Trigger metadata refresh for token decryption errors

src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateToken.Internal.cs

@@ -129,7 +129,7 @@ await ValidateJWEAsync(jsonWebToken, validationParameters, currentConfiguration,
                 return result;
             }
 
-            if (TokenUtilities.IsRecoverableExceptionType(result.UnwrapError().ExceptionType))
+            if (TokenUtilities.IsRecoverableExceptionType(result.UnwrapError().ExceptionType, (currentConfiguration != null && currentConfiguration.TokenDecryptionKeys.Count > 0)))
             {
                 // If we were still unable to validate, attempt to refresh the configuration and validate using it
                 // but ONLY if the currentConfiguration is not null. We want to avoid refreshing the configuration on

src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateToken.cs

@@ -511,7 +511,7 @@ await ValidateJWEAsync(jsonWebToken, validationParameters, currentConfiguration)
 
                     return tokenValidationResult;
                 }
-                else if (TokenUtilities.IsRecoverableException(tokenValidationResult.Exception))
+                else if (TokenUtilities.IsRecoverableException(tokenValidationResult.Exception, (currentConfiguration != null && currentConfiguration.TokenDecryptionKeys.Count > 0)))
                 {
                     // If we were still unable to validate, attempt to refresh the configuration and validate using it
                     // but ONLY if the currentConfiguration is not null. We want to avoid refreshing the configuration on

src/Microsoft.IdentityModel.Tokens/Exceptions/SecurityTokenEncryptionKeyNotFoundException.cs

@@ -24,7 +24,7 @@ public SecurityTokenEncryptionKeyNotFoundException()
         /// <summary>
         /// Initializes a new instance of the <see cref="SecurityTokenEncryptionKeyNotFoundException"/> class.
         /// </summary>
-        /// <param name="message">Addtional information to be included in the exception and displayed to user.</param>
+        /// <param name="message">Additional information to be included in the exception and displayed to user.</param>
         public SecurityTokenEncryptionKeyNotFoundException(string message)
             : base(message)
         {
@@ -33,7 +33,7 @@ public SecurityTokenEncryptionKeyNotFoundException(string message)
         /// <summary>
         /// Initializes a new instance of the <see cref="SecurityTokenEncryptionKeyNotFoundException"/> class.
         /// </summary>
-        /// <param name="message">Addtional information to be included in the exception and displayed to user.</param>
+        /// <param name="message">Additional information to be included in the exception and displayed to user.</param>
         /// <param name="innerException">A <see cref="Exception"/> that represents the root cause of the exception.</param>
         public SecurityTokenEncryptionKeyNotFoundException(string message, Exception innerException)
             : base(message, innerException)

src/Microsoft.IdentityModel.Tokens/Exceptions/SecurityTokenSignatureKeyNotFoundException.cs

@@ -23,7 +23,7 @@ public SecurityTokenSignatureKeyNotFoundException()
         /// <summary>
         /// Initializes a new instance of the <see cref="SecurityTokenSignatureKeyNotFoundException"/> class.
         /// </summary>
-        /// <param name="message">Addtional information to be included in the exception and displayed to user.</param>
+        /// <param name="message">Additional information to be included in the exception and displayed to user.</param>
         public SecurityTokenSignatureKeyNotFoundException(string message)
             : base(message)
         {
@@ -32,7 +32,7 @@ public SecurityTokenSignatureKeyNotFoundException(string message)
         /// <summary>
         /// Initializes a new instance of the <see cref="SecurityTokenSignatureKeyNotFoundException"/> class.
         /// </summary>
-        /// <param name="message">Addtional information to be included in the exception and displayed to user.</param>
+        /// <param name="message">Additional information to be included in the exception and displayed to user.</param>
         /// <param name="innerException">A <see cref="Exception"/> that represents the root cause of the exception.</param>
         public SecurityTokenSignatureKeyNotFoundException(string message, Exception innerException)
             : base(message, innerException)

src/Microsoft.IdentityModel.Tokens/InternalAPI.Unshipped.txt

@@ -50,6 +50,8 @@ override Microsoft.IdentityModel.Tokens.ValidatedTokenType.GetHashCode() -> int
 override Microsoft.IdentityModel.Tokens.ValidatedTokenType.ToString() -> string
 static Microsoft.IdentityModel.Telemetry.TelemetryDataRecorder.IncrementBackgroundConfigurationRefreshFailureCounter(in System.Diagnostics.TagList tagList) -> void
 static Microsoft.IdentityModel.Tokens.AppContextSwitches.UpdateConfigAsBlocking.get -> bool
+static Microsoft.IdentityModel.Tokens.TokenUtilities.IsRecoverableException(System.Exception exception, bool configContainsDecryptionKeys) -> bool
+static Microsoft.IdentityModel.Tokens.TokenUtilities.IsRecoverableExceptionType(System.Type exceptionType, bool configContainsDecryptionKeys) -> bool
 static Microsoft.IdentityModel.Tokens.ValidatedIssuer.operator !=(Microsoft.IdentityModel.Tokens.ValidatedIssuer left, Microsoft.IdentityModel.Tokens.ValidatedIssuer right) -> bool
 static Microsoft.IdentityModel.Tokens.ValidatedIssuer.operator ==(Microsoft.IdentityModel.Tokens.ValidatedIssuer left, Microsoft.IdentityModel.Tokens.ValidatedIssuer right) -> bool
 static Microsoft.IdentityModel.Tokens.ValidatedLifetime.operator !=(Microsoft.IdentityModel.Tokens.ValidatedLifetime left, Microsoft.IdentityModel.Tokens.ValidatedLifetime right) -> bool
@@ -63,4 +65,4 @@ static readonly Microsoft.IdentityModel.Telemetry.TelemetryDataRecorder.Backgrou
 static readonly Microsoft.IdentityModel.Tokens.IssuerValidationSource.IssuerMatchedConfiguration -> Microsoft.IdentityModel.Tokens.IssuerValidationSource
 static readonly Microsoft.IdentityModel.Tokens.IssuerValidationSource.IssuerMatchedValidationParameters -> Microsoft.IdentityModel.Tokens.IssuerValidationSource
 static readonly Microsoft.IdentityModel.Tokens.IssuerValidationSource.NotValidated -> Microsoft.IdentityModel.Tokens.IssuerValidationSource
-virtual Microsoft.IdentityModel.Tokens.ValidationError.CreateException() -> System.Exception
+virtual Microsoft.IdentityModel.Tokens.ValidationError.CreateException() -> System.Exception

src/Microsoft.IdentityModel.Tokens/TokenUtilities.cs

@@ -245,14 +245,17 @@ internal static IEnumerable<Claim> MergeClaims(IEnumerable<Claim> claims, IEnume
 
         /// <summary>
         /// Check whether the given exception type is recoverable by LKG.
+        /// Decryption error is only recoverable, if the configuration has decryption keys in it.
         /// </summary>
         /// <param name="exception">The exception to check.</param>
+        /// <param name="configContainsDecryptionKeys">Whether the configuration contains decryption keys.</param>
         /// <returns><c>true</c> if the exception is certain types of exceptions otherwise, <c>false</c>.</returns>
-        internal static bool IsRecoverableException(Exception exception)
+        internal static bool IsRecoverableException(Exception exception, bool configContainsDecryptionKeys)
         {
             return exception is SecurityTokenInvalidSignatureException
                   || exception is SecurityTokenInvalidIssuerException
-                  || exception is SecurityTokenSignatureKeyNotFoundException;
+                  || exception is SecurityTokenSignatureKeyNotFoundException
+                  || (exception is SecurityTokenDecryptionFailedException && configContainsDecryptionKeys);
         }
 
         /// <summary>
@@ -292,12 +295,14 @@ internal static bool IsRecoverableConfiguration(string kid, BaseConfiguration cu
         /// Check whether the given exception type is recoverable by LKG.
         /// </summary>
         /// <param name="exceptionType">The exception type to check</param>
+        /// <param name="configContainsDecryptionKeys">Whether the configuration contains decryption keys.</param>
         /// <returns><c>true</c> if the exception is certain types of exceptions otherwise, <c>false</c>.</returns>
-        internal static bool IsRecoverableExceptionType(Type exceptionType)
+        internal static bool IsRecoverableExceptionType(Type exceptionType, bool configContainsDecryptionKeys)
         {
             return exceptionType == typeof(SecurityTokenInvalidSignatureException) ||
                 exceptionType == typeof(SecurityTokenInvalidIssuerException) ||
-                exceptionType == typeof(SecurityTokenSignatureKeyNotFoundException);
+                exceptionType == typeof(SecurityTokenSignatureKeyNotFoundException) ||
+                (exceptionType == typeof(SecurityTokenDecryptionFailedException) && configContainsDecryptionKeys);
         }
 
         /// <summary>

src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs

@@ -883,7 +883,7 @@ private ClaimsPrincipal ValidateToken(string token, JwtSecurityToken outerToken,
 
                     return claimsPrincipal;
                 }
-                else if (TokenUtilities.IsRecoverableException(exceptionThrown.SourceException))
+                else if (TokenUtilities.IsRecoverableException(exceptionThrown.SourceException, (currentConfiguration != null && currentConfiguration.TokenDecryptionKeys.Count > 0)))
                 {
                     // If we were still unable to validate, attempt to refresh the configuration and validate using it
                     // but ONLY if the currentConfiguration is not null. We want to avoid refreshing the configuration on