Problem

Issue #944: swa deploy rejects the documented cert-based AAD custom-auth configuration with a schema validation error. The shape is published on Microsoft Learn (Custom authentication in Azure Static Web Apps) and uses clientSecretCertificateKeyVaultReference, but the CLI's staticwebapp.config.json schema does not allow it.

Root Cause

In schema/staticwebapp.config.json the azureActiveDirectory.registration object:

1. Declares clientSecretSettingName as unconditionally required.
2. Does not define clientSecretCertificateKeyVaultReference as an allowed property, so additionalProperties: false rejects it.

Both conditions together make the cert-based shape invalid. Maintainer @Timothyw0 confirmed on the issue that this exact file + line is where the change belongs.

Fix

The oneOf preserves the original intent — a credential must still be configured — while permitting either credential shape. additionalProperties: false is kept so unknown keys still fail validation.

Testing

• ✅ Existing shape with clientSecretSettingName still validates (covered by oneOf branch 1).
• ✅ New shape with clientSecretCertificateKeyVaultReference now validates (covered by oneOf branch 2).
• ✅ Missing both credentials fails validation (oneOf requires exactly one).
• ✅ Providing both credentials fails validation (oneOf rejects matches on both branches) — this is desirable because they are mutually exclusive at the platform level.
• ✅ Existing description text preserved; only the clientSecretSettingName description was extended to clarify mutual exclusion.

References

• Fixes Custom Cert Authentication not working with SWA deploy #944
• Docs: Custom authentication in Azure Static Web Apps
• Guidance comment: https://github.com/Azure/static-web-apps-cli/issues/944\#issuecomment pointer from @Timothyw0