomProviderNameAlreadyExists, providerName);
+                }
+                else
+                {
+                    sourceLoaderDict.Add(providerName, provider);
+                }
+            }
+            CustomSignedAssertionCredentialSourceLoaders = sourceLoaderDict;
+        }
+
         /// <summary>
         /// Dictionary of custom signed assertion credential source loaders, by name (either ICustomSignedAssertionProvider.Name or the fully qualified type name).
         /// The application can add more to process additional credential sources.

@@ -40,6 +40,25 @@ public DefaultCredentialsLoader(ILogger<DefaultCredentialsLoader>? logger)
             };
         }
 
+        /// <summary>
+        /// Constructor with a logger and custom credential source loaders
+        /// </summary>
+        /// <param name="logger">Logger instance</param>
+        /// <param name="credentialSourceLoaders">Additional credential source loaders. Can override built-in loaders.</param>
+        public DefaultCredentialsLoader(
+            ILogger<DefaultCredentialsLoader>? logger,
+            IEnumerable<ICredentialSourceLoader>? credentialSourceLoaders) : this(logger)
+        {
+            // Add additional/extensible loaders (can override built-ins)
+            if (credentialSourceLoaders != null)
+            {
+                foreach (var loader in credentialSourceLoaders)
+                {
+                    CredentialSourceLoaders[loader.CredentialSource] = loader;
+                }
+            }
+        }
+
         /// <summary>
         /// Default constructor (for backward compatibility)
         /// </summary>

@@ -19,6 +19,8 @@ Microsoft.Identity.Web.DefaultCertificateLoader
 Microsoft.Identity.Web.DefaultCertificateLoader.DefaultCertificateLoader() -> void
 Microsoft.Identity.Web.DefaultCertificateLoader.DefaultCertificateLoader(Microsoft.Extensions.Logging.ILogger<Microsoft.Identity.Web.DefaultCertificateLoader!>? logger) -> void
 Microsoft.Identity.Web.DefaultCertificateLoader.DefaultCertificateLoader(System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.ICustomSignedAssertionProvider!>! customSignedAssertionProviders, Microsoft.Extensions.Logging.ILogger<Microsoft.Identity.Web.DefaultCertificateLoader!>? logger) -> void
+Microsoft.Identity.Web.DefaultCertificateLoader.DefaultCertificateLoader(Microsoft.Extensions.Logging.ILogger<Microsoft.Identity.Web.DefaultCertificateLoader!>? logger, System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.ICredentialSourceLoader!>? credentialSourceLoaders) -> void
+Microsoft.Identity.Web.DefaultCertificateLoader.DefaultCertificateLoader(System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.ICustomSignedAssertionProvider!>! customSignedAssertionProviders, Microsoft.Extensions.Logging.ILogger<Microsoft.Identity.Web.DefaultCertificateLoader!>? logger, System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.ICredentialSourceLoader!>? credentialSourceLoaders) -> void
 Microsoft.Identity.Web.DefaultCertificateLoader.LoadIfNeeded(Microsoft.Identity.Web.CertificateDescription! certificateDescription) -> void
 Microsoft.Identity.Web.DefaultCertificateLoader.LoadIfNeededAsync(Microsoft.Identity.Web.CertificateDescription! certificateDescription) -> System.Threading.Tasks.Task!
 Microsoft.Identity.Web.DefaultCredentialsLoader
@@ -27,6 +29,8 @@ Microsoft.Identity.Web.DefaultCredentialsLoader.CustomSignedAssertionCredentialS
 Microsoft.Identity.Web.DefaultCredentialsLoader.DefaultCredentialsLoader() -> void
 Microsoft.Identity.Web.DefaultCredentialsLoader.DefaultCredentialsLoader(Microsoft.Extensions.Logging.ILogger<Microsoft.Identity.Web.DefaultCredentialsLoader!>? logger) -> void
 Microsoft.Identity.Web.DefaultCredentialsLoader.DefaultCredentialsLoader(System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.ICustomSignedAssertionProvider!>! customSignedAssertionProviders, Microsoft.Extensions.Logging.ILogger<Microsoft.Identity.Web.DefaultCredentialsLoader!>? logger) -> void
+Microsoft.Identity.Web.DefaultCredentialsLoader.DefaultCredentialsLoader(Microsoft.Extensions.Logging.ILogger<Microsoft.Identity.Web.DefaultCredentialsLoader!>? logger, System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.ICredentialSourceLoader!>? credentialSourceLoaders) -> void
+Microsoft.Identity.Web.DefaultCredentialsLoader.DefaultCredentialsLoader(System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.ICustomSignedAssertionProvider!>! customSignedAssertionProviders, Microsoft.Extensions.Logging.ILogger<Microsoft.Identity.Web.DefaultCredentialsLoader!>? logger, System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.ICredentialSourceLoader!>? credentialSourceLoaders) -> void
 Microsoft.Identity.Web.DefaultCredentialsLoader.LoadCredentialsIfNeededAsync(Microsoft.Identity.Abstractions.CredentialDescription! credentialDescription, Microsoft.Identity.Abstractions.CredentialSourceLoaderParameters? parameters = null) -> System.Threading.Tasks.Task!
 Microsoft.Identity.Web.DefaultCredentialsLoader.LoadFirstValidCredentialsAsync(System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.CredentialDescription!>! credentialDescriptions, Microsoft.Identity.Abstractions.CredentialSourceLoaderParameters? parameters = null) -> System.Threading.Tasks.Task<Microsoft.Identity.Abstractions.CredentialDescription?>!
 Microsoft.Identity.Web.DefaultCredentialsLoader.ResetCredentials(System.Collections.Generic.IEnumerable<Microsoft.Identity.Abstractions.CredentialDescription!>! credentialDescriptions) -> void

@@ -4,6 +4,9 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Security.Cryptography.X509Certificates;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using Microsoft.Identity.Abstractions;
 using Microsoft.Identity.Web.Test.Common;
 using Xunit;
 
@@ -110,5 +113,210 @@
             Assert.NotNull(certificateDescription.Certificate);
             Assert.True(certificateDescription.Certificate.HasPrivateKey);
         }
+
+        [Fact]
+        public void TestDefaultCredentialsLoaderWithCustomLoaders()
+        {
+            // Arrange
+            var customLoaders = new List<ICredentialSourceLoader>
+            {
+                new MockCredentialSourceLoader(CredentialSource.Base64Encoded, "custom-mock")
+            };
+
+            // Act
+            var loader = new DefaultCredentialsLoader(null, customLoaders);
+
+            // Assert
+            Assert.NotNull(loader.CredentialSourceLoaders);
+            Assert.True(loader.CredentialSourceLoaders.ContainsKey(CredentialSource.Base64Encoded));
+
+            // Verify the custom loader overrode the built-in one
+            var customLoader = loader.CredentialSourceLoaders[CredentialSource.Base64Encoded] as MockCredentialSourceLoader;
+            Assert.NotNull(customLoader);
+            Assert.Equal("custom-mock", customLoader.TestValue);
+        }
+
+        [Fact]
+        public void TestDefaultCertificateLoaderWithCustomLoaders()
+        {
+            // Arrange
+            var customLoaders = new List<ICredentialSourceLoader>
+            {
+                new MockCredentialSourceLoader(CredentialSource.Path, "certificate-mock")
+            };
+
+            // Act
+            var loader = new DefaultCertificateLoader(null, customLoaders);
+
+            // Assert
+            Assert.NotNull(loader.CredentialSourceLoaders);
+            Assert.True(loader.CredentialSourceLoaders.ContainsKey(CredentialSource.Path));
+
+            // Verify the custom loader overrode the built-in one
+            var customLoader = loader.CredentialSourceLoaders[CredentialSource.Path] as MockCredentialSourceLoader;
+            Assert.NotNull(customLoader);
+            Assert.Equal("certificate-mock", customLoader.TestValue);
+        }
+
+        [Fact]
+        public async Task TestCustomLoaderIsUsed()
+        {
+            // Arrange
+            var customLoaders = new List<ICredentialSourceLoader>
+            {
+                new MockCredentialSourceLoader(CredentialSource.StoreWithThumbprint, "used-custom-loader")
+            };
+            var loader = new DefaultCredentialsLoader(null, customLoaders);
+            var credentialDescription = new CredentialDescription
+            {
+                SourceType = CredentialSource.StoreWithThumbprint
+            };
+
+            // Act
+            await loader.LoadCredentialsIfNeededAsync(credentialDescription);
+
+            // Assert
+            Assert.Equal("used-custom-loader", credentialDescription.CachedValue);
+        }
+
+        [Fact]
+        public void TestConstructorWithNullCustomLoaders()
+        {
+            // Arrange & Act
+            var loader = new DefaultCredentialsLoader(null, null);
+
+            // Assert - should still have built-in loaders
+            Assert.NotNull(loader.CredentialSourceLoaders);
+            Assert.True(loader.CredentialSourceLoaders.ContainsKey(CredentialSource.KeyVault));
+            Assert.True(loader.CredentialSourceLoaders.ContainsKey(CredentialSource.Base64Encoded));
+        }
+
+        [Fact]
+        public void TestBackwardCompatibilityExistingConstructors()
+        {
+            // Test that existing constructors still work
+            var loader1 = new DefaultCredentialsLoader();
+            var loader2 = new DefaultCredentialsLoader(null);
+            var loader3 = new DefaultCertificateLoader();
+            var loader4 = new DefaultCertificateLoader(null);
+
+            // All should have built-in loaders
+            Assert.NotNull(loader1.CredentialSourceLoaders);
+            Assert.NotNull(loader2.CredentialSourceLoaders);
+            Assert.NotNull(loader3.CredentialSourceLoaders);
+            Assert.NotNull(loader4.CredentialSourceLoaders);
+
+            Assert.True(loader1.CredentialSourceLoaders.Count >= 7); // Should have at least 7 built-in loaders
+            Assert.True(loader2.CredentialSourceLoaders.Count >= 7);
+            Assert.True(loader3.CredentialSourceLoaders.Count >= 7);
+            Assert.True(loader4.CredentialSourceLoaders.Count >= 7);
+        }
+
+        [Fact]
+        public void TestCustomLoaderWithNonConflictingCredentialSources()
+        {
+            // Arrange - Use a custom loader that doesn't override any built-in loader
+            var customLoaders = new List<ICredentialSourceLoader>
+            {
+                new MockCredentialSourceLoader(CredentialSource.Certificate, "custom-certificate")
+            };
+
+            // Act
+            var loader = new DefaultCredentialsLoader(null, customLoaders);
+
+            // Assert - should have all built-in loaders plus the custom one
+            Assert.NotNull(loader.CredentialSourceLoaders);
+            Assert.True(loader.CredentialSourceLoaders.Count >= 8); // 7 built-in + 1 custom
+
+            // Verify built-in loaders are still present
+            Assert.True(loader.CredentialSourceLoaders.ContainsKey(CredentialSource.KeyVault));
+            Assert.True(loader.CredentialSourceLoaders.ContainsKey(CredentialSource.Base64Encoded));
+            Assert.True(loader.CredentialSourceLoaders.ContainsKey(CredentialSource.Path));
+
+            // Verify custom loader is added
+            Assert.True(loader.CredentialSourceLoaders.ContainsKey(CredentialSource.Certificate));
+            var customLoader = loader.CredentialSourceLoaders[CredentialSource.Certificate] as MockCredentialSourceLoader;
+            Assert.NotNull(customLoader);
+            Assert.Equal("custom-certificate", customLoader.TestValue);
+        }
+
+        [Fact]
+        public void TestConstructorWithBothCustomSignedAssertionProvidersAndCredentialSourceLoaders()
+        {
+            // Arrange
+            var customSignedAssertionProviders = new List<ICustomSignedAssertionProvider>
+            {
+                new MockCustomSignedAssertionProvider("test-provider")
+            };
+            var customLoaders = new List<ICredentialSourceLoader>
+            {
+                new MockCredentialSourceLoader(CredentialSource.Path, "combined-test")
+            };
+
+            // Act - Test DefaultCredentialsLoader comprehensive constructor
+            var credentialsLoader = new DefaultCredentialsLoader(customSignedAssertionProviders, null, customLoaders);
+
+            // Assert
+            Assert.NotNull(credentialsLoader.CredentialSourceLoaders);
+            Assert.NotNull(credentialsLoader.CustomSignedAssertionCredentialSourceLoaders);
+
+            // Verify custom credential source loader is present
+            Assert.True(credentialsLoader.CredentialSourceLoaders.ContainsKey(CredentialSource.Path));
+            var customLoader = credentialsLoader.CredentialSourceLoaders[CredentialSource.Path] as MockCredentialSourceLoader;
+            Assert.NotNull(customLoader);
+            Assert.Equal("combined-test", customLoader.TestValue);
+
+            // Verify custom signed assertion provider is present
+            Assert.True(credentialsLoader.CustomSignedAssertionCredentialSourceLoaders.ContainsKey("test-provider"));
+
+            // Act - Test DefaultCertificateLoader comprehensive constructor
+            var certificateLoader = new DefaultCertificateLoader(customSignedAssertionProviders, null, customLoaders);
+
+            // Assert
+            Assert.NotNull(certificateLoader.CredentialSourceLoaders);
+            Assert.NotNull(certificateLoader.CustomSignedAssertionCredentialSourceLoaders);
+        }
+
+        /// <summary>
+        /// Mock credential source loader for testing
+        /// </summary>
+        internal class MockCredentialSourceLoader : ICredentialSourceLoader
+        {
+            public CredentialSource CredentialSource { get; }
+            public string TestValue { get; }
+
+            public MockCredentialSourceLoader(CredentialSource credentialSource, string testValue = "mock")
+            {
+                CredentialSource = credentialSource;
+                TestValue = testValue;
+            }
+
+            public Task LoadIfNeededAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters? parameters = null)
+            {
+                // Mock implementation - just mark that this loader was used
+                credentialDescription.CachedValue = TestValue;
+                return Task.CompletedTask;
+            }
+        }
+
+        /// <summary>
+        /// Mock custom signed assertion provider for testing
+        /// </summary>
+        internal class MockCustomSignedAssertionProvider : ICustomSignedAssertionProvider
+        {
+            public CredentialSource CredentialSource => CredentialSource.CustomSignedAssertion;
+            public string Name { get; }
+
+            public MockCustomSignedAssertionProvider(string name)
+            {
+                Name = name;
+            }
+
+            public Task LoadIfNeededAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters? parameters = null)
+            {
+                credentialDescription.CachedValue = $"mock-assertion-{Name}";
+                return Task.CompletedTask;
+            }
+        }
     }
 }