fix: allow clientSecretCertificateKeyVaultReference in AAD auth schema (#944)

LongOddCode · LongOddCode · commit 3cd64f9bcf28 · 2026-04-21T05:01:53.000Z
The staticwebapp.config.json schema for azureActiveDirectory.registration required clientSecretSettingName and did not allow clientSecretCertificateKeyVaultReference, causing 'swa deploy' to reject the documented cert-based auth shape (see Microsoft Learn: Custom authentication in Azure Static Web Apps). Changes: - Add clientSecretCertificateKeyVaultReference property. - Remove clientSecretSettingName from unconditional 'required'. - Add oneOf requiring exactly one of the two credentials, so validation still enforces that a credential is configured. Guidance from @Timothyw0 on the issue pointed to this exact schema location.
diff --git a/schema/staticwebapp.config.json b/schema/staticwebapp.config.json
@@ -81,7 +81,7 @@
                 },
                 "registration": {
                   "type": "object",
-                  "required": ["openIdIssuer", "clientSecretSettingName"],
+                  "required": ["openIdIssuer"],
                   "properties": {
                     "openIdIssuer": {
                       "type": "string",
@@ -93,9 +93,17 @@
                     },
                     "clientSecretSettingName": {
                       "type": "string",
-                      "description": "The name of the application setting containing the client secret for the Azure AD app registration"
+                      "description": "The name of the application setting containing the client secret for the Azure AD app registration. Mutually exclusive with clientSecretCertificateKeyVaultReference."
+                    },
+                    "clientSecretCertificateKeyVaultReference": {
+                      "type": "string",
+                      "description": "A Key Vault reference to a certificate used as the client credential for the Azure AD app registration. Use this instead of clientSecretSettingName when authenticating with a certificate stored in Key Vault. See https://aka.ms/swa-authentication-custom"
                     }
                   },
+                  "oneOf": [
+                    { "required": ["clientSecretSettingName"] },
+                    { "required": ["clientSecretCertificateKeyVaultReference"] }
+                  ],
                   "additionalProperties": false
                 },
                 "login": {
