@azure/msal-browser 4.25.1 → 4.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (322) hide show
  1. package/dist/app/IPublicClientApplication.mjs +1 -1
  2. package/dist/app/PublicClientApplication.mjs +1 -1
  3. package/dist/app/PublicClientNext.mjs +1 -1
  4. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
  5. package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  6. package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  7. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +1 -1
  8. package/dist/cache/AccountManager.mjs +1 -1
  9. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  10. package/dist/cache/BrowserCacheManager.d.ts +64 -7
  11. package/dist/cache/BrowserCacheManager.d.ts.map +1 -1
  12. package/dist/cache/BrowserCacheManager.mjs +400 -141
  13. package/dist/cache/BrowserCacheManager.mjs.map +1 -1
  14. package/dist/cache/CacheHelpers.mjs +1 -1
  15. package/dist/cache/CacheKeys.d.ts +3 -3
  16. package/dist/cache/CacheKeys.mjs +4 -4
  17. package/dist/cache/CookieStorage.mjs +1 -1
  18. package/dist/cache/DatabaseStorage.mjs +1 -1
  19. package/dist/cache/EncryptedData.mjs +1 -1
  20. package/dist/cache/IWindowStorage.d.ts +1 -1
  21. package/dist/cache/IWindowStorage.d.ts.map +1 -1
  22. package/dist/cache/LocalStorage.d.ts +1 -1
  23. package/dist/cache/LocalStorage.d.ts.map +1 -1
  24. package/dist/cache/LocalStorage.mjs +21 -12
  25. package/dist/cache/LocalStorage.mjs.map +1 -1
  26. package/dist/cache/MemoryStorage.mjs +1 -1
  27. package/dist/cache/SessionStorage.mjs +1 -1
  28. package/dist/cache/TokenCache.d.ts.map +1 -1
  29. package/dist/cache/TokenCache.mjs +14 -13
  30. package/dist/cache/TokenCache.mjs.map +1 -1
  31. package/dist/config/Configuration.mjs +1 -1
  32. package/dist/controllers/ControllerFactory.mjs +1 -1
  33. package/dist/controllers/NestedAppAuthController.d.ts.map +1 -1
  34. package/dist/controllers/NestedAppAuthController.mjs +3 -3
  35. package/dist/controllers/NestedAppAuthController.mjs.map +1 -1
  36. package/dist/controllers/StandardController.d.ts.map +1 -1
  37. package/dist/controllers/StandardController.mjs +3 -3
  38. package/dist/controllers/StandardController.mjs.map +1 -1
  39. package/dist/controllers/UnknownOperatingContextController.mjs +1 -1
  40. package/dist/crypto/BrowserCrypto.mjs +1 -1
  41. package/dist/crypto/CryptoOps.mjs +1 -1
  42. package/dist/crypto/PkceGenerator.mjs +1 -1
  43. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  44. package/dist/custom-auth-path/app/PublicClientApplication.mjs +1 -1
  45. package/dist/custom-auth-path/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
  46. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  47. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  48. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthProvider.mjs +1 -1
  49. package/dist/custom-auth-path/cache/AccountManager.mjs +1 -1
  50. package/dist/custom-auth-path/cache/AsyncMemoryStorage.mjs +1 -1
  51. package/dist/custom-auth-path/cache/BrowserCacheManager.d.ts +64 -7
  52. package/dist/custom-auth-path/cache/BrowserCacheManager.d.ts.map +1 -1
  53. package/dist/custom-auth-path/cache/BrowserCacheManager.mjs +400 -141
  54. package/dist/custom-auth-path/cache/BrowserCacheManager.mjs.map +1 -1
  55. package/dist/custom-auth-path/cache/CacheHelpers.mjs +1 -1
  56. package/dist/custom-auth-path/cache/CacheKeys.d.ts +3 -3
  57. package/dist/custom-auth-path/cache/CacheKeys.mjs +4 -4
  58. package/dist/custom-auth-path/cache/CookieStorage.mjs +1 -1
  59. package/dist/custom-auth-path/cache/DatabaseStorage.mjs +1 -1
  60. package/dist/custom-auth-path/cache/EncryptedData.mjs +1 -1
  61. package/dist/custom-auth-path/cache/IWindowStorage.d.ts +1 -1
  62. package/dist/custom-auth-path/cache/IWindowStorage.d.ts.map +1 -1
  63. package/dist/custom-auth-path/cache/LocalStorage.d.ts +1 -1
  64. package/dist/custom-auth-path/cache/LocalStorage.d.ts.map +1 -1
  65. package/dist/custom-auth-path/cache/LocalStorage.mjs +21 -12
  66. package/dist/custom-auth-path/cache/LocalStorage.mjs.map +1 -1
  67. package/dist/custom-auth-path/cache/MemoryStorage.mjs +1 -1
  68. package/dist/custom-auth-path/cache/SessionStorage.mjs +1 -1
  69. package/dist/custom-auth-path/cache/TokenCache.d.ts.map +1 -1
  70. package/dist/custom-auth-path/cache/TokenCache.mjs +14 -13
  71. package/dist/custom-auth-path/cache/TokenCache.mjs.map +1 -1
  72. package/dist/custom-auth-path/config/Configuration.mjs +1 -1
  73. package/dist/custom-auth-path/controllers/ControllerFactory.mjs +1 -1
  74. package/dist/custom-auth-path/controllers/NestedAppAuthController.d.ts.map +1 -1
  75. package/dist/custom-auth-path/controllers/StandardController.d.ts.map +1 -1
  76. package/dist/custom-auth-path/controllers/StandardController.mjs +3 -3
  77. package/dist/custom-auth-path/controllers/StandardController.mjs.map +1 -1
  78. package/dist/custom-auth-path/crypto/BrowserCrypto.mjs +1 -1
  79. package/dist/custom-auth-path/crypto/CryptoOps.mjs +1 -1
  80. package/dist/custom-auth-path/crypto/PkceGenerator.mjs +1 -1
  81. package/dist/custom-auth-path/custom_auth/CustomAuthConstants.d.ts +1 -1
  82. package/dist/custom-auth-path/custom_auth/CustomAuthConstants.mjs +1 -1
  83. package/dist/custom-auth-path/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
  84. package/dist/custom-auth-path/custom_auth/controller/CustomAuthStandardController.mjs +1 -1
  85. package/dist/custom-auth-path/custom_auth/core/CustomAuthAuthority.mjs +1 -1
  86. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
  87. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
  88. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
  89. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
  90. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
  91. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
  92. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
  93. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
  94. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
  95. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +1 -1
  96. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
  97. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
  98. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
  99. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
  100. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
  101. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +1 -1
  102. package/dist/custom-auth-path/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
  103. package/dist/custom-auth-path/custom_auth/core/error/CustomAuthError.mjs +1 -1
  104. package/dist/custom-auth-path/custom_auth/core/error/HttpError.mjs +1 -1
  105. package/dist/custom-auth-path/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
  106. package/dist/custom-auth-path/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
  107. package/dist/custom-auth-path/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
  108. package/dist/custom-auth-path/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
  109. package/dist/custom-auth-path/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
  110. package/dist/custom-auth-path/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
  111. package/dist/custom-auth-path/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
  112. package/dist/custom-auth-path/custom_auth/core/error/ParsedUrlError.mjs +1 -1
  113. package/dist/custom-auth-path/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
  114. package/dist/custom-auth-path/custom_auth/core/error/UnexpectedError.mjs +1 -1
  115. package/dist/custom-auth-path/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
  116. package/dist/custom-auth-path/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
  117. package/dist/custom-auth-path/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
  118. package/dist/custom-auth-path/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
  119. package/dist/custom-auth-path/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
  120. package/dist/custom-auth-path/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
  121. package/dist/custom-auth-path/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
  122. package/dist/custom-auth-path/custom_auth/core/interaction_client/mfa/MfaClient.mjs +1 -1
  123. package/dist/custom-auth-path/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
  124. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +1 -1
  125. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +1 -1
  126. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
  127. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
  128. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +1 -1
  129. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +1 -1
  130. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +1 -1
  131. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
  132. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
  133. package/dist/custom-auth-path/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +1 -1
  134. package/dist/custom-auth-path/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
  135. package/dist/custom-auth-path/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
  136. package/dist/custom-auth-path/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
  137. package/dist/custom-auth-path/custom_auth/core/utils/UrlUtils.mjs +1 -1
  138. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +1 -1
  139. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
  140. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
  141. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
  142. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
  143. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
  144. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
  145. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
  146. package/dist/custom-auth-path/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +1 -1
  147. package/dist/custom-auth-path/custom_auth/index.mjs +1 -1
  148. package/dist/custom-auth-path/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
  149. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
  150. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
  151. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
  152. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
  153. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
  154. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +1 -1
  155. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
  156. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
  157. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +1 -1
  158. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
  159. package/dist/custom-auth-path/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +1 -1
  160. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
  161. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
  162. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
  163. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
  164. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
  165. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
  166. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +1 -1
  167. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
  168. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +1 -1
  169. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
  170. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +1 -1
  171. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
  172. package/dist/custom-auth-path/custom_auth/sign_in/interaction_client/SignInClient.mjs +1 -1
  173. package/dist/custom-auth-path/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
  174. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
  175. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
  176. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
  177. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
  178. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
  179. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
  180. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +1 -1
  181. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +1 -1
  182. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
  183. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
  184. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +1 -1
  185. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
  186. package/dist/custom-auth-path/custom_auth/sign_up/interaction_client/SignUpClient.mjs +1 -1
  187. package/dist/custom-auth-path/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
  188. package/dist/custom-auth-path/encode/Base64Decode.mjs +1 -1
  189. package/dist/custom-auth-path/encode/Base64Encode.mjs +1 -1
  190. package/dist/custom-auth-path/error/BrowserAuthError.mjs +1 -1
  191. package/dist/custom-auth-path/error/BrowserAuthErrorCodes.mjs +1 -1
  192. package/dist/custom-auth-path/error/BrowserConfigurationAuthError.mjs +1 -1
  193. package/dist/custom-auth-path/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  194. package/dist/custom-auth-path/error/NativeAuthError.mjs +1 -1
  195. package/dist/custom-auth-path/error/NativeAuthErrorCodes.mjs +1 -1
  196. package/dist/custom-auth-path/event/EventHandler.mjs +1 -1
  197. package/dist/custom-auth-path/event/EventType.mjs +1 -1
  198. package/dist/custom-auth-path/interaction_client/BaseInteractionClient.mjs +1 -1
  199. package/dist/custom-auth-path/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  200. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.d.ts +1 -1
  201. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  202. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.mjs +7 -7
  203. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
  204. package/dist/custom-auth-path/interaction_client/PopupClient.mjs +1 -1
  205. package/dist/custom-auth-path/interaction_client/RedirectClient.mjs +1 -1
  206. package/dist/custom-auth-path/interaction_client/SilentAuthCodeClient.mjs +1 -1
  207. package/dist/custom-auth-path/interaction_client/SilentCacheClient.mjs +1 -1
  208. package/dist/custom-auth-path/interaction_client/SilentIframeClient.mjs +1 -1
  209. package/dist/custom-auth-path/interaction_client/SilentRefreshClient.mjs +1 -1
  210. package/dist/custom-auth-path/interaction_client/StandardInteractionClient.mjs +1 -1
  211. package/dist/custom-auth-path/interaction_handler/InteractionHandler.mjs +1 -1
  212. package/dist/custom-auth-path/interaction_handler/SilentHandler.mjs +1 -1
  213. package/dist/custom-auth-path/navigation/NavigationClient.mjs +1 -1
  214. package/dist/custom-auth-path/network/FetchClient.mjs +1 -1
  215. package/dist/custom-auth-path/operatingcontext/BaseOperatingContext.mjs +1 -1
  216. package/dist/custom-auth-path/operatingcontext/StandardOperatingContext.mjs +1 -1
  217. package/dist/custom-auth-path/packageMetadata.d.ts +1 -1
  218. package/dist/custom-auth-path/packageMetadata.mjs +2 -2
  219. package/dist/custom-auth-path/protocol/Authorize.mjs +1 -1
  220. package/dist/custom-auth-path/request/RequestHelpers.mjs +1 -1
  221. package/dist/custom-auth-path/response/ResponseHandler.mjs +1 -1
  222. package/dist/custom-auth-path/utils/BrowserConstants.mjs +1 -1
  223. package/dist/custom-auth-path/utils/BrowserProtocolUtils.mjs +1 -1
  224. package/dist/custom-auth-path/utils/BrowserUtils.mjs +1 -1
  225. package/dist/custom-auth-path/utils/Helpers.mjs +1 -1
  226. package/dist/custom-auth-path/utils/MsalFrameStatsUtils.mjs +1 -1
  227. package/dist/custom_auth/CustomAuthConstants.d.ts +1 -1
  228. package/dist/encode/Base64Decode.mjs +1 -1
  229. package/dist/encode/Base64Encode.mjs +1 -1
  230. package/dist/error/BrowserAuthError.mjs +1 -1
  231. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  232. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  233. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  234. package/dist/error/NativeAuthError.mjs +1 -1
  235. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  236. package/dist/error/NestedAppAuthError.mjs +1 -1
  237. package/dist/event/EventHandler.mjs +1 -1
  238. package/dist/event/EventMessage.mjs +1 -1
  239. package/dist/event/EventType.mjs +1 -1
  240. package/dist/index.mjs +1 -1
  241. package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
  242. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  243. package/dist/interaction_client/PlatformAuthInteractionClient.d.ts +1 -1
  244. package/dist/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  245. package/dist/interaction_client/PlatformAuthInteractionClient.mjs +7 -7
  246. package/dist/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
  247. package/dist/interaction_client/PopupClient.mjs +1 -1
  248. package/dist/interaction_client/RedirectClient.mjs +1 -1
  249. package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
  250. package/dist/interaction_client/SilentCacheClient.mjs +1 -1
  251. package/dist/interaction_client/SilentIframeClient.mjs +1 -1
  252. package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
  253. package/dist/interaction_client/StandardInteractionClient.mjs +1 -1
  254. package/dist/interaction_handler/InteractionHandler.mjs +1 -1
  255. package/dist/interaction_handler/SilentHandler.mjs +1 -1
  256. package/dist/naa/BridgeError.mjs +1 -1
  257. package/dist/naa/BridgeProxy.mjs +1 -1
  258. package/dist/naa/BridgeStatusCode.mjs +1 -1
  259. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +1 -1
  260. package/dist/navigation/NavigationClient.mjs +1 -1
  261. package/dist/network/FetchClient.mjs +1 -1
  262. package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
  263. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  264. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  265. package/dist/operatingcontext/UnknownOperatingContext.mjs +1 -1
  266. package/dist/packageMetadata.d.ts +1 -1
  267. package/dist/packageMetadata.mjs +2 -2
  268. package/dist/protocol/Authorize.mjs +1 -1
  269. package/dist/request/RequestHelpers.mjs +1 -1
  270. package/dist/response/ResponseHandler.mjs +1 -1
  271. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  272. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  273. package/dist/utils/BrowserConstants.mjs +1 -1
  274. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  275. package/dist/utils/BrowserUtils.mjs +1 -1
  276. package/dist/utils/Helpers.mjs +1 -1
  277. package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
  278. package/lib/custom-auth-path/msal-custom-auth.cjs +1237 -947
  279. package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
  280. package/lib/custom-auth-path/types/cache/BrowserCacheManager.d.ts +64 -7
  281. package/lib/custom-auth-path/types/cache/BrowserCacheManager.d.ts.map +1 -1
  282. package/lib/custom-auth-path/types/cache/CacheKeys.d.ts +3 -3
  283. package/lib/custom-auth-path/types/cache/IWindowStorage.d.ts +1 -1
  284. package/lib/custom-auth-path/types/cache/IWindowStorage.d.ts.map +1 -1
  285. package/lib/custom-auth-path/types/cache/LocalStorage.d.ts +1 -1
  286. package/lib/custom-auth-path/types/cache/LocalStorage.d.ts.map +1 -1
  287. package/lib/custom-auth-path/types/cache/TokenCache.d.ts.map +1 -1
  288. package/lib/custom-auth-path/types/controllers/NestedAppAuthController.d.ts.map +1 -1
  289. package/lib/custom-auth-path/types/controllers/StandardController.d.ts.map +1 -1
  290. package/lib/custom-auth-path/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  291. package/lib/custom-auth-path/types/interaction_client/PlatformAuthInteractionClient.d.ts +1 -1
  292. package/lib/custom-auth-path/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  293. package/lib/custom-auth-path/types/packageMetadata.d.ts +1 -1
  294. package/lib/msal-browser.cjs +946 -656
  295. package/lib/msal-browser.cjs.map +1 -1
  296. package/lib/msal-browser.js +946 -656
  297. package/lib/msal-browser.js.map +1 -1
  298. package/lib/msal-browser.min.js +67 -67
  299. package/lib/types/cache/BrowserCacheManager.d.ts +64 -7
  300. package/lib/types/cache/BrowserCacheManager.d.ts.map +1 -1
  301. package/lib/types/cache/CacheKeys.d.ts +3 -3
  302. package/lib/types/cache/IWindowStorage.d.ts +1 -1
  303. package/lib/types/cache/IWindowStorage.d.ts.map +1 -1
  304. package/lib/types/cache/LocalStorage.d.ts +1 -1
  305. package/lib/types/cache/LocalStorage.d.ts.map +1 -1
  306. package/lib/types/cache/TokenCache.d.ts.map +1 -1
  307. package/lib/types/controllers/NestedAppAuthController.d.ts.map +1 -1
  308. package/lib/types/controllers/StandardController.d.ts.map +1 -1
  309. package/lib/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  310. package/lib/types/interaction_client/PlatformAuthInteractionClient.d.ts +1 -1
  311. package/lib/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  312. package/lib/types/packageMetadata.d.ts +1 -1
  313. package/package.json +2 -2
  314. package/src/cache/BrowserCacheManager.ts +738 -225
  315. package/src/cache/CacheKeys.ts +3 -3
  316. package/src/cache/IWindowStorage.ts +2 -1
  317. package/src/cache/LocalStorage.ts +30 -17
  318. package/src/cache/TokenCache.ts +33 -12
  319. package/src/controllers/NestedAppAuthController.ts +3 -1
  320. package/src/controllers/StandardController.ts +3 -1
  321. package/src/interaction_client/PlatformAuthInteractionClient.ts +15 -5
  322. package/src/packageMetadata.ts +1 -1
@@ -1,8 +1,8 @@
1
- /*! @azure/msal-browser v4.25.1 2025-10-17 */
1
+ /*! @azure/msal-browser v4.26.0 2025-10-29 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
5
- /*! @azure/msal-common v15.13.0 2025-10-17 */
5
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6
6
  /*
7
7
  * Copyright (c) Microsoft Corporation. All rights reserved.
8
8
  * Licensed under the MIT License.
@@ -279,7 +279,7 @@ const JsonWebTokenTypes = {
279
279
  // Token renewal offset default in seconds
280
280
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
281
281
 
282
- /*! @azure/msal-common v15.13.0 2025-10-17 */
282
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
283
283
  /*
284
284
  * Copyright (c) Microsoft Corporation. All rights reserved.
285
285
  * Licensed under the MIT License.
@@ -296,7 +296,7 @@ var AuthErrorCodes = /*#__PURE__*/Object.freeze({
296
296
  unexpectedError: unexpectedError
297
297
  });
298
298
 
299
- /*! @azure/msal-common v15.13.0 2025-10-17 */
299
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
300
300
 
301
301
  /*
302
302
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -345,7 +345,7 @@ function createAuthError(code, additionalMessage) {
345
345
  : AuthErrorMessages[code]);
346
346
  }
347
347
 
348
- /*! @azure/msal-common v15.13.0 2025-10-17 */
348
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
349
349
  /*
350
350
  * Copyright (c) Microsoft Corporation. All rights reserved.
351
351
  * Licensed under the MIT License.
@@ -443,7 +443,7 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
443
443
  userTimeoutReached: userTimeoutReached
444
444
  });
445
445
 
446
- /*! @azure/msal-common v15.13.0 2025-10-17 */
446
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
447
447
 
448
448
  /*
449
449
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -695,7 +695,7 @@ function createClientAuthError(errorCode, additionalMessage) {
695
695
  return new ClientAuthError(errorCode, additionalMessage);
696
696
  }
697
697
 
698
- /*! @azure/msal-common v15.13.0 2025-10-17 */
698
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
699
699
 
700
700
  /*
701
701
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -734,7 +734,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
734
734
  },
735
735
  };
736
736
 
737
- /*! @azure/msal-common v15.13.0 2025-10-17 */
737
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
738
738
 
739
739
  /*
740
740
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -925,12 +925,12 @@ class Logger {
925
925
  }
926
926
  }
927
927
 
928
- /*! @azure/msal-common v15.13.0 2025-10-17 */
928
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
929
929
  /* eslint-disable header/header */
930
930
  const name$1 = "@azure/msal-common";
931
- const version$1 = "15.13.0";
931
+ const version$1 = "15.13.1";
932
932
 
933
- /*! @azure/msal-common v15.13.0 2025-10-17 */
933
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
934
934
  /*
935
935
  * Copyright (c) Microsoft Corporation. All rights reserved.
936
936
  * Licensed under the MIT License.
@@ -950,7 +950,7 @@ const AzureCloudInstance = {
950
950
  AzureUsGovernment: "https://login.microsoftonline.us",
951
951
  };
952
952
 
953
- /*! @azure/msal-common v15.13.0 2025-10-17 */
953
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
954
954
  /*
955
955
  * Copyright (c) Microsoft Corporation. All rights reserved.
956
956
  * Licensed under the MIT License.
@@ -1006,7 +1006,7 @@ var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
1006
1006
  urlParseError: urlParseError
1007
1007
  });
1008
1008
 
1009
- /*! @azure/msal-common v15.13.0 2025-10-17 */
1009
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1010
1010
 
1011
1011
  /*
1012
1012
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1149,7 +1149,7 @@ function createClientConfigurationError(errorCode) {
1149
1149
  return new ClientConfigurationError(errorCode);
1150
1150
  }
1151
1151
 
1152
- /*! @azure/msal-common v15.13.0 2025-10-17 */
1152
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1153
1153
  /*
1154
1154
  * Copyright (c) Microsoft Corporation. All rights reserved.
1155
1155
  * Licensed under the MIT License.
@@ -1246,7 +1246,7 @@ class StringUtils {
1246
1246
  }
1247
1247
  }
1248
1248
 
1249
- /*! @azure/msal-common v15.13.0 2025-10-17 */
1249
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1250
1250
 
1251
1251
  /*
1252
1252
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1441,7 +1441,47 @@ class ScopeSet {
1441
1441
  }
1442
1442
  }
1443
1443
 
1444
- /*! @azure/msal-common v15.13.0 2025-10-17 */
1444
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1445
+
1446
+ /*
1447
+ * Copyright (c) Microsoft Corporation. All rights reserved.
1448
+ * Licensed under the MIT License.
1449
+ */
1450
+ /**
1451
+ * Function to build a client info object from server clientInfo string
1452
+ * @param rawClientInfo
1453
+ * @param crypto
1454
+ */
1455
+ function buildClientInfo(rawClientInfo, base64Decode) {
1456
+ if (!rawClientInfo) {
1457
+ throw createClientAuthError(clientInfoEmptyError);
1458
+ }
1459
+ try {
1460
+ const decodedClientInfo = base64Decode(rawClientInfo);
1461
+ return JSON.parse(decodedClientInfo);
1462
+ }
1463
+ catch (e) {
1464
+ throw createClientAuthError(clientInfoDecodingError);
1465
+ }
1466
+ }
1467
+ /**
1468
+ * Function to build a client info object from cached homeAccountId string
1469
+ * @param homeAccountId
1470
+ */
1471
+ function buildClientInfoFromHomeAccountId(homeAccountId) {
1472
+ if (!homeAccountId) {
1473
+ throw createClientAuthError(clientInfoDecodingError);
1474
+ }
1475
+ const clientInfoParts = homeAccountId.split(Separators.CLIENT_INFO_SEPARATOR, 2);
1476
+ return {
1477
+ uid: clientInfoParts[0],
1478
+ utid: clientInfoParts.length < 2
1479
+ ? Constants.EMPTY_STRING
1480
+ : clientInfoParts[1],
1481
+ };
1482
+ }
1483
+
1484
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1445
1485
  /*
1446
1486
  * Copyright (c) Microsoft Corporation. All rights reserved.
1447
1487
  * Licensed under the MIT License.
@@ -1523,7 +1563,289 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
1523
1563
  return updatedAccountInfo;
1524
1564
  }
1525
1565
 
1526
- /*! @azure/msal-common v15.13.0 2025-10-17 */
1566
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1567
+ /*
1568
+ * Copyright (c) Microsoft Corporation. All rights reserved.
1569
+ * Licensed under the MIT License.
1570
+ */
1571
+ /**
1572
+ * Authority types supported by MSAL.
1573
+ */
1574
+ const AuthorityType = {
1575
+ Default: 0,
1576
+ Adfs: 1,
1577
+ Dsts: 2,
1578
+ Ciam: 3,
1579
+ };
1580
+
1581
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1582
+ /*
1583
+ * Copyright (c) Microsoft Corporation. All rights reserved.
1584
+ * Licensed under the MIT License.
1585
+ */
1586
+ /**
1587
+ * Gets tenantId from available ID token claims to set as credential realm with the following precedence:
1588
+ * 1. tid - if the token is acquired from an Azure AD tenant tid will be present
1589
+ * 2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
1590
+ * 3. acr - if the token is acquired from a legacy B2C tenant acr should be present
1591
+ * Downcased to match the realm case-insensitive comparison requirements
1592
+ * @param idTokenClaims
1593
+ * @returns
1594
+ */
1595
+ function getTenantIdFromIdTokenClaims(idTokenClaims) {
1596
+ if (idTokenClaims) {
1597
+ const tenantId = idTokenClaims.tid || idTokenClaims.tfp || idTokenClaims.acr;
1598
+ return tenantId || null;
1599
+ }
1600
+ return null;
1601
+ }
1602
+
1603
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1604
+ /*
1605
+ * Copyright (c) Microsoft Corporation. All rights reserved.
1606
+ * Licensed under the MIT License.
1607
+ */
1608
+ /**
1609
+ * Protocol modes supported by MSAL.
1610
+ */
1611
+ const ProtocolMode = {
1612
+ /**
1613
+ * Auth Code + PKCE with Entra ID (formerly AAD) specific optimizations and features
1614
+ */
1615
+ AAD: "AAD",
1616
+ /**
1617
+ * Auth Code + PKCE without Entra ID specific optimizations and features. For use only with non-Microsoft owned authorities.
1618
+ * Support is limited for this mode.
1619
+ */
1620
+ OIDC: "OIDC",
1621
+ /**
1622
+ * Encrypted Authorize Response (EAR) with Entra ID specific optimizations and features
1623
+ */
1624
+ EAR: "EAR",
1625
+ };
1626
+
1627
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1628
+
1629
+ /*
1630
+ * Copyright (c) Microsoft Corporation. All rights reserved.
1631
+ * Licensed under the MIT License.
1632
+ */
1633
+ /**
1634
+ * Type that defines required and optional parameters for an Account field (based on universal cache schema implemented by all MSALs).
1635
+ *
1636
+ * Key : Value Schema
1637
+ *
1638
+ * Key: <home_account_id>-<environment>-<realm*>
1639
+ *
1640
+ * Value Schema:
1641
+ * {
1642
+ * homeAccountId: home account identifier for the auth scheme,
1643
+ * environment: entity that issued the token, represented as a full host
1644
+ * realm: Full tenant or organizational identifier that the account belongs to
1645
+ * localAccountId: Original tenant-specific accountID, usually used for legacy cases
1646
+ * username: primary username that represents the user, usually corresponds to preferred_username in the v2 endpt
1647
+ * authorityType: Accounts authority type as a string
1648
+ * name: Full name for the account, including given name and family name,
1649
+ * lastModificationTime: last time this entity was modified in the cache
1650
+ * lastModificationApp:
1651
+ * nativeAccountId: Account identifier on the native device
1652
+ * tenantProfiles: Array of tenant profile objects for each tenant that the account has authenticated with in the browser
1653
+ * }
1654
+ * @internal
1655
+ */
1656
+ class AccountEntity {
1657
+ /**
1658
+ * Returns the AccountInfo interface for this account.
1659
+ */
1660
+ static getAccountInfo(accountEntity) {
1661
+ return {
1662
+ homeAccountId: accountEntity.homeAccountId,
1663
+ environment: accountEntity.environment,
1664
+ tenantId: accountEntity.realm,
1665
+ username: accountEntity.username,
1666
+ localAccountId: accountEntity.localAccountId,
1667
+ loginHint: accountEntity.loginHint,
1668
+ name: accountEntity.name,
1669
+ nativeAccountId: accountEntity.nativeAccountId,
1670
+ authorityType: accountEntity.authorityType,
1671
+ // Deserialize tenant profiles array into a Map
1672
+ tenantProfiles: new Map((accountEntity.tenantProfiles || []).map((tenantProfile) => {
1673
+ return [tenantProfile.tenantId, tenantProfile];
1674
+ })),
1675
+ dataBoundary: accountEntity.dataBoundary,
1676
+ };
1677
+ }
1678
+ /**
1679
+ * Returns true if the account entity is in single tenant format (outdated), false otherwise
1680
+ */
1681
+ isSingleTenant() {
1682
+ return !this.tenantProfiles;
1683
+ }
1684
+ /**
1685
+ * Build Account cache from IdToken, clientInfo and authority/policy. Associated with AAD.
1686
+ * @param accountDetails
1687
+ */
1688
+ static createAccount(accountDetails, authority, base64Decode) {
1689
+ const account = new AccountEntity();
1690
+ if (authority.authorityType === AuthorityType.Adfs) {
1691
+ account.authorityType = CacheAccountType.ADFS_ACCOUNT_TYPE;
1692
+ }
1693
+ else if (authority.protocolMode === ProtocolMode.OIDC) {
1694
+ account.authorityType = CacheAccountType.GENERIC_ACCOUNT_TYPE;
1695
+ }
1696
+ else {
1697
+ account.authorityType = CacheAccountType.MSSTS_ACCOUNT_TYPE;
1698
+ }
1699
+ let clientInfo;
1700
+ if (accountDetails.clientInfo && base64Decode) {
1701
+ clientInfo = buildClientInfo(accountDetails.clientInfo, base64Decode);
1702
+ if (clientInfo.xms_tdbr) {
1703
+ account.dataBoundary =
1704
+ clientInfo.xms_tdbr === "EU" ? "EU" : "None";
1705
+ }
1706
+ }
1707
+ account.clientInfo = accountDetails.clientInfo;
1708
+ account.homeAccountId = accountDetails.homeAccountId;
1709
+ account.nativeAccountId = accountDetails.nativeAccountId;
1710
+ const env = accountDetails.environment ||
1711
+ (authority && authority.getPreferredCache());
1712
+ if (!env) {
1713
+ throw createClientAuthError(invalidCacheEnvironment);
1714
+ }
1715
+ account.environment = env;
1716
+ // non AAD scenarios can have empty realm
1717
+ account.realm =
1718
+ clientInfo?.utid ||
1719
+ getTenantIdFromIdTokenClaims(accountDetails.idTokenClaims) ||
1720
+ "";
1721
+ // How do you account for MSA CID here?
1722
+ account.localAccountId =
1723
+ clientInfo?.uid ||
1724
+ accountDetails.idTokenClaims?.oid ||
1725
+ accountDetails.idTokenClaims?.sub ||
1726
+ "";
1727
+ /*
1728
+ * In B2C scenarios the emails claim is used instead of preferred_username and it is an array.
1729
+ * In most cases it will contain a single email. This field should not be relied upon if a custom
1730
+ * policy is configured to return more than 1 email.
1731
+ */
1732
+ const preferredUsername = accountDetails.idTokenClaims?.preferred_username ||
1733
+ accountDetails.idTokenClaims?.upn;
1734
+ const email = accountDetails.idTokenClaims?.emails
1735
+ ? accountDetails.idTokenClaims.emails[0]
1736
+ : null;
1737
+ account.username = preferredUsername || email || "";
1738
+ account.loginHint = accountDetails.idTokenClaims?.login_hint;
1739
+ account.name = accountDetails.idTokenClaims?.name || "";
1740
+ account.cloudGraphHostName = accountDetails.cloudGraphHostName;
1741
+ account.msGraphHost = accountDetails.msGraphHost;
1742
+ if (accountDetails.tenantProfiles) {
1743
+ account.tenantProfiles = accountDetails.tenantProfiles;
1744
+ }
1745
+ else {
1746
+ const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, account.localAccountId, account.realm, accountDetails.idTokenClaims);
1747
+ account.tenantProfiles = [tenantProfile];
1748
+ }
1749
+ return account;
1750
+ }
1751
+ /**
1752
+ * Creates an AccountEntity object from AccountInfo
1753
+ * @param accountInfo
1754
+ * @param cloudGraphHostName
1755
+ * @param msGraphHost
1756
+ * @returns
1757
+ */
1758
+ static createFromAccountInfo(accountInfo, cloudGraphHostName, msGraphHost) {
1759
+ const account = new AccountEntity();
1760
+ account.authorityType =
1761
+ accountInfo.authorityType || CacheAccountType.GENERIC_ACCOUNT_TYPE;
1762
+ account.homeAccountId = accountInfo.homeAccountId;
1763
+ account.localAccountId = accountInfo.localAccountId;
1764
+ account.nativeAccountId = accountInfo.nativeAccountId;
1765
+ account.realm = accountInfo.tenantId;
1766
+ account.environment = accountInfo.environment;
1767
+ account.username = accountInfo.username;
1768
+ account.name = accountInfo.name;
1769
+ account.loginHint = accountInfo.loginHint;
1770
+ account.cloudGraphHostName = cloudGraphHostName;
1771
+ account.msGraphHost = msGraphHost;
1772
+ // Serialize tenant profiles map into an array
1773
+ account.tenantProfiles = Array.from(accountInfo.tenantProfiles?.values() || []);
1774
+ account.dataBoundary = accountInfo.dataBoundary;
1775
+ return account;
1776
+ }
1777
+ /**
1778
+ * Generate HomeAccountId from server response
1779
+ * @param serverClientInfo
1780
+ * @param authType
1781
+ */
1782
+ static generateHomeAccountId(serverClientInfo, authType, logger, cryptoObj, idTokenClaims) {
1783
+ // since ADFS/DSTS do not have tid and does not set client_info
1784
+ if (!(authType === AuthorityType.Adfs ||
1785
+ authType === AuthorityType.Dsts)) {
1786
+ // for cases where there is clientInfo
1787
+ if (serverClientInfo) {
1788
+ try {
1789
+ const clientInfo = buildClientInfo(serverClientInfo, cryptoObj.base64Decode);
1790
+ if (clientInfo.uid && clientInfo.utid) {
1791
+ return `${clientInfo.uid}.${clientInfo.utid}`;
1792
+ }
1793
+ }
1794
+ catch (e) { }
1795
+ }
1796
+ logger.warning("No client info in response");
1797
+ }
1798
+ // default to "sub" claim
1799
+ return idTokenClaims?.sub || "";
1800
+ }
1801
+ /**
1802
+ * Validates an entity: checks for all expected params
1803
+ * @param entity
1804
+ */
1805
+ static isAccountEntity(entity) {
1806
+ if (!entity) {
1807
+ return false;
1808
+ }
1809
+ return (entity.hasOwnProperty("homeAccountId") &&
1810
+ entity.hasOwnProperty("environment") &&
1811
+ entity.hasOwnProperty("realm") &&
1812
+ entity.hasOwnProperty("localAccountId") &&
1813
+ entity.hasOwnProperty("username") &&
1814
+ entity.hasOwnProperty("authorityType"));
1815
+ }
1816
+ /**
1817
+ * Helper function to determine whether 2 accountInfo objects represent the same account
1818
+ * @param accountA
1819
+ * @param accountB
1820
+ * @param compareClaims - If set to true idTokenClaims will also be compared to determine account equality
1821
+ */
1822
+ static accountInfoIsEqual(accountA, accountB, compareClaims) {
1823
+ if (!accountA || !accountB) {
1824
+ return false;
1825
+ }
1826
+ let claimsMatch = true; // default to true so as to not fail comparison below if compareClaims: false
1827
+ if (compareClaims) {
1828
+ const accountAClaims = (accountA.idTokenClaims ||
1829
+ {});
1830
+ const accountBClaims = (accountB.idTokenClaims ||
1831
+ {});
1832
+ // issued at timestamp and nonce are expected to change each time a new id token is acquired
1833
+ claimsMatch =
1834
+ accountAClaims.iat === accountBClaims.iat &&
1835
+ accountAClaims.nonce === accountBClaims.nonce;
1836
+ }
1837
+ return (accountA.homeAccountId === accountB.homeAccountId &&
1838
+ accountA.localAccountId === accountB.localAccountId &&
1839
+ accountA.username === accountB.username &&
1840
+ accountA.tenantId === accountB.tenantId &&
1841
+ accountA.loginHint === accountB.loginHint &&
1842
+ accountA.environment === accountB.environment &&
1843
+ accountA.nativeAccountId === accountB.nativeAccountId &&
1844
+ claimsMatch);
1845
+ }
1846
+ }
1847
+
1848
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1527
1849
 
1528
1850
  /*
1529
1851
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1546,6 +1868,26 @@ function extractTokenClaims(encodedToken, base64Decode) {
1546
1868
  throw createClientAuthError(tokenParsingError);
1547
1869
  }
1548
1870
  }
1871
+ /**
1872
+ * Check if the signin_state claim contains "kmsi"
1873
+ * @param idTokenClaims
1874
+ * @returns
1875
+ */
1876
+ function isKmsi(idTokenClaims) {
1877
+ if (!idTokenClaims.signin_state) {
1878
+ return false;
1879
+ }
1880
+ /**
1881
+ * Signin_state claim known values:
1882
+ * dvc_mngd - device is managed
1883
+ * dvc_dmjd - device is domain joined
1884
+ * kmsi - user opted to "keep me signed in"
1885
+ * inknownntwk - Request made inside a known network. Don't use this, use CAE instead.
1886
+ */
1887
+ const kmsiClaims = ["kmsi", "dvc_dmjd"]; // There are some cases where kmsi may not be returned but persistent storage is still OK - allow dvc_dmjd as well
1888
+ const kmsi = idTokenClaims.signin_state.some((value) => kmsiClaims.includes(value.trim().toLowerCase()));
1889
+ return kmsi;
1890
+ }
1549
1891
  /**
1550
1892
  * decode a JWT
1551
1893
  *
@@ -1584,7 +1926,7 @@ function checkMaxAge(authTime, maxAge) {
1584
1926
  }
1585
1927
  }
1586
1928
 
1587
- /*! @azure/msal-common v15.13.0 2025-10-17 */
1929
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1588
1930
 
1589
1931
  /*
1590
1932
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1700,7 +2042,7 @@ function normalizeUrlForComparison(url) {
1700
2042
  }
1701
2043
  }
1702
2044
 
1703
- /*! @azure/msal-common v15.13.0 2025-10-17 */
2045
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1704
2046
 
1705
2047
  /*
1706
2048
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1864,7 +2206,7 @@ class UrlString {
1864
2206
  }
1865
2207
  }
1866
2208
 
1867
- /*! @azure/msal-common v15.13.0 2025-10-17 */
2209
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1868
2210
 
1869
2211
  /*
1870
2212
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2003,7 +2345,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
2003
2345
  return null;
2004
2346
  }
2005
2347
 
2006
- /*! @azure/msal-common v15.13.0 2025-10-17 */
2348
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
2007
2349
  /*
2008
2350
  * Copyright (c) Microsoft Corporation. All rights reserved.
2009
2351
  * Licensed under the MIT License.
@@ -2011,7 +2353,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
2011
2353
  const cacheQuotaExceeded = "cache_quota_exceeded";
2012
2354
  const cacheErrorUnknown = "cache_error_unknown";
2013
2355
 
2014
- /*! @azure/msal-common v15.13.0 2025-10-17 */
2356
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
2015
2357
 
2016
2358
  /*
2017
2359
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2056,7 +2398,7 @@ function createCacheError(e) {
2056
2398
  }
2057
2399
  }
2058
2400
 
2059
- /*! @azure/msal-common v15.13.0 2025-10-17 */
2401
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
2060
2402
 
2061
2403
  /*
2062
2404
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2115,7 +2457,7 @@ class CacheManager {
2115
2457
  getBaseAccountInfo(accountFilter, correlationId) {
2116
2458
  const accountEntities = this.getAccountsFilteredBy(accountFilter, correlationId);
2117
2459
  if (accountEntities.length > 0) {
2118
- return accountEntities[0].getAccountInfo();
2460
+ return AccountEntity.getAccountInfo(accountEntities[0]);
2119
2461
  }
2120
2462
  else {
2121
2463
  return null;
@@ -2154,7 +2496,7 @@ class CacheManager {
2154
2496
  return tenantedAccountInfo;
2155
2497
  }
2156
2498
  getTenantProfilesFromAccountEntity(accountEntity, correlationId, targetTenantId, tenantProfileFilter) {
2157
- const accountInfo = accountEntity.getAccountInfo();
2499
+ const accountInfo = AccountEntity.getAccountInfo(accountEntity);
2158
2500
  let searchTenantProfiles = accountInfo.tenantProfiles || new Map();
2159
2501
  const tokenKeys = this.getTokenKeys();
2160
2502
  // If a tenant ID was provided, only return the tenant profile for that tenant ID if it exists
@@ -2224,27 +2566,28 @@ class CacheManager {
2224
2566
  /**
2225
2567
  * saves a cache record
2226
2568
  * @param cacheRecord {CacheRecord}
2227
- * @param storeInCache {?StoreInCache}
2228
2569
  * @param correlationId {?string} correlation id
2570
+ * @param kmsi - Keep Me Signed In
2571
+ * @param storeInCache {?StoreInCache}
2229
2572
  */
2230
- async saveCacheRecord(cacheRecord, correlationId, storeInCache) {
2573
+ async saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache) {
2231
2574
  if (!cacheRecord) {
2232
2575
  throw createClientAuthError(invalidCacheRecord);
2233
2576
  }
2234
2577
  try {
2235
2578
  if (!!cacheRecord.account) {
2236
- await this.setAccount(cacheRecord.account, correlationId);
2579
+ await this.setAccount(cacheRecord.account, correlationId, kmsi);
2237
2580
  }
2238
2581
  if (!!cacheRecord.idToken && storeInCache?.idToken !== false) {
2239
- await this.setIdTokenCredential(cacheRecord.idToken, correlationId);
2582
+ await this.setIdTokenCredential(cacheRecord.idToken, correlationId, kmsi);
2240
2583
  }
2241
2584
  if (!!cacheRecord.accessToken &&
2242
2585
  storeInCache?.accessToken !== false) {
2243
- await this.saveAccessToken(cacheRecord.accessToken, correlationId);
2586
+ await this.saveAccessToken(cacheRecord.accessToken, correlationId, kmsi);
2244
2587
  }
2245
2588
  if (!!cacheRecord.refreshToken &&
2246
2589
  storeInCache?.refreshToken !== false) {
2247
- await this.setRefreshTokenCredential(cacheRecord.refreshToken, correlationId);
2590
+ await this.setRefreshTokenCredential(cacheRecord.refreshToken, correlationId, kmsi);
2248
2591
  }
2249
2592
  if (!!cacheRecord.appMetadata) {
2250
2593
  this.setAppMetadata(cacheRecord.appMetadata, correlationId);
@@ -2264,7 +2607,7 @@ class CacheManager {
2264
2607
  * saves access token credential
2265
2608
  * @param credential
2266
2609
  */
2267
- async saveAccessToken(credential, correlationId) {
2610
+ async saveAccessToken(credential, correlationId, kmsi) {
2268
2611
  const accessTokenFilter = {
2269
2612
  clientId: credential.clientId,
2270
2613
  credentialType: credential.credentialType,
@@ -2289,7 +2632,7 @@ class CacheManager {
2289
2632
  }
2290
2633
  }
2291
2634
  });
2292
- await this.setAccessTokenCredential(credential, correlationId);
2635
+ await this.setAccessTokenCredential(credential, correlationId, kmsi);
2293
2636
  }
2294
2637
  /**
2295
2638
  * Retrieve account entities matching all provided tenant-agnostic filters; if no filter is set, get all account entities in the cache
@@ -3165,31 +3508,7 @@ class DefaultStorageClass extends CacheManager {
3165
3508
  }
3166
3509
  }
3167
3510
 
3168
- /*! @azure/msal-common v15.13.0 2025-10-17 */
3169
- /*
3170
- * Copyright (c) Microsoft Corporation. All rights reserved.
3171
- * Licensed under the MIT License.
3172
- */
3173
- /**
3174
- * Protocol modes supported by MSAL.
3175
- */
3176
- const ProtocolMode = {
3177
- /**
3178
- * Auth Code + PKCE with Entra ID (formerly AAD) specific optimizations and features
3179
- */
3180
- AAD: "AAD",
3181
- /**
3182
- * Auth Code + PKCE without Entra ID specific optimizations and features. For use only with non-Microsoft owned authorities.
3183
- * Support is limited for this mode.
3184
- */
3185
- OIDC: "OIDC",
3186
- /**
3187
- * Encrypted Authorize Response (EAR) with Entra ID specific optimizations and features
3188
- */
3189
- EAR: "EAR",
3190
- };
3191
-
3192
- /*! @azure/msal-common v15.13.0 2025-10-17 */
3511
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
3193
3512
  /*
3194
3513
  * Copyright (c) Microsoft Corporation. All rights reserved.
3195
3514
  * Licensed under the MIT License.
@@ -3711,7 +4030,7 @@ const IntFields = new Set([
3711
4030
  "upgradedCacheCount",
3712
4031
  ]);
3713
4032
 
3714
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4033
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
3715
4034
 
3716
4035
  /*
3717
4036
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3790,7 +4109,7 @@ class StubPerformanceClient {
3790
4109
  }
3791
4110
  }
3792
4111
 
3793
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4112
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
3794
4113
 
3795
4114
  /*
3796
4115
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3868,79 +4187,39 @@ function buildClientConfiguration({ authOptions: userAuthOptions, systemOptions:
3868
4187
  serializableCache: serializableCache || null,
3869
4188
  };
3870
4189
  }
3871
- /**
3872
- * Construct authoptions from the client and platform passed values
3873
- * @param authOptions
3874
- */
3875
- function buildAuthOptions(authOptions) {
3876
- return {
3877
- clientCapabilities: [],
3878
- azureCloudOptions: DEFAULT_AZURE_CLOUD_OPTIONS,
3879
- skipAuthorityMetadataCache: false,
3880
- instanceAware: false,
3881
- encodeExtraQueryParams: false,
3882
- ...authOptions,
3883
- };
3884
- }
3885
- /**
3886
- * Returns true if config has protocolMode set to ProtocolMode.OIDC, false otherwise
3887
- * @param ClientConfiguration
3888
- */
3889
- function isOidcProtocolMode(config) {
3890
- return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3891
- }
3892
-
3893
- /*! @azure/msal-common v15.13.0 2025-10-17 */
3894
- /*
3895
- * Copyright (c) Microsoft Corporation. All rights reserved.
3896
- * Licensed under the MIT License.
3897
- */
3898
- const CcsCredentialType = {
3899
- HOME_ACCOUNT_ID: "home_account_id",
3900
- UPN: "UPN",
3901
- };
3902
-
3903
- /*! @azure/msal-common v15.13.0 2025-10-17 */
3904
-
3905
- /*
3906
- * Copyright (c) Microsoft Corporation. All rights reserved.
3907
- * Licensed under the MIT License.
3908
- */
3909
- /**
3910
- * Function to build a client info object from server clientInfo string
3911
- * @param rawClientInfo
3912
- * @param crypto
3913
- */
3914
- function buildClientInfo(rawClientInfo, base64Decode) {
3915
- if (!rawClientInfo) {
3916
- throw createClientAuthError(clientInfoEmptyError);
3917
- }
3918
- try {
3919
- const decodedClientInfo = base64Decode(rawClientInfo);
3920
- return JSON.parse(decodedClientInfo);
3921
- }
3922
- catch (e) {
3923
- throw createClientAuthError(clientInfoDecodingError);
3924
- }
3925
- }
3926
- /**
3927
- * Function to build a client info object from cached homeAccountId string
3928
- * @param homeAccountId
4190
+ /**
4191
+ * Construct authoptions from the client and platform passed values
4192
+ * @param authOptions
3929
4193
  */
3930
- function buildClientInfoFromHomeAccountId(homeAccountId) {
3931
- if (!homeAccountId) {
3932
- throw createClientAuthError(clientInfoDecodingError);
3933
- }
3934
- const clientInfoParts = homeAccountId.split(Separators.CLIENT_INFO_SEPARATOR, 2);
4194
+ function buildAuthOptions(authOptions) {
3935
4195
  return {
3936
- uid: clientInfoParts[0],
3937
- utid: clientInfoParts.length < 2
3938
- ? Constants.EMPTY_STRING
3939
- : clientInfoParts[1],
4196
+ clientCapabilities: [],
4197
+ azureCloudOptions: DEFAULT_AZURE_CLOUD_OPTIONS,
4198
+ skipAuthorityMetadataCache: false,
4199
+ instanceAware: false,
4200
+ encodeExtraQueryParams: false,
4201
+ ...authOptions,
3940
4202
  };
4203
+ }
4204
+ /**
4205
+ * Returns true if config has protocolMode set to ProtocolMode.OIDC, false otherwise
4206
+ * @param ClientConfiguration
4207
+ */
4208
+ function isOidcProtocolMode(config) {
4209
+ return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3941
4210
  }
3942
4211
 
3943
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4212
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4213
+ /*
4214
+ * Copyright (c) Microsoft Corporation. All rights reserved.
4215
+ * Licensed under the MIT License.
4216
+ */
4217
+ const CcsCredentialType = {
4218
+ HOME_ACCOUNT_ID: "home_account_id",
4219
+ UPN: "UPN",
4220
+ };
4221
+
4222
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
3944
4223
  /*
3945
4224
  * Copyright (c) Microsoft Corporation. All rights reserved.
3946
4225
  * Licensed under the MIT License.
@@ -3990,7 +4269,7 @@ const INSTANCE_AWARE = "instance_aware";
3990
4269
  const EAR_JWK = "ear_jwk";
3991
4270
  const EAR_JWE_CRYPTO = "ear_jwe_crypto";
3992
4271
 
3993
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4272
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
3994
4273
 
3995
4274
  /*
3996
4275
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4370,22 +4649,7 @@ function addPostBodyParameters(parameters, bodyParameters) {
4370
4649
  });
4371
4650
  }
4372
4651
 
4373
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4374
- /*
4375
- * Copyright (c) Microsoft Corporation. All rights reserved.
4376
- * Licensed under the MIT License.
4377
- */
4378
- /**
4379
- * Authority types supported by MSAL.
4380
- */
4381
- const AuthorityType = {
4382
- Default: 0,
4383
- Adfs: 1,
4384
- Dsts: 2,
4385
- Ciam: 3,
4386
- };
4387
-
4388
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4652
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4389
4653
  /*
4390
4654
  * Copyright (c) Microsoft Corporation. All rights reserved.
4391
4655
  * Licensed under the MIT License.
@@ -4397,7 +4661,7 @@ function isOpenIdConfigResponse(response) {
4397
4661
  response.hasOwnProperty("jwks_uri"));
4398
4662
  }
4399
4663
 
4400
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4664
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4401
4665
  /*
4402
4666
  * Copyright (c) Microsoft Corporation. All rights reserved.
4403
4667
  * Licensed under the MIT License.
@@ -4407,7 +4671,7 @@ function isCloudInstanceDiscoveryResponse(response) {
4407
4671
  response.hasOwnProperty("metadata"));
4408
4672
  }
4409
4673
 
4410
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4674
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4411
4675
  /*
4412
4676
  * Copyright (c) Microsoft Corporation. All rights reserved.
4413
4677
  * Licensed under the MIT License.
@@ -4417,7 +4681,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
4417
4681
  response.hasOwnProperty("error_description"));
4418
4682
  }
4419
4683
 
4420
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4684
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4421
4685
  /*
4422
4686
  * Copyright (c) Microsoft Corporation. All rights reserved.
4423
4687
  * Licensed under the MIT License.
@@ -4513,7 +4777,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
4513
4777
  };
4514
4778
  };
4515
4779
 
4516
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4780
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4517
4781
 
4518
4782
  /*
4519
4783
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4619,7 +4883,7 @@ RegionDiscovery.IMDS_OPTIONS = {
4619
4883
  },
4620
4884
  };
4621
4885
 
4622
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4886
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4623
4887
  /*
4624
4888
  * Copyright (c) Microsoft Corporation. All rights reserved.
4625
4889
  * Licensed under the MIT License.
@@ -4684,7 +4948,7 @@ function wasClockTurnedBack(cachedAt) {
4684
4948
  return cachedAtSec > nowSeconds();
4685
4949
  }
4686
4950
 
4687
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4951
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4688
4952
 
4689
4953
  /*
4690
4954
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4946,7 +5210,7 @@ function isAuthorityMetadataExpired(metadata) {
4946
5210
  return metadata.expiresAt <= nowSeconds();
4947
5211
  }
4948
5212
 
4949
- /*! @azure/msal-common v15.13.0 2025-10-17 */
5213
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4950
5214
 
4951
5215
  /*
4952
5216
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5785,7 +6049,7 @@ function buildStaticAuthorityOptions(authOptions) {
5785
6049
  };
5786
6050
  }
5787
6051
 
5788
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6052
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
5789
6053
 
5790
6054
  /*
5791
6055
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5816,7 +6080,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
5816
6080
  }
5817
6081
  }
5818
6082
 
5819
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6083
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
5820
6084
 
5821
6085
  /*
5822
6086
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5835,7 +6099,7 @@ class ServerError extends AuthError {
5835
6099
  }
5836
6100
  }
5837
6101
 
5838
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6102
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
5839
6103
  /*
5840
6104
  * Copyright (c) Microsoft Corporation. All rights reserved.
5841
6105
  * Licensed under the MIT License.
@@ -5856,7 +6120,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
5856
6120
  };
5857
6121
  }
5858
6122
 
5859
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6123
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
5860
6124
 
5861
6125
  /*
5862
6126
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5943,7 +6207,7 @@ class ThrottlingUtils {
5943
6207
  }
5944
6208
  }
5945
6209
 
5946
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6210
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
5947
6211
 
5948
6212
  /*
5949
6213
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5974,7 +6238,7 @@ function createNetworkError(error, httpStatus, responseHeaders, additionalError)
5974
6238
  return new NetworkError(error, httpStatus, responseHeaders);
5975
6239
  }
5976
6240
 
5977
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6241
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
5978
6242
 
5979
6243
  /*
5980
6244
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6044,328 +6308,85 @@ class BaseClient {
6044
6308
  response.status < 500 &&
6045
6309
  response.status !== 429) {
6046
6310
  // Telemetry data successfully logged by server, clear Telemetry cache
6047
- this.config.serverTelemetryManager.clearTelemetryCache();
6048
- }
6049
- return response;
6050
- }
6051
- /**
6052
- * Wraps sendPostRequestAsync with necessary preflight and postflight logic
6053
- * @param thumbprint - Request thumbprint for throttling
6054
- * @param tokenEndpoint - Endpoint to make the POST to
6055
- * @param options - Body and Headers to include on the POST request
6056
- * @param correlationId - CorrelationId for telemetry
6057
- */
6058
- async sendPostRequest(thumbprint, tokenEndpoint, options, correlationId) {
6059
- ThrottlingUtils.preProcess(this.cacheManager, thumbprint, correlationId);
6060
- let response;
6061
- try {
6062
- response = await invokeAsync((this.networkClient.sendPostRequestAsync.bind(this.networkClient)), PerformanceEvents.NetworkClientSendPostRequestAsync, this.logger, this.performanceClient, correlationId)(tokenEndpoint, options);
6063
- const responseHeaders = response.headers || {};
6064
- this.performanceClient?.addFields({
6065
- refreshTokenSize: response.body.refresh_token?.length || 0,
6066
- httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
6067
- requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] || "",
6068
- }, correlationId);
6069
- }
6070
- catch (e) {
6071
- if (e instanceof NetworkError) {
6072
- const responseHeaders = e.responseHeaders;
6073
- if (responseHeaders) {
6074
- this.performanceClient?.addFields({
6075
- httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
6076
- requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] ||
6077
- "",
6078
- contentTypeHeader: responseHeaders[HeaderNames.CONTENT_TYPE] ||
6079
- undefined,
6080
- contentLengthHeader: responseHeaders[HeaderNames.CONTENT_LENGTH] ||
6081
- undefined,
6082
- httpStatus: e.httpStatus,
6083
- }, correlationId);
6084
- }
6085
- throw e.error;
6086
- }
6087
- if (e instanceof AuthError) {
6088
- throw e;
6089
- }
6090
- else {
6091
- throw createClientAuthError(networkError);
6092
- }
6093
- }
6094
- ThrottlingUtils.postProcess(this.cacheManager, thumbprint, response, correlationId);
6095
- return response;
6096
- }
6097
- /**
6098
- * Updates the authority object of the client. Endpoint discovery must be completed.
6099
- * @param updatedAuthority
6100
- */
6101
- async updateAuthority(cloudInstanceHostname, correlationId) {
6102
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.UpdateTokenEndpointAuthority, correlationId);
6103
- const cloudInstanceAuthorityUri = `https://${cloudInstanceHostname}/${this.authority.tenant}/`;
6104
- const cloudInstanceAuthority = await createDiscoveredInstance(cloudInstanceAuthorityUri, this.networkClient, this.cacheManager, this.authority.options, this.logger, correlationId, this.performanceClient);
6105
- this.authority = cloudInstanceAuthority;
6106
- }
6107
- /**
6108
- * Creates query string for the /token request
6109
- * @param request
6110
- */
6111
- createTokenQueryParameters(request) {
6112
- const parameters = new Map();
6113
- if (request.embeddedClientId) {
6114
- addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
6115
- }
6116
- if (request.tokenQueryParameters) {
6117
- addExtraQueryParameters(parameters, request.tokenQueryParameters);
6118
- }
6119
- addCorrelationId(parameters, request.correlationId);
6120
- instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6121
- return mapToQueryString(parameters);
6122
- }
6123
- }
6124
-
6125
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6126
- /*
6127
- * Copyright (c) Microsoft Corporation. All rights reserved.
6128
- * Licensed under the MIT License.
6129
- */
6130
- /**
6131
- * Gets tenantId from available ID token claims to set as credential realm with the following precedence:
6132
- * 1. tid - if the token is acquired from an Azure AD tenant tid will be present
6133
- * 2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
6134
- * 3. acr - if the token is acquired from a legacy B2C tenant acr should be present
6135
- * Downcased to match the realm case-insensitive comparison requirements
6136
- * @param idTokenClaims
6137
- * @returns
6138
- */
6139
- function getTenantIdFromIdTokenClaims(idTokenClaims) {
6140
- if (idTokenClaims) {
6141
- const tenantId = idTokenClaims.tid || idTokenClaims.tfp || idTokenClaims.acr;
6142
- return tenantId || null;
6143
- }
6144
- return null;
6145
- }
6146
-
6147
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6148
-
6149
- /*
6150
- * Copyright (c) Microsoft Corporation. All rights reserved.
6151
- * Licensed under the MIT License.
6152
- */
6153
- /**
6154
- * Type that defines required and optional parameters for an Account field (based on universal cache schema implemented by all MSALs).
6155
- *
6156
- * Key : Value Schema
6157
- *
6158
- * Key: <home_account_id>-<environment>-<realm*>
6159
- *
6160
- * Value Schema:
6161
- * {
6162
- * homeAccountId: home account identifier for the auth scheme,
6163
- * environment: entity that issued the token, represented as a full host
6164
- * realm: Full tenant or organizational identifier that the account belongs to
6165
- * localAccountId: Original tenant-specific accountID, usually used for legacy cases
6166
- * username: primary username that represents the user, usually corresponds to preferred_username in the v2 endpt
6167
- * authorityType: Accounts authority type as a string
6168
- * name: Full name for the account, including given name and family name,
6169
- * lastModificationTime: last time this entity was modified in the cache
6170
- * lastModificationApp:
6171
- * nativeAccountId: Account identifier on the native device
6172
- * tenantProfiles: Array of tenant profile objects for each tenant that the account has authenticated with in the browser
6173
- * }
6174
- * @internal
6175
- */
6176
- class AccountEntity {
6177
- /**
6178
- * Returns the AccountInfo interface for this account.
6179
- */
6180
- getAccountInfo() {
6181
- return {
6182
- homeAccountId: this.homeAccountId,
6183
- environment: this.environment,
6184
- tenantId: this.realm,
6185
- username: this.username,
6186
- localAccountId: this.localAccountId,
6187
- loginHint: this.loginHint,
6188
- name: this.name,
6189
- nativeAccountId: this.nativeAccountId,
6190
- authorityType: this.authorityType,
6191
- // Deserialize tenant profiles array into a Map
6192
- tenantProfiles: new Map((this.tenantProfiles || []).map((tenantProfile) => {
6193
- return [tenantProfile.tenantId, tenantProfile];
6194
- })),
6195
- dataBoundary: this.dataBoundary,
6196
- };
6197
- }
6198
- /**
6199
- * Returns true if the account entity is in single tenant format (outdated), false otherwise
6200
- */
6201
- isSingleTenant() {
6202
- return !this.tenantProfiles;
6203
- }
6204
- /**
6205
- * Build Account cache from IdToken, clientInfo and authority/policy. Associated with AAD.
6206
- * @param accountDetails
6207
- */
6208
- static createAccount(accountDetails, authority, base64Decode) {
6209
- const account = new AccountEntity();
6210
- if (authority.authorityType === AuthorityType.Adfs) {
6211
- account.authorityType = CacheAccountType.ADFS_ACCOUNT_TYPE;
6212
- }
6213
- else if (authority.protocolMode === ProtocolMode.OIDC) {
6214
- account.authorityType = CacheAccountType.GENERIC_ACCOUNT_TYPE;
6215
- }
6216
- else {
6217
- account.authorityType = CacheAccountType.MSSTS_ACCOUNT_TYPE;
6218
- }
6219
- let clientInfo;
6220
- if (accountDetails.clientInfo && base64Decode) {
6221
- clientInfo = buildClientInfo(accountDetails.clientInfo, base64Decode);
6222
- if (clientInfo.xms_tdbr) {
6223
- account.dataBoundary =
6224
- clientInfo.xms_tdbr === "EU" ? "EU" : "None";
6225
- }
6226
- }
6227
- account.clientInfo = accountDetails.clientInfo;
6228
- account.homeAccountId = accountDetails.homeAccountId;
6229
- account.nativeAccountId = accountDetails.nativeAccountId;
6230
- const env = accountDetails.environment ||
6231
- (authority && authority.getPreferredCache());
6232
- if (!env) {
6233
- throw createClientAuthError(invalidCacheEnvironment);
6234
- }
6235
- account.environment = env;
6236
- // non AAD scenarios can have empty realm
6237
- account.realm =
6238
- clientInfo?.utid ||
6239
- getTenantIdFromIdTokenClaims(accountDetails.idTokenClaims) ||
6240
- "";
6241
- // How do you account for MSA CID here?
6242
- account.localAccountId =
6243
- clientInfo?.uid ||
6244
- accountDetails.idTokenClaims?.oid ||
6245
- accountDetails.idTokenClaims?.sub ||
6246
- "";
6247
- /*
6248
- * In B2C scenarios the emails claim is used instead of preferred_username and it is an array.
6249
- * In most cases it will contain a single email. This field should not be relied upon if a custom
6250
- * policy is configured to return more than 1 email.
6251
- */
6252
- const preferredUsername = accountDetails.idTokenClaims?.preferred_username ||
6253
- accountDetails.idTokenClaims?.upn;
6254
- const email = accountDetails.idTokenClaims?.emails
6255
- ? accountDetails.idTokenClaims.emails[0]
6256
- : null;
6257
- account.username = preferredUsername || email || "";
6258
- account.loginHint = accountDetails.idTokenClaims?.login_hint;
6259
- account.name = accountDetails.idTokenClaims?.name || "";
6260
- account.cloudGraphHostName = accountDetails.cloudGraphHostName;
6261
- account.msGraphHost = accountDetails.msGraphHost;
6262
- if (accountDetails.tenantProfiles) {
6263
- account.tenantProfiles = accountDetails.tenantProfiles;
6264
- }
6265
- else {
6266
- const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, account.localAccountId, account.realm, accountDetails.idTokenClaims);
6267
- account.tenantProfiles = [tenantProfile];
6311
+ this.config.serverTelemetryManager.clearTelemetryCache();
6268
6312
  }
6269
- return account;
6270
- }
6271
- /**
6272
- * Creates an AccountEntity object from AccountInfo
6273
- * @param accountInfo
6274
- * @param cloudGraphHostName
6275
- * @param msGraphHost
6276
- * @returns
6277
- */
6278
- static createFromAccountInfo(accountInfo, cloudGraphHostName, msGraphHost) {
6279
- const account = new AccountEntity();
6280
- account.authorityType =
6281
- accountInfo.authorityType || CacheAccountType.GENERIC_ACCOUNT_TYPE;
6282
- account.homeAccountId = accountInfo.homeAccountId;
6283
- account.localAccountId = accountInfo.localAccountId;
6284
- account.nativeAccountId = accountInfo.nativeAccountId;
6285
- account.realm = accountInfo.tenantId;
6286
- account.environment = accountInfo.environment;
6287
- account.username = accountInfo.username;
6288
- account.name = accountInfo.name;
6289
- account.loginHint = accountInfo.loginHint;
6290
- account.cloudGraphHostName = cloudGraphHostName;
6291
- account.msGraphHost = msGraphHost;
6292
- // Serialize tenant profiles map into an array
6293
- account.tenantProfiles = Array.from(accountInfo.tenantProfiles?.values() || []);
6294
- account.dataBoundary = accountInfo.dataBoundary;
6295
- return account;
6313
+ return response;
6296
6314
  }
6297
6315
  /**
6298
- * Generate HomeAccountId from server response
6299
- * @param serverClientInfo
6300
- * @param authType
6316
+ * Wraps sendPostRequestAsync with necessary preflight and postflight logic
6317
+ * @param thumbprint - Request thumbprint for throttling
6318
+ * @param tokenEndpoint - Endpoint to make the POST to
6319
+ * @param options - Body and Headers to include on the POST request
6320
+ * @param correlationId - CorrelationId for telemetry
6301
6321
  */
6302
- static generateHomeAccountId(serverClientInfo, authType, logger, cryptoObj, idTokenClaims) {
6303
- // since ADFS/DSTS do not have tid and does not set client_info
6304
- if (!(authType === AuthorityType.Adfs ||
6305
- authType === AuthorityType.Dsts)) {
6306
- // for cases where there is clientInfo
6307
- if (serverClientInfo) {
6308
- try {
6309
- const clientInfo = buildClientInfo(serverClientInfo, cryptoObj.base64Decode);
6310
- if (clientInfo.uid && clientInfo.utid) {
6311
- return `${clientInfo.uid}.${clientInfo.utid}`;
6312
- }
6322
+ async sendPostRequest(thumbprint, tokenEndpoint, options, correlationId) {
6323
+ ThrottlingUtils.preProcess(this.cacheManager, thumbprint, correlationId);
6324
+ let response;
6325
+ try {
6326
+ response = await invokeAsync((this.networkClient.sendPostRequestAsync.bind(this.networkClient)), PerformanceEvents.NetworkClientSendPostRequestAsync, this.logger, this.performanceClient, correlationId)(tokenEndpoint, options);
6327
+ const responseHeaders = response.headers || {};
6328
+ this.performanceClient?.addFields({
6329
+ refreshTokenSize: response.body.refresh_token?.length || 0,
6330
+ httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
6331
+ requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] || "",
6332
+ }, correlationId);
6333
+ }
6334
+ catch (e) {
6335
+ if (e instanceof NetworkError) {
6336
+ const responseHeaders = e.responseHeaders;
6337
+ if (responseHeaders) {
6338
+ this.performanceClient?.addFields({
6339
+ httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
6340
+ requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] ||
6341
+ "",
6342
+ contentTypeHeader: responseHeaders[HeaderNames.CONTENT_TYPE] ||
6343
+ undefined,
6344
+ contentLengthHeader: responseHeaders[HeaderNames.CONTENT_LENGTH] ||
6345
+ undefined,
6346
+ httpStatus: e.httpStatus,
6347
+ }, correlationId);
6313
6348
  }
6314
- catch (e) { }
6349
+ throw e.error;
6350
+ }
6351
+ if (e instanceof AuthError) {
6352
+ throw e;
6353
+ }
6354
+ else {
6355
+ throw createClientAuthError(networkError);
6315
6356
  }
6316
- logger.warning("No client info in response");
6317
6357
  }
6318
- // default to "sub" claim
6319
- return idTokenClaims?.sub || "";
6358
+ ThrottlingUtils.postProcess(this.cacheManager, thumbprint, response, correlationId);
6359
+ return response;
6320
6360
  }
6321
6361
  /**
6322
- * Validates an entity: checks for all expected params
6323
- * @param entity
6362
+ * Updates the authority object of the client. Endpoint discovery must be completed.
6363
+ * @param updatedAuthority
6324
6364
  */
6325
- static isAccountEntity(entity) {
6326
- if (!entity) {
6327
- return false;
6328
- }
6329
- return (entity.hasOwnProperty("homeAccountId") &&
6330
- entity.hasOwnProperty("environment") &&
6331
- entity.hasOwnProperty("realm") &&
6332
- entity.hasOwnProperty("localAccountId") &&
6333
- entity.hasOwnProperty("username") &&
6334
- entity.hasOwnProperty("authorityType"));
6365
+ async updateAuthority(cloudInstanceHostname, correlationId) {
6366
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.UpdateTokenEndpointAuthority, correlationId);
6367
+ const cloudInstanceAuthorityUri = `https://${cloudInstanceHostname}/${this.authority.tenant}/`;
6368
+ const cloudInstanceAuthority = await createDiscoveredInstance(cloudInstanceAuthorityUri, this.networkClient, this.cacheManager, this.authority.options, this.logger, correlationId, this.performanceClient);
6369
+ this.authority = cloudInstanceAuthority;
6335
6370
  }
6336
6371
  /**
6337
- * Helper function to determine whether 2 accountInfo objects represent the same account
6338
- * @param accountA
6339
- * @param accountB
6340
- * @param compareClaims - If set to true idTokenClaims will also be compared to determine account equality
6372
+ * Creates query string for the /token request
6373
+ * @param request
6341
6374
  */
6342
- static accountInfoIsEqual(accountA, accountB, compareClaims) {
6343
- if (!accountA || !accountB) {
6344
- return false;
6375
+ createTokenQueryParameters(request) {
6376
+ const parameters = new Map();
6377
+ if (request.embeddedClientId) {
6378
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
6345
6379
  }
6346
- let claimsMatch = true; // default to true so as to not fail comparison below if compareClaims: false
6347
- if (compareClaims) {
6348
- const accountAClaims = (accountA.idTokenClaims ||
6349
- {});
6350
- const accountBClaims = (accountB.idTokenClaims ||
6351
- {});
6352
- // issued at timestamp and nonce are expected to change each time a new id token is acquired
6353
- claimsMatch =
6354
- accountAClaims.iat === accountBClaims.iat &&
6355
- accountAClaims.nonce === accountBClaims.nonce;
6380
+ if (request.tokenQueryParameters) {
6381
+ addExtraQueryParameters(parameters, request.tokenQueryParameters);
6356
6382
  }
6357
- return (accountA.homeAccountId === accountB.homeAccountId &&
6358
- accountA.localAccountId === accountB.localAccountId &&
6359
- accountA.username === accountB.username &&
6360
- accountA.tenantId === accountB.tenantId &&
6361
- accountA.loginHint === accountB.loginHint &&
6362
- accountA.environment === accountB.environment &&
6363
- accountA.nativeAccountId === accountB.nativeAccountId &&
6364
- claimsMatch);
6383
+ addCorrelationId(parameters, request.correlationId);
6384
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6385
+ return mapToQueryString(parameters);
6365
6386
  }
6366
6387
  }
6367
6388
 
6368
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6389
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6369
6390
  /*
6370
6391
  * Copyright (c) Microsoft Corporation. All rights reserved.
6371
6392
  * Licensed under the MIT License.
@@ -6393,7 +6414,7 @@ var InteractionRequiredAuthErrorCodes = /*#__PURE__*/Object.freeze({
6393
6414
  uxNotAllowed: uxNotAllowed
6394
6415
  });
6395
6416
 
6396
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6417
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6397
6418
 
6398
6419
  /*
6399
6420
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6483,7 +6504,7 @@ function createInteractionRequiredAuthError(errorCode) {
6483
6504
  return new InteractionRequiredAuthError(errorCode, InteractionRequiredAuthErrorMessages[errorCode]);
6484
6505
  }
6485
6506
 
6486
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6507
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6487
6508
 
6488
6509
  /*
6489
6510
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6555,7 +6576,7 @@ class ProtocolUtils {
6555
6576
  }
6556
6577
  }
6557
6578
 
6558
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6579
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6559
6580
 
6560
6581
  /*
6561
6582
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6637,7 +6658,7 @@ class PopTokenGenerator {
6637
6658
  }
6638
6659
  }
6639
6660
 
6640
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6661
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6641
6662
  /*
6642
6663
  * Copyright (c) Microsoft Corporation. All rights reserved.
6643
6664
  * Licensed under the MIT License.
@@ -6664,7 +6685,7 @@ class PopTokenGenerator {
6664
6685
  }
6665
6686
  }
6666
6687
 
6667
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6688
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6668
6689
 
6669
6690
  /*
6670
6691
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6776,14 +6797,14 @@ class ResponseHandler {
6776
6797
  if (handlingRefreshTokenResponse &&
6777
6798
  !forceCacheRefreshTokenResponse &&
6778
6799
  cacheRecord.account) {
6779
- const key = this.cacheStorage.generateAccountKey(cacheRecord.account.getAccountInfo());
6800
+ const key = this.cacheStorage.generateAccountKey(AccountEntity.getAccountInfo(cacheRecord.account));
6780
6801
  const account = this.cacheStorage.getAccount(key, request.correlationId);
6781
6802
  if (!account) {
6782
6803
  this.logger.warning("Account used to refresh tokens not in persistence, refreshed tokens will not be stored in the cache");
6783
6804
  return await ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, undefined, serverRequestId);
6784
6805
  }
6785
6806
  }
6786
- await this.cacheStorage.saveCacheRecord(cacheRecord, request.correlationId, request.storeInCache);
6807
+ await this.cacheStorage.saveCacheRecord(cacheRecord, request.correlationId, isKmsi(idTokenClaims || {}), request.storeInCache);
6787
6808
  }
6788
6809
  finally {
6789
6810
  if (this.persistencePlugin &&
@@ -6930,7 +6951,7 @@ class ResponseHandler {
6930
6951
  serverTokenResponse?.spa_accountid;
6931
6952
  }
6932
6953
  const accountInfo = cacheRecord.account
6933
- ? updateAccountTenantProfileData(cacheRecord.account.getAccountInfo(), undefined, // tenantProfile optional
6954
+ ? updateAccountTenantProfileData(AccountEntity.getAccountInfo(cacheRecord.account), undefined, // tenantProfile optional
6934
6955
  idTokenClaims, cacheRecord.idToken?.secret)
6935
6956
  : null;
6936
6957
  return {
@@ -6995,7 +7016,7 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
6995
7016
  return baseAccount;
6996
7017
  }
6997
7018
 
6998
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7019
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6999
7020
  /*
7000
7021
  * Copyright (c) Microsoft Corporation. All rights reserved.
7001
7022
  * Licensed under the MIT License.
@@ -7013,7 +7034,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
7013
7034
  }
7014
7035
  }
7015
7036
 
7016
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7037
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7017
7038
 
7018
7039
  /*
7019
7040
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7248,7 +7269,7 @@ class AuthorizationCodeClient extends BaseClient {
7248
7269
  }
7249
7270
  }
7250
7271
 
7251
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7272
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7252
7273
 
7253
7274
  /*
7254
7275
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7457,7 +7478,7 @@ class RefreshTokenClient extends BaseClient {
7457
7478
  }
7458
7479
  }
7459
7480
 
7460
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7481
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7461
7482
 
7462
7483
  /*
7463
7484
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7555,7 +7576,7 @@ class SilentFlowClient extends BaseClient {
7555
7576
  }
7556
7577
  }
7557
7578
 
7558
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7579
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7559
7580
 
7560
7581
  /*
7561
7582
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7570,7 +7591,7 @@ const StubbedNetworkModule = {
7570
7591
  },
7571
7592
  };
7572
7593
 
7573
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7594
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7574
7595
 
7575
7596
  /*
7576
7597
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7794,7 +7815,7 @@ function extractLoginHint(account) {
7794
7815
  return account.loginHint || account.idTokenClaims?.login_hint || null;
7795
7816
  }
7796
7817
 
7797
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7818
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7798
7819
 
7799
7820
  /*
7800
7821
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7852,7 +7873,7 @@ class AuthenticationHeaderParser {
7852
7873
  }
7853
7874
  }
7854
7875
 
7855
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7876
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7856
7877
 
7857
7878
  /*
7858
7879
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8115,7 +8136,7 @@ class ServerTelemetryManager {
8115
8136
  }
8116
8137
  }
8117
8138
 
8118
- /*! @azure/msal-common v15.13.0 2025-10-17 */
8139
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
8119
8140
  /*
8120
8141
  * Copyright (c) Microsoft Corporation. All rights reserved.
8121
8142
  * Licensed under the MIT License.
@@ -8123,7 +8144,7 @@ class ServerTelemetryManager {
8123
8144
  const missingKidError = "missing_kid_error";
8124
8145
  const missingAlgError = "missing_alg_error";
8125
8146
 
8126
- /*! @azure/msal-common v15.13.0 2025-10-17 */
8147
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
8127
8148
 
8128
8149
  /*
8129
8150
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8148,7 +8169,7 @@ function createJoseHeaderError(code) {
8148
8169
  return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);
8149
8170
  }
8150
8171
 
8151
- /*! @azure/msal-common v15.13.0 2025-10-17 */
8172
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
8152
8173
 
8153
8174
  /*
8154
8175
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8188,7 +8209,7 @@ class JoseHeader {
8188
8209
  }
8189
8210
  }
8190
8211
 
8191
- /*! @azure/msal-common v15.13.0 2025-10-17 */
8212
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
8192
8213
 
8193
8214
  /*
8194
8215
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -10304,7 +10325,7 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
10304
10325
 
10305
10326
  /* eslint-disable header/header */
10306
10327
  const name = "@azure/msal-browser";
10307
- const version = "4.25.1";
10328
+ const version = "4.26.0";
10308
10329
 
10309
10330
  /*
10310
10331
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -10312,9 +10333,9 @@ const version = "4.25.1";
10312
10333
  */
10313
10334
  const PREFIX = "msal";
10314
10335
  const BROWSER_PREFIX = "browser";
10315
- const CACHE_KEY_SEPARATOR = "-";
10316
- const CREDENTIAL_SCHEMA_VERSION = 1;
10317
- const ACCOUNT_SCHEMA_VERSION = 1;
10336
+ const CACHE_KEY_SEPARATOR = "|";
10337
+ const CREDENTIAL_SCHEMA_VERSION = 2;
10338
+ const ACCOUNT_SCHEMA_VERSION = 2;
10318
10339
  const LOG_LEVEL_CACHE_KEY = `${PREFIX}.${BROWSER_PREFIX}.log.level`;
10319
10340
  const LOG_PII_CACHE_KEY = `${PREFIX}.${BROWSER_PREFIX}.log.pii`;
10320
10341
  const BROWSER_PERF_ENABLED_KEY = `${PREFIX}.${BROWSER_PREFIX}.performance.enabled`;
@@ -11474,7 +11495,10 @@ class LocalStorage {
11474
11495
  return null;
11475
11496
  }
11476
11497
  try {
11477
- return JSON.parse(decryptedData);
11498
+ return {
11499
+ ...JSON.parse(decryptedData),
11500
+ lastUpdatedAt: data.lastUpdatedAt,
11501
+ };
11478
11502
  }
11479
11503
  catch (e) {
11480
11504
  this.performanceClient.incrementFields({ encryptedCacheCorruptionCount: 1 }, correlationId);
@@ -11484,19 +11508,24 @@ class LocalStorage {
11484
11508
  setItem(key, value) {
11485
11509
  window.localStorage.setItem(key, value);
11486
11510
  }
11487
- async setUserData(key, value, correlationId, timestamp) {
11511
+ async setUserData(key, value, correlationId, timestamp, kmsi) {
11488
11512
  if (!this.initialized || !this.encryptionCookie) {
11489
11513
  throw createBrowserAuthError(uninitializedPublicClientApplication);
11490
11514
  }
11491
- const { data, nonce } = await invokeAsync(encrypt, PerformanceEvents.Encrypt, this.logger, this.performanceClient, correlationId)(this.encryptionCookie.key, value, this.getContext(key));
11492
- const encryptedData = {
11493
- id: this.encryptionCookie.id,
11494
- nonce: nonce,
11495
- data: data,
11496
- lastUpdatedAt: timestamp,
11497
- };
11515
+ if (kmsi) {
11516
+ this.setItem(key, value);
11517
+ }
11518
+ else {
11519
+ const { data, nonce } = await invokeAsync(encrypt, PerformanceEvents.Encrypt, this.logger, this.performanceClient, correlationId)(this.encryptionCookie.key, value, this.getContext(key));
11520
+ const encryptedData = {
11521
+ id: this.encryptionCookie.id,
11522
+ nonce: nonce,
11523
+ data: data,
11524
+ lastUpdatedAt: timestamp,
11525
+ };
11526
+ this.setItem(key, JSON.stringify(encryptedData));
11527
+ }
11498
11528
  this.memoryStorage.setItem(key, value);
11499
- this.setItem(key, JSON.stringify(encryptedData));
11500
11529
  // Notify other frames to update their in-memory cache
11501
11530
  this.broadcast.postMessage({
11502
11531
  key: key,
@@ -11596,13 +11625,14 @@ class LocalStorage {
11596
11625
  if (!isEncrypted(encObj)) {
11597
11626
  // Data is not encrypted
11598
11627
  this.performanceClient.incrementFields({ unencryptedCacheCount: 1 }, correlationId);
11599
- return encObj;
11628
+ return rawCache;
11600
11629
  }
11601
11630
  if (encObj.id !== this.encryptionCookie.id) {
11602
11631
  // Data was encrypted with a different key. It must be removed because it is from a previous session.
11603
11632
  this.performanceClient.incrementFields({ encryptedCacheExpiredCount: 1 }, correlationId);
11604
11633
  return null;
11605
11634
  }
11635
+ this.performanceClient.incrementFields({ encryptedCacheCount: 1 }, correlationId);
11606
11636
  return invokeAsync(decrypt, PerformanceEvents.Decrypt, this.logger, this.performanceClient, correlationId)(this.encryptionCookie.key, encObj.nonce, this.getContext(key), encObj.data);
11607
11637
  }
11608
11638
  /**
@@ -11794,108 +11824,338 @@ class BrowserCacheManager extends CacheManager {
11794
11824
  * Migrates any existing cache data from previous versions of MSAL.js into the current cache structure.
11795
11825
  */
11796
11826
  async migrateExistingCache(correlationId) {
11797
- const accountKeys0 = getAccountKeys(this.browserStorage, 0);
11798
- const tokenKeys0 = getTokenKeys(this.clientId, this.browserStorage, 0);
11827
+ let accountKeys = getAccountKeys(this.browserStorage);
11828
+ let tokenKeys = getTokenKeys(this.clientId, this.browserStorage);
11799
11829
  this.performanceClient.addFields({
11800
- oldAccountCount: accountKeys0.length,
11801
- oldAccessCount: tokenKeys0.accessToken.length,
11802
- oldIdCount: tokenKeys0.idToken.length,
11803
- oldRefreshCount: tokenKeys0.refreshToken.length,
11830
+ preMigrateAcntCount: accountKeys.length,
11831
+ preMigrateATCount: tokenKeys.accessToken.length,
11832
+ preMigrateITCount: tokenKeys.idToken.length,
11833
+ preMigrateRTCount: tokenKeys.refreshToken.length,
11804
11834
  }, correlationId);
11805
- const accountKeys1 = getAccountKeys(this.browserStorage, 1);
11806
- const tokenKeys1 = getTokenKeys(this.clientId, this.browserStorage, 1);
11835
+ for (let i = 0; i < ACCOUNT_SCHEMA_VERSION; i++) {
11836
+ const credentialSchema = i; // For now account and credential schemas are the same, but may diverge in future
11837
+ await this.removeStaleAccounts(i, credentialSchema, correlationId);
11838
+ }
11839
+ // Must migrate idTokens first to ensure we have KMSI info for the rest
11840
+ for (let i = 0; i < CREDENTIAL_SCHEMA_VERSION; i++) {
11841
+ const accountSchema = i; // For now account and credential schemas are the same, but may diverge in future
11842
+ await this.migrateIdTokens(i, accountSchema, correlationId);
11843
+ }
11844
+ const kmsiMap = this.getKMSIValues();
11845
+ for (let i = 0; i < CREDENTIAL_SCHEMA_VERSION; i++) {
11846
+ await this.migrateAccessTokens(i, kmsiMap, correlationId);
11847
+ await this.migrateRefreshTokens(i, kmsiMap, correlationId);
11848
+ }
11849
+ accountKeys = getAccountKeys(this.browserStorage);
11850
+ tokenKeys = getTokenKeys(this.clientId, this.browserStorage);
11807
11851
  this.performanceClient.addFields({
11808
- currAccountCount: accountKeys1.length,
11809
- currAccessCount: tokenKeys1.accessToken.length,
11810
- currIdCount: tokenKeys1.idToken.length,
11811
- currRefreshCount: tokenKeys1.refreshToken.length,
11852
+ postMigrateAcntCount: accountKeys.length,
11853
+ postMigrateATCount: tokenKeys.accessToken.length,
11854
+ postMigrateITCount: tokenKeys.idToken.length,
11855
+ postMigrateRTCount: tokenKeys.refreshToken.length,
11812
11856
  }, correlationId);
11813
- await Promise.all([
11814
- this.updateV0ToCurrent(ACCOUNT_SCHEMA_VERSION, accountKeys0, accountKeys1, correlationId),
11815
- this.updateV0ToCurrent(CREDENTIAL_SCHEMA_VERSION, tokenKeys0.idToken, tokenKeys1.idToken, correlationId),
11816
- this.updateV0ToCurrent(CREDENTIAL_SCHEMA_VERSION, tokenKeys0.accessToken, tokenKeys1.accessToken, correlationId),
11817
- this.updateV0ToCurrent(CREDENTIAL_SCHEMA_VERSION, tokenKeys0.refreshToken, tokenKeys1.refreshToken, correlationId),
11818
- ]);
11819
- if (accountKeys0.length > 0) {
11820
- this.browserStorage.setItem(getAccountKeysCacheKey(0), JSON.stringify(accountKeys0));
11857
+ }
11858
+ /**
11859
+ * Parses entry, adds lastUpdatedAt if it doesn't exist, removes entry if expired or invalid
11860
+ * @param key
11861
+ * @param correlationId
11862
+ * @returns
11863
+ */
11864
+ async updateOldEntry(key, correlationId) {
11865
+ const rawValue = this.browserStorage.getItem(key);
11866
+ const parsedValue = this.validateAndParseJson(rawValue || "");
11867
+ if (!parsedValue) {
11868
+ this.browserStorage.removeItem(key);
11869
+ return null;
11821
11870
  }
11822
- else {
11823
- this.browserStorage.removeItem(getAccountKeysCacheKey(0));
11871
+ if (!parsedValue.lastUpdatedAt) {
11872
+ // Add lastUpdatedAt to the existing v0 entry if it doesnt exist so we know when it's safe to remove it
11873
+ parsedValue.lastUpdatedAt = Date.now().toString();
11874
+ this.setItem(key, JSON.stringify(parsedValue), correlationId);
11824
11875
  }
11825
- if (accountKeys1.length > 0) {
11826
- this.browserStorage.setItem(getAccountKeysCacheKey(1), JSON.stringify(accountKeys1));
11876
+ else if (isCacheExpired(parsedValue.lastUpdatedAt, this.cacheConfig.cacheRetentionDays)) {
11877
+ this.browserStorage.removeItem(key);
11878
+ this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
11879
+ return null;
11827
11880
  }
11828
- else {
11829
- this.browserStorage.removeItem(getAccountKeysCacheKey(1));
11830
- }
11831
- this.setTokenKeys(tokenKeys0, correlationId, 0);
11832
- this.setTokenKeys(tokenKeys1, correlationId, 1);
11833
- }
11834
- async updateV0ToCurrent(currentSchema, v0Keys, v1Keys, correlationId) {
11835
- const upgradePromises = [];
11836
- for (const v0Key of [...v0Keys]) {
11837
- const rawV0Value = this.browserStorage.getItem(v0Key);
11838
- const parsedV0Value = this.validateAndParseJson(rawV0Value || "");
11839
- if (!parsedV0Value) {
11840
- removeElementFromArray(v0Keys, v0Key);
11881
+ const decryptedData = isEncrypted(parsedValue)
11882
+ ? await this.browserStorage.decryptData(key, parsedValue, correlationId)
11883
+ : parsedValue;
11884
+ if (!decryptedData || !isCredentialEntity(decryptedData)) {
11885
+ this.performanceClient.incrementFields({ invalidCacheCount: 1 }, correlationId);
11886
+ return null;
11887
+ }
11888
+ if ((isAccessTokenEntity(decryptedData) ||
11889
+ isRefreshTokenEntity(decryptedData)) &&
11890
+ decryptedData.expiresOn &&
11891
+ isTokenExpired(decryptedData.expiresOn, DEFAULT_TOKEN_RENEWAL_OFFSET_SEC)) {
11892
+ this.browserStorage.removeItem(key);
11893
+ this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
11894
+ return null;
11895
+ }
11896
+ return decryptedData;
11897
+ }
11898
+ /**
11899
+ * Remove accounts from the cache for older schema versions if they have not been updated in the last cacheRetentionDays
11900
+ * @param accountSchema
11901
+ * @param credentialSchema
11902
+ * @param correlationId
11903
+ * @returns
11904
+ */
11905
+ async removeStaleAccounts(accountSchema, credentialSchema, correlationId) {
11906
+ const accountKeysToCheck = getAccountKeys(this.browserStorage, accountSchema);
11907
+ if (accountKeysToCheck.length === 0) {
11908
+ return;
11909
+ }
11910
+ for (const accountKey of [...accountKeysToCheck]) {
11911
+ this.performanceClient.incrementFields({ oldAcntCount: 1 }, correlationId);
11912
+ const rawValue = this.browserStorage.getItem(accountKey);
11913
+ const parsedValue = this.validateAndParseJson(rawValue || "");
11914
+ if (!parsedValue) {
11915
+ removeElementFromArray(accountKeysToCheck, accountKey);
11916
+ continue;
11917
+ }
11918
+ if (!parsedValue.lastUpdatedAt) {
11919
+ // Add lastUpdatedAt to the existing entry if it doesnt exist so we know when it's safe to remove it
11920
+ parsedValue.lastUpdatedAt = Date.now().toString();
11921
+ this.setItem(accountKey, JSON.stringify(parsedValue), correlationId);
11922
+ continue;
11923
+ }
11924
+ else if (isCacheExpired(parsedValue.lastUpdatedAt, this.cacheConfig.cacheRetentionDays)) {
11925
+ // Cache expired remove account and associated tokens
11926
+ await this.removeAccountOldSchema(accountKey, parsedValue, credentialSchema, correlationId);
11927
+ removeElementFromArray(accountKeysToCheck, accountKey);
11928
+ }
11929
+ }
11930
+ this.setAccountKeys(accountKeysToCheck, correlationId, accountSchema);
11931
+ }
11932
+ /**
11933
+ * Remove the given account and all associated tokens from the cache
11934
+ * @param accountKey
11935
+ * @param rawObject
11936
+ * @param credentialSchema
11937
+ * @param correlationId
11938
+ */
11939
+ async removeAccountOldSchema(accountKey, rawObject, credentialSchema, correlationId) {
11940
+ const decryptedData = isEncrypted(rawObject)
11941
+ ? (await this.browserStorage.decryptData(accountKey, rawObject, correlationId))
11942
+ : rawObject;
11943
+ const homeAccountId = decryptedData?.homeAccountId;
11944
+ if (homeAccountId) {
11945
+ const tokenKeys = this.getTokenKeys(credentialSchema);
11946
+ [...tokenKeys.idToken]
11947
+ .filter((key) => key.includes(homeAccountId))
11948
+ .forEach((key) => {
11949
+ this.browserStorage.removeItem(key);
11950
+ removeElementFromArray(tokenKeys.idToken, key);
11951
+ });
11952
+ [...tokenKeys.accessToken]
11953
+ .filter((key) => key.includes(homeAccountId))
11954
+ .forEach((key) => {
11955
+ this.browserStorage.removeItem(key);
11956
+ removeElementFromArray(tokenKeys.accessToken, key);
11957
+ });
11958
+ [...tokenKeys.refreshToken]
11959
+ .filter((key) => key.includes(homeAccountId))
11960
+ .forEach((key) => {
11961
+ this.browserStorage.removeItem(key);
11962
+ removeElementFromArray(tokenKeys.refreshToken, key);
11963
+ });
11964
+ this.setTokenKeys(tokenKeys, correlationId, credentialSchema);
11965
+ }
11966
+ this.performanceClient.incrementFields({ expiredAcntRemovedCount: 1 }, correlationId);
11967
+ this.browserStorage.removeItem(accountKey);
11968
+ }
11969
+ /**
11970
+ * Gets key value pair mapping homeAccountId to KMSI value
11971
+ * @returns
11972
+ */
11973
+ getKMSIValues() {
11974
+ const kmsiMap = {};
11975
+ const tokenKeys = this.getTokenKeys().idToken;
11976
+ for (const key of tokenKeys) {
11977
+ const rawValue = this.browserStorage.getUserData(key);
11978
+ if (rawValue) {
11979
+ const idToken = JSON.parse(rawValue);
11980
+ const claims = extractTokenClaims(idToken.secret, base64Decode);
11981
+ if (claims) {
11982
+ kmsiMap[idToken.homeAccountId] = isKmsi(claims);
11983
+ }
11984
+ }
11985
+ }
11986
+ return kmsiMap;
11987
+ }
11988
+ /**
11989
+ * Migrates id tokens from the old schema to the new schema, also migrates associated account object if it doesn't already exist in the new schema
11990
+ * @param credentialSchema
11991
+ * @param accountSchema
11992
+ * @param correlationId
11993
+ * @returns
11994
+ */
11995
+ async migrateIdTokens(credentialSchema, accountSchema, correlationId) {
11996
+ const credentialKeysToMigrate = getTokenKeys(this.clientId, this.browserStorage, credentialSchema);
11997
+ if (credentialKeysToMigrate.idToken.length === 0) {
11998
+ return;
11999
+ }
12000
+ const currentCredentialKeys = getTokenKeys(this.clientId, this.browserStorage, CREDENTIAL_SCHEMA_VERSION);
12001
+ const currentAccountKeys = getAccountKeys(this.browserStorage);
12002
+ const previousAccountKeys = getAccountKeys(this.browserStorage, accountSchema);
12003
+ for (const idTokenKey of [...credentialKeysToMigrate.idToken]) {
12004
+ this.performanceClient.incrementFields({ oldITCount: 1 }, correlationId);
12005
+ const oldSchemaData = (await this.updateOldEntry(idTokenKey, correlationId));
12006
+ if (!oldSchemaData) {
12007
+ removeElementFromArray(credentialKeysToMigrate.idToken, idTokenKey);
12008
+ continue;
12009
+ }
12010
+ const currentAccountKey = currentAccountKeys.find((key) => key.includes(oldSchemaData.homeAccountId));
12011
+ const previousAccountKey = previousAccountKeys.find((key) => key.includes(oldSchemaData.homeAccountId));
12012
+ let account = null;
12013
+ if (currentAccountKey) {
12014
+ account = this.getAccount(currentAccountKey, correlationId);
12015
+ }
12016
+ else if (previousAccountKey) {
12017
+ const rawValue = this.browserStorage.getItem(previousAccountKey);
12018
+ const parsedValue = this.validateAndParseJson(rawValue || "");
12019
+ account =
12020
+ parsedValue && isEncrypted(parsedValue)
12021
+ ? (await this.browserStorage.decryptData(previousAccountKey, parsedValue, correlationId))
12022
+ : parsedValue;
12023
+ }
12024
+ if (!account) {
12025
+ // Don't migrate idToken if we don't have an account for it
12026
+ this.performanceClient.incrementFields({ skipITMigrateCount: 1 }, correlationId);
11841
12027
  continue;
11842
12028
  }
11843
- if (!parsedV0Value.lastUpdatedAt) {
11844
- // Add lastUpdatedAt to the existing v0 entry if it doesnt exist so we know when it's safe to remove it
11845
- parsedV0Value.lastUpdatedAt = Date.now().toString();
11846
- this.setItem(v0Key, JSON.stringify(parsedV0Value), correlationId);
11847
- }
11848
- const decryptedData = isEncrypted(parsedV0Value)
11849
- ? await this.browserStorage.decryptData(v0Key, parsedV0Value, correlationId)
11850
- : parsedV0Value;
11851
- let expirationTime;
11852
- if (decryptedData) {
11853
- if (isAccessTokenEntity(decryptedData)) {
11854
- expirationTime = decryptedData.expiresOn;
12029
+ const claims = extractTokenClaims(oldSchemaData.secret, base64Decode);
12030
+ const newIdTokenKey = this.generateCredentialKey(oldSchemaData);
12031
+ const currentIdToken = this.getIdTokenCredential(newIdTokenKey, correlationId);
12032
+ const oldTokenHasSignInState = Object.keys(claims).includes("signin_state");
12033
+ const currentTokenHasSignInState = currentIdToken &&
12034
+ Object.keys(extractTokenClaims(currentIdToken.secret, base64Decode) || {}).includes("signin_state");
12035
+ /**
12036
+ * Only migrate if:
12037
+ * 1. Token doesn't yet exist in current schema
12038
+ * 2. Old schema token has been updated more recently than the current one AND migrating it won't result in loss of KMSI state
12039
+ */
12040
+ if (!currentIdToken ||
12041
+ (oldSchemaData.lastUpdatedAt > currentIdToken.lastUpdatedAt &&
12042
+ (oldTokenHasSignInState || !currentTokenHasSignInState))) {
12043
+ const tenantProfiles = account.tenantProfiles || [];
12044
+ const tenantId = getTenantIdFromIdTokenClaims(claims) || account.realm;
12045
+ if (tenantId &&
12046
+ !tenantProfiles.find((tenantProfile) => {
12047
+ return tenantProfile.tenantId === tenantId;
12048
+ })) {
12049
+ const newTenantProfile = buildTenantProfile(account.homeAccountId, account.localAccountId, tenantId, claims);
12050
+ tenantProfiles.push(newTenantProfile);
11855
12051
  }
11856
- else if (isRefreshTokenEntity(decryptedData)) {
11857
- expirationTime = decryptedData.expiresOn;
12052
+ account.tenantProfiles = tenantProfiles;
12053
+ const newAccountKey = this.generateAccountKey(AccountEntity.getAccountInfo(account));
12054
+ const kmsi = isKmsi(claims);
12055
+ await this.setUserData(newAccountKey, JSON.stringify(account), correlationId, account.lastUpdatedAt, kmsi);
12056
+ if (!currentAccountKeys.includes(newAccountKey)) {
12057
+ currentAccountKeys.push(newAccountKey);
11858
12058
  }
12059
+ await this.setUserData(newIdTokenKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
12060
+ this.performanceClient.incrementFields({ migratedITCount: 1 }, correlationId);
12061
+ currentCredentialKeys.idToken.push(newIdTokenKey);
12062
+ }
12063
+ }
12064
+ this.setTokenKeys(credentialKeysToMigrate, correlationId, credentialSchema);
12065
+ this.setTokenKeys(currentCredentialKeys, correlationId);
12066
+ this.setAccountKeys(currentAccountKeys, correlationId);
12067
+ }
12068
+ /**
12069
+ * Migrates access tokens from old cache schema to current schema
12070
+ * @param credentialSchema
12071
+ * @param kmsiMap
12072
+ * @param correlationId
12073
+ * @returns
12074
+ */
12075
+ async migrateAccessTokens(credentialSchema, kmsiMap, correlationId) {
12076
+ const credentialKeysToMigrate = getTokenKeys(this.clientId, this.browserStorage, credentialSchema);
12077
+ if (credentialKeysToMigrate.accessToken.length === 0) {
12078
+ return;
12079
+ }
12080
+ const currentCredentialKeys = getTokenKeys(this.clientId, this.browserStorage, CREDENTIAL_SCHEMA_VERSION);
12081
+ for (const accessTokenKey of [...credentialKeysToMigrate.accessToken]) {
12082
+ this.performanceClient.incrementFields({ oldATCount: 1 }, correlationId);
12083
+ const oldSchemaData = (await this.updateOldEntry(accessTokenKey, correlationId));
12084
+ if (!oldSchemaData) {
12085
+ removeElementFromArray(credentialKeysToMigrate.accessToken, accessTokenKey);
12086
+ continue;
11859
12087
  }
11860
- if (!decryptedData ||
11861
- isCacheExpired(parsedV0Value.lastUpdatedAt, this.cacheConfig.cacheRetentionDays) ||
11862
- (expirationTime &&
11863
- isTokenExpired(expirationTime, DEFAULT_TOKEN_RENEWAL_OFFSET_SEC))) {
11864
- this.browserStorage.removeItem(v0Key);
11865
- removeElementFromArray(v0Keys, v0Key);
11866
- this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
12088
+ if (!Object.keys(kmsiMap).includes(oldSchemaData.homeAccountId)) {
12089
+ // Don't migrate tokens if we don't have an idToken for them
12090
+ this.performanceClient.incrementFields({ skipATMigrateCount: 1 }, correlationId);
11867
12091
  continue;
11868
12092
  }
11869
- if (this.cacheConfig.cacheLocation !==
11870
- BrowserCacheLocation.LocalStorage ||
11871
- isEncrypted(parsedV0Value)) {
11872
- const v1Key = `${PREFIX}.${currentSchema}${CACHE_KEY_SEPARATOR}${v0Key}`;
11873
- const rawV1Entry = this.browserStorage.getItem(v1Key);
11874
- if (!rawV1Entry) {
11875
- upgradePromises.push(this.setUserData(v1Key, JSON.stringify(decryptedData), correlationId, parsedV0Value.lastUpdatedAt).then(() => {
11876
- v1Keys.push(v1Key);
11877
- this.performanceClient.incrementFields({ upgradedCacheCount: 1 }, correlationId);
11878
- }));
11879
- continue;
12093
+ const newKey = this.generateCredentialKey(oldSchemaData);
12094
+ const kmsi = kmsiMap[oldSchemaData.homeAccountId];
12095
+ if (!currentCredentialKeys.accessToken.includes(newKey)) {
12096
+ await this.setUserData(newKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
12097
+ this.performanceClient.incrementFields({ migratedATCount: 1 }, correlationId);
12098
+ currentCredentialKeys.accessToken.push(newKey);
12099
+ }
12100
+ else {
12101
+ const currentToken = this.getAccessTokenCredential(newKey, correlationId);
12102
+ if (!currentToken ||
12103
+ oldSchemaData.lastUpdatedAt > currentToken.lastUpdatedAt) {
12104
+ // If the token already exists, only overwrite it if the old token has a more recent lastUpdatedAt
12105
+ await this.setUserData(newKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
12106
+ this.performanceClient.incrementFields({ migratedATCount: 1 }, correlationId);
11880
12107
  }
11881
- else {
11882
- const parsedV1Entry = this.validateAndParseJson(rawV1Entry);
11883
- // If the entry already exists but is older than the v0 entry, replace it
11884
- if (Number(parsedV0Value.lastUpdatedAt) >
11885
- Number(parsedV1Entry.lastUpdatedAt)) {
11886
- upgradePromises.push(this.setUserData(v1Key, JSON.stringify(decryptedData), correlationId, parsedV0Value.lastUpdatedAt).then(() => {
11887
- this.performanceClient.incrementFields({ updatedCacheFromV0Count: 1 }, correlationId);
11888
- }));
11889
- continue;
11890
- }
12108
+ }
12109
+ }
12110
+ this.setTokenKeys(credentialKeysToMigrate, correlationId, credentialSchema);
12111
+ this.setTokenKeys(currentCredentialKeys, correlationId);
12112
+ }
12113
+ /**
12114
+ * Migrates refresh tokens from old cache schema to current schema
12115
+ * @param credentialSchema
12116
+ * @param kmsiMap
12117
+ * @param correlationId
12118
+ * @returns
12119
+ */
12120
+ async migrateRefreshTokens(credentialSchema, kmsiMap, correlationId) {
12121
+ const credentialKeysToMigrate = getTokenKeys(this.clientId, this.browserStorage, credentialSchema);
12122
+ if (credentialKeysToMigrate.refreshToken.length === 0) {
12123
+ return;
12124
+ }
12125
+ const currentCredentialKeys = getTokenKeys(this.clientId, this.browserStorage, CREDENTIAL_SCHEMA_VERSION);
12126
+ for (const refreshTokenKey of [
12127
+ ...credentialKeysToMigrate.refreshToken,
12128
+ ]) {
12129
+ this.performanceClient.incrementFields({ oldRTCount: 1 }, correlationId);
12130
+ const oldSchemaData = (await this.updateOldEntry(refreshTokenKey, correlationId));
12131
+ if (!oldSchemaData) {
12132
+ removeElementFromArray(credentialKeysToMigrate.refreshToken, refreshTokenKey);
12133
+ continue;
12134
+ }
12135
+ if (!Object.keys(kmsiMap).includes(oldSchemaData.homeAccountId)) {
12136
+ // Don't migrate tokens if we don't have an idToken for them
12137
+ this.performanceClient.incrementFields({ skipRTMigrateCount: 1 }, correlationId);
12138
+ continue;
12139
+ }
12140
+ const newKey = this.generateCredentialKey(oldSchemaData);
12141
+ const kmsi = kmsiMap[oldSchemaData.homeAccountId];
12142
+ if (!currentCredentialKeys.refreshToken.includes(newKey)) {
12143
+ await this.setUserData(newKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
12144
+ this.performanceClient.incrementFields({ migratedRTCount: 1 }, correlationId);
12145
+ currentCredentialKeys.refreshToken.push(newKey);
12146
+ }
12147
+ else {
12148
+ const currentToken = this.getRefreshTokenCredential(newKey, correlationId);
12149
+ if (!currentToken ||
12150
+ oldSchemaData.lastUpdatedAt > currentToken.lastUpdatedAt) {
12151
+ // If the token already exists, only overwrite it if the old token has a more recent lastUpdatedAt
12152
+ await this.setUserData(newKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
12153
+ this.performanceClient.incrementFields({ migratedRTCount: 1 }, correlationId);
11891
12154
  }
11892
12155
  }
11893
- /*
11894
- * Note: If we reach here for unencrypted localStorage data, we continue without migrating
11895
- * as we can't migrate unencrypted localStorage data right now since we can't guarantee KMSI=no
11896
- */
11897
12156
  }
11898
- return Promise.all(upgradePromises);
12157
+ this.setTokenKeys(credentialKeysToMigrate, correlationId, credentialSchema);
12158
+ this.setTokenKeys(currentCredentialKeys, correlationId);
11899
12159
  }
11900
12160
  /**
11901
12161
  * Tracks upgrades and downgrades for telemetry and debugging purposes
@@ -11940,20 +12200,31 @@ class BrowserCacheManager extends CacheManager {
11940
12200
  * @param value
11941
12201
  */
11942
12202
  setItem(key, value, correlationId) {
11943
- let tokenKeysV0Count = 0;
11944
- let accessTokenKeys = [];
12203
+ const tokenKeysCount = new Array(CREDENTIAL_SCHEMA_VERSION + 1).fill(0); // Array mapping schema version to number of token keys stored for that version
12204
+ const accessTokenKeys = []; // Flat map of all access token keys stored, ordered by schema version
11945
12205
  const maxRetries = 20;
11946
12206
  for (let i = 0; i <= maxRetries; i++) {
12207
+ // Attempt to store item in cache, if cache is full this call will throw and we'll attempt to clear space by removing access tokens from the cache one by one, starting with tokens stored by previous versions of MSAL.js
11947
12208
  try {
11948
12209
  this.browserStorage.setItem(key, value);
11949
12210
  if (i > 0) {
11950
- // Finally update the token keys array with the tokens removed
11951
- if (i <= tokenKeysV0Count) {
11952
- this.removeAccessTokenKeys(accessTokenKeys.slice(0, i), correlationId, 0);
11953
- }
11954
- else {
11955
- this.removeAccessTokenKeys(accessTokenKeys.slice(0, tokenKeysV0Count), correlationId, 0);
11956
- this.removeAccessTokenKeys(accessTokenKeys.slice(tokenKeysV0Count, i), correlationId);
12211
+ // If any tokens were removed in order to store this item update the token keys array with the tokens removed
12212
+ for (let schemaVersion = 0; schemaVersion <= CREDENTIAL_SCHEMA_VERSION; schemaVersion++) {
12213
+ // Get the sum of all previous token counts to use as start index for this schema version
12214
+ const startIndex = tokenKeysCount
12215
+ .slice(0, schemaVersion)
12216
+ .reduce((sum, count) => sum + count, 0);
12217
+ if (startIndex >= i) {
12218
+ // Done removing tokens
12219
+ break;
12220
+ }
12221
+ const endIndex = i > startIndex + tokenKeysCount[schemaVersion]
12222
+ ? startIndex + tokenKeysCount[schemaVersion]
12223
+ : i;
12224
+ if (i > startIndex &&
12225
+ tokenKeysCount[schemaVersion] > 0) {
12226
+ this.removeAccessTokenKeys(accessTokenKeys.slice(startIndex, endIndex), correlationId, schemaVersion);
12227
+ }
11957
12228
  }
11958
12229
  }
11959
12230
  break; // If setItem succeeds, exit the loop
@@ -11965,16 +12236,19 @@ class BrowserCacheManager extends CacheManager {
11965
12236
  i < maxRetries) {
11966
12237
  if (!accessTokenKeys.length) {
11967
12238
  // If we are currently trying to set the token keys, use the value we're trying to set
11968
- const tokenKeys0 = key ===
11969
- getTokenKeysCacheKey(this.clientId, 0)
11970
- ? JSON.parse(value).accessToken
11971
- : this.getTokenKeys(0).accessToken;
11972
- const tokenKeys1 = key ===
11973
- getTokenKeysCacheKey(this.clientId)
11974
- ? JSON.parse(value).accessToken
11975
- : this.getTokenKeys().accessToken;
11976
- accessTokenKeys = [...tokenKeys0, ...tokenKeys1];
11977
- tokenKeysV0Count = tokenKeys0.length;
12239
+ for (let i = 0; i <= CREDENTIAL_SCHEMA_VERSION; i++) {
12240
+ if (key ===
12241
+ getTokenKeysCacheKey(this.clientId, i)) {
12242
+ const tokenKeys = JSON.parse(value).accessToken;
12243
+ accessTokenKeys.push(...tokenKeys);
12244
+ tokenKeysCount[i] = tokenKeys.length;
12245
+ }
12246
+ else {
12247
+ const tokenKeys = this.getTokenKeys(i).accessToken;
12248
+ accessTokenKeys.push(...tokenKeys);
12249
+ tokenKeysCount[i] = tokenKeys.length;
12250
+ }
12251
+ }
11978
12252
  }
11979
12253
  if (accessTokenKeys.length <= i) {
11980
12254
  // Nothing to remove, rethrow the error
@@ -11997,21 +12271,32 @@ class BrowserCacheManager extends CacheManager {
11997
12271
  * @param value
11998
12272
  * @param correlationId
11999
12273
  */
12000
- async setUserData(key, value, correlationId, timestamp) {
12001
- let tokenKeysV0Count = 0;
12002
- let accessTokenKeys = [];
12274
+ async setUserData(key, value, correlationId, timestamp, kmsi) {
12275
+ const tokenKeysCount = new Array(CREDENTIAL_SCHEMA_VERSION + 1).fill(0); // Array mapping schema version to number of token keys stored for that version
12276
+ const accessTokenKeys = []; // Flat map of all access token keys stored, ordered by schema version
12003
12277
  const maxRetries = 20;
12004
12278
  for (let i = 0; i <= maxRetries; i++) {
12005
12279
  try {
12006
- await invokeAsync(this.browserStorage.setUserData.bind(this.browserStorage), PerformanceEvents.SetUserData, this.logger, this.performanceClient)(key, value, correlationId, timestamp);
12280
+ // Attempt to store item in cache, if cache is full this call will throw and we'll attempt to clear space by removing access tokens from the cache one by one, starting with tokens stored by previous versions of MSAL.js
12281
+ await invokeAsync(this.browserStorage.setUserData.bind(this.browserStorage), PerformanceEvents.SetUserData, this.logger, this.performanceClient)(key, value, correlationId, timestamp, kmsi);
12007
12282
  if (i > 0) {
12008
- // Finally update the token keys array with the tokens removed
12009
- if (i <= tokenKeysV0Count) {
12010
- this.removeAccessTokenKeys(accessTokenKeys.slice(0, i), correlationId, 0);
12011
- }
12012
- else {
12013
- this.removeAccessTokenKeys(accessTokenKeys.slice(0, tokenKeysV0Count), correlationId, 0);
12014
- this.removeAccessTokenKeys(accessTokenKeys.slice(tokenKeysV0Count, i), correlationId);
12283
+ // If any tokens were removed in order to store this item update the token keys array with the tokens removed
12284
+ for (let schemaVersion = 0; schemaVersion <= CREDENTIAL_SCHEMA_VERSION; schemaVersion++) {
12285
+ // Get the sum of all previous token counts to use as start index for this schema version
12286
+ const startIndex = tokenKeysCount
12287
+ .slice(0, schemaVersion)
12288
+ .reduce((sum, count) => sum + count, 0);
12289
+ if (startIndex >= i) {
12290
+ // Done removing tokens
12291
+ break;
12292
+ }
12293
+ const endIndex = i > startIndex + tokenKeysCount[schemaVersion]
12294
+ ? startIndex + tokenKeysCount[schemaVersion]
12295
+ : i;
12296
+ if (i > startIndex &&
12297
+ tokenKeysCount[schemaVersion] > 0) {
12298
+ this.removeAccessTokenKeys(accessTokenKeys.slice(startIndex, endIndex), correlationId, schemaVersion);
12299
+ }
12015
12300
  }
12016
12301
  }
12017
12302
  break; // If setItem succeeds, exit the loop
@@ -12022,10 +12307,12 @@ class BrowserCacheManager extends CacheManager {
12022
12307
  cacheQuotaExceeded &&
12023
12308
  i < maxRetries) {
12024
12309
  if (!accessTokenKeys.length) {
12025
- const tokenKeys0 = this.getTokenKeys(0).accessToken;
12026
- const tokenKeys1 = this.getTokenKeys().accessToken;
12027
- accessTokenKeys = [...tokenKeys0, ...tokenKeys1];
12028
- tokenKeysV0Count = tokenKeys0.length;
12310
+ // If we are currently trying to set the token keys, use the value we're trying to set
12311
+ for (let i = 0; i <= CREDENTIAL_SCHEMA_VERSION; i++) {
12312
+ const tokenKeys = this.getTokenKeys(i).accessToken;
12313
+ accessTokenKeys.push(...tokenKeys);
12314
+ tokenKeysCount[i] = tokenKeys.length;
12315
+ }
12029
12316
  }
12030
12317
  if (accessTokenKeys.length <= i) {
12031
12318
  // Nothing left to remove, rethrow the error
@@ -12065,20 +12352,21 @@ class BrowserCacheManager extends CacheManager {
12065
12352
  * set account entity in the platform cache
12066
12353
  * @param account
12067
12354
  */
12068
- async setAccount(account, correlationId) {
12355
+ async setAccount(account, correlationId, kmsi) {
12069
12356
  this.logger.trace("BrowserCacheManager.setAccount called");
12070
- const key = this.generateAccountKey(account.getAccountInfo());
12357
+ const key = this.generateAccountKey(AccountEntity.getAccountInfo(account));
12071
12358
  const timestamp = Date.now().toString();
12072
12359
  account.lastUpdatedAt = timestamp;
12073
- await this.setUserData(key, JSON.stringify(account), correlationId, timestamp);
12360
+ await this.setUserData(key, JSON.stringify(account), correlationId, timestamp, kmsi);
12074
12361
  const wasAdded = this.addAccountKeyToMap(key, correlationId);
12362
+ this.performanceClient.addFields({ kmsi: kmsi }, correlationId);
12075
12363
  /**
12076
12364
  * @deprecated - Remove this in next major version in favor of more consistent LOGIN event
12077
12365
  */
12078
12366
  if (this.cacheConfig.cacheLocation ===
12079
12367
  BrowserCacheLocation.LocalStorage &&
12080
12368
  wasAdded) {
12081
- this.eventHandler.emitEvent(EventType.ACCOUNT_ADDED, undefined, account.getAccountInfo());
12369
+ this.eventHandler.emitEvent(EventType.ACCOUNT_ADDED, undefined, AccountEntity.getAccountInfo(account));
12082
12370
  }
12083
12371
  }
12084
12372
  /**
@@ -12088,6 +12376,14 @@ class BrowserCacheManager extends CacheManager {
12088
12376
  getAccountKeys() {
12089
12377
  return getAccountKeys(this.browserStorage);
12090
12378
  }
12379
+ setAccountKeys(accountKeys, correlationId, schemaVersion = ACCOUNT_SCHEMA_VERSION) {
12380
+ if (accountKeys.length === 0) {
12381
+ this.removeItem(getAccountKeysCacheKey(schemaVersion));
12382
+ }
12383
+ else {
12384
+ this.setItem(getAccountKeysCacheKey(schemaVersion), JSON.stringify(accountKeys), correlationId);
12385
+ }
12386
+ }
12091
12387
  /**
12092
12388
  * Add a new account to the key map
12093
12389
  * @param key
@@ -12119,14 +12415,7 @@ class BrowserCacheManager extends CacheManager {
12119
12415
  const removalIndex = accountKeys.indexOf(key);
12120
12416
  if (removalIndex > -1) {
12121
12417
  accountKeys.splice(removalIndex, 1);
12122
- if (accountKeys.length === 0) {
12123
- // If no keys left, remove the map
12124
- this.removeItem(getAccountKeysCacheKey());
12125
- return;
12126
- }
12127
- else {
12128
- this.setItem(getAccountKeysCacheKey(), JSON.stringify(accountKeys), correlationId);
12129
- }
12418
+ this.setAccountKeys(accountKeys, correlationId);
12130
12419
  this.logger.trace("BrowserCacheManager.removeAccountKeyFromMap account key removed");
12131
12420
  }
12132
12421
  else {
@@ -12266,12 +12555,12 @@ class BrowserCacheManager extends CacheManager {
12266
12555
  * set IdToken credential to the platform cache
12267
12556
  * @param idToken
12268
12557
  */
12269
- async setIdTokenCredential(idToken, correlationId) {
12558
+ async setIdTokenCredential(idToken, correlationId, kmsi) {
12270
12559
  this.logger.trace("BrowserCacheManager.setIdTokenCredential called");
12271
12560
  const idTokenKey = this.generateCredentialKey(idToken);
12272
12561
  const timestamp = Date.now().toString();
12273
12562
  idToken.lastUpdatedAt = timestamp;
12274
- await this.setUserData(idTokenKey, JSON.stringify(idToken), correlationId, timestamp);
12563
+ await this.setUserData(idTokenKey, JSON.stringify(idToken), correlationId, timestamp, kmsi);
12275
12564
  const tokenKeys = this.getTokenKeys();
12276
12565
  if (tokenKeys.idToken.indexOf(idTokenKey) === -1) {
12277
12566
  this.logger.info("BrowserCacheManager: addTokenKey - idToken added to map");
@@ -12303,12 +12592,12 @@ class BrowserCacheManager extends CacheManager {
12303
12592
  * set accessToken credential to the platform cache
12304
12593
  * @param accessToken
12305
12594
  */
12306
- async setAccessTokenCredential(accessToken, correlationId) {
12595
+ async setAccessTokenCredential(accessToken, correlationId, kmsi) {
12307
12596
  this.logger.trace("BrowserCacheManager.setAccessTokenCredential called");
12308
12597
  const accessTokenKey = this.generateCredentialKey(accessToken);
12309
12598
  const timestamp = Date.now().toString();
12310
12599
  accessToken.lastUpdatedAt = timestamp;
12311
- await this.setUserData(accessTokenKey, JSON.stringify(accessToken), correlationId, timestamp);
12600
+ await this.setUserData(accessTokenKey, JSON.stringify(accessToken), correlationId, timestamp, kmsi);
12312
12601
  const tokenKeys = this.getTokenKeys();
12313
12602
  const index = tokenKeys.accessToken.indexOf(accessTokenKey);
12314
12603
  if (index !== -1) {
@@ -12342,12 +12631,12 @@ class BrowserCacheManager extends CacheManager {
12342
12631
  * set refreshToken credential to the platform cache
12343
12632
  * @param refreshToken
12344
12633
  */
12345
- async setRefreshTokenCredential(refreshToken, correlationId) {
12634
+ async setRefreshTokenCredential(refreshToken, correlationId, kmsi) {
12346
12635
  this.logger.trace("BrowserCacheManager.setRefreshTokenCredential called");
12347
12636
  const refreshTokenKey = this.generateCredentialKey(refreshToken);
12348
12637
  const timestamp = Date.now().toString();
12349
12638
  refreshToken.lastUpdatedAt = timestamp;
12350
- await this.setUserData(refreshTokenKey, JSON.stringify(refreshToken), correlationId, timestamp);
12639
+ await this.setUserData(refreshTokenKey, JSON.stringify(refreshToken), correlationId, timestamp, kmsi);
12351
12640
  const tokenKeys = this.getTokenKeys();
12352
12641
  if (tokenKeys.refreshToken.indexOf(refreshTokenKey) === -1) {
12353
12642
  this.logger.info("BrowserCacheManager: addTokenKey - refreshToken added to map");
@@ -12847,7 +13136,7 @@ class BrowserCacheManager extends CacheManager {
12847
13136
  idToken: idTokenEntity,
12848
13137
  accessToken: accessTokenEntity,
12849
13138
  };
12850
- return this.saveCacheRecord(cacheRecord, result.correlationId);
13139
+ return this.saveCacheRecord(cacheRecord, result.correlationId, isKmsi(extractTokenClaims(result.idToken, base64Decode)));
12851
13140
  }
12852
13141
  /**
12853
13142
  * saves a cache record
@@ -12855,9 +13144,9 @@ class BrowserCacheManager extends CacheManager {
12855
13144
  * @param storeInCache {?StoreInCache}
12856
13145
  * @param correlationId {?string} correlation id
12857
13146
  */
12858
- async saveCacheRecord(cacheRecord, correlationId, storeInCache) {
13147
+ async saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache) {
12859
13148
  try {
12860
- await super.saveCacheRecord(cacheRecord, correlationId, storeInCache);
13149
+ await super.saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache);
12861
13150
  }
12862
13151
  catch (e) {
12863
13152
  if (e instanceof CacheError &&
@@ -14089,7 +14378,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
14089
14378
  // generate authenticationResult
14090
14379
  const result = await this.generateAuthenticationResult(response, request, idTokenClaims, baseAccount, authority.canonicalAuthority, reqTimestamp);
14091
14380
  // cache accounts and tokens in the appropriate storage
14092
- await this.cacheAccount(baseAccount, this.correlationId);
14381
+ await this.cacheAccount(baseAccount, this.correlationId, isKmsi(idTokenClaims));
14093
14382
  await this.cacheNativeTokens(response, request, homeAccountIdentifier, idTokenClaims, response.access_token, result.tenantId, reqTimestamp);
14094
14383
  return result;
14095
14384
  }
@@ -14176,7 +14465,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
14176
14465
  const tid = accountProperties["TenantId"] ||
14177
14466
  idTokenClaims.tid ||
14178
14467
  Constants.EMPTY_STRING;
14179
- const accountInfo = updateAccountTenantProfileData(accountEntity.getAccountInfo(), undefined, // tenantProfile optional
14468
+ const accountInfo = updateAccountTenantProfileData(AccountEntity.getAccountInfo(accountEntity), undefined, // tenantProfile optional
14180
14469
  idTokenClaims, response.id_token);
14181
14470
  /**
14182
14471
  * In pairwise broker flows, this check prevents the broker's native account id
@@ -14213,11 +14502,11 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
14213
14502
  * cache the account entity in browser storage
14214
14503
  * @param accountEntity
14215
14504
  */
14216
- async cacheAccount(accountEntity, correlationId) {
14505
+ async cacheAccount(accountEntity, correlationId, kmsi) {
14217
14506
  // Store the account info and hence `nativeAccountId` in browser cache
14218
- await this.browserStorage.setAccount(accountEntity, this.correlationId);
14507
+ await this.browserStorage.setAccount(accountEntity, this.correlationId, kmsi);
14219
14508
  // Remove any existing cached tokens for this account in browser storage
14220
- this.browserStorage.removeAccountContext(accountEntity.getAccountInfo(), correlationId);
14509
+ this.browserStorage.removeAccountContext(AccountEntity.getAccountInfo(accountEntity), correlationId);
14221
14510
  }
14222
14511
  /**
14223
14512
  * Stores the access_token and id_token in inmemory storage
@@ -14244,7 +14533,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
14244
14533
  idToken: cachedIdToken,
14245
14534
  accessToken: cachedAccessToken,
14246
14535
  };
14247
- return this.nativeStorageManager.saveCacheRecord(nativeCacheRecord, this.correlationId, request.storeInCache);
14536
+ return this.nativeStorageManager.saveCacheRecord(nativeCacheRecord, this.correlationId, isKmsi(idTokenClaims), request.storeInCache);
14248
14537
  }
14249
14538
  getExpiresInValue(tokenType, expiresIn) {
14250
14539
  return tokenType === AuthenticationScheme.POP
@@ -16522,6 +16811,7 @@ class TokenCache {
16522
16811
  const idTokenClaims = response.id_token
16523
16812
  ? extractTokenClaims(response.id_token, base64Decode)
16524
16813
  : undefined;
16814
+ const kmsi = isKmsi(idTokenClaims || {});
16525
16815
  const authorityOptions = {
16526
16816
  protocolMode: this.config.auth.protocolMode,
16527
16817
  knownAuthorities: this.config.auth.knownAuthorities,
@@ -16533,9 +16823,9 @@ class TokenCache {
16533
16823
  ? new Authority(Authority.generateAuthority(request.authority, request.azureCloudOptions), this.config.system.networkClient, this.storage, authorityOptions, this.logger, request.correlationId || createNewGuid())
16534
16824
  : undefined;
16535
16825
  const cacheRecordAccount = await this.loadAccount(request, options.clientInfo || response.client_info || "", correlationId, idTokenClaims, authority);
16536
- const idToken = await this.loadIdToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, correlationId);
16537
- const accessToken = await this.loadAccessToken(request, response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, options, correlationId);
16538
- const refreshToken = await this.loadRefreshToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, correlationId);
16826
+ const idToken = await this.loadIdToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, correlationId, kmsi);
16827
+ const accessToken = await this.loadAccessToken(request, response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, options, correlationId, kmsi);
16828
+ const refreshToken = await this.loadRefreshToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, correlationId, kmsi);
16539
16829
  return this.generateAuthenticationResult(request, {
16540
16830
  account: cacheRecordAccount,
16541
16831
  idToken,
@@ -16556,7 +16846,7 @@ class TokenCache {
16556
16846
  this.logger.verbose("TokenCache - loading account");
16557
16847
  if (request.account) {
16558
16848
  const accountEntity = AccountEntity.createFromAccountInfo(request.account);
16559
- await this.storage.setAccount(accountEntity, correlationId);
16849
+ await this.storage.setAccount(accountEntity, correlationId, isKmsi(idTokenClaims || {}));
16560
16850
  return accountEntity;
16561
16851
  }
16562
16852
  else if (!authority || (!clientInfo && !idTokenClaims)) {
@@ -16568,7 +16858,7 @@ class TokenCache {
16568
16858
  const cachedAccount = buildAccountToCache(this.storage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, authority.hostnameAndPort, claimsTenantId, undefined, // authCodePayload
16569
16859
  undefined, // nativeAccountId
16570
16860
  this.logger);
16571
- await this.storage.setAccount(cachedAccount, correlationId);
16861
+ await this.storage.setAccount(cachedAccount, correlationId, isKmsi(idTokenClaims || {}));
16572
16862
  return cachedAccount;
16573
16863
  }
16574
16864
  /**
@@ -16579,14 +16869,14 @@ class TokenCache {
16579
16869
  * @param tenantId
16580
16870
  * @returns `IdTokenEntity`
16581
16871
  */
16582
- async loadIdToken(response, homeAccountId, environment, tenantId, correlationId) {
16872
+ async loadIdToken(response, homeAccountId, environment, tenantId, correlationId, kmsi) {
16583
16873
  if (!response.id_token) {
16584
16874
  this.logger.verbose("TokenCache - no id token found in response");
16585
16875
  return null;
16586
16876
  }
16587
16877
  this.logger.verbose("TokenCache - loading id token");
16588
16878
  const idTokenEntity = createIdTokenEntity(homeAccountId, environment, response.id_token, this.config.auth.clientId, tenantId);
16589
- await this.storage.setIdTokenCredential(idTokenEntity, correlationId);
16879
+ await this.storage.setIdTokenCredential(idTokenEntity, correlationId, kmsi);
16590
16880
  return idTokenEntity;
16591
16881
  }
16592
16882
  /**
@@ -16598,7 +16888,7 @@ class TokenCache {
16598
16888
  * @param tenantId
16599
16889
  * @returns `AccessTokenEntity`
16600
16890
  */
16601
- async loadAccessToken(request, response, homeAccountId, environment, tenantId, options, correlationId) {
16891
+ async loadAccessToken(request, response, homeAccountId, environment, tenantId, options, correlationId, kmsi) {
16602
16892
  if (!response.access_token) {
16603
16893
  this.logger.verbose("TokenCache - no access token found in response");
16604
16894
  return null;
@@ -16621,7 +16911,7 @@ class TokenCache {
16621
16911
  (response.ext_expires_in || response.expires_in) +
16622
16912
  nowSeconds();
16623
16913
  const accessTokenEntity = createAccessTokenEntity(homeAccountId, environment, response.access_token, this.config.auth.clientId, tenantId, scopes.printScopes(), expiresOn, extendedExpiresOn, base64Decode);
16624
- await this.storage.setAccessTokenCredential(accessTokenEntity, correlationId);
16914
+ await this.storage.setAccessTokenCredential(accessTokenEntity, correlationId, kmsi);
16625
16915
  return accessTokenEntity;
16626
16916
  }
16627
16917
  /**
@@ -16632,7 +16922,7 @@ class TokenCache {
16632
16922
  * @param environment
16633
16923
  * @returns `RefreshTokenEntity`
16634
16924
  */
16635
- async loadRefreshToken(response, homeAccountId, environment, correlationId) {
16925
+ async loadRefreshToken(response, homeAccountId, environment, correlationId, kmsi) {
16636
16926
  if (!response.refresh_token) {
16637
16927
  this.logger.verbose("TokenCache - no refresh token found in response");
16638
16928
  return null;
@@ -16640,7 +16930,7 @@ class TokenCache {
16640
16930
  this.logger.verbose("TokenCache - loading refresh token");
16641
16931
  const refreshTokenEntity = createRefreshTokenEntity(homeAccountId, environment, response.refresh_token, this.config.auth.clientId, response.foci, undefined, // userAssertionHash
16642
16932
  response.refresh_token_expires_in);
16643
- await this.storage.setRefreshTokenCredential(refreshTokenEntity, correlationId);
16933
+ await this.storage.setRefreshTokenCredential(refreshTokenEntity, correlationId, kmsi);
16644
16934
  return refreshTokenEntity;
16645
16935
  }
16646
16936
  /**
@@ -16669,7 +16959,7 @@ class TokenCache {
16669
16959
  uniqueId: cacheRecord.account.localAccountId,
16670
16960
  tenantId: cacheRecord.account.realm,
16671
16961
  scopes: responseScopes,
16672
- account: accountEntity.getAccountInfo(),
16962
+ account: AccountEntity.getAccountInfo(accountEntity),
16673
16963
  idToken: cacheRecord.idToken?.secret || "",
16674
16964
  idTokenClaims: idTokenClaims || {},
16675
16965
  accessToken: accessToken,
@@ -17687,7 +17977,7 @@ class StandardController {
17687
17977
  this.logger.verbose("hydrateCache called");
17688
17978
  // Account gets saved to browser storage regardless of native or not
17689
17979
  const accountEntity = AccountEntity.createFromAccountInfo(result.account, result.cloudGraphHostName, result.msGraphHost);
17690
- await this.browserStorage.setAccount(accountEntity, result.correlationId);
17980
+ await this.browserStorage.setAccount(accountEntity, result.correlationId, isKmsi(result.idTokenClaims));
17691
17981
  if (result.fromNativeBroker) {
17692
17982
  this.logger.verbose("Response was from native broker, storing in-memory");
17693
17983
  // Tokens from native broker are stored in-memory
@@ -18965,7 +19255,7 @@ class NestedAppAuthController {
18965
19255
  async hydrateCache(result, request) {
18966
19256
  this.logger.verbose("hydrateCache called");
18967
19257
  const accountEntity = AccountEntity.createFromAccountInfo(result.account, result.cloudGraphHostName, result.msGraphHost);
18968
- await this.browserStorage.setAccount(accountEntity, result.correlationId);
19258
+ await this.browserStorage.setAccount(accountEntity, result.correlationId, isKmsi(result.idTokenClaims));
18969
19259
  return this.browserStorage.hydrateCache(result, request);
18970
19260
  }
18971
19261
  }