Added retry counter for acquire token and modified added a test with …#3682
neha-bhargava
left a comment
This looks good. Another option would be to use the extensibility API https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/src/client/Microsoft.Identity.Client/Extensibility/ConfidentialClientApplicationBuilderExtensions.cs#L123. This way you would just have to configure the retry in the callback. Add it to the CCA builder. @bgavrilMS thoughts? I think that would be a cleaner approach.
neha-bhargava
left a comment
Approving if you would like to go with this approach.
But in this case, the entire TokenAcquirer needs to be reset, so as to force a certificate re-load:
I don't think this can be done with OnMsalFailure, because you can't get a CCA instance which was created with |

Fix Certificate Reload Infinite Recursion Bug
Description
Certificate reload logic was triggering for all invalid_client errors, not just certificate-related ones. This caused unnecessary retries for unrelated authentication failures like wrong passwords or missing app registrations.
Additionally, the shared _retryClientCertificate boolean flag had thread-safety issues in concurrent scenarios.
Solution
Restored specific error checking - Only reload certificates for actual cert errors:
• AADSTS700027 - Invalid key
• AADSTS700024 - Invalid time range
• AADSTS7000214 - Certificate revoked
• AADSTS1000502 - Certificate expired
Replaced shared flag with per-call counter - Each call tracks its own retry count (max 1 retry), preventing infinite loops and other conditions.
Fixes issues: #3654
Changes
• Added MaxCertificateRetries = 1 constant
• Updated IsInvalidClientCertificateOrSignedAssertionError(MsalServiceException) to accept retryCount parameter
• Retry logic now distinguishes between legitimate cert errors (can retry) vs config errors (no retry)
• Added retry counter tracking through token acquisition call stack
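The retry policy the description outlines, as an added example that is not the pull request's own code: a stand-in exception type (FakeMsalServiceException, constructed here in place of MsalServiceException) carries the OAuth error code and AADSTS message; IsInvalidClientCertificateError only admits a reload for the four AADSTS codes listed above and only while the per-call retryCount is below MaxCertificateRetries; AcquireTokenAsync threads that counter through the recursion instead of a shared boolean, so a wrong secret surfaces immediately and a persistent certificate error is retried exactly once. The acquire and reloadCertificate delegates and the sample messages are constructed for the example.

```csharp
using System;
using System.Threading.Tasks;

// Stand-in for MsalServiceException (constructed for this example): the real
// exception also exposes ErrorCode ("invalid_client") and the AADSTS text in Message.
public sealed class FakeMsalServiceException : Exception
{
    public string ErrorCode { get; }
    public FakeMsalServiceException(string errorCode, string message) : base(message)
        => ErrorCode = errorCode;
}

public static class CertificateRetryPolicy
{
    public const int MaxCertificateRetries = 1;

    // AADSTS codes that indicate a genuine client-certificate problem.
    private static readonly string[] CertificateErrorCodes =
    {
        "AADSTS700027",  // invalid key
        "AADSTS700024",  // invalid time range
        "AADSTS7000214", // certificate revoked
        "AADSTS1000502", // certificate expired
    };

    // Reload only for certificate errors, and only while the retry budget is unspent.
    public static bool IsInvalidClientCertificateError(FakeMsalServiceException ex, int retryCount)
    {
        if (retryCount >= MaxCertificateRetries) return false;   // already retried once
        if (ex.ErrorCode != "invalid_client") return false;       // not a client-credential error
        foreach (string code in CertificateErrorCodes)
        {
            if (ex.Message.Contains(code, StringComparison.Ordinal)) return true;
        }
        return false;  // wrong secret, unknown app registration, etc.: no reload
    }

    // Per-call counter passed down the recursion; no shared flag, so concurrent
    // callers cannot observe or clobber each other's retry state.
    public static async Task<string> AcquireTokenAsync(
        Func<Task<string>> acquire, Func<Task> reloadCertificate, int retryCount = 0)
    {
        try
        {
            return await acquire();
        }
        catch (FakeMsalServiceException ex) when (IsInvalidClientCertificateError(ex, retryCount))
        {
            await reloadCertificate();
            return await AcquireTokenAsync(acquire, reloadCertificate, retryCount + 1);
        }
    }
}

public static class Program
{
    public static async Task Main()
    {
        Func<Task> reload = () => { Console.WriteLine("  reloading certificate"); return Task.CompletedTask; };

        // 1. Expired certificate on the first attempt, success after one reload.
        int attempts = 0;
        Func<Task<string>> recovers = () =>
        {
            attempts++;
            if (attempts == 1)
                throw new FakeMsalServiceException("invalid_client", "AADSTS1000502: certificate expired (constructed)");
            return Task.FromResult("token-after-reload");
        };
        Console.WriteLine($"1: {await CertificateRetryPolicy.AcquireTokenAsync(recovers, reload)} after {attempts} attempts");

        // 2. Wrong client secret: invalid_client but not a certificate code, fails at once.
        Func<Task<string>> wrongSecret = () =>
            throw new FakeMsalServiceException("invalid_client", "AADSTS7000215: invalid client secret (constructed)");
        try { await CertificateRetryPolicy.AcquireTokenAsync(wrongSecret, reload); }
        catch (FakeMsalServiceException ex) { Console.WriteLine($"2: surfaced without reload: {ex.Message}"); }

        // 3. Certificate error that persists: exactly one reload, then the error surfaces.
        int persistentAttempts = 0;
        Func<Task<string>> persistent = () =>
        {
            persistentAttempts++;
            throw new FakeMsalServiceException("invalid_client", "AADSTS7000214: certificate revoked (constructed)");
        };
        try { await CertificateRetryPolicy.AcquireTokenAsync(persistent, reload); }
        catch (FakeMsalServiceException) { Console.WriteLine($"3: gave up after {persistentAttempts} attempts"); }
    }
}
```

The exception filter (`when (...)`) keeps the decision in one place: an error that is not a certificate problem, or a second certificate failure after the reload, falls through to the caller unchanged, which is the behaviour the description's "max 1 retry" is meant to guarantee.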