Validate clientSignedAssertionProvider delegate is non-null in WithClientAssertion (#5956)

* Initial plan

* Add null validation for clientSignedAssertionProvider in WithClientAssertion overload

Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/sessions/4fd64a97-abf2-426f-aade-9b0760d58220

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>

* Move null check before ValidateUseOfExperimentalFeature in WithClientAssertion

Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/sessions/8a0460fe-58a4-4df1-8ed6-c46df4c6da03

Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: gladjohn <90415114+gladjohn@users.noreply.github.com>

Author: Copilot

src/client/Microsoft.Identity.Client/AppConfig/ConfidentialClientApplicationBuilder.cs

@@ -329,11 +329,17 @@ public ConfidentialClientApplicationBuilder WithClientAssertion(Func<AssertionRe
         /// langword="null"/>.</param>
         /// <returns>The <see cref="ConfidentialClientApplicationBuilder"/> instance configured with the specified client
         /// assertion.</returns>
-        /// <exception cref="MsalClientException">Thrown if <paramref name="clientSignedAssertionProvider"/> is <see langword="null"/>.</exception>
+        /// <exception cref="ArgumentNullException">Thrown if <paramref name="clientSignedAssertionProvider"/> is <see langword="null"/>.</exception>
         public ConfidentialClientApplicationBuilder WithClientAssertion(Func<AssertionRequestOptions,
             CancellationToken, Task<ClientSignedAssertion>> clientSignedAssertionProvider)
         {
+            if (clientSignedAssertionProvider == null)
+            {
+                throw new ArgumentNullException(nameof(clientSignedAssertionProvider));
+            }
+
             ValidateUseOfExperimentalFeature();
+
             return WithClientAssertionInternal(
                 clientSignedAssertionProvider: clientSignedAssertionProvider);
         }

tests/Microsoft.Identity.Test.Unit/PublicApiTests/ClientAssertionTests.cs

@@ -482,6 +482,29 @@ await AssertException.TaskThrowsAsync<MsalClientException>(() =>
                 .ConfigureAwait(false);
         }
 
+        [TestMethod]
+        public void ClientAssertion_NullClientSignedAssertionProvider_ThrowsArgumentNullException()
+        {
+            Func<AssertionRequestOptions, CancellationToken, Task<ClientSignedAssertion>> provider = null;
+
+            // Null check must occur before ValidateUseOfExperimentalFeature(), so passing null
+            // without enabling experimental features should still surface ArgumentNullException
+            // rather than MsalClientException.
+            var ex = AssertException.Throws<ArgumentNullException>(() =>
+                ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
+                    .WithClientAssertion(provider));
+
+            Assert.AreEqual("clientSignedAssertionProvider", ex.ParamName);
+
+            // Also verify the same when experimental features are explicitly enabled.
+            var ex2 = AssertException.Throws<ArgumentNullException>(() =>
+                ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
+                    .WithExperimentalFeatures(true)
+                    .WithClientAssertion(provider));
+
+            Assert.AreEqual("clientSignedAssertionProvider", ex2.ParamName);
+        }
+
         [TestMethod]
         public async Task ClientAssertion_CancellationTokenPropagatesAsync()
         {