From 3cd64f9bcf283001ed59582f94695879b2ea81b9 Mon Sep 17 00:00:00 2001
From: Long Hao
Date: Tue, 21 Apr 2026 05:01:53 +0000
Subject: [PATCH] fix: allow clientSecretCertificateKeyVaultReference in AAD auth schema (#944)

The staticwebapp.config.json schema for azureActiveDirectory.registration required clientSecretSettingName and did not allow clientSecretCertificateKeyVaultReference, causing 'swa deploy' to reject the documented cert-based auth shape (see Microsoft Learn: Custom authentication in Azure Static Web Apps).

Changes:
- Add clientSecretCertificateKeyVaultReference property.
- Remove clientSecretSettingName from unconditional 'required'.
- Add oneOf requiring exactly one of the two credentials, so validation still enforces that a credential is configured.

Guidance from @Timothyw0 on the issue pointed to this exact schema location.
---
 schema/staticwebapp.config.json | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/schema/staticwebapp.config.json b/schema/staticwebapp.config.json
index 3d36c64fb..0ceb7dc5a 100644
--- a/schema/staticwebapp.config.json
+++ b/schema/staticwebapp.config.json
@@ -81,7 +81,7 @@
 },
 "registration": {
 "type": "object",
- "required": ["openIdIssuer", "clientSecretSettingName"],
+ "required": ["openIdIssuer"],
 "properties": {
 "openIdIssuer": {
 "type": "string",
@@ -93,9 +93,17 @@
 },
 "clientSecretSettingName": {
 "type": "string",
- "description": "The name of the application setting containing the client secret for the Azure AD app registration"
+ "description": "The name of the application setting containing the client secret for the Azure AD app registration. Mutually exclusive with clientSecretCertificateKeyVaultReference."
+ },
+ "clientSecretCertificateKeyVaultReference": {
+ "type": "string",
+ "description": "A Key Vault reference to a certificate used as the client credential for the Azure AD app registration. Use this instead of clientSecretSettingName when authenticating with a certificate stored in Key Vault. See https://aka.ms/swa-authentication-custom"
 }
 },
+ "oneOf": [
+ { "required": ["clientSecretSettingName"] },
+ { "required": ["clientSecretCertificateKeyVaultReference"] }
+ ],
 "additionalProperties": false
 },
 "login": {
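Review bot: The `oneOf` added just before `"additionalProperties": false` checks only that one of the two keys is present, so `"clientSecretSettingName": ""` or an empty `clientSecretCertificateKeyVaultReference` still validates even though the commit message says a credential is now enforced; add `"minLength": 1` to both `"type": "string"` properties so an empty credential is rejected at `swa deploy` time instead of surfacing as a runtime login failure. `clientSecretCertificateKeyVaultReference` is otherwise an unconstrained string — if the reference syntax documented at the linked page has a fixed prefix, a `pattern` anchored on it would catch a pasted thumbprint or raw PEM before it is deployed, but confirm the exact shape against the docs before adding one. When both keys are set, most validators report only the generic `must match exactly one schema in oneOf`, and the `Mutually exclusive with …` sentence in the descriptions is the only hint the user gets; consider adding to the new property's description that `Exactly one of clientSecretSettingName or clientSecretCertificateKeyVaultReference must be set.` so the failure is self-explanatory.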