Skip to content

Improve IDW10109 error handling for credential loading failures#3946

Merged
Avery-Dunn merged 3 commits into
masterfrom
avdunn/idw10109-error-handling
Jul 15, 2026
Merged

Improve IDW10109 error handling for credential loading failures#3946
Avery-Dunn merged 3 commits into
masterfrom
avdunn/idw10109-error-handling

Conversation

@Avery-Dunn

Copy link
Copy Markdown
Contributor

When credential loading fails in CredentialsProvider (e.g., a Federated Identity Credential exchange returns an AADSTS error), the original exception is discarded. The thrown ArgumentException (IDW10109) includes the exception text in its message string but does not set InnerException, so callers cannot programmatically inspect the original error. The error text also implies the root cause is about the certificate and Managed Identity scenarios, but the exception catches a much broader range of errors (such as FIC/signed assertion scenarios).

Additionally, a catch (ArgumentException ex) when (ex.Message == ...) guard in TokenAcquisition.BuildConfidentialClientApplicationAsync used exact string equality against an IDW10109 error message constant. Because CredentialsProvider appends detail text and ArgumentException adds a parameter name suffix, the guard never matched, making it dead code. The outer catch (Exception ex) already logs and rethrows all errors from this method, so if it wasn't dead code it'd be logged twice unnecessarily.

Changes

Inner exception preservation (CredentialsProvider.cs)

Caught exceptions are now collected and passed as the InnerException when throwing IDW10109:

  • Single failure: InnerException is the original exception directly
  • Multiple failures: InnerException is an AggregateException containing all originals

Updated error text (IDWebErrorMessage.cs)

IDW10109 now mentions FIC/signed assertion scenarios and directs developers to check the inner exception for service-level error details such as AADSTS error codes.

Removed dead catch block (TokenAcquisition.cs)

Removed the inner catch (ArgumentException ex) when (...) block that was unreachable dead code. The outer catch (Exception ex) at the method level already provides equivalent logging via Logger.TokenAcquisitionError.

Removed unused duplicate (CertificateErrorMessage.cs)

Removed CertificateErrorMessage.ClientCertificatesHaveExpiredOrCannotBeLoaded, a duplicate IDW10109 definition with different wording that had zero references in source.

.gitignore: ignore MSBuild temp files

Added Temp/ to .gitignore. The .NET 9+ SDK writes MSBuild temp files to a Temp/ folder inside the repo root, which showed up as untracked files.

Tests

Two new tests in WithClientCredentialsTests.cs:

Test Verifies
AllCredentialsFail_SingleFailure_PreservesInnerExceptionAndErrorText MsalServiceException is set as InnerException with AADSTS error code accessible; error text includes FIC guidance
AllCredentialsFail_MultipleFailures_PreservesAllExceptionsViaAggregateException Multiple failures produce AggregateException inner containing all original exceptions

@Avery-Dunn Avery-Dunn requested a review from a team as a code owner July 14, 2026 18:19

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves debuggability of IDW10109 (“No credential could be loaded”) by preserving the original credential-loading exception(s) as InnerException (or AggregateException) so callers can programmatically inspect MSAL/AADSTS failures, and removes now-redundant logging logic.

Changes:

  • Preserve original credential-loading failures as InnerException when throwing IDW10109 from CredentialsProvider.
  • Update IDW10109 text to cover signed assertion/FIC scenarios; remove dead catch in TokenAcquisition and an unused duplicate error constant.
  • Add unit tests for single vs. multiple failures; ignore repo-root Temp/ MSBuild temp output via .gitignore.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
tests/Microsoft.Identity.Web.Test/Certificates/WithClientCredentialsTests.cs Adds tests asserting IDW10109 preserves inner exception(s) and includes updated guidance text.
src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs Removes unreachable IDW10109-specific catch/logging to avoid dead code and double logging.
src/Microsoft.Identity.Web.TokenAcquisition/IDWebErrorMessage.cs Updates the IDW10109 message to cover signed assertion/FIC failures and point to inner exception details.
src/Microsoft.Identity.Web.TokenAcquisition/CredentialsProvider.cs Collects credential-loading exceptions and attaches them as InnerException (or AggregateException) on IDW10109.
src/Microsoft.Identity.Web.Certificate/CertificateErrorMessage.cs Removes an unused duplicate IDW10109 constant.
.gitignore Ignores repo-root Temp/ directory created by newer SDK/MSBuild temp output.

Comment thread src/Microsoft.Identity.Web.TokenAcquisition/IDWebErrorMessage.cs
@Avery-Dunn Avery-Dunn merged commit e2a28b8 into master Jul 15, 2026
7 checks passed
@Avery-Dunn Avery-Dunn deleted the avdunn/idw10109-error-handling branch July 15, 2026 20:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants