Fix certificate reload logic to only trigger on certificate-specific errors

[Copilot]

Fix Certificate Reload Logic for Invalid Client Errors

Changes Made

• Fixed certificate reload logic to only trigger on certificate-specific errors
• Added comprehensive tests (18 test cases, all passing)
• Updated .NET Framework code to use IndexOf for case-insensitive string comparison
• Renamed CertificateNotWithinValidityPeriod to ClientAssertionContainsInvalidSignature

Latest Update

Renamed the constant CertificateNotWithinValidityPeriod to ClientAssertionContainsInvalidSignature to better reflect that AADSTS7000274 indicates an invalid signature in the client assertion, aligning with the naming convention used for other certificate-related error codes.

This ensures case-insensitive error code matching across all target frameworks and uses more accurate naming for the error codes.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Certificate reload logic triggers on all invalid_client errors, not just cert-related issues (regression from PR #3430)</issue_title>
<issue_description>### Microsoft.Identity.Web Library

Microsoft.Identity.Web.TokenAcquisition

Microsoft.Identity.Web version

4.x

Web app

Not Applicable

Web API

Not Applicable

Token cache serialization

Not Applicable

Description

The certificate reload logic triggers on all invalid_client errors, not just certificate-related issues. This means it attempts reloads for unrelated problems, such as when the client credentials are not a certificate (e.g., wrong client secret, wrong client ID, missing client ID, etc.), resulting in unnecessary reloads and confusing behavior. PR #3430 broadened the retry logic too far, causing this regression. The intended behavior should only reload certificates for error responses specifically related to certificates, such as certificate expiration or revocation, not in unrelated authentication failures.

❌This causes infinite loops in some cases, especially when used with Agent identities which chain several token acquisitions of signed assertions.

Reproduction steps

1. Configure an app with invalid client credentials that are NOT a certificate, e.g., wrong client secret or invalid client ID.
2. Observe that the certificate reload logic triggers and forcibly reloads, even though the error is unrelated certificates.
3. See unnecessary reloads and application retries that do not address the root cause.
4. If used .WithAgentIdentity(), observe a possible infinite loop / hang

Alternatively:

• Use a scenario where a wrong client secret is used and note that certificate reload still occurs.
• Inspect the changes from PR Reload certificates for all client credential based issues #3430 for details: Reload certificates for all client credential based issues #3430

Error message

Error example (not certificate related):
AADSTS7000215: Invalid client secret is provided.

Expected only certificate-related errors like:
AADSTS7000274: Certificate is not within its validity period.
AADSTS7000277: Certificate was revoked.

Id Web logs

No response

Relevant code snippets

// After PR AzureAD/microsoft-identity-web#3430, the check became:
private bool IsInvalidClientCertificateOrSignedAssertionError(MsalServiceException exMsal)
{
    return ! _retryClientCertificate &&
        string.Equals(exMsal.ErrorCode, Constants.InvalidClient, StringComparison.OrdinalIgnoreCase);
}

Previously, several error message checks ensured the retry was only for certificate-related causes. 

// Example error that wrongly triggers reload:
// This triggers a reload, but is unrelated to certificates.
MsalServiceException: 
❌ AADSTS7000215 - Invalid client secret (not certificate-related) 
❌ AADSTS700016 - Application not found / wrong Client ID 
❌ AADSTS7000222 - Invalid client secret provided (expired secret) 
❌ AADSTS50011 - Invalid reply address configured as cases where the reload should not be triggered?

and possibly AADSTS50012 - Invalid client credentials (various causes)

Regression

Last worked when error check was limited to certificate errors, before PR #3430.

Expected behavior

Certificate reload logic should ONLY be triggered for errors directly related to the certificate—such as revocation, expiration, or an invalid client assertion signature. It should NOT be triggered for generic invalid_client errors like wrong client secret, missing client ID, or misconfigured credentials. The error filtering must be precise to prevent incorrect reloads and unnecessary application retries.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Certificate reload logic triggers on all invalid_client errors, not just cert-related issues (regression from PR #3430) #3652

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[bgavrilMS]

Do we have agreement from eSTS that the error codes are stable? Afaik, error codes are not part of the public contract between SDK and service. The existing logic is safer.

[bgavrilMS]

I recommend fixing the infinite loop instead. Retrying the cert once on a generic error seems ok.

[jmprieur]

Not instead. In addition: We got customer complains for retrying for a client secret.

[bgavrilMS]

@tlupes - is this change is compatible with the new credential? I am ok to sign off if this is true.

[jmprieur]

I recommend fixing the infinite loop instead. Retrying the cert once on a generic error seems ok.

There is a detailed issue for that.#3654