Misleading exception when app developer forgets to wire up a custom credential

[bgavrilMS]

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

3.x

Web app

Not Applicable

Web API

Not Applicable

Token cache serialization

Not Applicable

Description

When using a custom credential that has not been wired up, Microsoft.Identity.Web logs an error but proceeds further. This leads to a situation where an obscure exception occurs "Delegate is null". This is because ID.web eventually calls MSAL with WithClientAssertion(null)

It would be better to throw a meaningful exception instead.

The code is here:

microsoft-identity-web/src/Microsoft.Identity.Web.Certificate/DefaultCredentialsLoader.CustomSignedAssertion.cs

Line 46 in 3ec9ba8

private async Task ProcessCustomSignedAssertionAsync(CredentialDescription credentialDescription, CredentialSourceLoaderParameters? parameters)

- instead of logging, throw ex

Reproduction steps

1. Configure a custom credential in appsetttings.config, e.g. FmiSignedAssertion or OidcFicAssertion
2. Forget to wire up the credential, e.g. AddOidcFic()
3. GetAuthorizationHeader

Actual: a "Delegate is null" exception is thrown
Expected: an exception with a message like "You configured a custom assertion but did not load it. Custom assertion name: OidcFic. You need to add a reference to the credential package and call services.AddXYZ, e.g. services.AddOidcFic"

Error message

No response

Id Web logs

No response

Relevant code snippets

n

Regression

No response

Expected behavior

throw better ex