Microsoft.Identity.Web Library
Microsoft.Identity.Web.TokenAcquisition
Microsoft.Identity.Web version
4.x
Web app
Not Applicable
Web API
Not Applicable
Token cache serialization
Not Applicable
Description
The certificate reload logic triggers on all invalid_client errors, not just certificate-related issues. This means it attempts reloads for unrelated problems, such as when the client credentials are not a certificate (e.g., wrong client secret, wrong client ID, missing client ID, etc.), resulting in unnecessary reloads and confusing behavior. PR #3430 broadened the retry logic too far, causing this regression. The intended behavior should only reload certificates for error responses specifically related to certificates, such as certificate expiration or revocation, not in unrelated authentication failures.
❌ This causes infinite loops in some cases, especially when used with Agent identities, which chain several token acquisitions of signed assertions.
Reproduction steps
- Configure an app with invalid client credentials that are NOT a certificate, e.g., wrong client secret or invalid client ID.
- Observe that the certificate reload logic triggers and forcibly reloads, even though the error is unrelated to certificates.
- See unnecessary reloads and application retries that do not address the root cause.
- If .WithAgentIdentity() is used, observe a possible infinite loop / hang.
Alternatively:
- Use a scenario where a wrong client secret is used and note that certificate reload still occurs.
- Inspect the changes from PR #3430 (Reload certificates for all client credential based issues) for details.
Error message
Error example (not certificate related):
AADSTS7000215: Invalid client secret is provided.
Expected only certificate-related errors like:
AADSTS7000274: Certificate is not within its validity period.
AADSTS7000277: Certificate was revoked.
Id Web logs
No response
Relevant code snippets
```csharp
// After PR #3430, the check became:
private bool IsInvalidClientCertificateOrSignedAssertionError(MsalServiceException exMsal)
{
    // Any invalid_client error now qualifies, as long as we have not retried yet.
    return !_retryClientCertificate &&
        string.Equals(exMsal.ErrorCode, Constants.InvalidClient, StringComparison.OrdinalIgnoreCase);
}
```
Previously, several error message checks ensured the retry was only for certificate-related causes.
Examples of errors that wrongly trigger a reload (each is reported as an invalid_client MsalServiceException but is unrelated to certificates):
❌ AADSTS7000215 - Invalid client secret (not certificate-related)
❌ AADSTS700016 - Application not found / wrong Client ID
❌ AADSTS7000222 - Invalid client secret provided (expired secret)
❌ AADSTS50011 - Invalid reply address configured
and possibly AADSTS50012 - Invalid client credentials (various causes), as cases where the reload should not be triggered.
Regression
Last worked when error check was limited to certificate errors, before PR #3430.
Expected behavior
Certificate reload logic should ONLY be triggered for errors directly related to the certificate—such as revocation, expiration, or an invalid client assertion signature. It should NOT be triggered for generic invalid_client errors like wrong client secret, missing client ID, or misconfigured credentials. The error filtering must be precise to prevent incorrect reloads and unnecessary application retries.
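To make the expected filtering concrete, here is an added example (not Microsoft.Identity.Web's own code) that places the broad post-#3430 predicate next to a narrowed one and runs both over constructed error messages; the certificate-related AADSTS codes it matches are only the two quoted in this issue, and the method and class names are hypothetical.

```csharp
using System;
using System.Linq;

// Added example, not the library's code. Error codes and messages are taken
// from this issue; the certificate code list is illustrative, not exhaustive.
public static class CertificateReloadFilter
{
    private const string InvalidClient = "invalid_client";

    // Certificate-related AADSTS codes quoted in the issue.
    private static readonly string[] CertificateErrorCodes =
    {
        "AADSTS7000274", // Certificate is not within its validity period.
        "AADSTS7000277", // Certificate was revoked.
    };

    // Behaviour after PR #3430: every invalid_client error triggers a reload.
    public static bool BroadCheck(string errorCode, bool alreadyRetried) =>
        !alreadyRetried &&
        string.Equals(errorCode, InvalidClient, StringComparison.OrdinalIgnoreCase);

    // Narrowed check: invalid_client AND the message names a certificate problem.
    public static bool NarrowCheck(string errorCode, string errorMessage, bool alreadyRetried) =>
        !alreadyRetried &&
        string.Equals(errorCode, InvalidClient, StringComparison.OrdinalIgnoreCase) &&
        errorMessage != null &&
        CertificateErrorCodes.Any(c => errorMessage.Contains(c, StringComparison.Ordinal));

    public static void Main()
    {
        // Constructed sample responses; all carry the error code invalid_client.
        var samples = new (string Message, bool ExpectReload)[]
        {
            ("AADSTS7000215: Invalid client secret is provided.", false),
            ("AADSTS700016: Application not found / wrong Client ID.", false),
            ("AADSTS7000274: Certificate is not within its validity period.", true),
            ("AADSTS7000277: Certificate was revoked.", true),
        };

        foreach (var (message, expectReload) in samples)
        {
            bool broad = BroadCheck(InvalidClient, alreadyRetried: false);
            bool narrow = NarrowCheck(InvalidClient, message, alreadyRetried: false);
            Console.WriteLine($"{message,-65} broad={broad} narrow={narrow} expected={expectReload}");
        }

        // The retry flag still guards the second attempt, so even a genuine
        // certificate error cannot reload more than once per acquisition.
        Console.WriteLine(NarrowCheck(InvalidClient, samples[2].Message, alreadyRetried: true));
    }
}
```

The broad predicate returns true for every row, which is the reported regression; the narrowed one reloads only for the two certificate rows and never on a second attempt.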