@azure/msal-browser 4.25.1 → 4.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (322) hide show
  1. package/dist/app/IPublicClientApplication.mjs +1 -1
  2. package/dist/app/PublicClientApplication.mjs +1 -1
  3. package/dist/app/PublicClientNext.mjs +1 -1
  4. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
  5. package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  6. package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  7. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +1 -1
  8. package/dist/cache/AccountManager.mjs +1 -1
  9. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  10. package/dist/cache/BrowserCacheManager.d.ts +64 -7
  11. package/dist/cache/BrowserCacheManager.d.ts.map +1 -1
  12. package/dist/cache/BrowserCacheManager.mjs +400 -141
  13. package/dist/cache/BrowserCacheManager.mjs.map +1 -1
  14. package/dist/cache/CacheHelpers.mjs +1 -1
  15. package/dist/cache/CacheKeys.d.ts +3 -3
  16. package/dist/cache/CacheKeys.mjs +4 -4
  17. package/dist/cache/CookieStorage.mjs +1 -1
  18. package/dist/cache/DatabaseStorage.mjs +1 -1
  19. package/dist/cache/EncryptedData.mjs +1 -1
  20. package/dist/cache/IWindowStorage.d.ts +1 -1
  21. package/dist/cache/IWindowStorage.d.ts.map +1 -1
  22. package/dist/cache/LocalStorage.d.ts +1 -1
  23. package/dist/cache/LocalStorage.d.ts.map +1 -1
  24. package/dist/cache/LocalStorage.mjs +21 -12
  25. package/dist/cache/LocalStorage.mjs.map +1 -1
  26. package/dist/cache/MemoryStorage.mjs +1 -1
  27. package/dist/cache/SessionStorage.mjs +1 -1
  28. package/dist/cache/TokenCache.d.ts.map +1 -1
  29. package/dist/cache/TokenCache.mjs +14 -13
  30. package/dist/cache/TokenCache.mjs.map +1 -1
  31. package/dist/config/Configuration.mjs +1 -1
  32. package/dist/controllers/ControllerFactory.mjs +1 -1
  33. package/dist/controllers/NestedAppAuthController.d.ts.map +1 -1
  34. package/dist/controllers/NestedAppAuthController.mjs +3 -3
  35. package/dist/controllers/NestedAppAuthController.mjs.map +1 -1
  36. package/dist/controllers/StandardController.d.ts.map +1 -1
  37. package/dist/controllers/StandardController.mjs +3 -3
  38. package/dist/controllers/StandardController.mjs.map +1 -1
  39. package/dist/controllers/UnknownOperatingContextController.mjs +1 -1
  40. package/dist/crypto/BrowserCrypto.mjs +1 -1
  41. package/dist/crypto/CryptoOps.mjs +1 -1
  42. package/dist/crypto/PkceGenerator.mjs +1 -1
  43. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  44. package/dist/custom-auth-path/app/PublicClientApplication.mjs +1 -1
  45. package/dist/custom-auth-path/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
  46. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  47. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  48. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthProvider.mjs +1 -1
  49. package/dist/custom-auth-path/cache/AccountManager.mjs +1 -1
  50. package/dist/custom-auth-path/cache/AsyncMemoryStorage.mjs +1 -1
  51. package/dist/custom-auth-path/cache/BrowserCacheManager.d.ts +64 -7
  52. package/dist/custom-auth-path/cache/BrowserCacheManager.d.ts.map +1 -1
  53. package/dist/custom-auth-path/cache/BrowserCacheManager.mjs +400 -141
  54. package/dist/custom-auth-path/cache/BrowserCacheManager.mjs.map +1 -1
  55. package/dist/custom-auth-path/cache/CacheHelpers.mjs +1 -1
  56. package/dist/custom-auth-path/cache/CacheKeys.d.ts +3 -3
  57. package/dist/custom-auth-path/cache/CacheKeys.mjs +4 -4
  58. package/dist/custom-auth-path/cache/CookieStorage.mjs +1 -1
  59. package/dist/custom-auth-path/cache/DatabaseStorage.mjs +1 -1
  60. package/dist/custom-auth-path/cache/EncryptedData.mjs +1 -1
  61. package/dist/custom-auth-path/cache/IWindowStorage.d.ts +1 -1
  62. package/dist/custom-auth-path/cache/IWindowStorage.d.ts.map +1 -1
  63. package/dist/custom-auth-path/cache/LocalStorage.d.ts +1 -1
  64. package/dist/custom-auth-path/cache/LocalStorage.d.ts.map +1 -1
  65. package/dist/custom-auth-path/cache/LocalStorage.mjs +21 -12
  66. package/dist/custom-auth-path/cache/LocalStorage.mjs.map +1 -1
  67. package/dist/custom-auth-path/cache/MemoryStorage.mjs +1 -1
  68. package/dist/custom-auth-path/cache/SessionStorage.mjs +1 -1
  69. package/dist/custom-auth-path/cache/TokenCache.d.ts.map +1 -1
  70. package/dist/custom-auth-path/cache/TokenCache.mjs +14 -13
  71. package/dist/custom-auth-path/cache/TokenCache.mjs.map +1 -1
  72. package/dist/custom-auth-path/config/Configuration.mjs +1 -1
  73. package/dist/custom-auth-path/controllers/ControllerFactory.mjs +1 -1
  74. package/dist/custom-auth-path/controllers/NestedAppAuthController.d.ts.map +1 -1
  75. package/dist/custom-auth-path/controllers/StandardController.d.ts.map +1 -1
  76. package/dist/custom-auth-path/controllers/StandardController.mjs +3 -3
  77. package/dist/custom-auth-path/controllers/StandardController.mjs.map +1 -1
  78. package/dist/custom-auth-path/crypto/BrowserCrypto.mjs +1 -1
  79. package/dist/custom-auth-path/crypto/CryptoOps.mjs +1 -1
  80. package/dist/custom-auth-path/crypto/PkceGenerator.mjs +1 -1
  81. package/dist/custom-auth-path/custom_auth/CustomAuthConstants.d.ts +1 -1
  82. package/dist/custom-auth-path/custom_auth/CustomAuthConstants.mjs +1 -1
  83. package/dist/custom-auth-path/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
  84. package/dist/custom-auth-path/custom_auth/controller/CustomAuthStandardController.mjs +1 -1
  85. package/dist/custom-auth-path/custom_auth/core/CustomAuthAuthority.mjs +1 -1
  86. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
  87. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
  88. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
  89. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
  90. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
  91. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
  92. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
  93. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
  94. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
  95. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +1 -1
  96. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
  97. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
  98. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
  99. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
  100. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
  101. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +1 -1
  102. package/dist/custom-auth-path/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
  103. package/dist/custom-auth-path/custom_auth/core/error/CustomAuthError.mjs +1 -1
  104. package/dist/custom-auth-path/custom_auth/core/error/HttpError.mjs +1 -1
  105. package/dist/custom-auth-path/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
  106. package/dist/custom-auth-path/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
  107. package/dist/custom-auth-path/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
  108. package/dist/custom-auth-path/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
  109. package/dist/custom-auth-path/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
  110. package/dist/custom-auth-path/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
  111. package/dist/custom-auth-path/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
  112. package/dist/custom-auth-path/custom_auth/core/error/ParsedUrlError.mjs +1 -1
  113. package/dist/custom-auth-path/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
  114. package/dist/custom-auth-path/custom_auth/core/error/UnexpectedError.mjs +1 -1
  115. package/dist/custom-auth-path/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
  116. package/dist/custom-auth-path/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
  117. package/dist/custom-auth-path/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
  118. package/dist/custom-auth-path/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
  119. package/dist/custom-auth-path/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
  120. package/dist/custom-auth-path/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
  121. package/dist/custom-auth-path/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
  122. package/dist/custom-auth-path/custom_auth/core/interaction_client/mfa/MfaClient.mjs +1 -1
  123. package/dist/custom-auth-path/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
  124. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +1 -1
  125. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +1 -1
  126. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
  127. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
  128. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +1 -1
  129. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +1 -1
  130. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +1 -1
  131. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
  132. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
  133. package/dist/custom-auth-path/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +1 -1
  134. package/dist/custom-auth-path/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
  135. package/dist/custom-auth-path/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
  136. package/dist/custom-auth-path/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
  137. package/dist/custom-auth-path/custom_auth/core/utils/UrlUtils.mjs +1 -1
  138. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +1 -1
  139. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
  140. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
  141. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
  142. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
  143. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
  144. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
  145. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
  146. package/dist/custom-auth-path/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +1 -1
  147. package/dist/custom-auth-path/custom_auth/index.mjs +1 -1
  148. package/dist/custom-auth-path/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
  149. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
  150. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
  151. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
  152. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
  153. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
  154. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +1 -1
  155. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
  156. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
  157. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +1 -1
  158. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
  159. package/dist/custom-auth-path/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +1 -1
  160. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
  161. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
  162. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
  163. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
  164. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
  165. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
  166. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +1 -1
  167. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
  168. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +1 -1
  169. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
  170. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +1 -1
  171. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
  172. package/dist/custom-auth-path/custom_auth/sign_in/interaction_client/SignInClient.mjs +1 -1
  173. package/dist/custom-auth-path/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
  174. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
  175. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
  176. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
  177. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
  178. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
  179. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
  180. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +1 -1
  181. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +1 -1
  182. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
  183. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
  184. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +1 -1
  185. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
  186. package/dist/custom-auth-path/custom_auth/sign_up/interaction_client/SignUpClient.mjs +1 -1
  187. package/dist/custom-auth-path/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
  188. package/dist/custom-auth-path/encode/Base64Decode.mjs +1 -1
  189. package/dist/custom-auth-path/encode/Base64Encode.mjs +1 -1
  190. package/dist/custom-auth-path/error/BrowserAuthError.mjs +1 -1
  191. package/dist/custom-auth-path/error/BrowserAuthErrorCodes.mjs +1 -1
  192. package/dist/custom-auth-path/error/BrowserConfigurationAuthError.mjs +1 -1
  193. package/dist/custom-auth-path/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  194. package/dist/custom-auth-path/error/NativeAuthError.mjs +1 -1
  195. package/dist/custom-auth-path/error/NativeAuthErrorCodes.mjs +1 -1
  196. package/dist/custom-auth-path/event/EventHandler.mjs +1 -1
  197. package/dist/custom-auth-path/event/EventType.mjs +1 -1
  198. package/dist/custom-auth-path/interaction_client/BaseInteractionClient.mjs +1 -1
  199. package/dist/custom-auth-path/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  200. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.d.ts +1 -1
  201. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  202. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.mjs +7 -7
  203. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
  204. package/dist/custom-auth-path/interaction_client/PopupClient.mjs +1 -1
  205. package/dist/custom-auth-path/interaction_client/RedirectClient.mjs +1 -1
  206. package/dist/custom-auth-path/interaction_client/SilentAuthCodeClient.mjs +1 -1
  207. package/dist/custom-auth-path/interaction_client/SilentCacheClient.mjs +1 -1
  208. package/dist/custom-auth-path/interaction_client/SilentIframeClient.mjs +1 -1
  209. package/dist/custom-auth-path/interaction_client/SilentRefreshClient.mjs +1 -1
  210. package/dist/custom-auth-path/interaction_client/StandardInteractionClient.mjs +1 -1
  211. package/dist/custom-auth-path/interaction_handler/InteractionHandler.mjs +1 -1
  212. package/dist/custom-auth-path/interaction_handler/SilentHandler.mjs +1 -1
  213. package/dist/custom-auth-path/navigation/NavigationClient.mjs +1 -1
  214. package/dist/custom-auth-path/network/FetchClient.mjs +1 -1
  215. package/dist/custom-auth-path/operatingcontext/BaseOperatingContext.mjs +1 -1
  216. package/dist/custom-auth-path/operatingcontext/StandardOperatingContext.mjs +1 -1
  217. package/dist/custom-auth-path/packageMetadata.d.ts +1 -1
  218. package/dist/custom-auth-path/packageMetadata.mjs +2 -2
  219. package/dist/custom-auth-path/protocol/Authorize.mjs +1 -1
  220. package/dist/custom-auth-path/request/RequestHelpers.mjs +1 -1
  221. package/dist/custom-auth-path/response/ResponseHandler.mjs +1 -1
  222. package/dist/custom-auth-path/utils/BrowserConstants.mjs +1 -1
  223. package/dist/custom-auth-path/utils/BrowserProtocolUtils.mjs +1 -1
  224. package/dist/custom-auth-path/utils/BrowserUtils.mjs +1 -1
  225. package/dist/custom-auth-path/utils/Helpers.mjs +1 -1
  226. package/dist/custom-auth-path/utils/MsalFrameStatsUtils.mjs +1 -1
  227. package/dist/custom_auth/CustomAuthConstants.d.ts +1 -1
  228. package/dist/encode/Base64Decode.mjs +1 -1
  229. package/dist/encode/Base64Encode.mjs +1 -1
  230. package/dist/error/BrowserAuthError.mjs +1 -1
  231. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  232. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  233. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  234. package/dist/error/NativeAuthError.mjs +1 -1
  235. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  236. package/dist/error/NestedAppAuthError.mjs +1 -1
  237. package/dist/event/EventHandler.mjs +1 -1
  238. package/dist/event/EventMessage.mjs +1 -1
  239. package/dist/event/EventType.mjs +1 -1
  240. package/dist/index.mjs +1 -1
  241. package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
  242. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  243. package/dist/interaction_client/PlatformAuthInteractionClient.d.ts +1 -1
  244. package/dist/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  245. package/dist/interaction_client/PlatformAuthInteractionClient.mjs +7 -7
  246. package/dist/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
  247. package/dist/interaction_client/PopupClient.mjs +1 -1
  248. package/dist/interaction_client/RedirectClient.mjs +1 -1
  249. package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
  250. package/dist/interaction_client/SilentCacheClient.mjs +1 -1
  251. package/dist/interaction_client/SilentIframeClient.mjs +1 -1
  252. package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
  253. package/dist/interaction_client/StandardInteractionClient.mjs +1 -1
  254. package/dist/interaction_handler/InteractionHandler.mjs +1 -1
  255. package/dist/interaction_handler/SilentHandler.mjs +1 -1
  256. package/dist/naa/BridgeError.mjs +1 -1
  257. package/dist/naa/BridgeProxy.mjs +1 -1
  258. package/dist/naa/BridgeStatusCode.mjs +1 -1
  259. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +1 -1
  260. package/dist/navigation/NavigationClient.mjs +1 -1
  261. package/dist/network/FetchClient.mjs +1 -1
  262. package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
  263. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  264. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  265. package/dist/operatingcontext/UnknownOperatingContext.mjs +1 -1
  266. package/dist/packageMetadata.d.ts +1 -1
  267. package/dist/packageMetadata.mjs +2 -2
  268. package/dist/protocol/Authorize.mjs +1 -1
  269. package/dist/request/RequestHelpers.mjs +1 -1
  270. package/dist/response/ResponseHandler.mjs +1 -1
  271. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  272. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  273. package/dist/utils/BrowserConstants.mjs +1 -1
  274. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  275. package/dist/utils/BrowserUtils.mjs +1 -1
  276. package/dist/utils/Helpers.mjs +1 -1
  277. package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
  278. package/lib/custom-auth-path/msal-custom-auth.cjs +1237 -947
  279. package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
  280. package/lib/custom-auth-path/types/cache/BrowserCacheManager.d.ts +64 -7
  281. package/lib/custom-auth-path/types/cache/BrowserCacheManager.d.ts.map +1 -1
  282. package/lib/custom-auth-path/types/cache/CacheKeys.d.ts +3 -3
  283. package/lib/custom-auth-path/types/cache/IWindowStorage.d.ts +1 -1
  284. package/lib/custom-auth-path/types/cache/IWindowStorage.d.ts.map +1 -1
  285. package/lib/custom-auth-path/types/cache/LocalStorage.d.ts +1 -1
  286. package/lib/custom-auth-path/types/cache/LocalStorage.d.ts.map +1 -1
  287. package/lib/custom-auth-path/types/cache/TokenCache.d.ts.map +1 -1
  288. package/lib/custom-auth-path/types/controllers/NestedAppAuthController.d.ts.map +1 -1
  289. package/lib/custom-auth-path/types/controllers/StandardController.d.ts.map +1 -1
  290. package/lib/custom-auth-path/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  291. package/lib/custom-auth-path/types/interaction_client/PlatformAuthInteractionClient.d.ts +1 -1
  292. package/lib/custom-auth-path/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  293. package/lib/custom-auth-path/types/packageMetadata.d.ts +1 -1
  294. package/lib/msal-browser.cjs +946 -656
  295. package/lib/msal-browser.cjs.map +1 -1
  296. package/lib/msal-browser.js +946 -656
  297. package/lib/msal-browser.js.map +1 -1
  298. package/lib/msal-browser.min.js +67 -67
  299. package/lib/types/cache/BrowserCacheManager.d.ts +64 -7
  300. package/lib/types/cache/BrowserCacheManager.d.ts.map +1 -1
  301. package/lib/types/cache/CacheKeys.d.ts +3 -3
  302. package/lib/types/cache/IWindowStorage.d.ts +1 -1
  303. package/lib/types/cache/IWindowStorage.d.ts.map +1 -1
  304. package/lib/types/cache/LocalStorage.d.ts +1 -1
  305. package/lib/types/cache/LocalStorage.d.ts.map +1 -1
  306. package/lib/types/cache/TokenCache.d.ts.map +1 -1
  307. package/lib/types/controllers/NestedAppAuthController.d.ts.map +1 -1
  308. package/lib/types/controllers/StandardController.d.ts.map +1 -1
  309. package/lib/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  310. package/lib/types/interaction_client/PlatformAuthInteractionClient.d.ts +1 -1
  311. package/lib/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  312. package/lib/types/packageMetadata.d.ts +1 -1
  313. package/package.json +2 -2
  314. package/src/cache/BrowserCacheManager.ts +738 -225
  315. package/src/cache/CacheKeys.ts +3 -3
  316. package/src/cache/IWindowStorage.ts +2 -1
  317. package/src/cache/LocalStorage.ts +30 -17
  318. package/src/cache/TokenCache.ts +33 -12
  319. package/src/controllers/NestedAppAuthController.ts +3 -1
  320. package/src/controllers/StandardController.ts +3 -1
  321. package/src/interaction_client/PlatformAuthInteractionClient.ts +15 -5
  322. package/src/packageMetadata.ts +1 -1
@@ -1,4 +1,4 @@
1
- /*! @azure/msal-browser v4.25.1 2025-10-17 */
1
+ /*! @azure/msal-browser v4.26.0 2025-10-29 */
2
2
  'use strict';
3
3
  (function (global, factory) {
4
4
  typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
@@ -6,7 +6,7 @@
6
6
  (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.msal = {}));
7
7
  })(this, (function (exports) { 'use strict';
8
8
 
9
- /*! @azure/msal-common v15.13.0 2025-10-17 */
9
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
10
10
  /*
11
11
  * Copyright (c) Microsoft Corporation. All rights reserved.
12
12
  * Licensed under the MIT License.
@@ -283,7 +283,7 @@
283
283
  // Token renewal offset default in seconds
284
284
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
285
285
 
286
- /*! @azure/msal-common v15.13.0 2025-10-17 */
286
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
287
287
  /*
288
288
  * Copyright (c) Microsoft Corporation. All rights reserved.
289
289
  * Licensed under the MIT License.
@@ -300,7 +300,7 @@
300
300
  unexpectedError: unexpectedError
301
301
  });
302
302
 
303
- /*! @azure/msal-common v15.13.0 2025-10-17 */
303
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
304
304
 
305
305
  /*
306
306
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -349,7 +349,7 @@
349
349
  : AuthErrorMessages[code]);
350
350
  }
351
351
 
352
- /*! @azure/msal-common v15.13.0 2025-10-17 */
352
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
353
353
  /*
354
354
  * Copyright (c) Microsoft Corporation. All rights reserved.
355
355
  * Licensed under the MIT License.
@@ -447,7 +447,7 @@
447
447
  userTimeoutReached: userTimeoutReached
448
448
  });
449
449
 
450
- /*! @azure/msal-common v15.13.0 2025-10-17 */
450
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
451
451
 
452
452
  /*
453
453
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -699,7 +699,7 @@
699
699
  return new ClientAuthError(errorCode, additionalMessage);
700
700
  }
701
701
 
702
- /*! @azure/msal-common v15.13.0 2025-10-17 */
702
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
703
703
 
704
704
  /*
705
705
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -738,7 +738,7 @@
738
738
  },
739
739
  };
740
740
 
741
- /*! @azure/msal-common v15.13.0 2025-10-17 */
741
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
742
742
 
743
743
  /*
744
744
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -929,12 +929,12 @@
929
929
  }
930
930
  }
931
931
 
932
- /*! @azure/msal-common v15.13.0 2025-10-17 */
932
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
933
933
  /* eslint-disable header/header */
934
934
  const name$1 = "@azure/msal-common";
935
- const version$1 = "15.13.0";
935
+ const version$1 = "15.13.1";
936
936
 
937
- /*! @azure/msal-common v15.13.0 2025-10-17 */
937
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
938
938
  /*
939
939
  * Copyright (c) Microsoft Corporation. All rights reserved.
940
940
  * Licensed under the MIT License.
@@ -954,7 +954,7 @@
954
954
  AzureUsGovernment: "https://login.microsoftonline.us",
955
955
  };
956
956
 
957
- /*! @azure/msal-common v15.13.0 2025-10-17 */
957
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
958
958
  /*
959
959
  * Copyright (c) Microsoft Corporation. All rights reserved.
960
960
  * Licensed under the MIT License.
@@ -1010,7 +1010,7 @@
1010
1010
  urlParseError: urlParseError
1011
1011
  });
1012
1012
 
1013
- /*! @azure/msal-common v15.13.0 2025-10-17 */
1013
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1014
1014
 
1015
1015
  /*
1016
1016
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1153,7 +1153,7 @@
1153
1153
  return new ClientConfigurationError(errorCode);
1154
1154
  }
1155
1155
 
1156
- /*! @azure/msal-common v15.13.0 2025-10-17 */
1156
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1157
1157
  /*
1158
1158
  * Copyright (c) Microsoft Corporation. All rights reserved.
1159
1159
  * Licensed under the MIT License.
@@ -1250,7 +1250,7 @@
1250
1250
  }
1251
1251
  }
1252
1252
 
1253
- /*! @azure/msal-common v15.13.0 2025-10-17 */
1253
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1254
1254
 
1255
1255
  /*
1256
1256
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1445,7 +1445,47 @@
1445
1445
  }
1446
1446
  }
1447
1447
 
1448
- /*! @azure/msal-common v15.13.0 2025-10-17 */
1448
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1449
+
1450
+ /*
1451
+ * Copyright (c) Microsoft Corporation. All rights reserved.
1452
+ * Licensed under the MIT License.
1453
+ */
1454
+ /**
1455
+ * Function to build a client info object from server clientInfo string
1456
+ * @param rawClientInfo
1457
+ * @param crypto
1458
+ */
1459
+ function buildClientInfo(rawClientInfo, base64Decode) {
1460
+ if (!rawClientInfo) {
1461
+ throw createClientAuthError(clientInfoEmptyError);
1462
+ }
1463
+ try {
1464
+ const decodedClientInfo = base64Decode(rawClientInfo);
1465
+ return JSON.parse(decodedClientInfo);
1466
+ }
1467
+ catch (e) {
1468
+ throw createClientAuthError(clientInfoDecodingError);
1469
+ }
1470
+ }
1471
+ /**
1472
+ * Function to build a client info object from cached homeAccountId string
1473
+ * @param homeAccountId
1474
+ */
1475
+ function buildClientInfoFromHomeAccountId(homeAccountId) {
1476
+ if (!homeAccountId) {
1477
+ throw createClientAuthError(clientInfoDecodingError);
1478
+ }
1479
+ const clientInfoParts = homeAccountId.split(Separators.CLIENT_INFO_SEPARATOR, 2);
1480
+ return {
1481
+ uid: clientInfoParts[0],
1482
+ utid: clientInfoParts.length < 2
1483
+ ? Constants.EMPTY_STRING
1484
+ : clientInfoParts[1],
1485
+ };
1486
+ }
1487
+
1488
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1449
1489
  /*
1450
1490
  * Copyright (c) Microsoft Corporation. All rights reserved.
1451
1491
  * Licensed under the MIT License.
@@ -1527,7 +1567,289 @@
1527
1567
  return updatedAccountInfo;
1528
1568
  }
1529
1569
 
1530
- /*! @azure/msal-common v15.13.0 2025-10-17 */
1570
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1571
+ /*
1572
+ * Copyright (c) Microsoft Corporation. All rights reserved.
1573
+ * Licensed under the MIT License.
1574
+ */
1575
+ /**
1576
+ * Authority types supported by MSAL.
1577
+ */
1578
+ const AuthorityType = {
1579
+ Default: 0,
1580
+ Adfs: 1,
1581
+ Dsts: 2,
1582
+ Ciam: 3,
1583
+ };
1584
+
1585
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1586
+ /*
1587
+ * Copyright (c) Microsoft Corporation. All rights reserved.
1588
+ * Licensed under the MIT License.
1589
+ */
1590
+ /**
1591
+ * Gets tenantId from available ID token claims to set as credential realm with the following precedence:
1592
+ * 1. tid - if the token is acquired from an Azure AD tenant tid will be present
1593
+ * 2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
1594
+ * 3. acr - if the token is acquired from a legacy B2C tenant acr should be present
1595
+ * Downcased to match the realm case-insensitive comparison requirements
1596
+ * @param idTokenClaims
1597
+ * @returns
1598
+ */
1599
+ function getTenantIdFromIdTokenClaims(idTokenClaims) {
1600
+ if (idTokenClaims) {
1601
+ const tenantId = idTokenClaims.tid || idTokenClaims.tfp || idTokenClaims.acr;
1602
+ return tenantId || null;
1603
+ }
1604
+ return null;
1605
+ }
1606
+
1607
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1608
+ /*
1609
+ * Copyright (c) Microsoft Corporation. All rights reserved.
1610
+ * Licensed under the MIT License.
1611
+ */
1612
+ /**
1613
+ * Protocol modes supported by MSAL.
1614
+ */
1615
+ const ProtocolMode = {
1616
+ /**
1617
+ * Auth Code + PKCE with Entra ID (formerly AAD) specific optimizations and features
1618
+ */
1619
+ AAD: "AAD",
1620
+ /**
1621
+ * Auth Code + PKCE without Entra ID specific optimizations and features. For use only with non-Microsoft owned authorities.
1622
+ * Support is limited for this mode.
1623
+ */
1624
+ OIDC: "OIDC",
1625
+ /**
1626
+ * Encrypted Authorize Response (EAR) with Entra ID specific optimizations and features
1627
+ */
1628
+ EAR: "EAR",
1629
+ };
1630
+
1631
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1632
+
1633
+ /*
1634
+ * Copyright (c) Microsoft Corporation. All rights reserved.
1635
+ * Licensed under the MIT License.
1636
+ */
1637
+ /**
1638
+ * Type that defines required and optional parameters for an Account field (based on universal cache schema implemented by all MSALs).
1639
+ *
1640
+ * Key : Value Schema
1641
+ *
1642
+ * Key: <home_account_id>-<environment>-<realm*>
1643
+ *
1644
+ * Value Schema:
1645
+ * {
1646
+ * homeAccountId: home account identifier for the auth scheme,
1647
+ * environment: entity that issued the token, represented as a full host
1648
+ * realm: Full tenant or organizational identifier that the account belongs to
1649
+ * localAccountId: Original tenant-specific accountID, usually used for legacy cases
1650
+ * username: primary username that represents the user, usually corresponds to preferred_username in the v2 endpt
1651
+ * authorityType: Accounts authority type as a string
1652
+ * name: Full name for the account, including given name and family name,
1653
+ * lastModificationTime: last time this entity was modified in the cache
1654
+ * lastModificationApp:
1655
+ * nativeAccountId: Account identifier on the native device
1656
+ * tenantProfiles: Array of tenant profile objects for each tenant that the account has authenticated with in the browser
1657
+ * }
1658
+ * @internal
1659
+ */
1660
+ class AccountEntity {
1661
+ /**
1662
+ * Returns the AccountInfo interface for this account.
1663
+ */
1664
+ static getAccountInfo(accountEntity) {
1665
+ return {
1666
+ homeAccountId: accountEntity.homeAccountId,
1667
+ environment: accountEntity.environment,
1668
+ tenantId: accountEntity.realm,
1669
+ username: accountEntity.username,
1670
+ localAccountId: accountEntity.localAccountId,
1671
+ loginHint: accountEntity.loginHint,
1672
+ name: accountEntity.name,
1673
+ nativeAccountId: accountEntity.nativeAccountId,
1674
+ authorityType: accountEntity.authorityType,
1675
+ // Deserialize tenant profiles array into a Map
1676
+ tenantProfiles: new Map((accountEntity.tenantProfiles || []).map((tenantProfile) => {
1677
+ return [tenantProfile.tenantId, tenantProfile];
1678
+ })),
1679
+ dataBoundary: accountEntity.dataBoundary,
1680
+ };
1681
+ }
1682
+ /**
1683
+ * Returns true if the account entity is in single tenant format (outdated), false otherwise
1684
+ */
1685
+ isSingleTenant() {
1686
+ return !this.tenantProfiles;
1687
+ }
1688
+ /**
1689
+ * Build Account cache from IdToken, clientInfo and authority/policy. Associated with AAD.
1690
+ * @param accountDetails
1691
+ */
1692
+ static createAccount(accountDetails, authority, base64Decode) {
1693
+ const account = new AccountEntity();
1694
+ if (authority.authorityType === AuthorityType.Adfs) {
1695
+ account.authorityType = CacheAccountType.ADFS_ACCOUNT_TYPE;
1696
+ }
1697
+ else if (authority.protocolMode === ProtocolMode.OIDC) {
1698
+ account.authorityType = CacheAccountType.GENERIC_ACCOUNT_TYPE;
1699
+ }
1700
+ else {
1701
+ account.authorityType = CacheAccountType.MSSTS_ACCOUNT_TYPE;
1702
+ }
1703
+ let clientInfo;
1704
+ if (accountDetails.clientInfo && base64Decode) {
1705
+ clientInfo = buildClientInfo(accountDetails.clientInfo, base64Decode);
1706
+ if (clientInfo.xms_tdbr) {
1707
+ account.dataBoundary =
1708
+ clientInfo.xms_tdbr === "EU" ? "EU" : "None";
1709
+ }
1710
+ }
1711
+ account.clientInfo = accountDetails.clientInfo;
1712
+ account.homeAccountId = accountDetails.homeAccountId;
1713
+ account.nativeAccountId = accountDetails.nativeAccountId;
1714
+ const env = accountDetails.environment ||
1715
+ (authority && authority.getPreferredCache());
1716
+ if (!env) {
1717
+ throw createClientAuthError(invalidCacheEnvironment);
1718
+ }
1719
+ account.environment = env;
1720
+ // non AAD scenarios can have empty realm
1721
+ account.realm =
1722
+ clientInfo?.utid ||
1723
+ getTenantIdFromIdTokenClaims(accountDetails.idTokenClaims) ||
1724
+ "";
1725
+ // How do you account for MSA CID here?
1726
+ account.localAccountId =
1727
+ clientInfo?.uid ||
1728
+ accountDetails.idTokenClaims?.oid ||
1729
+ accountDetails.idTokenClaims?.sub ||
1730
+ "";
1731
+ /*
1732
+ * In B2C scenarios the emails claim is used instead of preferred_username and it is an array.
1733
+ * In most cases it will contain a single email. This field should not be relied upon if a custom
1734
+ * policy is configured to return more than 1 email.
1735
+ */
1736
+ const preferredUsername = accountDetails.idTokenClaims?.preferred_username ||
1737
+ accountDetails.idTokenClaims?.upn;
1738
+ const email = accountDetails.idTokenClaims?.emails
1739
+ ? accountDetails.idTokenClaims.emails[0]
1740
+ : null;
1741
+ account.username = preferredUsername || email || "";
1742
+ account.loginHint = accountDetails.idTokenClaims?.login_hint;
1743
+ account.name = accountDetails.idTokenClaims?.name || "";
1744
+ account.cloudGraphHostName = accountDetails.cloudGraphHostName;
1745
+ account.msGraphHost = accountDetails.msGraphHost;
1746
+ if (accountDetails.tenantProfiles) {
1747
+ account.tenantProfiles = accountDetails.tenantProfiles;
1748
+ }
1749
+ else {
1750
+ const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, account.localAccountId, account.realm, accountDetails.idTokenClaims);
1751
+ account.tenantProfiles = [tenantProfile];
1752
+ }
1753
+ return account;
1754
+ }
1755
+ /**
1756
+ * Creates an AccountEntity object from AccountInfo
1757
+ * @param accountInfo
1758
+ * @param cloudGraphHostName
1759
+ * @param msGraphHost
1760
+ * @returns
1761
+ */
1762
+ static createFromAccountInfo(accountInfo, cloudGraphHostName, msGraphHost) {
1763
+ const account = new AccountEntity();
1764
+ account.authorityType =
1765
+ accountInfo.authorityType || CacheAccountType.GENERIC_ACCOUNT_TYPE;
1766
+ account.homeAccountId = accountInfo.homeAccountId;
1767
+ account.localAccountId = accountInfo.localAccountId;
1768
+ account.nativeAccountId = accountInfo.nativeAccountId;
1769
+ account.realm = accountInfo.tenantId;
1770
+ account.environment = accountInfo.environment;
1771
+ account.username = accountInfo.username;
1772
+ account.name = accountInfo.name;
1773
+ account.loginHint = accountInfo.loginHint;
1774
+ account.cloudGraphHostName = cloudGraphHostName;
1775
+ account.msGraphHost = msGraphHost;
1776
+ // Serialize tenant profiles map into an array
1777
+ account.tenantProfiles = Array.from(accountInfo.tenantProfiles?.values() || []);
1778
+ account.dataBoundary = accountInfo.dataBoundary;
1779
+ return account;
1780
+ }
1781
+ /**
1782
+ * Generate HomeAccountId from server response
1783
+ * @param serverClientInfo
1784
+ * @param authType
1785
+ */
1786
+ static generateHomeAccountId(serverClientInfo, authType, logger, cryptoObj, idTokenClaims) {
1787
+ // since ADFS/DSTS do not have tid and does not set client_info
1788
+ if (!(authType === AuthorityType.Adfs ||
1789
+ authType === AuthorityType.Dsts)) {
1790
+ // for cases where there is clientInfo
1791
+ if (serverClientInfo) {
1792
+ try {
1793
+ const clientInfo = buildClientInfo(serverClientInfo, cryptoObj.base64Decode);
1794
+ if (clientInfo.uid && clientInfo.utid) {
1795
+ return `${clientInfo.uid}.${clientInfo.utid}`;
1796
+ }
1797
+ }
1798
+ catch (e) { }
1799
+ }
1800
+ logger.warning("No client info in response");
1801
+ }
1802
+ // default to "sub" claim
1803
+ return idTokenClaims?.sub || "";
1804
+ }
1805
+ /**
1806
+ * Validates an entity: checks for all expected params
1807
+ * @param entity
1808
+ */
1809
+ static isAccountEntity(entity) {
1810
+ if (!entity) {
1811
+ return false;
1812
+ }
1813
+ return (entity.hasOwnProperty("homeAccountId") &&
1814
+ entity.hasOwnProperty("environment") &&
1815
+ entity.hasOwnProperty("realm") &&
1816
+ entity.hasOwnProperty("localAccountId") &&
1817
+ entity.hasOwnProperty("username") &&
1818
+ entity.hasOwnProperty("authorityType"));
1819
+ }
1820
+ /**
1821
+ * Helper function to determine whether 2 accountInfo objects represent the same account
1822
+ * @param accountA
1823
+ * @param accountB
1824
+ * @param compareClaims - If set to true idTokenClaims will also be compared to determine account equality
1825
+ */
1826
+ static accountInfoIsEqual(accountA, accountB, compareClaims) {
1827
+ if (!accountA || !accountB) {
1828
+ return false;
1829
+ }
1830
+ let claimsMatch = true; // default to true so as to not fail comparison below if compareClaims: false
1831
+ if (compareClaims) {
1832
+ const accountAClaims = (accountA.idTokenClaims ||
1833
+ {});
1834
+ const accountBClaims = (accountB.idTokenClaims ||
1835
+ {});
1836
+ // issued at timestamp and nonce are expected to change each time a new id token is acquired
1837
+ claimsMatch =
1838
+ accountAClaims.iat === accountBClaims.iat &&
1839
+ accountAClaims.nonce === accountBClaims.nonce;
1840
+ }
1841
+ return (accountA.homeAccountId === accountB.homeAccountId &&
1842
+ accountA.localAccountId === accountB.localAccountId &&
1843
+ accountA.username === accountB.username &&
1844
+ accountA.tenantId === accountB.tenantId &&
1845
+ accountA.loginHint === accountB.loginHint &&
1846
+ accountA.environment === accountB.environment &&
1847
+ accountA.nativeAccountId === accountB.nativeAccountId &&
1848
+ claimsMatch);
1849
+ }
1850
+ }
1851
+
1852
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1531
1853
 
1532
1854
  /*
1533
1855
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1550,6 +1872,26 @@
1550
1872
  throw createClientAuthError(tokenParsingError);
1551
1873
  }
1552
1874
  }
1875
+ /**
1876
+ * Check if the signin_state claim contains "kmsi"
1877
+ * @param idTokenClaims
1878
+ * @returns
1879
+ */
1880
+ function isKmsi(idTokenClaims) {
1881
+ if (!idTokenClaims.signin_state) {
1882
+ return false;
1883
+ }
1884
+ /**
1885
+ * Signin_state claim known values:
1886
+ * dvc_mngd - device is managed
1887
+ * dvc_dmjd - device is domain joined
1888
+ * kmsi - user opted to "keep me signed in"
1889
+ * inknownntwk - Request made inside a known network. Don't use this, use CAE instead.
1890
+ */
1891
+ const kmsiClaims = ["kmsi", "dvc_dmjd"]; // There are some cases where kmsi may not be returned but persistent storage is still OK - allow dvc_dmjd as well
1892
+ const kmsi = idTokenClaims.signin_state.some((value) => kmsiClaims.includes(value.trim().toLowerCase()));
1893
+ return kmsi;
1894
+ }
1553
1895
  /**
1554
1896
  * decode a JWT
1555
1897
  *
@@ -1588,7 +1930,7 @@
1588
1930
  }
1589
1931
  }
1590
1932
 
1591
- /*! @azure/msal-common v15.13.0 2025-10-17 */
1933
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1592
1934
 
1593
1935
  /*
1594
1936
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1704,7 +2046,7 @@
1704
2046
  }
1705
2047
  }
1706
2048
 
1707
- /*! @azure/msal-common v15.13.0 2025-10-17 */
2049
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1708
2050
 
1709
2051
  /*
1710
2052
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1868,7 +2210,7 @@
1868
2210
  }
1869
2211
  }
1870
2212
 
1871
- /*! @azure/msal-common v15.13.0 2025-10-17 */
2213
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
1872
2214
 
1873
2215
  /*
1874
2216
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2007,7 +2349,7 @@
2007
2349
  return null;
2008
2350
  }
2009
2351
 
2010
- /*! @azure/msal-common v15.13.0 2025-10-17 */
2352
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
2011
2353
  /*
2012
2354
  * Copyright (c) Microsoft Corporation. All rights reserved.
2013
2355
  * Licensed under the MIT License.
@@ -2015,7 +2357,7 @@
2015
2357
  const cacheQuotaExceeded = "cache_quota_exceeded";
2016
2358
  const cacheErrorUnknown = "cache_error_unknown";
2017
2359
 
2018
- /*! @azure/msal-common v15.13.0 2025-10-17 */
2360
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
2019
2361
 
2020
2362
  /*
2021
2363
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2060,7 +2402,7 @@
2060
2402
  }
2061
2403
  }
2062
2404
 
2063
- /*! @azure/msal-common v15.13.0 2025-10-17 */
2405
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
2064
2406
 
2065
2407
  /*
2066
2408
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2119,7 +2461,7 @@
2119
2461
  getBaseAccountInfo(accountFilter, correlationId) {
2120
2462
  const accountEntities = this.getAccountsFilteredBy(accountFilter, correlationId);
2121
2463
  if (accountEntities.length > 0) {
2122
- return accountEntities[0].getAccountInfo();
2464
+ return AccountEntity.getAccountInfo(accountEntities[0]);
2123
2465
  }
2124
2466
  else {
2125
2467
  return null;
@@ -2158,7 +2500,7 @@
2158
2500
  return tenantedAccountInfo;
2159
2501
  }
2160
2502
  getTenantProfilesFromAccountEntity(accountEntity, correlationId, targetTenantId, tenantProfileFilter) {
2161
- const accountInfo = accountEntity.getAccountInfo();
2503
+ const accountInfo = AccountEntity.getAccountInfo(accountEntity);
2162
2504
  let searchTenantProfiles = accountInfo.tenantProfiles || new Map();
2163
2505
  const tokenKeys = this.getTokenKeys();
2164
2506
  // If a tenant ID was provided, only return the tenant profile for that tenant ID if it exists
@@ -2228,27 +2570,28 @@
2228
2570
  /**
2229
2571
  * saves a cache record
2230
2572
  * @param cacheRecord {CacheRecord}
2231
- * @param storeInCache {?StoreInCache}
2232
2573
  * @param correlationId {?string} correlation id
2574
+ * @param kmsi - Keep Me Signed In
2575
+ * @param storeInCache {?StoreInCache}
2233
2576
  */
2234
- async saveCacheRecord(cacheRecord, correlationId, storeInCache) {
2577
+ async saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache) {
2235
2578
  if (!cacheRecord) {
2236
2579
  throw createClientAuthError(invalidCacheRecord);
2237
2580
  }
2238
2581
  try {
2239
2582
  if (!!cacheRecord.account) {
2240
- await this.setAccount(cacheRecord.account, correlationId);
2583
+ await this.setAccount(cacheRecord.account, correlationId, kmsi);
2241
2584
  }
2242
2585
  if (!!cacheRecord.idToken && storeInCache?.idToken !== false) {
2243
- await this.setIdTokenCredential(cacheRecord.idToken, correlationId);
2586
+ await this.setIdTokenCredential(cacheRecord.idToken, correlationId, kmsi);
2244
2587
  }
2245
2588
  if (!!cacheRecord.accessToken &&
2246
2589
  storeInCache?.accessToken !== false) {
2247
- await this.saveAccessToken(cacheRecord.accessToken, correlationId);
2590
+ await this.saveAccessToken(cacheRecord.accessToken, correlationId, kmsi);
2248
2591
  }
2249
2592
  if (!!cacheRecord.refreshToken &&
2250
2593
  storeInCache?.refreshToken !== false) {
2251
- await this.setRefreshTokenCredential(cacheRecord.refreshToken, correlationId);
2594
+ await this.setRefreshTokenCredential(cacheRecord.refreshToken, correlationId, kmsi);
2252
2595
  }
2253
2596
  if (!!cacheRecord.appMetadata) {
2254
2597
  this.setAppMetadata(cacheRecord.appMetadata, correlationId);
@@ -2268,7 +2611,7 @@
2268
2611
  * saves access token credential
2269
2612
  * @param credential
2270
2613
  */
2271
- async saveAccessToken(credential, correlationId) {
2614
+ async saveAccessToken(credential, correlationId, kmsi) {
2272
2615
  const accessTokenFilter = {
2273
2616
  clientId: credential.clientId,
2274
2617
  credentialType: credential.credentialType,
@@ -2293,7 +2636,7 @@
2293
2636
  }
2294
2637
  }
2295
2638
  });
2296
- await this.setAccessTokenCredential(credential, correlationId);
2639
+ await this.setAccessTokenCredential(credential, correlationId, kmsi);
2297
2640
  }
2298
2641
  /**
2299
2642
  * Retrieve account entities matching all provided tenant-agnostic filters; if no filter is set, get all account entities in the cache
@@ -3169,31 +3512,7 @@
3169
3512
  }
3170
3513
  }
3171
3514
 
3172
- /*! @azure/msal-common v15.13.0 2025-10-17 */
3173
- /*
3174
- * Copyright (c) Microsoft Corporation. All rights reserved.
3175
- * Licensed under the MIT License.
3176
- */
3177
- /**
3178
- * Protocol modes supported by MSAL.
3179
- */
3180
- const ProtocolMode = {
3181
- /**
3182
- * Auth Code + PKCE with Entra ID (formerly AAD) specific optimizations and features
3183
- */
3184
- AAD: "AAD",
3185
- /**
3186
- * Auth Code + PKCE without Entra ID specific optimizations and features. For use only with non-Microsoft owned authorities.
3187
- * Support is limited for this mode.
3188
- */
3189
- OIDC: "OIDC",
3190
- /**
3191
- * Encrypted Authorize Response (EAR) with Entra ID specific optimizations and features
3192
- */
3193
- EAR: "EAR",
3194
- };
3195
-
3196
- /*! @azure/msal-common v15.13.0 2025-10-17 */
3515
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
3197
3516
  /*
3198
3517
  * Copyright (c) Microsoft Corporation. All rights reserved.
3199
3518
  * Licensed under the MIT License.
@@ -3715,7 +4034,7 @@
3715
4034
  "upgradedCacheCount",
3716
4035
  ]);
3717
4036
 
3718
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4037
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
3719
4038
 
3720
4039
  /*
3721
4040
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3794,7 +4113,7 @@
3794
4113
  }
3795
4114
  }
3796
4115
 
3797
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4116
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
3798
4117
 
3799
4118
  /*
3800
4119
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3872,79 +4191,39 @@
3872
4191
  serializableCache: serializableCache || null,
3873
4192
  };
3874
4193
  }
3875
- /**
3876
- * Construct authoptions from the client and platform passed values
3877
- * @param authOptions
3878
- */
3879
- function buildAuthOptions(authOptions) {
3880
- return {
3881
- clientCapabilities: [],
3882
- azureCloudOptions: DEFAULT_AZURE_CLOUD_OPTIONS,
3883
- skipAuthorityMetadataCache: false,
3884
- instanceAware: false,
3885
- encodeExtraQueryParams: false,
3886
- ...authOptions,
3887
- };
3888
- }
3889
- /**
3890
- * Returns true if config has protocolMode set to ProtocolMode.OIDC, false otherwise
3891
- * @param ClientConfiguration
3892
- */
3893
- function isOidcProtocolMode(config) {
3894
- return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3895
- }
3896
-
3897
- /*! @azure/msal-common v15.13.0 2025-10-17 */
3898
- /*
3899
- * Copyright (c) Microsoft Corporation. All rights reserved.
3900
- * Licensed under the MIT License.
3901
- */
3902
- const CcsCredentialType = {
3903
- HOME_ACCOUNT_ID: "home_account_id",
3904
- UPN: "UPN",
3905
- };
3906
-
3907
- /*! @azure/msal-common v15.13.0 2025-10-17 */
3908
-
3909
- /*
3910
- * Copyright (c) Microsoft Corporation. All rights reserved.
3911
- * Licensed under the MIT License.
3912
- */
3913
- /**
3914
- * Function to build a client info object from server clientInfo string
3915
- * @param rawClientInfo
3916
- * @param crypto
3917
- */
3918
- function buildClientInfo(rawClientInfo, base64Decode) {
3919
- if (!rawClientInfo) {
3920
- throw createClientAuthError(clientInfoEmptyError);
3921
- }
3922
- try {
3923
- const decodedClientInfo = base64Decode(rawClientInfo);
3924
- return JSON.parse(decodedClientInfo);
3925
- }
3926
- catch (e) {
3927
- throw createClientAuthError(clientInfoDecodingError);
3928
- }
3929
- }
3930
- /**
3931
- * Function to build a client info object from cached homeAccountId string
3932
- * @param homeAccountId
4194
+ /**
4195
+ * Construct authoptions from the client and platform passed values
4196
+ * @param authOptions
3933
4197
  */
3934
- function buildClientInfoFromHomeAccountId(homeAccountId) {
3935
- if (!homeAccountId) {
3936
- throw createClientAuthError(clientInfoDecodingError);
3937
- }
3938
- const clientInfoParts = homeAccountId.split(Separators.CLIENT_INFO_SEPARATOR, 2);
4198
+ function buildAuthOptions(authOptions) {
3939
4199
  return {
3940
- uid: clientInfoParts[0],
3941
- utid: clientInfoParts.length < 2
3942
- ? Constants.EMPTY_STRING
3943
- : clientInfoParts[1],
4200
+ clientCapabilities: [],
4201
+ azureCloudOptions: DEFAULT_AZURE_CLOUD_OPTIONS,
4202
+ skipAuthorityMetadataCache: false,
4203
+ instanceAware: false,
4204
+ encodeExtraQueryParams: false,
4205
+ ...authOptions,
3944
4206
  };
4207
+ }
4208
+ /**
4209
+ * Returns true if config has protocolMode set to ProtocolMode.OIDC, false otherwise
4210
+ * @param ClientConfiguration
4211
+ */
4212
+ function isOidcProtocolMode(config) {
4213
+ return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3945
4214
  }
3946
4215
 
3947
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4216
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4217
+ /*
4218
+ * Copyright (c) Microsoft Corporation. All rights reserved.
4219
+ * Licensed under the MIT License.
4220
+ */
4221
+ const CcsCredentialType = {
4222
+ HOME_ACCOUNT_ID: "home_account_id",
4223
+ UPN: "UPN",
4224
+ };
4225
+
4226
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
3948
4227
  /*
3949
4228
  * Copyright (c) Microsoft Corporation. All rights reserved.
3950
4229
  * Licensed under the MIT License.
@@ -3994,7 +4273,7 @@
3994
4273
  const EAR_JWK = "ear_jwk";
3995
4274
  const EAR_JWE_CRYPTO = "ear_jwe_crypto";
3996
4275
 
3997
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4276
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
3998
4277
 
3999
4278
  /*
4000
4279
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4374,22 +4653,7 @@
4374
4653
  });
4375
4654
  }
4376
4655
 
4377
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4378
- /*
4379
- * Copyright (c) Microsoft Corporation. All rights reserved.
4380
- * Licensed under the MIT License.
4381
- */
4382
- /**
4383
- * Authority types supported by MSAL.
4384
- */
4385
- const AuthorityType = {
4386
- Default: 0,
4387
- Adfs: 1,
4388
- Dsts: 2,
4389
- Ciam: 3,
4390
- };
4391
-
4392
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4656
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4393
4657
  /*
4394
4658
  * Copyright (c) Microsoft Corporation. All rights reserved.
4395
4659
  * Licensed under the MIT License.
@@ -4401,7 +4665,7 @@
4401
4665
  response.hasOwnProperty("jwks_uri"));
4402
4666
  }
4403
4667
 
4404
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4668
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4405
4669
  /*
4406
4670
  * Copyright (c) Microsoft Corporation. All rights reserved.
4407
4671
  * Licensed under the MIT License.
@@ -4411,7 +4675,7 @@
4411
4675
  response.hasOwnProperty("metadata"));
4412
4676
  }
4413
4677
 
4414
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4678
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4415
4679
  /*
4416
4680
  * Copyright (c) Microsoft Corporation. All rights reserved.
4417
4681
  * Licensed under the MIT License.
@@ -4421,7 +4685,7 @@
4421
4685
  response.hasOwnProperty("error_description"));
4422
4686
  }
4423
4687
 
4424
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4688
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4425
4689
  /*
4426
4690
  * Copyright (c) Microsoft Corporation. All rights reserved.
4427
4691
  * Licensed under the MIT License.
@@ -4517,7 +4781,7 @@
4517
4781
  };
4518
4782
  };
4519
4783
 
4520
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4784
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4521
4785
 
4522
4786
  /*
4523
4787
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4623,7 +4887,7 @@
4623
4887
  },
4624
4888
  };
4625
4889
 
4626
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4890
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4627
4891
  /*
4628
4892
  * Copyright (c) Microsoft Corporation. All rights reserved.
4629
4893
  * Licensed under the MIT License.
@@ -4688,7 +4952,7 @@
4688
4952
  return cachedAtSec > nowSeconds();
4689
4953
  }
4690
4954
 
4691
- /*! @azure/msal-common v15.13.0 2025-10-17 */
4955
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4692
4956
 
4693
4957
  /*
4694
4958
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4950,7 +5214,7 @@
4950
5214
  return metadata.expiresAt <= nowSeconds();
4951
5215
  }
4952
5216
 
4953
- /*! @azure/msal-common v15.13.0 2025-10-17 */
5217
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
4954
5218
 
4955
5219
  /*
4956
5220
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5789,7 +6053,7 @@
5789
6053
  };
5790
6054
  }
5791
6055
 
5792
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6056
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
5793
6057
 
5794
6058
  /*
5795
6059
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5820,7 +6084,7 @@
5820
6084
  }
5821
6085
  }
5822
6086
 
5823
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6087
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
5824
6088
 
5825
6089
  /*
5826
6090
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5839,7 +6103,7 @@
5839
6103
  }
5840
6104
  }
5841
6105
 
5842
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6106
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
5843
6107
  /*
5844
6108
  * Copyright (c) Microsoft Corporation. All rights reserved.
5845
6109
  * Licensed under the MIT License.
@@ -5860,7 +6124,7 @@
5860
6124
  };
5861
6125
  }
5862
6126
 
5863
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6127
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
5864
6128
 
5865
6129
  /*
5866
6130
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5947,7 +6211,7 @@
5947
6211
  }
5948
6212
  }
5949
6213
 
5950
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6214
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
5951
6215
 
5952
6216
  /*
5953
6217
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5978,7 +6242,7 @@
5978
6242
  return new NetworkError(error, httpStatus, responseHeaders);
5979
6243
  }
5980
6244
 
5981
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6245
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
5982
6246
 
5983
6247
  /*
5984
6248
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6048,328 +6312,85 @@
6048
6312
  response.status < 500 &&
6049
6313
  response.status !== 429) {
6050
6314
  // Telemetry data successfully logged by server, clear Telemetry cache
6051
- this.config.serverTelemetryManager.clearTelemetryCache();
6052
- }
6053
- return response;
6054
- }
6055
- /**
6056
- * Wraps sendPostRequestAsync with necessary preflight and postflight logic
6057
- * @param thumbprint - Request thumbprint for throttling
6058
- * @param tokenEndpoint - Endpoint to make the POST to
6059
- * @param options - Body and Headers to include on the POST request
6060
- * @param correlationId - CorrelationId for telemetry
6061
- */
6062
- async sendPostRequest(thumbprint, tokenEndpoint, options, correlationId) {
6063
- ThrottlingUtils.preProcess(this.cacheManager, thumbprint, correlationId);
6064
- let response;
6065
- try {
6066
- response = await invokeAsync((this.networkClient.sendPostRequestAsync.bind(this.networkClient)), PerformanceEvents.NetworkClientSendPostRequestAsync, this.logger, this.performanceClient, correlationId)(tokenEndpoint, options);
6067
- const responseHeaders = response.headers || {};
6068
- this.performanceClient?.addFields({
6069
- refreshTokenSize: response.body.refresh_token?.length || 0,
6070
- httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
6071
- requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] || "",
6072
- }, correlationId);
6073
- }
6074
- catch (e) {
6075
- if (e instanceof NetworkError) {
6076
- const responseHeaders = e.responseHeaders;
6077
- if (responseHeaders) {
6078
- this.performanceClient?.addFields({
6079
- httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
6080
- requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] ||
6081
- "",
6082
- contentTypeHeader: responseHeaders[HeaderNames.CONTENT_TYPE] ||
6083
- undefined,
6084
- contentLengthHeader: responseHeaders[HeaderNames.CONTENT_LENGTH] ||
6085
- undefined,
6086
- httpStatus: e.httpStatus,
6087
- }, correlationId);
6088
- }
6089
- throw e.error;
6090
- }
6091
- if (e instanceof AuthError) {
6092
- throw e;
6093
- }
6094
- else {
6095
- throw createClientAuthError(networkError);
6096
- }
6097
- }
6098
- ThrottlingUtils.postProcess(this.cacheManager, thumbprint, response, correlationId);
6099
- return response;
6100
- }
6101
- /**
6102
- * Updates the authority object of the client. Endpoint discovery must be completed.
6103
- * @param updatedAuthority
6104
- */
6105
- async updateAuthority(cloudInstanceHostname, correlationId) {
6106
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.UpdateTokenEndpointAuthority, correlationId);
6107
- const cloudInstanceAuthorityUri = `https://${cloudInstanceHostname}/${this.authority.tenant}/`;
6108
- const cloudInstanceAuthority = await createDiscoveredInstance(cloudInstanceAuthorityUri, this.networkClient, this.cacheManager, this.authority.options, this.logger, correlationId, this.performanceClient);
6109
- this.authority = cloudInstanceAuthority;
6110
- }
6111
- /**
6112
- * Creates query string for the /token request
6113
- * @param request
6114
- */
6115
- createTokenQueryParameters(request) {
6116
- const parameters = new Map();
6117
- if (request.embeddedClientId) {
6118
- addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
6119
- }
6120
- if (request.tokenQueryParameters) {
6121
- addExtraQueryParameters(parameters, request.tokenQueryParameters);
6122
- }
6123
- addCorrelationId(parameters, request.correlationId);
6124
- instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6125
- return mapToQueryString(parameters);
6126
- }
6127
- }
6128
-
6129
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6130
- /*
6131
- * Copyright (c) Microsoft Corporation. All rights reserved.
6132
- * Licensed under the MIT License.
6133
- */
6134
- /**
6135
- * Gets tenantId from available ID token claims to set as credential realm with the following precedence:
6136
- * 1. tid - if the token is acquired from an Azure AD tenant tid will be present
6137
- * 2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
6138
- * 3. acr - if the token is acquired from a legacy B2C tenant acr should be present
6139
- * Downcased to match the realm case-insensitive comparison requirements
6140
- * @param idTokenClaims
6141
- * @returns
6142
- */
6143
- function getTenantIdFromIdTokenClaims(idTokenClaims) {
6144
- if (idTokenClaims) {
6145
- const tenantId = idTokenClaims.tid || idTokenClaims.tfp || idTokenClaims.acr;
6146
- return tenantId || null;
6147
- }
6148
- return null;
6149
- }
6150
-
6151
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6152
-
6153
- /*
6154
- * Copyright (c) Microsoft Corporation. All rights reserved.
6155
- * Licensed under the MIT License.
6156
- */
6157
- /**
6158
- * Type that defines required and optional parameters for an Account field (based on universal cache schema implemented by all MSALs).
6159
- *
6160
- * Key : Value Schema
6161
- *
6162
- * Key: <home_account_id>-<environment>-<realm*>
6163
- *
6164
- * Value Schema:
6165
- * {
6166
- * homeAccountId: home account identifier for the auth scheme,
6167
- * environment: entity that issued the token, represented as a full host
6168
- * realm: Full tenant or organizational identifier that the account belongs to
6169
- * localAccountId: Original tenant-specific accountID, usually used for legacy cases
6170
- * username: primary username that represents the user, usually corresponds to preferred_username in the v2 endpt
6171
- * authorityType: Accounts authority type as a string
6172
- * name: Full name for the account, including given name and family name,
6173
- * lastModificationTime: last time this entity was modified in the cache
6174
- * lastModificationApp:
6175
- * nativeAccountId: Account identifier on the native device
6176
- * tenantProfiles: Array of tenant profile objects for each tenant that the account has authenticated with in the browser
6177
- * }
6178
- * @internal
6179
- */
6180
- class AccountEntity {
6181
- /**
6182
- * Returns the AccountInfo interface for this account.
6183
- */
6184
- getAccountInfo() {
6185
- return {
6186
- homeAccountId: this.homeAccountId,
6187
- environment: this.environment,
6188
- tenantId: this.realm,
6189
- username: this.username,
6190
- localAccountId: this.localAccountId,
6191
- loginHint: this.loginHint,
6192
- name: this.name,
6193
- nativeAccountId: this.nativeAccountId,
6194
- authorityType: this.authorityType,
6195
- // Deserialize tenant profiles array into a Map
6196
- tenantProfiles: new Map((this.tenantProfiles || []).map((tenantProfile) => {
6197
- return [tenantProfile.tenantId, tenantProfile];
6198
- })),
6199
- dataBoundary: this.dataBoundary,
6200
- };
6201
- }
6202
- /**
6203
- * Returns true if the account entity is in single tenant format (outdated), false otherwise
6204
- */
6205
- isSingleTenant() {
6206
- return !this.tenantProfiles;
6207
- }
6208
- /**
6209
- * Build Account cache from IdToken, clientInfo and authority/policy. Associated with AAD.
6210
- * @param accountDetails
6211
- */
6212
- static createAccount(accountDetails, authority, base64Decode) {
6213
- const account = new AccountEntity();
6214
- if (authority.authorityType === AuthorityType.Adfs) {
6215
- account.authorityType = CacheAccountType.ADFS_ACCOUNT_TYPE;
6216
- }
6217
- else if (authority.protocolMode === ProtocolMode.OIDC) {
6218
- account.authorityType = CacheAccountType.GENERIC_ACCOUNT_TYPE;
6219
- }
6220
- else {
6221
- account.authorityType = CacheAccountType.MSSTS_ACCOUNT_TYPE;
6222
- }
6223
- let clientInfo;
6224
- if (accountDetails.clientInfo && base64Decode) {
6225
- clientInfo = buildClientInfo(accountDetails.clientInfo, base64Decode);
6226
- if (clientInfo.xms_tdbr) {
6227
- account.dataBoundary =
6228
- clientInfo.xms_tdbr === "EU" ? "EU" : "None";
6229
- }
6230
- }
6231
- account.clientInfo = accountDetails.clientInfo;
6232
- account.homeAccountId = accountDetails.homeAccountId;
6233
- account.nativeAccountId = accountDetails.nativeAccountId;
6234
- const env = accountDetails.environment ||
6235
- (authority && authority.getPreferredCache());
6236
- if (!env) {
6237
- throw createClientAuthError(invalidCacheEnvironment);
6238
- }
6239
- account.environment = env;
6240
- // non AAD scenarios can have empty realm
6241
- account.realm =
6242
- clientInfo?.utid ||
6243
- getTenantIdFromIdTokenClaims(accountDetails.idTokenClaims) ||
6244
- "";
6245
- // How do you account for MSA CID here?
6246
- account.localAccountId =
6247
- clientInfo?.uid ||
6248
- accountDetails.idTokenClaims?.oid ||
6249
- accountDetails.idTokenClaims?.sub ||
6250
- "";
6251
- /*
6252
- * In B2C scenarios the emails claim is used instead of preferred_username and it is an array.
6253
- * In most cases it will contain a single email. This field should not be relied upon if a custom
6254
- * policy is configured to return more than 1 email.
6255
- */
6256
- const preferredUsername = accountDetails.idTokenClaims?.preferred_username ||
6257
- accountDetails.idTokenClaims?.upn;
6258
- const email = accountDetails.idTokenClaims?.emails
6259
- ? accountDetails.idTokenClaims.emails[0]
6260
- : null;
6261
- account.username = preferredUsername || email || "";
6262
- account.loginHint = accountDetails.idTokenClaims?.login_hint;
6263
- account.name = accountDetails.idTokenClaims?.name || "";
6264
- account.cloudGraphHostName = accountDetails.cloudGraphHostName;
6265
- account.msGraphHost = accountDetails.msGraphHost;
6266
- if (accountDetails.tenantProfiles) {
6267
- account.tenantProfiles = accountDetails.tenantProfiles;
6268
- }
6269
- else {
6270
- const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, account.localAccountId, account.realm, accountDetails.idTokenClaims);
6271
- account.tenantProfiles = [tenantProfile];
6315
+ this.config.serverTelemetryManager.clearTelemetryCache();
6272
6316
  }
6273
- return account;
6274
- }
6275
- /**
6276
- * Creates an AccountEntity object from AccountInfo
6277
- * @param accountInfo
6278
- * @param cloudGraphHostName
6279
- * @param msGraphHost
6280
- * @returns
6281
- */
6282
- static createFromAccountInfo(accountInfo, cloudGraphHostName, msGraphHost) {
6283
- const account = new AccountEntity();
6284
- account.authorityType =
6285
- accountInfo.authorityType || CacheAccountType.GENERIC_ACCOUNT_TYPE;
6286
- account.homeAccountId = accountInfo.homeAccountId;
6287
- account.localAccountId = accountInfo.localAccountId;
6288
- account.nativeAccountId = accountInfo.nativeAccountId;
6289
- account.realm = accountInfo.tenantId;
6290
- account.environment = accountInfo.environment;
6291
- account.username = accountInfo.username;
6292
- account.name = accountInfo.name;
6293
- account.loginHint = accountInfo.loginHint;
6294
- account.cloudGraphHostName = cloudGraphHostName;
6295
- account.msGraphHost = msGraphHost;
6296
- // Serialize tenant profiles map into an array
6297
- account.tenantProfiles = Array.from(accountInfo.tenantProfiles?.values() || []);
6298
- account.dataBoundary = accountInfo.dataBoundary;
6299
- return account;
6317
+ return response;
6300
6318
  }
6301
6319
  /**
6302
- * Generate HomeAccountId from server response
6303
- * @param serverClientInfo
6304
- * @param authType
6320
+ * Wraps sendPostRequestAsync with necessary preflight and postflight logic
6321
+ * @param thumbprint - Request thumbprint for throttling
6322
+ * @param tokenEndpoint - Endpoint to make the POST to
6323
+ * @param options - Body and Headers to include on the POST request
6324
+ * @param correlationId - CorrelationId for telemetry
6305
6325
  */
6306
- static generateHomeAccountId(serverClientInfo, authType, logger, cryptoObj, idTokenClaims) {
6307
- // since ADFS/DSTS do not have tid and does not set client_info
6308
- if (!(authType === AuthorityType.Adfs ||
6309
- authType === AuthorityType.Dsts)) {
6310
- // for cases where there is clientInfo
6311
- if (serverClientInfo) {
6312
- try {
6313
- const clientInfo = buildClientInfo(serverClientInfo, cryptoObj.base64Decode);
6314
- if (clientInfo.uid && clientInfo.utid) {
6315
- return `${clientInfo.uid}.${clientInfo.utid}`;
6316
- }
6326
+ async sendPostRequest(thumbprint, tokenEndpoint, options, correlationId) {
6327
+ ThrottlingUtils.preProcess(this.cacheManager, thumbprint, correlationId);
6328
+ let response;
6329
+ try {
6330
+ response = await invokeAsync((this.networkClient.sendPostRequestAsync.bind(this.networkClient)), PerformanceEvents.NetworkClientSendPostRequestAsync, this.logger, this.performanceClient, correlationId)(tokenEndpoint, options);
6331
+ const responseHeaders = response.headers || {};
6332
+ this.performanceClient?.addFields({
6333
+ refreshTokenSize: response.body.refresh_token?.length || 0,
6334
+ httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
6335
+ requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] || "",
6336
+ }, correlationId);
6337
+ }
6338
+ catch (e) {
6339
+ if (e instanceof NetworkError) {
6340
+ const responseHeaders = e.responseHeaders;
6341
+ if (responseHeaders) {
6342
+ this.performanceClient?.addFields({
6343
+ httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
6344
+ requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] ||
6345
+ "",
6346
+ contentTypeHeader: responseHeaders[HeaderNames.CONTENT_TYPE] ||
6347
+ undefined,
6348
+ contentLengthHeader: responseHeaders[HeaderNames.CONTENT_LENGTH] ||
6349
+ undefined,
6350
+ httpStatus: e.httpStatus,
6351
+ }, correlationId);
6317
6352
  }
6318
- catch (e) { }
6353
+ throw e.error;
6354
+ }
6355
+ if (e instanceof AuthError) {
6356
+ throw e;
6357
+ }
6358
+ else {
6359
+ throw createClientAuthError(networkError);
6319
6360
  }
6320
- logger.warning("No client info in response");
6321
6361
  }
6322
- // default to "sub" claim
6323
- return idTokenClaims?.sub || "";
6362
+ ThrottlingUtils.postProcess(this.cacheManager, thumbprint, response, correlationId);
6363
+ return response;
6324
6364
  }
6325
6365
  /**
6326
- * Validates an entity: checks for all expected params
6327
- * @param entity
6366
+ * Updates the authority object of the client. Endpoint discovery must be completed.
6367
+ * @param updatedAuthority
6328
6368
  */
6329
- static isAccountEntity(entity) {
6330
- if (!entity) {
6331
- return false;
6332
- }
6333
- return (entity.hasOwnProperty("homeAccountId") &&
6334
- entity.hasOwnProperty("environment") &&
6335
- entity.hasOwnProperty("realm") &&
6336
- entity.hasOwnProperty("localAccountId") &&
6337
- entity.hasOwnProperty("username") &&
6338
- entity.hasOwnProperty("authorityType"));
6369
+ async updateAuthority(cloudInstanceHostname, correlationId) {
6370
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.UpdateTokenEndpointAuthority, correlationId);
6371
+ const cloudInstanceAuthorityUri = `https://${cloudInstanceHostname}/${this.authority.tenant}/`;
6372
+ const cloudInstanceAuthority = await createDiscoveredInstance(cloudInstanceAuthorityUri, this.networkClient, this.cacheManager, this.authority.options, this.logger, correlationId, this.performanceClient);
6373
+ this.authority = cloudInstanceAuthority;
6339
6374
  }
6340
6375
  /**
6341
- * Helper function to determine whether 2 accountInfo objects represent the same account
6342
- * @param accountA
6343
- * @param accountB
6344
- * @param compareClaims - If set to true idTokenClaims will also be compared to determine account equality
6376
+ * Creates query string for the /token request
6377
+ * @param request
6345
6378
  */
6346
- static accountInfoIsEqual(accountA, accountB, compareClaims) {
6347
- if (!accountA || !accountB) {
6348
- return false;
6379
+ createTokenQueryParameters(request) {
6380
+ const parameters = new Map();
6381
+ if (request.embeddedClientId) {
6382
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
6349
6383
  }
6350
- let claimsMatch = true; // default to true so as to not fail comparison below if compareClaims: false
6351
- if (compareClaims) {
6352
- const accountAClaims = (accountA.idTokenClaims ||
6353
- {});
6354
- const accountBClaims = (accountB.idTokenClaims ||
6355
- {});
6356
- // issued at timestamp and nonce are expected to change each time a new id token is acquired
6357
- claimsMatch =
6358
- accountAClaims.iat === accountBClaims.iat &&
6359
- accountAClaims.nonce === accountBClaims.nonce;
6384
+ if (request.tokenQueryParameters) {
6385
+ addExtraQueryParameters(parameters, request.tokenQueryParameters);
6360
6386
  }
6361
- return (accountA.homeAccountId === accountB.homeAccountId &&
6362
- accountA.localAccountId === accountB.localAccountId &&
6363
- accountA.username === accountB.username &&
6364
- accountA.tenantId === accountB.tenantId &&
6365
- accountA.loginHint === accountB.loginHint &&
6366
- accountA.environment === accountB.environment &&
6367
- accountA.nativeAccountId === accountB.nativeAccountId &&
6368
- claimsMatch);
6387
+ addCorrelationId(parameters, request.correlationId);
6388
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6389
+ return mapToQueryString(parameters);
6369
6390
  }
6370
6391
  }
6371
6392
 
6372
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6393
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6373
6394
  /*
6374
6395
  * Copyright (c) Microsoft Corporation. All rights reserved.
6375
6396
  * Licensed under the MIT License.
@@ -6397,7 +6418,7 @@
6397
6418
  uxNotAllowed: uxNotAllowed
6398
6419
  });
6399
6420
 
6400
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6421
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6401
6422
 
6402
6423
  /*
6403
6424
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6487,7 +6508,7 @@
6487
6508
  return new InteractionRequiredAuthError(errorCode, InteractionRequiredAuthErrorMessages[errorCode]);
6488
6509
  }
6489
6510
 
6490
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6511
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6491
6512
 
6492
6513
  /*
6493
6514
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6559,7 +6580,7 @@
6559
6580
  }
6560
6581
  }
6561
6582
 
6562
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6583
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6563
6584
 
6564
6585
  /*
6565
6586
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6641,7 +6662,7 @@
6641
6662
  }
6642
6663
  }
6643
6664
 
6644
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6665
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6645
6666
  /*
6646
6667
  * Copyright (c) Microsoft Corporation. All rights reserved.
6647
6668
  * Licensed under the MIT License.
@@ -6668,7 +6689,7 @@
6668
6689
  }
6669
6690
  }
6670
6691
 
6671
- /*! @azure/msal-common v15.13.0 2025-10-17 */
6692
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
6672
6693
 
6673
6694
  /*
6674
6695
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6780,14 +6801,14 @@
6780
6801
  if (handlingRefreshTokenResponse &&
6781
6802
  !forceCacheRefreshTokenResponse &&
6782
6803
  cacheRecord.account) {
6783
- const key = this.cacheStorage.generateAccountKey(cacheRecord.account.getAccountInfo());
6804
+ const key = this.cacheStorage.generateAccountKey(AccountEntity.getAccountInfo(cacheRecord.account));
6784
6805
  const account = this.cacheStorage.getAccount(key, request.correlationId);
6785
6806
  if (!account) {
6786
6807
  this.logger.warning("Account used to refresh tokens not in persistence, refreshed tokens will not be stored in the cache");
6787
6808
  return await ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, undefined, serverRequestId);
6788
6809
  }
6789
6810
  }
6790
- await this.cacheStorage.saveCacheRecord(cacheRecord, request.correlationId, request.storeInCache);
6811
+ await this.cacheStorage.saveCacheRecord(cacheRecord, request.correlationId, isKmsi(idTokenClaims || {}), request.storeInCache);
6791
6812
  }
6792
6813
  finally {
6793
6814
  if (this.persistencePlugin &&
@@ -6934,7 +6955,7 @@
6934
6955
  serverTokenResponse?.spa_accountid;
6935
6956
  }
6936
6957
  const accountInfo = cacheRecord.account
6937
- ? updateAccountTenantProfileData(cacheRecord.account.getAccountInfo(), undefined, // tenantProfile optional
6958
+ ? updateAccountTenantProfileData(AccountEntity.getAccountInfo(cacheRecord.account), undefined, // tenantProfile optional
6938
6959
  idTokenClaims, cacheRecord.idToken?.secret)
6939
6960
  : null;
6940
6961
  return {
@@ -6999,7 +7020,7 @@
6999
7020
  return baseAccount;
7000
7021
  }
7001
7022
 
7002
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7023
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7003
7024
  /*
7004
7025
  * Copyright (c) Microsoft Corporation. All rights reserved.
7005
7026
  * Licensed under the MIT License.
@@ -7017,7 +7038,7 @@
7017
7038
  }
7018
7039
  }
7019
7040
 
7020
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7041
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7021
7042
 
7022
7043
  /*
7023
7044
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7252,7 +7273,7 @@
7252
7273
  }
7253
7274
  }
7254
7275
 
7255
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7276
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7256
7277
 
7257
7278
  /*
7258
7279
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7461,7 +7482,7 @@
7461
7482
  }
7462
7483
  }
7463
7484
 
7464
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7485
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7465
7486
 
7466
7487
  /*
7467
7488
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7559,7 +7580,7 @@
7559
7580
  }
7560
7581
  }
7561
7582
 
7562
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7583
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7563
7584
 
7564
7585
  /*
7565
7586
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7574,7 +7595,7 @@
7574
7595
  },
7575
7596
  };
7576
7597
 
7577
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7598
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7578
7599
 
7579
7600
  /*
7580
7601
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7798,7 +7819,7 @@
7798
7819
  return account.loginHint || account.idTokenClaims?.login_hint || null;
7799
7820
  }
7800
7821
 
7801
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7822
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7802
7823
 
7803
7824
  /*
7804
7825
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7856,7 +7877,7 @@
7856
7877
  }
7857
7878
  }
7858
7879
 
7859
- /*! @azure/msal-common v15.13.0 2025-10-17 */
7880
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
7860
7881
 
7861
7882
  /*
7862
7883
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8119,7 +8140,7 @@
8119
8140
  }
8120
8141
  }
8121
8142
 
8122
- /*! @azure/msal-common v15.13.0 2025-10-17 */
8143
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
8123
8144
  /*
8124
8145
  * Copyright (c) Microsoft Corporation. All rights reserved.
8125
8146
  * Licensed under the MIT License.
@@ -8127,7 +8148,7 @@
8127
8148
  const missingKidError = "missing_kid_error";
8128
8149
  const missingAlgError = "missing_alg_error";
8129
8150
 
8130
- /*! @azure/msal-common v15.13.0 2025-10-17 */
8151
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
8131
8152
 
8132
8153
  /*
8133
8154
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8152,7 +8173,7 @@
8152
8173
  return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);
8153
8174
  }
8154
8175
 
8155
- /*! @azure/msal-common v15.13.0 2025-10-17 */
8176
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
8156
8177
 
8157
8178
  /*
8158
8179
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8192,7 +8213,7 @@
8192
8213
  }
8193
8214
  }
8194
8215
 
8195
- /*! @azure/msal-common v15.13.0 2025-10-17 */
8216
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
8196
8217
 
8197
8218
  /*
8198
8219
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -10308,7 +10329,7 @@
10308
10329
 
10309
10330
  /* eslint-disable header/header */
10310
10331
  const name = "@azure/msal-browser";
10311
- const version = "4.25.1";
10332
+ const version = "4.26.0";
10312
10333
 
10313
10334
  /*
10314
10335
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -10316,9 +10337,9 @@
10316
10337
  */
10317
10338
  const PREFIX = "msal";
10318
10339
  const BROWSER_PREFIX = "browser";
10319
- const CACHE_KEY_SEPARATOR = "-";
10320
- const CREDENTIAL_SCHEMA_VERSION = 1;
10321
- const ACCOUNT_SCHEMA_VERSION = 1;
10340
+ const CACHE_KEY_SEPARATOR = "|";
10341
+ const CREDENTIAL_SCHEMA_VERSION = 2;
10342
+ const ACCOUNT_SCHEMA_VERSION = 2;
10322
10343
  const LOG_LEVEL_CACHE_KEY = `${PREFIX}.${BROWSER_PREFIX}.log.level`;
10323
10344
  const LOG_PII_CACHE_KEY = `${PREFIX}.${BROWSER_PREFIX}.log.pii`;
10324
10345
  const BROWSER_PERF_ENABLED_KEY = `${PREFIX}.${BROWSER_PREFIX}.performance.enabled`;
@@ -11478,7 +11499,10 @@
11478
11499
  return null;
11479
11500
  }
11480
11501
  try {
11481
- return JSON.parse(decryptedData);
11502
+ return {
11503
+ ...JSON.parse(decryptedData),
11504
+ lastUpdatedAt: data.lastUpdatedAt,
11505
+ };
11482
11506
  }
11483
11507
  catch (e) {
11484
11508
  this.performanceClient.incrementFields({ encryptedCacheCorruptionCount: 1 }, correlationId);
@@ -11488,19 +11512,24 @@
11488
11512
  setItem(key, value) {
11489
11513
  window.localStorage.setItem(key, value);
11490
11514
  }
11491
- async setUserData(key, value, correlationId, timestamp) {
11515
+ async setUserData(key, value, correlationId, timestamp, kmsi) {
11492
11516
  if (!this.initialized || !this.encryptionCookie) {
11493
11517
  throw createBrowserAuthError(uninitializedPublicClientApplication);
11494
11518
  }
11495
- const { data, nonce } = await invokeAsync(encrypt, PerformanceEvents.Encrypt, this.logger, this.performanceClient, correlationId)(this.encryptionCookie.key, value, this.getContext(key));
11496
- const encryptedData = {
11497
- id: this.encryptionCookie.id,
11498
- nonce: nonce,
11499
- data: data,
11500
- lastUpdatedAt: timestamp,
11501
- };
11519
+ if (kmsi) {
11520
+ this.setItem(key, value);
11521
+ }
11522
+ else {
11523
+ const { data, nonce } = await invokeAsync(encrypt, PerformanceEvents.Encrypt, this.logger, this.performanceClient, correlationId)(this.encryptionCookie.key, value, this.getContext(key));
11524
+ const encryptedData = {
11525
+ id: this.encryptionCookie.id,
11526
+ nonce: nonce,
11527
+ data: data,
11528
+ lastUpdatedAt: timestamp,
11529
+ };
11530
+ this.setItem(key, JSON.stringify(encryptedData));
11531
+ }
11502
11532
  this.memoryStorage.setItem(key, value);
11503
- this.setItem(key, JSON.stringify(encryptedData));
11504
11533
  // Notify other frames to update their in-memory cache
11505
11534
  this.broadcast.postMessage({
11506
11535
  key: key,
@@ -11600,13 +11629,14 @@
11600
11629
  if (!isEncrypted(encObj)) {
11601
11630
  // Data is not encrypted
11602
11631
  this.performanceClient.incrementFields({ unencryptedCacheCount: 1 }, correlationId);
11603
- return encObj;
11632
+ return rawCache;
11604
11633
  }
11605
11634
  if (encObj.id !== this.encryptionCookie.id) {
11606
11635
  // Data was encrypted with a different key. It must be removed because it is from a previous session.
11607
11636
  this.performanceClient.incrementFields({ encryptedCacheExpiredCount: 1 }, correlationId);
11608
11637
  return null;
11609
11638
  }
11639
+ this.performanceClient.incrementFields({ encryptedCacheCount: 1 }, correlationId);
11610
11640
  return invokeAsync(decrypt, PerformanceEvents.Decrypt, this.logger, this.performanceClient, correlationId)(this.encryptionCookie.key, encObj.nonce, this.getContext(key), encObj.data);
11611
11641
  }
11612
11642
  /**
@@ -11798,108 +11828,338 @@
11798
11828
  * Migrates any existing cache data from previous versions of MSAL.js into the current cache structure.
11799
11829
  */
11800
11830
  async migrateExistingCache(correlationId) {
11801
- const accountKeys0 = getAccountKeys(this.browserStorage, 0);
11802
- const tokenKeys0 = getTokenKeys(this.clientId, this.browserStorage, 0);
11831
+ let accountKeys = getAccountKeys(this.browserStorage);
11832
+ let tokenKeys = getTokenKeys(this.clientId, this.browserStorage);
11803
11833
  this.performanceClient.addFields({
11804
- oldAccountCount: accountKeys0.length,
11805
- oldAccessCount: tokenKeys0.accessToken.length,
11806
- oldIdCount: tokenKeys0.idToken.length,
11807
- oldRefreshCount: tokenKeys0.refreshToken.length,
11834
+ preMigrateAcntCount: accountKeys.length,
11835
+ preMigrateATCount: tokenKeys.accessToken.length,
11836
+ preMigrateITCount: tokenKeys.idToken.length,
11837
+ preMigrateRTCount: tokenKeys.refreshToken.length,
11808
11838
  }, correlationId);
11809
- const accountKeys1 = getAccountKeys(this.browserStorage, 1);
11810
- const tokenKeys1 = getTokenKeys(this.clientId, this.browserStorage, 1);
11839
+ for (let i = 0; i < ACCOUNT_SCHEMA_VERSION; i++) {
11840
+ const credentialSchema = i; // For now account and credential schemas are the same, but may diverge in future
11841
+ await this.removeStaleAccounts(i, credentialSchema, correlationId);
11842
+ }
11843
+ // Must migrate idTokens first to ensure we have KMSI info for the rest
11844
+ for (let i = 0; i < CREDENTIAL_SCHEMA_VERSION; i++) {
11845
+ const accountSchema = i; // For now account and credential schemas are the same, but may diverge in future
11846
+ await this.migrateIdTokens(i, accountSchema, correlationId);
11847
+ }
11848
+ const kmsiMap = this.getKMSIValues();
11849
+ for (let i = 0; i < CREDENTIAL_SCHEMA_VERSION; i++) {
11850
+ await this.migrateAccessTokens(i, kmsiMap, correlationId);
11851
+ await this.migrateRefreshTokens(i, kmsiMap, correlationId);
11852
+ }
11853
+ accountKeys = getAccountKeys(this.browserStorage);
11854
+ tokenKeys = getTokenKeys(this.clientId, this.browserStorage);
11811
11855
  this.performanceClient.addFields({
11812
- currAccountCount: accountKeys1.length,
11813
- currAccessCount: tokenKeys1.accessToken.length,
11814
- currIdCount: tokenKeys1.idToken.length,
11815
- currRefreshCount: tokenKeys1.refreshToken.length,
11856
+ postMigrateAcntCount: accountKeys.length,
11857
+ postMigrateATCount: tokenKeys.accessToken.length,
11858
+ postMigrateITCount: tokenKeys.idToken.length,
11859
+ postMigrateRTCount: tokenKeys.refreshToken.length,
11816
11860
  }, correlationId);
11817
- await Promise.all([
11818
- this.updateV0ToCurrent(ACCOUNT_SCHEMA_VERSION, accountKeys0, accountKeys1, correlationId),
11819
- this.updateV0ToCurrent(CREDENTIAL_SCHEMA_VERSION, tokenKeys0.idToken, tokenKeys1.idToken, correlationId),
11820
- this.updateV0ToCurrent(CREDENTIAL_SCHEMA_VERSION, tokenKeys0.accessToken, tokenKeys1.accessToken, correlationId),
11821
- this.updateV0ToCurrent(CREDENTIAL_SCHEMA_VERSION, tokenKeys0.refreshToken, tokenKeys1.refreshToken, correlationId),
11822
- ]);
11823
- if (accountKeys0.length > 0) {
11824
- this.browserStorage.setItem(getAccountKeysCacheKey(0), JSON.stringify(accountKeys0));
11861
+ }
11862
+ /**
11863
+ * Parses entry, adds lastUpdatedAt if it doesn't exist, removes entry if expired or invalid
11864
+ * @param key
11865
+ * @param correlationId
11866
+ * @returns
11867
+ */
11868
+ async updateOldEntry(key, correlationId) {
11869
+ const rawValue = this.browserStorage.getItem(key);
11870
+ const parsedValue = this.validateAndParseJson(rawValue || "");
11871
+ if (!parsedValue) {
11872
+ this.browserStorage.removeItem(key);
11873
+ return null;
11825
11874
  }
11826
- else {
11827
- this.browserStorage.removeItem(getAccountKeysCacheKey(0));
11875
+ if (!parsedValue.lastUpdatedAt) {
11876
+ // Add lastUpdatedAt to the existing v0 entry if it doesnt exist so we know when it's safe to remove it
11877
+ parsedValue.lastUpdatedAt = Date.now().toString();
11878
+ this.setItem(key, JSON.stringify(parsedValue), correlationId);
11828
11879
  }
11829
- if (accountKeys1.length > 0) {
11830
- this.browserStorage.setItem(getAccountKeysCacheKey(1), JSON.stringify(accountKeys1));
11880
+ else if (isCacheExpired(parsedValue.lastUpdatedAt, this.cacheConfig.cacheRetentionDays)) {
11881
+ this.browserStorage.removeItem(key);
11882
+ this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
11883
+ return null;
11831
11884
  }
11832
- else {
11833
- this.browserStorage.removeItem(getAccountKeysCacheKey(1));
11834
- }
11835
- this.setTokenKeys(tokenKeys0, correlationId, 0);
11836
- this.setTokenKeys(tokenKeys1, correlationId, 1);
11837
- }
11838
- async updateV0ToCurrent(currentSchema, v0Keys, v1Keys, correlationId) {
11839
- const upgradePromises = [];
11840
- for (const v0Key of [...v0Keys]) {
11841
- const rawV0Value = this.browserStorage.getItem(v0Key);
11842
- const parsedV0Value = this.validateAndParseJson(rawV0Value || "");
11843
- if (!parsedV0Value) {
11844
- removeElementFromArray(v0Keys, v0Key);
11885
+ const decryptedData = isEncrypted(parsedValue)
11886
+ ? await this.browserStorage.decryptData(key, parsedValue, correlationId)
11887
+ : parsedValue;
11888
+ if (!decryptedData || !isCredentialEntity(decryptedData)) {
11889
+ this.performanceClient.incrementFields({ invalidCacheCount: 1 }, correlationId);
11890
+ return null;
11891
+ }
11892
+ if ((isAccessTokenEntity(decryptedData) ||
11893
+ isRefreshTokenEntity(decryptedData)) &&
11894
+ decryptedData.expiresOn &&
11895
+ isTokenExpired(decryptedData.expiresOn, DEFAULT_TOKEN_RENEWAL_OFFSET_SEC)) {
11896
+ this.browserStorage.removeItem(key);
11897
+ this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
11898
+ return null;
11899
+ }
11900
+ return decryptedData;
11901
+ }
11902
+ /**
11903
+ * Remove accounts from the cache for older schema versions if they have not been updated in the last cacheRetentionDays
11904
+ * @param accountSchema
11905
+ * @param credentialSchema
11906
+ * @param correlationId
11907
+ * @returns
11908
+ */
11909
+ async removeStaleAccounts(accountSchema, credentialSchema, correlationId) {
11910
+ const accountKeysToCheck = getAccountKeys(this.browserStorage, accountSchema);
11911
+ if (accountKeysToCheck.length === 0) {
11912
+ return;
11913
+ }
11914
+ for (const accountKey of [...accountKeysToCheck]) {
11915
+ this.performanceClient.incrementFields({ oldAcntCount: 1 }, correlationId);
11916
+ const rawValue = this.browserStorage.getItem(accountKey);
11917
+ const parsedValue = this.validateAndParseJson(rawValue || "");
11918
+ if (!parsedValue) {
11919
+ removeElementFromArray(accountKeysToCheck, accountKey);
11920
+ continue;
11921
+ }
11922
+ if (!parsedValue.lastUpdatedAt) {
11923
+ // Add lastUpdatedAt to the existing entry if it doesnt exist so we know when it's safe to remove it
11924
+ parsedValue.lastUpdatedAt = Date.now().toString();
11925
+ this.setItem(accountKey, JSON.stringify(parsedValue), correlationId);
11926
+ continue;
11927
+ }
11928
+ else if (isCacheExpired(parsedValue.lastUpdatedAt, this.cacheConfig.cacheRetentionDays)) {
11929
+ // Cache expired remove account and associated tokens
11930
+ await this.removeAccountOldSchema(accountKey, parsedValue, credentialSchema, correlationId);
11931
+ removeElementFromArray(accountKeysToCheck, accountKey);
11932
+ }
11933
+ }
11934
+ this.setAccountKeys(accountKeysToCheck, correlationId, accountSchema);
11935
+ }
11936
+ /**
11937
+ * Remove the given account and all associated tokens from the cache
11938
+ * @param accountKey
11939
+ * @param rawObject
11940
+ * @param credentialSchema
11941
+ * @param correlationId
11942
+ */
11943
+ async removeAccountOldSchema(accountKey, rawObject, credentialSchema, correlationId) {
11944
+ const decryptedData = isEncrypted(rawObject)
11945
+ ? (await this.browserStorage.decryptData(accountKey, rawObject, correlationId))
11946
+ : rawObject;
11947
+ const homeAccountId = decryptedData?.homeAccountId;
11948
+ if (homeAccountId) {
11949
+ const tokenKeys = this.getTokenKeys(credentialSchema);
11950
+ [...tokenKeys.idToken]
11951
+ .filter((key) => key.includes(homeAccountId))
11952
+ .forEach((key) => {
11953
+ this.browserStorage.removeItem(key);
11954
+ removeElementFromArray(tokenKeys.idToken, key);
11955
+ });
11956
+ [...tokenKeys.accessToken]
11957
+ .filter((key) => key.includes(homeAccountId))
11958
+ .forEach((key) => {
11959
+ this.browserStorage.removeItem(key);
11960
+ removeElementFromArray(tokenKeys.accessToken, key);
11961
+ });
11962
+ [...tokenKeys.refreshToken]
11963
+ .filter((key) => key.includes(homeAccountId))
11964
+ .forEach((key) => {
11965
+ this.browserStorage.removeItem(key);
11966
+ removeElementFromArray(tokenKeys.refreshToken, key);
11967
+ });
11968
+ this.setTokenKeys(tokenKeys, correlationId, credentialSchema);
11969
+ }
11970
+ this.performanceClient.incrementFields({ expiredAcntRemovedCount: 1 }, correlationId);
11971
+ this.browserStorage.removeItem(accountKey);
11972
+ }
11973
+ /**
11974
+ * Gets key value pair mapping homeAccountId to KMSI value
11975
+ * @returns
11976
+ */
11977
+ getKMSIValues() {
11978
+ const kmsiMap = {};
11979
+ const tokenKeys = this.getTokenKeys().idToken;
11980
+ for (const key of tokenKeys) {
11981
+ const rawValue = this.browserStorage.getUserData(key);
11982
+ if (rawValue) {
11983
+ const idToken = JSON.parse(rawValue);
11984
+ const claims = extractTokenClaims(idToken.secret, base64Decode);
11985
+ if (claims) {
11986
+ kmsiMap[idToken.homeAccountId] = isKmsi(claims);
11987
+ }
11988
+ }
11989
+ }
11990
+ return kmsiMap;
11991
+ }
11992
+ /**
11993
+ * Migrates id tokens from the old schema to the new schema, also migrates associated account object if it doesn't already exist in the new schema
11994
+ * @param credentialSchema
11995
+ * @param accountSchema
11996
+ * @param correlationId
11997
+ * @returns
11998
+ */
11999
+ async migrateIdTokens(credentialSchema, accountSchema, correlationId) {
12000
+ const credentialKeysToMigrate = getTokenKeys(this.clientId, this.browserStorage, credentialSchema);
12001
+ if (credentialKeysToMigrate.idToken.length === 0) {
12002
+ return;
12003
+ }
12004
+ const currentCredentialKeys = getTokenKeys(this.clientId, this.browserStorage, CREDENTIAL_SCHEMA_VERSION);
12005
+ const currentAccountKeys = getAccountKeys(this.browserStorage);
12006
+ const previousAccountKeys = getAccountKeys(this.browserStorage, accountSchema);
12007
+ for (const idTokenKey of [...credentialKeysToMigrate.idToken]) {
12008
+ this.performanceClient.incrementFields({ oldITCount: 1 }, correlationId);
12009
+ const oldSchemaData = (await this.updateOldEntry(idTokenKey, correlationId));
12010
+ if (!oldSchemaData) {
12011
+ removeElementFromArray(credentialKeysToMigrate.idToken, idTokenKey);
12012
+ continue;
12013
+ }
12014
+ const currentAccountKey = currentAccountKeys.find((key) => key.includes(oldSchemaData.homeAccountId));
12015
+ const previousAccountKey = previousAccountKeys.find((key) => key.includes(oldSchemaData.homeAccountId));
12016
+ let account = null;
12017
+ if (currentAccountKey) {
12018
+ account = this.getAccount(currentAccountKey, correlationId);
12019
+ }
12020
+ else if (previousAccountKey) {
12021
+ const rawValue = this.browserStorage.getItem(previousAccountKey);
12022
+ const parsedValue = this.validateAndParseJson(rawValue || "");
12023
+ account =
12024
+ parsedValue && isEncrypted(parsedValue)
12025
+ ? (await this.browserStorage.decryptData(previousAccountKey, parsedValue, correlationId))
12026
+ : parsedValue;
12027
+ }
12028
+ if (!account) {
12029
+ // Don't migrate idToken if we don't have an account for it
12030
+ this.performanceClient.incrementFields({ skipITMigrateCount: 1 }, correlationId);
11845
12031
  continue;
11846
12032
  }
11847
- if (!parsedV0Value.lastUpdatedAt) {
11848
- // Add lastUpdatedAt to the existing v0 entry if it doesnt exist so we know when it's safe to remove it
11849
- parsedV0Value.lastUpdatedAt = Date.now().toString();
11850
- this.setItem(v0Key, JSON.stringify(parsedV0Value), correlationId);
11851
- }
11852
- const decryptedData = isEncrypted(parsedV0Value)
11853
- ? await this.browserStorage.decryptData(v0Key, parsedV0Value, correlationId)
11854
- : parsedV0Value;
11855
- let expirationTime;
11856
- if (decryptedData) {
11857
- if (isAccessTokenEntity(decryptedData)) {
11858
- expirationTime = decryptedData.expiresOn;
12033
+ const claims = extractTokenClaims(oldSchemaData.secret, base64Decode);
12034
+ const newIdTokenKey = this.generateCredentialKey(oldSchemaData);
12035
+ const currentIdToken = this.getIdTokenCredential(newIdTokenKey, correlationId);
12036
+ const oldTokenHasSignInState = Object.keys(claims).includes("signin_state");
12037
+ const currentTokenHasSignInState = currentIdToken &&
12038
+ Object.keys(extractTokenClaims(currentIdToken.secret, base64Decode) || {}).includes("signin_state");
12039
+ /**
12040
+ * Only migrate if:
12041
+ * 1. Token doesn't yet exist in current schema
12042
+ * 2. Old schema token has been updated more recently than the current one AND migrating it won't result in loss of KMSI state
12043
+ */
12044
+ if (!currentIdToken ||
12045
+ (oldSchemaData.lastUpdatedAt > currentIdToken.lastUpdatedAt &&
12046
+ (oldTokenHasSignInState || !currentTokenHasSignInState))) {
12047
+ const tenantProfiles = account.tenantProfiles || [];
12048
+ const tenantId = getTenantIdFromIdTokenClaims(claims) || account.realm;
12049
+ if (tenantId &&
12050
+ !tenantProfiles.find((tenantProfile) => {
12051
+ return tenantProfile.tenantId === tenantId;
12052
+ })) {
12053
+ const newTenantProfile = buildTenantProfile(account.homeAccountId, account.localAccountId, tenantId, claims);
12054
+ tenantProfiles.push(newTenantProfile);
11859
12055
  }
11860
- else if (isRefreshTokenEntity(decryptedData)) {
11861
- expirationTime = decryptedData.expiresOn;
12056
+ account.tenantProfiles = tenantProfiles;
12057
+ const newAccountKey = this.generateAccountKey(AccountEntity.getAccountInfo(account));
12058
+ const kmsi = isKmsi(claims);
12059
+ await this.setUserData(newAccountKey, JSON.stringify(account), correlationId, account.lastUpdatedAt, kmsi);
12060
+ if (!currentAccountKeys.includes(newAccountKey)) {
12061
+ currentAccountKeys.push(newAccountKey);
11862
12062
  }
12063
+ await this.setUserData(newIdTokenKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
12064
+ this.performanceClient.incrementFields({ migratedITCount: 1 }, correlationId);
12065
+ currentCredentialKeys.idToken.push(newIdTokenKey);
12066
+ }
12067
+ }
12068
+ this.setTokenKeys(credentialKeysToMigrate, correlationId, credentialSchema);
12069
+ this.setTokenKeys(currentCredentialKeys, correlationId);
12070
+ this.setAccountKeys(currentAccountKeys, correlationId);
12071
+ }
12072
+ /**
12073
+ * Migrates access tokens from old cache schema to current schema
12074
+ * @param credentialSchema
12075
+ * @param kmsiMap
12076
+ * @param correlationId
12077
+ * @returns
12078
+ */
12079
+ async migrateAccessTokens(credentialSchema, kmsiMap, correlationId) {
12080
+ const credentialKeysToMigrate = getTokenKeys(this.clientId, this.browserStorage, credentialSchema);
12081
+ if (credentialKeysToMigrate.accessToken.length === 0) {
12082
+ return;
12083
+ }
12084
+ const currentCredentialKeys = getTokenKeys(this.clientId, this.browserStorage, CREDENTIAL_SCHEMA_VERSION);
12085
+ for (const accessTokenKey of [...credentialKeysToMigrate.accessToken]) {
12086
+ this.performanceClient.incrementFields({ oldATCount: 1 }, correlationId);
12087
+ const oldSchemaData = (await this.updateOldEntry(accessTokenKey, correlationId));
12088
+ if (!oldSchemaData) {
12089
+ removeElementFromArray(credentialKeysToMigrate.accessToken, accessTokenKey);
12090
+ continue;
11863
12091
  }
11864
- if (!decryptedData ||
11865
- isCacheExpired(parsedV0Value.lastUpdatedAt, this.cacheConfig.cacheRetentionDays) ||
11866
- (expirationTime &&
11867
- isTokenExpired(expirationTime, DEFAULT_TOKEN_RENEWAL_OFFSET_SEC))) {
11868
- this.browserStorage.removeItem(v0Key);
11869
- removeElementFromArray(v0Keys, v0Key);
11870
- this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
12092
+ if (!Object.keys(kmsiMap).includes(oldSchemaData.homeAccountId)) {
12093
+ // Don't migrate tokens if we don't have an idToken for them
12094
+ this.performanceClient.incrementFields({ skipATMigrateCount: 1 }, correlationId);
11871
12095
  continue;
11872
12096
  }
11873
- if (this.cacheConfig.cacheLocation !==
11874
- BrowserCacheLocation.LocalStorage ||
11875
- isEncrypted(parsedV0Value)) {
11876
- const v1Key = `${PREFIX}.${currentSchema}${CACHE_KEY_SEPARATOR}${v0Key}`;
11877
- const rawV1Entry = this.browserStorage.getItem(v1Key);
11878
- if (!rawV1Entry) {
11879
- upgradePromises.push(this.setUserData(v1Key, JSON.stringify(decryptedData), correlationId, parsedV0Value.lastUpdatedAt).then(() => {
11880
- v1Keys.push(v1Key);
11881
- this.performanceClient.incrementFields({ upgradedCacheCount: 1 }, correlationId);
11882
- }));
11883
- continue;
12097
+ const newKey = this.generateCredentialKey(oldSchemaData);
12098
+ const kmsi = kmsiMap[oldSchemaData.homeAccountId];
12099
+ if (!currentCredentialKeys.accessToken.includes(newKey)) {
12100
+ await this.setUserData(newKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
12101
+ this.performanceClient.incrementFields({ migratedATCount: 1 }, correlationId);
12102
+ currentCredentialKeys.accessToken.push(newKey);
12103
+ }
12104
+ else {
12105
+ const currentToken = this.getAccessTokenCredential(newKey, correlationId);
12106
+ if (!currentToken ||
12107
+ oldSchemaData.lastUpdatedAt > currentToken.lastUpdatedAt) {
12108
+ // If the token already exists, only overwrite it if the old token has a more recent lastUpdatedAt
12109
+ await this.setUserData(newKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
12110
+ this.performanceClient.incrementFields({ migratedATCount: 1 }, correlationId);
11884
12111
  }
11885
- else {
11886
- const parsedV1Entry = this.validateAndParseJson(rawV1Entry);
11887
- // If the entry already exists but is older than the v0 entry, replace it
11888
- if (Number(parsedV0Value.lastUpdatedAt) >
11889
- Number(parsedV1Entry.lastUpdatedAt)) {
11890
- upgradePromises.push(this.setUserData(v1Key, JSON.stringify(decryptedData), correlationId, parsedV0Value.lastUpdatedAt).then(() => {
11891
- this.performanceClient.incrementFields({ updatedCacheFromV0Count: 1 }, correlationId);
11892
- }));
11893
- continue;
11894
- }
12112
+ }
12113
+ }
12114
+ this.setTokenKeys(credentialKeysToMigrate, correlationId, credentialSchema);
12115
+ this.setTokenKeys(currentCredentialKeys, correlationId);
12116
+ }
12117
+ /**
12118
+ * Migrates refresh tokens from old cache schema to current schema
12119
+ * @param credentialSchema
12120
+ * @param kmsiMap
12121
+ * @param correlationId
12122
+ * @returns
12123
+ */
12124
+ async migrateRefreshTokens(credentialSchema, kmsiMap, correlationId) {
12125
+ const credentialKeysToMigrate = getTokenKeys(this.clientId, this.browserStorage, credentialSchema);
12126
+ if (credentialKeysToMigrate.refreshToken.length === 0) {
12127
+ return;
12128
+ }
12129
+ const currentCredentialKeys = getTokenKeys(this.clientId, this.browserStorage, CREDENTIAL_SCHEMA_VERSION);
12130
+ for (const refreshTokenKey of [
12131
+ ...credentialKeysToMigrate.refreshToken,
12132
+ ]) {
12133
+ this.performanceClient.incrementFields({ oldRTCount: 1 }, correlationId);
12134
+ const oldSchemaData = (await this.updateOldEntry(refreshTokenKey, correlationId));
12135
+ if (!oldSchemaData) {
12136
+ removeElementFromArray(credentialKeysToMigrate.refreshToken, refreshTokenKey);
12137
+ continue;
12138
+ }
12139
+ if (!Object.keys(kmsiMap).includes(oldSchemaData.homeAccountId)) {
12140
+ // Don't migrate tokens if we don't have an idToken for them
12141
+ this.performanceClient.incrementFields({ skipRTMigrateCount: 1 }, correlationId);
12142
+ continue;
12143
+ }
12144
+ const newKey = this.generateCredentialKey(oldSchemaData);
12145
+ const kmsi = kmsiMap[oldSchemaData.homeAccountId];
12146
+ if (!currentCredentialKeys.refreshToken.includes(newKey)) {
12147
+ await this.setUserData(newKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
12148
+ this.performanceClient.incrementFields({ migratedRTCount: 1 }, correlationId);
12149
+ currentCredentialKeys.refreshToken.push(newKey);
12150
+ }
12151
+ else {
12152
+ const currentToken = this.getRefreshTokenCredential(newKey, correlationId);
12153
+ if (!currentToken ||
12154
+ oldSchemaData.lastUpdatedAt > currentToken.lastUpdatedAt) {
12155
+ // If the token already exists, only overwrite it if the old token has a more recent lastUpdatedAt
12156
+ await this.setUserData(newKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
12157
+ this.performanceClient.incrementFields({ migratedRTCount: 1 }, correlationId);
11895
12158
  }
11896
12159
  }
11897
- /*
11898
- * Note: If we reach here for unencrypted localStorage data, we continue without migrating
11899
- * as we can't migrate unencrypted localStorage data right now since we can't guarantee KMSI=no
11900
- */
11901
12160
  }
11902
- return Promise.all(upgradePromises);
12161
+ this.setTokenKeys(credentialKeysToMigrate, correlationId, credentialSchema);
12162
+ this.setTokenKeys(currentCredentialKeys, correlationId);
11903
12163
  }
11904
12164
  /**
11905
12165
  * Tracks upgrades and downgrades for telemetry and debugging purposes
@@ -11944,20 +12204,31 @@
11944
12204
  * @param value
11945
12205
  */
11946
12206
  setItem(key, value, correlationId) {
11947
- let tokenKeysV0Count = 0;
11948
- let accessTokenKeys = [];
12207
+ const tokenKeysCount = new Array(CREDENTIAL_SCHEMA_VERSION + 1).fill(0); // Array mapping schema version to number of token keys stored for that version
12208
+ const accessTokenKeys = []; // Flat map of all access token keys stored, ordered by schema version
11949
12209
  const maxRetries = 20;
11950
12210
  for (let i = 0; i <= maxRetries; i++) {
12211
+ // Attempt to store item in cache, if cache is full this call will throw and we'll attempt to clear space by removing access tokens from the cache one by one, starting with tokens stored by previous versions of MSAL.js
11951
12212
  try {
11952
12213
  this.browserStorage.setItem(key, value);
11953
12214
  if (i > 0) {
11954
- // Finally update the token keys array with the tokens removed
11955
- if (i <= tokenKeysV0Count) {
11956
- this.removeAccessTokenKeys(accessTokenKeys.slice(0, i), correlationId, 0);
11957
- }
11958
- else {
11959
- this.removeAccessTokenKeys(accessTokenKeys.slice(0, tokenKeysV0Count), correlationId, 0);
11960
- this.removeAccessTokenKeys(accessTokenKeys.slice(tokenKeysV0Count, i), correlationId);
12215
+ // If any tokens were removed in order to store this item update the token keys array with the tokens removed
12216
+ for (let schemaVersion = 0; schemaVersion <= CREDENTIAL_SCHEMA_VERSION; schemaVersion++) {
12217
+ // Get the sum of all previous token counts to use as start index for this schema version
12218
+ const startIndex = tokenKeysCount
12219
+ .slice(0, schemaVersion)
12220
+ .reduce((sum, count) => sum + count, 0);
12221
+ if (startIndex >= i) {
12222
+ // Done removing tokens
12223
+ break;
12224
+ }
12225
+ const endIndex = i > startIndex + tokenKeysCount[schemaVersion]
12226
+ ? startIndex + tokenKeysCount[schemaVersion]
12227
+ : i;
12228
+ if (i > startIndex &&
12229
+ tokenKeysCount[schemaVersion] > 0) {
12230
+ this.removeAccessTokenKeys(accessTokenKeys.slice(startIndex, endIndex), correlationId, schemaVersion);
12231
+ }
11961
12232
  }
11962
12233
  }
11963
12234
  break; // If setItem succeeds, exit the loop
@@ -11969,16 +12240,19 @@
11969
12240
  i < maxRetries) {
11970
12241
  if (!accessTokenKeys.length) {
11971
12242
  // If we are currently trying to set the token keys, use the value we're trying to set
11972
- const tokenKeys0 = key ===
11973
- getTokenKeysCacheKey(this.clientId, 0)
11974
- ? JSON.parse(value).accessToken
11975
- : this.getTokenKeys(0).accessToken;
11976
- const tokenKeys1 = key ===
11977
- getTokenKeysCacheKey(this.clientId)
11978
- ? JSON.parse(value).accessToken
11979
- : this.getTokenKeys().accessToken;
11980
- accessTokenKeys = [...tokenKeys0, ...tokenKeys1];
11981
- tokenKeysV0Count = tokenKeys0.length;
12243
+ for (let i = 0; i <= CREDENTIAL_SCHEMA_VERSION; i++) {
12244
+ if (key ===
12245
+ getTokenKeysCacheKey(this.clientId, i)) {
12246
+ const tokenKeys = JSON.parse(value).accessToken;
12247
+ accessTokenKeys.push(...tokenKeys);
12248
+ tokenKeysCount[i] = tokenKeys.length;
12249
+ }
12250
+ else {
12251
+ const tokenKeys = this.getTokenKeys(i).accessToken;
12252
+ accessTokenKeys.push(...tokenKeys);
12253
+ tokenKeysCount[i] = tokenKeys.length;
12254
+ }
12255
+ }
11982
12256
  }
11983
12257
  if (accessTokenKeys.length <= i) {
11984
12258
  // Nothing to remove, rethrow the error
@@ -12001,21 +12275,32 @@
12001
12275
  * @param value
12002
12276
  * @param correlationId
12003
12277
  */
12004
- async setUserData(key, value, correlationId, timestamp) {
12005
- let tokenKeysV0Count = 0;
12006
- let accessTokenKeys = [];
12278
+ async setUserData(key, value, correlationId, timestamp, kmsi) {
12279
+ const tokenKeysCount = new Array(CREDENTIAL_SCHEMA_VERSION + 1).fill(0); // Array mapping schema version to number of token keys stored for that version
12280
+ const accessTokenKeys = []; // Flat map of all access token keys stored, ordered by schema version
12007
12281
  const maxRetries = 20;
12008
12282
  for (let i = 0; i <= maxRetries; i++) {
12009
12283
  try {
12010
- await invokeAsync(this.browserStorage.setUserData.bind(this.browserStorage), PerformanceEvents.SetUserData, this.logger, this.performanceClient)(key, value, correlationId, timestamp);
12284
+ // Attempt to store item in cache, if cache is full this call will throw and we'll attempt to clear space by removing access tokens from the cache one by one, starting with tokens stored by previous versions of MSAL.js
12285
+ await invokeAsync(this.browserStorage.setUserData.bind(this.browserStorage), PerformanceEvents.SetUserData, this.logger, this.performanceClient)(key, value, correlationId, timestamp, kmsi);
12011
12286
  if (i > 0) {
12012
- // Finally update the token keys array with the tokens removed
12013
- if (i <= tokenKeysV0Count) {
12014
- this.removeAccessTokenKeys(accessTokenKeys.slice(0, i), correlationId, 0);
12015
- }
12016
- else {
12017
- this.removeAccessTokenKeys(accessTokenKeys.slice(0, tokenKeysV0Count), correlationId, 0);
12018
- this.removeAccessTokenKeys(accessTokenKeys.slice(tokenKeysV0Count, i), correlationId);
12287
+ // If any tokens were removed in order to store this item update the token keys array with the tokens removed
12288
+ for (let schemaVersion = 0; schemaVersion <= CREDENTIAL_SCHEMA_VERSION; schemaVersion++) {
12289
+ // Get the sum of all previous token counts to use as start index for this schema version
12290
+ const startIndex = tokenKeysCount
12291
+ .slice(0, schemaVersion)
12292
+ .reduce((sum, count) => sum + count, 0);
12293
+ if (startIndex >= i) {
12294
+ // Done removing tokens
12295
+ break;
12296
+ }
12297
+ const endIndex = i > startIndex + tokenKeysCount[schemaVersion]
12298
+ ? startIndex + tokenKeysCount[schemaVersion]
12299
+ : i;
12300
+ if (i > startIndex &&
12301
+ tokenKeysCount[schemaVersion] > 0) {
12302
+ this.removeAccessTokenKeys(accessTokenKeys.slice(startIndex, endIndex), correlationId, schemaVersion);
12303
+ }
12019
12304
  }
12020
12305
  }
12021
12306
  break; // If setItem succeeds, exit the loop
@@ -12026,10 +12311,12 @@
12026
12311
  cacheQuotaExceeded &&
12027
12312
  i < maxRetries) {
12028
12313
  if (!accessTokenKeys.length) {
12029
- const tokenKeys0 = this.getTokenKeys(0).accessToken;
12030
- const tokenKeys1 = this.getTokenKeys().accessToken;
12031
- accessTokenKeys = [...tokenKeys0, ...tokenKeys1];
12032
- tokenKeysV0Count = tokenKeys0.length;
12314
+ // If we are currently trying to set the token keys, use the value we're trying to set
12315
+ for (let i = 0; i <= CREDENTIAL_SCHEMA_VERSION; i++) {
12316
+ const tokenKeys = this.getTokenKeys(i).accessToken;
12317
+ accessTokenKeys.push(...tokenKeys);
12318
+ tokenKeysCount[i] = tokenKeys.length;
12319
+ }
12033
12320
  }
12034
12321
  if (accessTokenKeys.length <= i) {
12035
12322
  // Nothing left to remove, rethrow the error
@@ -12069,20 +12356,21 @@
12069
12356
  * set account entity in the platform cache
12070
12357
  * @param account
12071
12358
  */
12072
- async setAccount(account, correlationId) {
12359
+ async setAccount(account, correlationId, kmsi) {
12073
12360
  this.logger.trace("BrowserCacheManager.setAccount called");
12074
- const key = this.generateAccountKey(account.getAccountInfo());
12361
+ const key = this.generateAccountKey(AccountEntity.getAccountInfo(account));
12075
12362
  const timestamp = Date.now().toString();
12076
12363
  account.lastUpdatedAt = timestamp;
12077
- await this.setUserData(key, JSON.stringify(account), correlationId, timestamp);
12364
+ await this.setUserData(key, JSON.stringify(account), correlationId, timestamp, kmsi);
12078
12365
  const wasAdded = this.addAccountKeyToMap(key, correlationId);
12366
+ this.performanceClient.addFields({ kmsi: kmsi }, correlationId);
12079
12367
  /**
12080
12368
  * @deprecated - Remove this in next major version in favor of more consistent LOGIN event
12081
12369
  */
12082
12370
  if (this.cacheConfig.cacheLocation ===
12083
12371
  BrowserCacheLocation.LocalStorage &&
12084
12372
  wasAdded) {
12085
- this.eventHandler.emitEvent(EventType.ACCOUNT_ADDED, undefined, account.getAccountInfo());
12373
+ this.eventHandler.emitEvent(EventType.ACCOUNT_ADDED, undefined, AccountEntity.getAccountInfo(account));
12086
12374
  }
12087
12375
  }
12088
12376
  /**
@@ -12092,6 +12380,14 @@
12092
12380
  getAccountKeys() {
12093
12381
  return getAccountKeys(this.browserStorage);
12094
12382
  }
12383
+ setAccountKeys(accountKeys, correlationId, schemaVersion = ACCOUNT_SCHEMA_VERSION) {
12384
+ if (accountKeys.length === 0) {
12385
+ this.removeItem(getAccountKeysCacheKey(schemaVersion));
12386
+ }
12387
+ else {
12388
+ this.setItem(getAccountKeysCacheKey(schemaVersion), JSON.stringify(accountKeys), correlationId);
12389
+ }
12390
+ }
12095
12391
  /**
12096
12392
  * Add a new account to the key map
12097
12393
  * @param key
@@ -12123,14 +12419,7 @@
12123
12419
  const removalIndex = accountKeys.indexOf(key);
12124
12420
  if (removalIndex > -1) {
12125
12421
  accountKeys.splice(removalIndex, 1);
12126
- if (accountKeys.length === 0) {
12127
- // If no keys left, remove the map
12128
- this.removeItem(getAccountKeysCacheKey());
12129
- return;
12130
- }
12131
- else {
12132
- this.setItem(getAccountKeysCacheKey(), JSON.stringify(accountKeys), correlationId);
12133
- }
12422
+ this.setAccountKeys(accountKeys, correlationId);
12134
12423
  this.logger.trace("BrowserCacheManager.removeAccountKeyFromMap account key removed");
12135
12424
  }
12136
12425
  else {
@@ -12270,12 +12559,12 @@
12270
12559
  * set IdToken credential to the platform cache
12271
12560
  * @param idToken
12272
12561
  */
12273
- async setIdTokenCredential(idToken, correlationId) {
12562
+ async setIdTokenCredential(idToken, correlationId, kmsi) {
12274
12563
  this.logger.trace("BrowserCacheManager.setIdTokenCredential called");
12275
12564
  const idTokenKey = this.generateCredentialKey(idToken);
12276
12565
  const timestamp = Date.now().toString();
12277
12566
  idToken.lastUpdatedAt = timestamp;
12278
- await this.setUserData(idTokenKey, JSON.stringify(idToken), correlationId, timestamp);
12567
+ await this.setUserData(idTokenKey, JSON.stringify(idToken), correlationId, timestamp, kmsi);
12279
12568
  const tokenKeys = this.getTokenKeys();
12280
12569
  if (tokenKeys.idToken.indexOf(idTokenKey) === -1) {
12281
12570
  this.logger.info("BrowserCacheManager: addTokenKey - idToken added to map");
@@ -12307,12 +12596,12 @@
12307
12596
  * set accessToken credential to the platform cache
12308
12597
  * @param accessToken
12309
12598
  */
12310
- async setAccessTokenCredential(accessToken, correlationId) {
12599
+ async setAccessTokenCredential(accessToken, correlationId, kmsi) {
12311
12600
  this.logger.trace("BrowserCacheManager.setAccessTokenCredential called");
12312
12601
  const accessTokenKey = this.generateCredentialKey(accessToken);
12313
12602
  const timestamp = Date.now().toString();
12314
12603
  accessToken.lastUpdatedAt = timestamp;
12315
- await this.setUserData(accessTokenKey, JSON.stringify(accessToken), correlationId, timestamp);
12604
+ await this.setUserData(accessTokenKey, JSON.stringify(accessToken), correlationId, timestamp, kmsi);
12316
12605
  const tokenKeys = this.getTokenKeys();
12317
12606
  const index = tokenKeys.accessToken.indexOf(accessTokenKey);
12318
12607
  if (index !== -1) {
@@ -12346,12 +12635,12 @@
12346
12635
  * set refreshToken credential to the platform cache
12347
12636
  * @param refreshToken
12348
12637
  */
12349
- async setRefreshTokenCredential(refreshToken, correlationId) {
12638
+ async setRefreshTokenCredential(refreshToken, correlationId, kmsi) {
12350
12639
  this.logger.trace("BrowserCacheManager.setRefreshTokenCredential called");
12351
12640
  const refreshTokenKey = this.generateCredentialKey(refreshToken);
12352
12641
  const timestamp = Date.now().toString();
12353
12642
  refreshToken.lastUpdatedAt = timestamp;
12354
- await this.setUserData(refreshTokenKey, JSON.stringify(refreshToken), correlationId, timestamp);
12643
+ await this.setUserData(refreshTokenKey, JSON.stringify(refreshToken), correlationId, timestamp, kmsi);
12355
12644
  const tokenKeys = this.getTokenKeys();
12356
12645
  if (tokenKeys.refreshToken.indexOf(refreshTokenKey) === -1) {
12357
12646
  this.logger.info("BrowserCacheManager: addTokenKey - refreshToken added to map");
@@ -12851,7 +13140,7 @@
12851
13140
  idToken: idTokenEntity,
12852
13141
  accessToken: accessTokenEntity,
12853
13142
  };
12854
- return this.saveCacheRecord(cacheRecord, result.correlationId);
13143
+ return this.saveCacheRecord(cacheRecord, result.correlationId, isKmsi(extractTokenClaims(result.idToken, base64Decode)));
12855
13144
  }
12856
13145
  /**
12857
13146
  * saves a cache record
@@ -12859,9 +13148,9 @@
12859
13148
  * @param storeInCache {?StoreInCache}
12860
13149
  * @param correlationId {?string} correlation id
12861
13150
  */
12862
- async saveCacheRecord(cacheRecord, correlationId, storeInCache) {
13151
+ async saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache) {
12863
13152
  try {
12864
- await super.saveCacheRecord(cacheRecord, correlationId, storeInCache);
13153
+ await super.saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache);
12865
13154
  }
12866
13155
  catch (e) {
12867
13156
  if (e instanceof CacheError &&
@@ -14093,7 +14382,7 @@
14093
14382
  // generate authenticationResult
14094
14383
  const result = await this.generateAuthenticationResult(response, request, idTokenClaims, baseAccount, authority.canonicalAuthority, reqTimestamp);
14095
14384
  // cache accounts and tokens in the appropriate storage
14096
- await this.cacheAccount(baseAccount, this.correlationId);
14385
+ await this.cacheAccount(baseAccount, this.correlationId, isKmsi(idTokenClaims));
14097
14386
  await this.cacheNativeTokens(response, request, homeAccountIdentifier, idTokenClaims, response.access_token, result.tenantId, reqTimestamp);
14098
14387
  return result;
14099
14388
  }
@@ -14180,7 +14469,7 @@
14180
14469
  const tid = accountProperties["TenantId"] ||
14181
14470
  idTokenClaims.tid ||
14182
14471
  Constants.EMPTY_STRING;
14183
- const accountInfo = updateAccountTenantProfileData(accountEntity.getAccountInfo(), undefined, // tenantProfile optional
14472
+ const accountInfo = updateAccountTenantProfileData(AccountEntity.getAccountInfo(accountEntity), undefined, // tenantProfile optional
14184
14473
  idTokenClaims, response.id_token);
14185
14474
  /**
14186
14475
  * In pairwise broker flows, this check prevents the broker's native account id
@@ -14217,11 +14506,11 @@
14217
14506
  * cache the account entity in browser storage
14218
14507
  * @param accountEntity
14219
14508
  */
14220
- async cacheAccount(accountEntity, correlationId) {
14509
+ async cacheAccount(accountEntity, correlationId, kmsi) {
14221
14510
  // Store the account info and hence `nativeAccountId` in browser cache
14222
- await this.browserStorage.setAccount(accountEntity, this.correlationId);
14511
+ await this.browserStorage.setAccount(accountEntity, this.correlationId, kmsi);
14223
14512
  // Remove any existing cached tokens for this account in browser storage
14224
- this.browserStorage.removeAccountContext(accountEntity.getAccountInfo(), correlationId);
14513
+ this.browserStorage.removeAccountContext(AccountEntity.getAccountInfo(accountEntity), correlationId);
14225
14514
  }
14226
14515
  /**
14227
14516
  * Stores the access_token and id_token in inmemory storage
@@ -14248,7 +14537,7 @@
14248
14537
  idToken: cachedIdToken,
14249
14538
  accessToken: cachedAccessToken,
14250
14539
  };
14251
- return this.nativeStorageManager.saveCacheRecord(nativeCacheRecord, this.correlationId, request.storeInCache);
14540
+ return this.nativeStorageManager.saveCacheRecord(nativeCacheRecord, this.correlationId, isKmsi(idTokenClaims), request.storeInCache);
14252
14541
  }
14253
14542
  getExpiresInValue(tokenType, expiresIn) {
14254
14543
  return tokenType === AuthenticationScheme.POP
@@ -16526,6 +16815,7 @@
16526
16815
  const idTokenClaims = response.id_token
16527
16816
  ? extractTokenClaims(response.id_token, base64Decode)
16528
16817
  : undefined;
16818
+ const kmsi = isKmsi(idTokenClaims || {});
16529
16819
  const authorityOptions = {
16530
16820
  protocolMode: this.config.auth.protocolMode,
16531
16821
  knownAuthorities: this.config.auth.knownAuthorities,
@@ -16537,9 +16827,9 @@
16537
16827
  ? new Authority(Authority.generateAuthority(request.authority, request.azureCloudOptions), this.config.system.networkClient, this.storage, authorityOptions, this.logger, request.correlationId || createNewGuid())
16538
16828
  : undefined;
16539
16829
  const cacheRecordAccount = await this.loadAccount(request, options.clientInfo || response.client_info || "", correlationId, idTokenClaims, authority);
16540
- const idToken = await this.loadIdToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, correlationId);
16541
- const accessToken = await this.loadAccessToken(request, response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, options, correlationId);
16542
- const refreshToken = await this.loadRefreshToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, correlationId);
16830
+ const idToken = await this.loadIdToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, correlationId, kmsi);
16831
+ const accessToken = await this.loadAccessToken(request, response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, options, correlationId, kmsi);
16832
+ const refreshToken = await this.loadRefreshToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, correlationId, kmsi);
16543
16833
  return this.generateAuthenticationResult(request, {
16544
16834
  account: cacheRecordAccount,
16545
16835
  idToken,
@@ -16560,7 +16850,7 @@
16560
16850
  this.logger.verbose("TokenCache - loading account");
16561
16851
  if (request.account) {
16562
16852
  const accountEntity = AccountEntity.createFromAccountInfo(request.account);
16563
- await this.storage.setAccount(accountEntity, correlationId);
16853
+ await this.storage.setAccount(accountEntity, correlationId, isKmsi(idTokenClaims || {}));
16564
16854
  return accountEntity;
16565
16855
  }
16566
16856
  else if (!authority || (!clientInfo && !idTokenClaims)) {
@@ -16572,7 +16862,7 @@
16572
16862
  const cachedAccount = buildAccountToCache(this.storage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, authority.hostnameAndPort, claimsTenantId, undefined, // authCodePayload
16573
16863
  undefined, // nativeAccountId
16574
16864
  this.logger);
16575
- await this.storage.setAccount(cachedAccount, correlationId);
16865
+ await this.storage.setAccount(cachedAccount, correlationId, isKmsi(idTokenClaims || {}));
16576
16866
  return cachedAccount;
16577
16867
  }
16578
16868
  /**
@@ -16583,14 +16873,14 @@
16583
16873
  * @param tenantId
16584
16874
  * @returns `IdTokenEntity`
16585
16875
  */
16586
- async loadIdToken(response, homeAccountId, environment, tenantId, correlationId) {
16876
+ async loadIdToken(response, homeAccountId, environment, tenantId, correlationId, kmsi) {
16587
16877
  if (!response.id_token) {
16588
16878
  this.logger.verbose("TokenCache - no id token found in response");
16589
16879
  return null;
16590
16880
  }
16591
16881
  this.logger.verbose("TokenCache - loading id token");
16592
16882
  const idTokenEntity = createIdTokenEntity(homeAccountId, environment, response.id_token, this.config.auth.clientId, tenantId);
16593
- await this.storage.setIdTokenCredential(idTokenEntity, correlationId);
16883
+ await this.storage.setIdTokenCredential(idTokenEntity, correlationId, kmsi);
16594
16884
  return idTokenEntity;
16595
16885
  }
16596
16886
  /**
@@ -16602,7 +16892,7 @@
16602
16892
  * @param tenantId
16603
16893
  * @returns `AccessTokenEntity`
16604
16894
  */
16605
- async loadAccessToken(request, response, homeAccountId, environment, tenantId, options, correlationId) {
16895
+ async loadAccessToken(request, response, homeAccountId, environment, tenantId, options, correlationId, kmsi) {
16606
16896
  if (!response.access_token) {
16607
16897
  this.logger.verbose("TokenCache - no access token found in response");
16608
16898
  return null;
@@ -16625,7 +16915,7 @@
16625
16915
  (response.ext_expires_in || response.expires_in) +
16626
16916
  nowSeconds();
16627
16917
  const accessTokenEntity = createAccessTokenEntity(homeAccountId, environment, response.access_token, this.config.auth.clientId, tenantId, scopes.printScopes(), expiresOn, extendedExpiresOn, base64Decode);
16628
- await this.storage.setAccessTokenCredential(accessTokenEntity, correlationId);
16918
+ await this.storage.setAccessTokenCredential(accessTokenEntity, correlationId, kmsi);
16629
16919
  return accessTokenEntity;
16630
16920
  }
16631
16921
  /**
@@ -16636,7 +16926,7 @@
16636
16926
  * @param environment
16637
16927
  * @returns `RefreshTokenEntity`
16638
16928
  */
16639
- async loadRefreshToken(response, homeAccountId, environment, correlationId) {
16929
+ async loadRefreshToken(response, homeAccountId, environment, correlationId, kmsi) {
16640
16930
  if (!response.refresh_token) {
16641
16931
  this.logger.verbose("TokenCache - no refresh token found in response");
16642
16932
  return null;
@@ -16644,7 +16934,7 @@
16644
16934
  this.logger.verbose("TokenCache - loading refresh token");
16645
16935
  const refreshTokenEntity = createRefreshTokenEntity(homeAccountId, environment, response.refresh_token, this.config.auth.clientId, response.foci, undefined, // userAssertionHash
16646
16936
  response.refresh_token_expires_in);
16647
- await this.storage.setRefreshTokenCredential(refreshTokenEntity, correlationId);
16937
+ await this.storage.setRefreshTokenCredential(refreshTokenEntity, correlationId, kmsi);
16648
16938
  return refreshTokenEntity;
16649
16939
  }
16650
16940
  /**
@@ -16673,7 +16963,7 @@
16673
16963
  uniqueId: cacheRecord.account.localAccountId,
16674
16964
  tenantId: cacheRecord.account.realm,
16675
16965
  scopes: responseScopes,
16676
- account: accountEntity.getAccountInfo(),
16966
+ account: AccountEntity.getAccountInfo(accountEntity),
16677
16967
  idToken: cacheRecord.idToken?.secret || "",
16678
16968
  idTokenClaims: idTokenClaims || {},
16679
16969
  accessToken: accessToken,
@@ -17691,7 +17981,7 @@
17691
17981
  this.logger.verbose("hydrateCache called");
17692
17982
  // Account gets saved to browser storage regardless of native or not
17693
17983
  const accountEntity = AccountEntity.createFromAccountInfo(result.account, result.cloudGraphHostName, result.msGraphHost);
17694
- await this.browserStorage.setAccount(accountEntity, result.correlationId);
17984
+ await this.browserStorage.setAccount(accountEntity, result.correlationId, isKmsi(result.idTokenClaims));
17695
17985
  if (result.fromNativeBroker) {
17696
17986
  this.logger.verbose("Response was from native broker, storing in-memory");
17697
17987
  // Tokens from native broker are stored in-memory
@@ -18969,7 +19259,7 @@
18969
19259
  async hydrateCache(result, request) {
18970
19260
  this.logger.verbose("hydrateCache called");
18971
19261
  const accountEntity = AccountEntity.createFromAccountInfo(result.account, result.cloudGraphHostName, result.msGraphHost);
18972
- await this.browserStorage.setAccount(accountEntity, result.correlationId);
19262
+ await this.browserStorage.setAccount(accountEntity, result.correlationId, isKmsi(result.idTokenClaims));
18973
19263
  return this.browserStorage.hydrateCache(result, request);
18974
19264
  }
18975
19265
  }