Allow multiple certificate observers

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net462/InternalAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+readonly Microsoft.Identity.Web.TokenAcquisition._certificatesObservers -> Microsoft.Identity.Web.Experimental.ICertificatesObserver![]!

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net472/InternalAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+readonly Microsoft.Identity.Web.TokenAcquisition._certificatesObservers -> Microsoft.Identity.Web.Experimental.ICertificatesObserver![]!

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net8.0/InternalAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+readonly Microsoft.Identity.Web.TokenAcquisition._certificatesObservers -> Microsoft.Identity.Web.Experimental.ICertificatesObserver![]!

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net9.0/InternalAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+readonly Microsoft.Identity.Web.TokenAcquisition._certificatesObservers -> Microsoft.Identity.Web.Experimental.ICertificatesObserver![]!

src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/netstandard2.0/InternalAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+readonly Microsoft.Identity.Web.TokenAcquisition._certificatesObservers -> Microsoft.Identity.Web.Experimental.ICertificatesObserver![]!

src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs

@@ -58,9 +58,12 @@ class OAuthConstants
         protected readonly IServiceProvider _serviceProvider;
         protected readonly ITokenAcquisitionHost _tokenAcquisitionHost;
         protected readonly ICredentialsLoader _credentialsLoader;
-        protected readonly ICertificatesObserver? _certificatesObserver;
+        protected readonly ICertificatesObserver[] _certificatesObservers;
         protected readonly IOptionsMonitor<TokenAcquisitionExtensionOptions>? tokenAcquisitionExtensionOptionsMonitor;
 
+        [Obsolete("Use _certificatesObservers instead.")]
+        protected readonly ICertificatesObserver? _certificatesObserver;
+
         /// <summary>
         /// Scopes which are already requested by MSAL.NET. They should not be re-requested;.
         /// </summary>
@@ -106,7 +109,10 @@ public TokenAcquisition(
             _serviceProvider = serviceProvider;
             _tokenAcquisitionHost = tokenAcquisitionHost;
             _credentialsLoader = credentialsLoader;
+            _certificatesObservers = [.. serviceProvider.GetServices<ICertificatesObserver>()];
+#pragma warning disable CS0618 // Type or member is obsolete. Setup for backward compatibility.
             _certificatesObserver = serviceProvider.GetService<ICertificatesObserver>();
+#pragma warning restore CS0618 // Type or member is obsolete
             tokenAcquisitionExtensionOptionsMonitor = serviceProvider.GetService<IOptionsMonitor<TokenAcquisitionExtensionOptions>>();
             _miHttpFactory = serviceProvider.GetService<IManagedIdentityTestHttpClientFactory>();
         }
@@ -1024,17 +1030,19 @@ private void NotifyCertificateSelection(
             Exception? exception)
         {
             X509Certificate2 selectedCertificate = app.AppConfig.ClientCredentialCertificate;
-            if (_certificatesObserver != null
-                && selectedCertificate != null)
+            if (selectedCertificate != null)
             {
-                _certificatesObserver.OnClientCertificateChanged(
-                    new CertificateChangeEventArg()
-                    {
-                        Action = action,
-                        Certificate = app.AppConfig.ClientCredentialCertificate,
-                        CredentialDescription = mergedOptions.ClientCredentials?.FirstOrDefault(c => c.Certificate == selectedCertificate),
-                        ThrownException = exception,
-                    });
+                for (int i = 0; i < _certificatesObservers.Length; i++)
+                {
+                    _certificatesObservers[i].OnClientCertificateChanged(
+                        new CertificateChangeEventArg()
+                        {
+                            Action = action,
+                            Certificate = app.AppConfig.ClientCredentialCertificate,
+                            CredentialDescription = mergedOptions.ClientCredentials?.FirstOrDefault(c => c.Certificate == selectedCertificate),
+                            ThrownException = exception,
+                        });
+                }
             }
         }