Fail Fast when ClientCredentials in appsettings not in the correct format #3431

@RyokaL

I'm not super familiar with the Identity Web package code flow, so raising a proposal. Happy to look into it in slower time to understand it more.

Summary

When ClientCredentials aren't in the correct format in appsettings, the code should fail when registering Services rather than later on - in this case failing when trying to validate a received token.

Motivation and goals

Had an issue with a web app, only when deployed to Azure, that was getting to the auth endpoint, allowing sign in, and then throwing a MSALClientException: "One client credential type required ...". This implies that it was reading the config and the client secret from the ClientCredentials section in order to get to the endpoint, but was unable to validate the returned token because the later code couldn't. The issue was I had the ClientCredentials section as an object and not an array of objects:

"ClientCredentials": { "SourceType": "ClientSecret", "ClientSecret": "" }

Instead of:

"ClientCredentials": [ { "SourceType": "ClientSecret", "ClientSecret": "" } ]

If the array is required, it should fail earlier as it was causing a lot of confusion that "No credential was available" despite requiring one to even reach the login endpoint. When not supplying a secret, but with the same format (object not array) I got the correct exception during service registration that "No Client Secret supplied". While this is a very minor issue, and could have been avoided with more careful config checking on my part, the different behaviour by different parts of the code made me assume it was potentially an Azure issue as it could clearly read the ClientCredential and reach the endpoint.

In scope

Throw exception when ClientCredentials is not an array with at least 1 item when trying to register IdentityWebAuthentication.

Out of scope

N/A

Risks / unknowns

N/A - should be a simple check when registering the configuration with no additional side effects.

Examples

Developer would get an exception when registering IdentityWebAuthentication or similar explaining the config is incorrect.
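
A startup check of the kind proposed above, as an added example that is not part of the original issue and is not Microsoft.Identity.Web code. The helper name `EnsureArray`, the `AzureAd` section name and the sample JSON are assumptions; it relies only on how `Microsoft.Extensions.Configuration` flattens JSON arrays to numeric child keys.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Text;
using Microsoft.Extensions.Configuration;

public static class ClientCredentialsShapeCheck
{
    // Hypothetical helper (not a Microsoft.Identity.Web API). Call it before
    // registering authentication so a malformed section stops startup.
    public static void EnsureArray(IConfiguration config, string section = "AzureAd")
    {
        IConfigurationSection creds = config.GetSection(section + ":ClientCredentials");
        var children = creds.GetChildren().ToList();

        // The configuration system flattens a JSON array to child keys "0", "1", ...
        // and a JSON object to its property names ("SourceType", "ClientSecret").
        bool isArray = children.Count > 0 &&
                       children.All(c => int.TryParse(c.Key, out int i) && i >= 0);
        if (!isArray)
            throw new InvalidOperationException(
                "'" + creds.Path + "' must be a JSON array containing at least one " +
                "credential object, not a single object or an empty value.");
    }

    private static IConfiguration Load(string json) =>
        new ConfigurationBuilder()
            .AddJsonStream(new MemoryStream(Encoding.UTF8.GetBytes(json)))
            .Build();

    public static void Main()
    {
        // Constructed sample settings; the secret value is a placeholder.
        string asObject = "{\"AzureAd\":{\"ClientCredentials\":" +
            "{\"SourceType\":\"ClientSecret\",\"ClientSecret\":\"placeholder\"}}}";
        string asArray = "{\"AzureAd\":{\"ClientCredentials\":" +
            "[{\"SourceType\":\"ClientSecret\",\"ClientSecret\":\"placeholder\"}]}}";

        EnsureArray(Load(asArray));               // array form passes silently
        try { EnsureArray(Load(asObject)); }      // object form is rejected at startup
        catch (InvalidOperationException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

Because the check reads the merged configuration rather than the JSON file, it also covers credentials supplied through environment variables or other providers that use numeric index keys.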
