Copilot AI commented Nov 24, 2025

Throw InvalidOperationException with actionable message when custom credential not registered

  • You've read the Contributor Guide and Code of Conduct.
  • You've included unit or integration tests for your change, where applicable.
  • You've included inline docs for your change, where applicable.
  • There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Throw InvalidOperationException when custom credential not wired up

Description

Previously, forgetting to register a custom signed assertion provider (e.g., not calling services.AddOidcFic()) would log an error but continue execution, eventually causing MSAL to be called with WithClientAssertion(null) and throwing an obscure "Delegate is null" exception.

Now throws InvalidOperationException immediately with actionable guidance:

Before:

Delegate is null

After:

IDW10113: You configured a custom signed assertion with provider name 'OidcFic' but it was not found. 
Did you register it in the service collection? You need to add a reference to the credential package 
and call the appropriate registration method, e.g., services.AddOidcFic() or services.AddFmiSignedAssertion().

Changes

  • DefaultCredentialsLoader.CustomSignedAssertion.cs: Throw InvalidOperationException after logging when providers not registered, provider name missing, or provider not found
  • CertificateErrorMessage.cs: Enhanced error messages (IDW10112, IDW10113, IDW10114) with specific registration examples
  • CustomSignedAssertionProviderTests.cs: Updated 7 existing tests to validate exception throwing behavior
  • InternalAPI.Unshipped.txt: Documented changed internal API constants

Fixes #3652

Original prompt

This section details the original issue you should resolve

<issue_title>Misleading exception when app developer forgets to wire up a custom credential</issue_title>
<issue_description>### Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

3.x

Web app

Not Applicable

Web API

Not Applicable

Token cache serialization

Not Applicable

Description

When using a custom credential that has not been wired up, Microsoft.Identity.Web logs an error but proceeds further. This leads to a situation where an obscure exception occurs "Delegate is null". This is because ID.web eventually calls MSAL with WithClientAssertion(null)

It would be better to throw a meaningful exception instead.

The code is here:

private async Task ProcessCustomSignedAssertionAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters? parameters)
- instead of logging, throw ex

Reproduction steps

  1. Configure a custom credential in appsettings.config, e.g. FmiSignedAssertion or OidcFicAssertion
  2. Forget to wire up the credential, e.g. AddOidcFic()
  3. GetAuthorizationHeader

Actual: a "Delegate is null" exception is thrown
Expected: an exception with a message like "You configured a custom assertion but did not load it. Custom assertion name: OidcFic. You need to add a reference to the credential package and call services.AddXYZ, e.g. services.AddOidcFic"

Error message

No response

Id Web logs

No response

Relevant code snippets

n

Regression

No response

Expected behavior

throw better ex</issue_description>

<agent_instructions>Help me investigate and create a PR for this bug. At the end we would have custom exception and a unit test to validate that. Utilize any existing test classes to add a test case. The additions should be concise and not update anything else other than the fix and test. Thanks</agent_instructions>

Comments on the Issue (you are @copilot in this section)
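
The fail-fast behaviour this PR describes, sketched as an added example (not code from the PR or from Microsoft.Identity.Web). `IAssertionProvider` and `AssertionProviderResolver` are hypothetical names and the first two exception messages are constructed; only the IDW10113 wording comes from the description above.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

// Hypothetical stand-in for a custom signed assertion provider.
public interface IAssertionProvider
{
    string Name { get; }
    string GetSignedAssertion();
}

public sealed class AssertionProviderResolver
{
    private readonly Dictionary<string, IAssertionProvider> _providers;

    // 'registered' models what the DI container hands over; it is empty
    // (or null here) when the app never called a registration method.
    public AssertionProviderResolver(IEnumerable<IAssertionProvider>? registered)
    {
        _providers = new Dictionary<string, IAssertionProvider>(StringComparer.Ordinal);
        foreach (var p in registered ?? Array.Empty<IAssertionProvider>())
            _providers[p.Name] = p;
    }

    // Throw in each of the three cases the PR lists, so a null assertion
    // delegate never reaches the token-acquisition layer.
    public IAssertionProvider Resolve(string? configuredName)
    {
        if (_providers.Count == 0)                      // nothing registered
            throw new InvalidOperationException(
                "No custom signed assertion providers are registered."); // constructed text
        if (string.IsNullOrEmpty(configuredName))       // name missing in configuration
            throw new InvalidOperationException(
                "The credential has no custom signed assertion provider name."); // constructed text
        if (!_providers.TryGetValue(configuredName, out var provider)) // name not found
            throw new InvalidOperationException(
                $"IDW10113: You configured a custom signed assertion with provider name " +
                $"'{configuredName}' but it was not found. Did you register it in the service collection?");
        return provider;
    }
}

public static class Demo
{
    public static void Main()
    {
        var resolver = new AssertionProviderResolver(registered: null); // registration forgotten
        try { resolver.Resolve("OidcFic"); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```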



Copilot AI changed the title from "[WIP] Fix misleading exception for missing custom credential" to "Throw InvalidOperationException with actionable message when custom credential not registered" Nov 24, 2025
Copilot AI requested a review from neha-bhargava November 24, 2025 19:23
Copilot finished work on behalf of neha-bhargava November 24, 2025 19:23
neha-bhargava marked this pull request as ready for review December 2, 2025 19:07
neha-bhargava requested a review from a team as a code owner December 2, 2025 19:07
neha-bhargava left a comment

The changes look good to me.
