[Feature Request] When ESTS sends a 401 because a certificate is revoked due to a rotation, attempt to reload once (like when the certificate has expired) #2444

@jmprieur

Description

Is your feature request related to a problem? Please describe.
Today, Microsoft identity web detects that a certificate has an invalid key or has expired (Constants.InvalidKeyError or Constants.SignedAssertionInvalidTimeRange), and retries to load the certificate from the certificate description.

See:

    private bool IsInvalidClientCertificateOrSignedAssertionError(MsalServiceException exMsal)
    {
        return !_retryClientCertificate &&
            string.Equals(exMsal.ErrorCode, Constants.InvalidClient, StringComparison.OrdinalIgnoreCase) &&
    #if !NETSTANDARD2_0 && !NET462 && !NET472
            (exMsal.Message.Contains(Constants.InvalidKeyError, StringComparison.OrdinalIgnoreCase)
             || exMsal.Message.Contains(Constants.SignedAssertionInvalidTimeRange, StringComparison.OrdinalIgnoreCase));
    #else
            (exMsal.Message.Contains(Constants.InvalidKeyError) || exMsal.Message.Contains(Constants.SignedAssertionInvalidTimeRange));
    #endif
    }

with:

    internal const string InvalidKeyError = "AADSTS700027";
    internal const string SignedAssertionInvalidTimeRange = "AADSTS700024";

It does not look at the "certificate revoked" event ()

Describe the solution you'd like
Amend the IsInvalidClientCertificateOrSignedAssertionError method to add a test for AADSTS7000214: Certificate has been revoked.
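The reload-once behaviour the issue describes, extended with the revoked-certificate code, as an added stand-alone example (not microsoft-identity-web's own code): MsalServiceException is replaced by a small TokenError record, the token call and the certificate reload by delegates, and the "invalid_client" error-code string and the 7000214 code are taken from the issue text.

```csharp
using System;

public sealed record TokenError(string ErrorCode, string Message);

public static class CertificateRetryPolicy
{
    // AADSTS codes quoted in the issue; the revoked code is the one the issue asks to add.
    public const string InvalidClient = "invalid_client";   // assumed value of Constants.InvalidClient
    public const string InvalidKeyError = "AADSTS700027";
    public const string SignedAssertionInvalidTimeRange = "AADSTS700024";
    public const string CertificateRevoked = "AADSTS7000214";

    // True only when the 401 is caused by the client certificate itself (bad key,
    // assertion outside its time window, or revoked). Any other error is not retried.
    public static bool IsClientCertificateError(TokenError error) =>
        string.Equals(error.ErrorCode, InvalidClient, StringComparison.OrdinalIgnoreCase) &&
        (error.Message.Contains(InvalidKeyError, StringComparison.OrdinalIgnoreCase)
         || error.Message.Contains(SignedAssertionInvalidTimeRange, StringComparison.OrdinalIgnoreCase)
         || error.Message.Contains(CertificateRevoked, StringComparison.OrdinalIgnoreCase));

    // acquire: returns null on success, or the error returned by the token endpoint.
    // reload: re-reads the certificate from its description (Key Vault, store, file path).
    // The certificate is reloaded at most once, mirroring the _retryClientCertificate guard.
    public static bool AcquireWithOneReload(Func<TokenError?> acquire, Action reload)
    {
        bool retried = false;
        while (true)
        {
            TokenError? error = acquire();
            if (error is null) return true;
            if (retried || !IsClientCertificateError(error)) return false;
            retried = true;   // a second failure of any kind is surfaced to the caller
            reload();
        }
    }

    public static void Main()
    {
        // Constructed scenario: the first call fails because the rotated certificate was
        // revoked, the reload picks up the new certificate, and the second call succeeds.
        int calls = 0;
        bool ok = AcquireWithOneReload(
            acquire: () => calls++ == 0
                ? new TokenError("invalid_client", "AADSTS7000214: Certificate has been revoked.")
                : null,
            reload: () => Console.WriteLine("reloading certificate from its description"));
        Console.WriteLine(ok ? "token acquired after one reload" : "failed");
    }
}
```

The guard matters for safety as well as correctness: without it a revoked certificate that reloads to the same revoked material would retry against the token endpoint indefinitely.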
