@azure/msal-browser 5.10.0 → 5.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (200) hide show
  1. package/dist/app/IPublicClientApplication.mjs +1 -1
  2. package/dist/app/PublicClientApplication.mjs +1 -1
  3. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
  4. package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  5. package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  6. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +1 -1
  7. package/dist/cache/AccountManager.mjs +1 -1
  8. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  9. package/dist/cache/BrowserCacheManager.mjs +1 -1
  10. package/dist/cache/CacheHelpers.mjs +1 -1
  11. package/dist/cache/CacheKeys.mjs +1 -1
  12. package/dist/cache/CookieStorage.mjs +1 -1
  13. package/dist/cache/DatabaseStorage.mjs +1 -1
  14. package/dist/cache/EncryptedData.mjs +1 -1
  15. package/dist/cache/LocalStorage.mjs +1 -1
  16. package/dist/cache/MemoryStorage.mjs +1 -1
  17. package/dist/cache/SessionStorage.mjs +1 -1
  18. package/dist/cache/TokenCache.mjs +1 -1
  19. package/dist/config/Configuration.mjs +1 -1
  20. package/dist/controllers/NestedAppAuthController.mjs +1 -1
  21. package/dist/controllers/StandardController.mjs +1 -1
  22. package/dist/crypto/BrowserCrypto.mjs +1 -1
  23. package/dist/crypto/CryptoOps.mjs +1 -1
  24. package/dist/crypto/PkceGenerator.mjs +1 -1
  25. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  26. package/dist/custom_auth/CustomAuthConstants.mjs +1 -1
  27. package/dist/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
  28. package/dist/custom_auth/controller/CustomAuthStandardController.mjs +1 -1
  29. package/dist/custom_auth/core/CustomAuthAuthority.mjs +1 -1
  30. package/dist/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
  31. package/dist/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
  32. package/dist/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
  33. package/dist/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
  34. package/dist/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
  35. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
  36. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
  37. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
  38. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
  39. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +1 -1
  40. package/dist/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
  41. package/dist/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
  42. package/dist/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
  43. package/dist/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
  44. package/dist/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
  45. package/dist/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +1 -1
  46. package/dist/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
  47. package/dist/custom_auth/core/error/CustomAuthError.mjs +1 -1
  48. package/dist/custom_auth/core/error/HttpError.mjs +1 -1
  49. package/dist/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
  50. package/dist/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
  51. package/dist/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
  52. package/dist/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
  53. package/dist/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
  54. package/dist/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
  55. package/dist/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
  56. package/dist/custom_auth/core/error/ParsedUrlError.mjs +1 -1
  57. package/dist/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
  58. package/dist/custom_auth/core/error/UnexpectedError.mjs +1 -1
  59. package/dist/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
  60. package/dist/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
  61. package/dist/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
  62. package/dist/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
  63. package/dist/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
  64. package/dist/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
  65. package/dist/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
  66. package/dist/custom_auth/core/interaction_client/mfa/MfaClient.mjs +1 -1
  67. package/dist/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
  68. package/dist/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +1 -1
  69. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +1 -1
  70. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
  71. package/dist/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
  72. package/dist/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +1 -1
  73. package/dist/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +1 -1
  74. package/dist/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +1 -1
  75. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
  76. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
  77. package/dist/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +1 -1
  78. package/dist/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
  79. package/dist/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
  80. package/dist/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
  81. package/dist/custom_auth/core/utils/UrlUtils.mjs +1 -1
  82. package/dist/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +1 -1
  83. package/dist/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
  84. package/dist/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
  85. package/dist/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
  86. package/dist/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
  87. package/dist/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
  88. package/dist/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
  89. package/dist/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
  90. package/dist/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +1 -1
  91. package/dist/custom_auth/index.mjs +1 -1
  92. package/dist/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
  93. package/dist/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
  94. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
  95. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
  96. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
  97. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
  98. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +1 -1
  99. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
  100. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
  101. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +1 -1
  102. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
  103. package/dist/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +1 -1
  104. package/dist/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
  105. package/dist/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
  106. package/dist/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
  107. package/dist/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
  108. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
  109. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
  110. package/dist/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +1 -1
  111. package/dist/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
  112. package/dist/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +1 -1
  113. package/dist/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
  114. package/dist/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +1 -1
  115. package/dist/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
  116. package/dist/custom_auth/sign_in/interaction_client/SignInClient.mjs +1 -1
  117. package/dist/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
  118. package/dist/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
  119. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
  120. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
  121. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
  122. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
  123. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
  124. package/dist/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +1 -1
  125. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +1 -1
  126. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
  127. package/dist/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
  128. package/dist/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +1 -1
  129. package/dist/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
  130. package/dist/custom_auth/sign_up/interaction_client/SignUpClient.mjs +1 -1
  131. package/dist/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
  132. package/dist/encode/Base64Decode.mjs +1 -1
  133. package/dist/encode/Base64Encode.mjs +1 -1
  134. package/dist/error/BrowserAuthError.mjs +1 -1
  135. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  136. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  137. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  138. package/dist/error/NativeAuthError.mjs +1 -1
  139. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  140. package/dist/error/NestedAppAuthError.mjs +1 -1
  141. package/dist/event/EventHandler.mjs +1 -1
  142. package/dist/event/EventMessage.mjs +1 -1
  143. package/dist/event/EventType.mjs +1 -1
  144. package/dist/index.mjs +1 -1
  145. package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
  146. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  147. package/dist/interaction_client/PlatformAuthInteractionClient.mjs +1 -1
  148. package/dist/interaction_client/PopupClient.mjs +1 -1
  149. package/dist/interaction_client/RedirectClient.mjs +1 -1
  150. package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
  151. package/dist/interaction_client/SilentCacheClient.mjs +1 -1
  152. package/dist/interaction_client/SilentIframeClient.mjs +1 -1
  153. package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
  154. package/dist/interaction_client/StandardInteractionClient.mjs +1 -1
  155. package/dist/interaction_handler/InteractionHandler.mjs +1 -1
  156. package/dist/interaction_handler/SilentHandler.mjs +1 -1
  157. package/dist/log-strings-mapping.json +1176 -1176
  158. package/dist/naa/BridgeError.mjs +1 -1
  159. package/dist/naa/BridgeProxy.mjs +1 -1
  160. package/dist/naa/BridgeStatusCode.mjs +1 -1
  161. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +1 -1
  162. package/dist/navigation/NavigationClient.mjs +1 -1
  163. package/dist/network/FetchClient.mjs +1 -1
  164. package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
  165. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  166. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  167. package/dist/packageMetadata.mjs +2 -2
  168. package/dist/protocol/Authorize.mjs +1 -1
  169. package/dist/redirect_bridge/index.mjs +1 -1
  170. package/dist/request/RequestHelpers.mjs +1 -1
  171. package/dist/response/ResponseHandler.mjs +1 -1
  172. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  173. package/dist/telemetry/BrowserPerformanceEvents.mjs +1 -1
  174. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  175. package/dist/telemetry/BrowserRootPerformanceEvents.mjs +1 -1
  176. package/dist/utils/BrowserConstants.mjs +1 -1
  177. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  178. package/dist/utils/BrowserUtils.mjs +1 -1
  179. package/dist/utils/Helpers.mjs +1 -1
  180. package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
  181. package/lib/custom-auth-path/log-strings-mapping.json +2 -2
  182. package/lib/custom-auth-path/msal-custom-auth.cjs +215 -70
  183. package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
  184. package/lib/custom-auth-path/msal-custom-auth.js +215 -70
  185. package/lib/custom-auth-path/msal-custom-auth.js.map +1 -1
  186. package/lib/log-strings-mapping.json +2 -2
  187. package/lib/msal-browser.cjs +218 -72
  188. package/lib/msal-browser.cjs.map +1 -1
  189. package/lib/msal-browser.js +218 -72
  190. package/lib/msal-browser.js.map +1 -1
  191. package/lib/msal-browser.min.js +2 -2
  192. package/lib/redirect-bridge/msal-redirect-bridge.cjs +10 -10
  193. package/lib/redirect-bridge/msal-redirect-bridge.cjs.map +1 -1
  194. package/lib/redirect-bridge/msal-redirect-bridge.js +10 -10
  195. package/lib/redirect-bridge/msal-redirect-bridge.js.map +1 -1
  196. package/lib/redirect-bridge/msal-redirect-bridge.min.js +1 -1
  197. package/package.json +2 -2
  198. package/src/packageMetadata.ts +1 -1
  199. package/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  200. package/types/packageMetadata.d.ts +1 -1
@@ -1,8 +1,8 @@
1
- /*! @azure/msal-browser v5.10.0 2026-05-07 */
1
+ /*! @azure/msal-browser v5.10.1 2026-05-11 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
5
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6
6
  /*
7
7
  * Copyright (c) Microsoft Corporation. All rights reserved.
8
8
  * Licensed under the MIT License.
@@ -234,7 +234,7 @@ const JsonWebTokenTypes$1 = {
234
234
  // Token renewal offset default in seconds
235
235
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
236
236
 
237
- /*! @azure/msal-common v16.6.0 2026-05-07 */
237
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
238
238
  /*
239
239
  * Copyright (c) Microsoft Corporation. All rights reserved.
240
240
  * Licensed under the MIT License.
@@ -286,7 +286,7 @@ const EAR_JWE_CRYPTO = "ear_jwe_crypto";
286
286
  const RESOURCE = "resource";
287
287
  const CLI_DATA = "clidata";
288
288
 
289
- /*! @azure/msal-common v16.6.0 2026-05-07 */
289
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
290
290
  /*
291
291
  * Copyright (c) Microsoft Corporation. All rights reserved.
292
292
  * Licensed under the MIT License.
@@ -317,7 +317,7 @@ function createAuthError(code, additionalMessage) {
317
317
  return new AuthError(code, additionalMessage || getDefaultErrorMessage$1(code));
318
318
  }
319
319
 
320
- /*! @azure/msal-common v16.6.0 2026-05-07 */
320
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
321
321
 
322
322
  /*
323
323
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -337,7 +337,7 @@ function createClientConfigurationError(errorCode) {
337
337
  return new ClientConfigurationError(errorCode);
338
338
  }
339
339
 
340
- /*! @azure/msal-common v16.6.0 2026-05-07 */
340
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
341
341
  /*
342
342
  * Copyright (c) Microsoft Corporation. All rights reserved.
343
343
  * Licensed under the MIT License.
@@ -417,7 +417,7 @@ class StringUtils {
417
417
  }
418
418
  }
419
419
 
420
- /*! @azure/msal-common v16.6.0 2026-05-07 */
420
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
421
421
 
422
422
  /*
423
423
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -440,7 +440,7 @@ function createClientAuthError(errorCode, additionalMessage) {
440
440
  return new ClientAuthError(errorCode, additionalMessage);
441
441
  }
442
442
 
443
- /*! @azure/msal-common v16.6.0 2026-05-07 */
443
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
444
444
  /*
445
445
  * Copyright (c) Microsoft Corporation. All rights reserved.
446
446
  * Licensed under the MIT License.
@@ -466,7 +466,8 @@ const invalidAuthenticationHeader = "invalid_authentication_header";
466
466
  const cannotSetOIDCOptions = "cannot_set_OIDCOptions";
467
467
  const cannotAllowPlatformBroker = "cannot_allow_platform_broker";
468
468
  const authorityMismatch = "authority_mismatch";
469
- const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
469
+ const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
470
+ const issuerValidationFailed = "issuer_validation_failed";
470
471
 
471
472
  var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
472
473
  __proto__: null,
@@ -482,6 +483,7 @@ var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
482
483
  invalidCloudDiscoveryMetadata: invalidCloudDiscoveryMetadata,
483
484
  invalidCodeChallengeMethod: invalidCodeChallengeMethod,
484
485
  invalidRequestMethodForEAR: invalidRequestMethodForEAR,
486
+ issuerValidationFailed: issuerValidationFailed,
485
487
  logoutRequestEmpty: logoutRequestEmpty,
486
488
  missingNonceAuthenticationHeader: missingNonceAuthenticationHeader,
487
489
  missingSshJwk: missingSshJwk,
@@ -494,7 +496,7 @@ var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
494
496
  urlParseError: urlParseError
495
497
  });
496
498
 
497
- /*! @azure/msal-common v16.6.0 2026-05-07 */
499
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
498
500
  /*
499
501
  * Copyright (c) Microsoft Corporation. All rights reserved.
500
502
  * Licensed under the MIT License.
@@ -582,7 +584,7 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
582
584
  userCanceled: userCanceled
583
585
  });
584
586
 
585
- /*! @azure/msal-common v16.6.0 2026-05-07 */
587
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
586
588
 
587
589
  /*
588
590
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -777,7 +779,7 @@ class ScopeSet {
777
779
  }
778
780
  }
779
781
 
780
- /*! @azure/msal-common v16.6.0 2026-05-07 */
782
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
781
783
 
782
784
  /*
783
785
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1166,7 +1168,7 @@ function addResource(parameters, resource) {
1166
1168
  }
1167
1169
  }
1168
1170
 
1169
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1171
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1170
1172
 
1171
1173
  /*
1172
1174
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1275,7 +1277,7 @@ function normalizeUrlForComparison(url) {
1275
1277
  }
1276
1278
  }
1277
1279
 
1278
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1280
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1279
1281
 
1280
1282
  /*
1281
1283
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1314,7 +1316,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
1314
1316
  },
1315
1317
  };
1316
1318
 
1317
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1319
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1318
1320
  /*
1319
1321
  * Copyright (c) Microsoft Corporation. All rights reserved.
1320
1322
  * Licensed under the MIT License.
@@ -1589,12 +1591,12 @@ class Logger {
1589
1591
  }
1590
1592
  }
1591
1593
 
1592
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1594
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1593
1595
  /* eslint-disable header/header */
1594
1596
  const name$1 = "@azure/msal-common";
1595
- const version$1 = "16.6.0";
1597
+ const version$1 = "16.6.1";
1596
1598
 
1597
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1599
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1598
1600
  /*
1599
1601
  * Copyright (c) Microsoft Corporation. All rights reserved.
1600
1602
  * Licensed under the MIT License.
@@ -1614,7 +1616,7 @@ const AzureCloudInstance = {
1614
1616
  AzureUsGovernment: "https://login.microsoftonline.us",
1615
1617
  };
1616
1618
 
1617
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1619
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1618
1620
  /*
1619
1621
  * Copyright (c) Microsoft Corporation. All rights reserved.
1620
1622
  * Licensed under the MIT License.
@@ -1697,7 +1699,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
1697
1699
  return updatedAccountInfo;
1698
1700
  }
1699
1701
 
1700
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1702
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1701
1703
 
1702
1704
  /*
1703
1705
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1777,7 +1779,7 @@ function checkMaxAge(authTime, maxAge) {
1777
1779
  }
1778
1780
  }
1779
1781
 
1780
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1782
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1781
1783
 
1782
1784
  /*
1783
1785
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1934,7 +1936,7 @@ class UrlString {
1934
1936
  }
1935
1937
  }
1936
1938
 
1937
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1939
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1938
1940
 
1939
1941
  /*
1940
1942
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2020,6 +2022,15 @@ const rawMetdataJSON = {
2020
2022
  preferred_cache: "login.sovcloud-identity.sg",
2021
2023
  aliases: ["login.sovcloud-identity.sg"],
2022
2024
  },
2025
+ {
2026
+ preferred_network: "login.windows-ppe.net",
2027
+ preferred_cache: "login.windows-ppe.net",
2028
+ aliases: [
2029
+ "login.windows-ppe.net",
2030
+ "sts.windows-ppe.net",
2031
+ "login.microsoft-ppe.com",
2032
+ ],
2033
+ },
2023
2034
  ],
2024
2035
  },
2025
2036
  };
@@ -2091,7 +2102,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
2091
2102
  return null;
2092
2103
  }
2093
2104
 
2094
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2105
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2095
2106
  /*
2096
2107
  * Copyright (c) Microsoft Corporation. All rights reserved.
2097
2108
  * Licensed under the MIT License.
@@ -2099,7 +2110,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
2099
2110
  const cacheQuotaExceeded = "cache_quota_exceeded";
2100
2111
  const cacheErrorUnknown = "cache_error_unknown";
2101
2112
 
2102
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2113
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2103
2114
 
2104
2115
  /*
2105
2116
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2137,7 +2148,7 @@ function createCacheError(e) {
2137
2148
  }
2138
2149
  }
2139
2150
 
2140
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2151
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2141
2152
 
2142
2153
  /*
2143
2154
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2175,7 +2186,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
2175
2186
  };
2176
2187
  }
2177
2188
 
2178
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2189
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2179
2190
  /*
2180
2191
  * Copyright (c) Microsoft Corporation. All rights reserved.
2181
2192
  * Licensed under the MIT License.
@@ -2190,7 +2201,7 @@ const AuthorityType = {
2190
2201
  Ciam: 3,
2191
2202
  };
2192
2203
 
2193
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2204
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2194
2205
  /*
2195
2206
  * Copyright (c) Microsoft Corporation. All rights reserved.
2196
2207
  * Licensed under the MIT License.
@@ -2212,7 +2223,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
2212
2223
  return null;
2213
2224
  }
2214
2225
 
2215
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2226
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2216
2227
  /*
2217
2228
  * Copyright (c) Microsoft Corporation. All rights reserved.
2218
2229
  * Licensed under the MIT License.
@@ -2236,7 +2247,7 @@ const ProtocolMode = {
2236
2247
  EAR: "EAR",
2237
2248
  };
2238
2249
 
2239
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2250
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2240
2251
  /**
2241
2252
  * Returns the AccountInfo interface for this account.
2242
2253
  */
@@ -2411,7 +2422,7 @@ function isAccountEntity(entity) {
2411
2422
  entity.hasOwnProperty("authorityType"));
2412
2423
  }
2413
2424
 
2414
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2425
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2415
2426
 
2416
2427
  /*
2417
2428
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3543,7 +3554,7 @@ class DefaultStorageClass extends CacheManager {
3543
3554
  }
3544
3555
  }
3545
3556
 
3546
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3557
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
3547
3558
  /*
3548
3559
  * Copyright (c) Microsoft Corporation. All rights reserved.
3549
3560
  * Licensed under the MIT License.
@@ -3594,7 +3605,7 @@ const IntFields = new Set([
3594
3605
  "redirectBridgeMessageVersion",
3595
3606
  ]);
3596
3607
 
3597
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3608
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
3598
3609
 
3599
3610
  /*
3600
3611
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3649,7 +3660,7 @@ class StubPerformanceClient {
3649
3660
  }
3650
3661
  }
3651
3662
 
3652
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3663
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
3653
3664
 
3654
3665
  /*
3655
3666
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3744,7 +3755,7 @@ function isOidcProtocolMode(config) {
3744
3755
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3745
3756
  }
3746
3757
 
3747
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3758
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
3748
3759
  /*
3749
3760
  * Copyright (c) Microsoft Corporation. All rights reserved.
3750
3761
  * Licensed under the MIT License.
@@ -3771,7 +3782,7 @@ function isOidcProtocolMode(config) {
3771
3782
  }
3772
3783
  }
3773
3784
 
3774
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3785
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
3775
3786
  /*
3776
3787
  * Copyright (c) Microsoft Corporation. All rights reserved.
3777
3788
  * Licensed under the MIT License.
@@ -3836,7 +3847,7 @@ function wasClockTurnedBack(cachedAt) {
3836
3847
  return cachedAtSec > nowSeconds();
3837
3848
  }
3838
3849
 
3839
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3850
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
3840
3851
 
3841
3852
  /*
3842
3853
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4095,7 +4106,7 @@ function isAuthorityMetadataExpired(metadata) {
4095
4106
  return metadata.expiresAt <= nowSeconds();
4096
4107
  }
4097
4108
 
4098
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4109
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4099
4110
  /*
4100
4111
  * Copyright (c) Microsoft Corporation. All rights reserved.
4101
4112
  * Licensed under the MIT License.
@@ -4166,7 +4177,7 @@ const RegionDiscoveryGetCurrentVersion = "regionDiscoveryGetCurrentVersion";
4166
4177
  const CacheManagerGetRefreshToken = "cacheManagerGetRefreshToken";
4167
4178
  const SetUserData = "setUserData";
4168
4179
 
4169
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4180
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4170
4181
  /*
4171
4182
  * Copyright (c) Microsoft Corporation. All rights reserved.
4172
4183
  * Licensed under the MIT License.
@@ -4259,7 +4270,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
4259
4270
  };
4260
4271
  };
4261
4272
 
4262
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4273
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4263
4274
 
4264
4275
  /*
4265
4276
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4339,7 +4350,7 @@ class PopTokenGenerator {
4339
4350
  }
4340
4351
  }
4341
4352
 
4342
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4353
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4343
4354
  /*
4344
4355
  * Copyright (c) Microsoft Corporation. All rights reserved.
4345
4356
  * Licensed under the MIT License.
@@ -4403,7 +4414,7 @@ var InteractionRequiredAuthErrorCodes = /*#__PURE__*/Object.freeze({
4403
4414
  uxNotAllowed: uxNotAllowed
4404
4415
  });
4405
4416
 
4406
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4417
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4407
4418
 
4408
4419
  /*
4409
4420
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4471,7 +4482,7 @@ function createInteractionRequiredAuthError(errorCode, errorMessage) {
4471
4482
  return new InteractionRequiredAuthError(errorCode, errorMessage);
4472
4483
  }
4473
4484
 
4474
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4485
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4475
4486
 
4476
4487
  /*
4477
4488
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4490,7 +4501,7 @@ class ServerError extends AuthError {
4490
4501
  }
4491
4502
  }
4492
4503
 
4493
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4504
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4494
4505
 
4495
4506
  /*
4496
4507
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4558,7 +4569,7 @@ function parseRequestState(base64Decode, state) {
4558
4569
  }
4559
4570
  }
4560
4571
 
4561
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4572
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4562
4573
 
4563
4574
  /*
4564
4575
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4906,7 +4917,7 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
4906
4917
  return baseAccount;
4907
4918
  }
4908
4919
 
4909
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4920
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4910
4921
  /*
4911
4922
  * Copyright (c) Microsoft Corporation. All rights reserved.
4912
4923
  * Licensed under the MIT License.
@@ -4916,7 +4927,7 @@ const CcsCredentialType = {
4916
4927
  UPN: "UPN",
4917
4928
  };
4918
4929
 
4919
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4930
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4920
4931
  /*
4921
4932
  * Copyright (c) Microsoft Corporation. All rights reserved.
4922
4933
  * Licensed under the MIT License.
@@ -4934,7 +4945,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
4934
4945
  }
4935
4946
  }
4936
4947
 
4937
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4948
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4938
4949
  /*
4939
4950
  * Copyright (c) Microsoft Corporation. All rights reserved.
4940
4951
  * Licensed under the MIT License.
@@ -4955,7 +4966,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
4955
4966
  };
4956
4967
  }
4957
4968
 
4958
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4969
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4959
4970
 
4960
4971
  /*
4961
4972
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5041,7 +5052,7 @@ class ThrottlingUtils {
5041
5052
  }
5042
5053
  }
5043
5054
 
5044
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5055
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
5045
5056
 
5046
5057
  /*
5047
5058
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5072,7 +5083,7 @@ function createNetworkError(error, httpStatus, responseHeaders, additionalError)
5072
5083
  return new NetworkError(error, httpStatus, responseHeaders);
5073
5084
  }
5074
5085
 
5075
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5086
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
5076
5087
 
5077
5088
  /*
5078
5089
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5186,7 +5197,7 @@ async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId
5186
5197
  return response;
5187
5198
  }
5188
5199
 
5189
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5200
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
5190
5201
  /*
5191
5202
  * Copyright (c) Microsoft Corporation. All rights reserved.
5192
5203
  * Licensed under the MIT License.
@@ -5198,7 +5209,7 @@ function isOpenIdConfigResponse(response) {
5198
5209
  response.hasOwnProperty("jwks_uri"));
5199
5210
  }
5200
5211
 
5201
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5212
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
5202
5213
  /*
5203
5214
  * Copyright (c) Microsoft Corporation. All rights reserved.
5204
5215
  * Licensed under the MIT License.
@@ -5208,7 +5219,7 @@ function isCloudInstanceDiscoveryResponse(response) {
5208
5219
  response.hasOwnProperty("metadata"));
5209
5220
  }
5210
5221
 
5211
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5222
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
5212
5223
  /*
5213
5224
  * Copyright (c) Microsoft Corporation. All rights reserved.
5214
5225
  * Licensed under the MIT License.
@@ -5218,7 +5229,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
5218
5229
  response.hasOwnProperty("error_description"));
5219
5230
  }
5220
5231
 
5221
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5232
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
5222
5233
 
5223
5234
  /*
5224
5235
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5323,7 +5334,7 @@ RegionDiscovery.IMDS_OPTIONS = {
5323
5334
  },
5324
5335
  };
5325
5336
 
5326
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5337
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
5327
5338
 
5328
5339
  /*
5329
5340
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5578,7 +5589,7 @@ class Authority {
5578
5589
  }, this.correlationId);
5579
5590
  }
5580
5591
  /**
5581
- * Returns metadata entity from cache if it exists, otherwiser returns a new metadata entity built
5592
+ * Returns metadata entity from cache if it exists, otherwise returns a new metadata entity built
5582
5593
  * from the configured canonical authority
5583
5594
  * @returns
5584
5595
  */
@@ -5647,6 +5658,8 @@ class Authority {
5647
5658
  // Get metadata from network if local sources aren't available
5648
5659
  let metadata = await invokeAsync(this.getEndpointMetadataFromNetwork.bind(this), AuthorityGetEndpointMetadataFromNetwork, this.logger, this.performanceClient, this.correlationId)();
5649
5660
  if (metadata) {
5661
+ // Validate the issuer returned by the OIDC discovery document.
5662
+ this.validateIssuer(metadata.issuer);
5650
5663
  // If the user prefers to use an azure region replace the global endpoints with regional information.
5651
5664
  if (this.authorityOptions.azureRegionConfiguration?.azureRegion) {
5652
5665
  metadata = await invokeAsync(this.updateMetadataWithRegionalInformation.bind(this), AuthorityUpdateMetadataWithRegionalInformation, this.logger, this.performanceClient, this.correlationId)(metadata);
@@ -5815,7 +5828,7 @@ class Authority {
5815
5828
  throw createClientConfigurationError(untrustedAuthority);
5816
5829
  }
5817
5830
  updateCloudDiscoveryMetadataFromLocalSources(metadataEntity) {
5818
- this.logger.verbose("0jhlgt", this.correlationId);
5831
+ this.logger.verbose("1tpqlr", this.correlationId);
5819
5832
  this.logger.verbosePii("1fy7uz", this.correlationId);
5820
5833
  this.logger.verbosePii("08zabj", this.correlationId);
5821
5834
  this.logger.verbosePii("1o1kv3", this.correlationId);
@@ -6012,6 +6025,139 @@ class Authority {
6012
6025
  isAliasOfKnownMicrosoftAuthority(host) {
6013
6026
  return InstanceDiscoveryMetadataAliases.has(host);
6014
6027
  }
6028
+ /**
6029
+ * Validates the `issuer` returned by an OIDC discovery document against
6030
+ * this authority, per
6031
+ * https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation
6032
+ *
6033
+ * The issuer is accepted when ANY of the following holds:
6034
+ * 1. The issuer scheme + host + port match the authority's (path may
6035
+ * differ). Applies to all authorities.
6036
+ * 2. The authority is a Microsoft cloud authority (public, sovereign,
6037
+ * or CIAM), the issuer is HTTPS, and the issuer host is in the known
6038
+ * Microsoft authority host set.
6039
+ * 3. Same as (2), but the issuer host is a single-label regional variant
6040
+ * of a known Microsoft host (e.g. `westus.login.microsoftonline.com`).
6041
+ * 4. Same as (2), but the issuer host matches the CIAM tenant pattern
6042
+ * `{tenant}.ciamlogin.com` with an optional `/{tenant}[.onmicrosoft.com][/v2.0]`
6043
+ * path.
6044
+ *
6045
+ * @param issuer The `issuer` value returned in the OIDC discovery document.
6046
+ * @throws ClientConfigurationError("issuer_validation_failed") on failure.
6047
+ */
6048
+ validateIssuer(issuer) {
6049
+ if (!issuer) {
6050
+ throw createClientConfigurationError(issuerValidationFailed);
6051
+ }
6052
+ // Parse with the WHATWG URL API. URL normalizes scheme + host to lowercase per RFC 3986.
6053
+ let issuerUrl;
6054
+ try {
6055
+ issuerUrl = new URL(issuer);
6056
+ }
6057
+ catch {
6058
+ throw createClientConfigurationError(issuerValidationFailed);
6059
+ }
6060
+ const issuerScheme = issuerUrl.protocol;
6061
+ const issuerHost = issuerUrl.host;
6062
+ const authorityScheme = (this.canonicalAuthorityUrlComponents.Protocol || "").toLowerCase();
6063
+ const authorityHost = (this.canonicalAuthorityUrlComponents.HostNameAndPort || "").toLowerCase();
6064
+ // Rule 1: Same scheme and host
6065
+ const matchesAuthorityOrigin = this.matchesAuthorityOrigin(issuerScheme, issuerHost, authorityScheme, authorityHost);
6066
+ // Rule 2: The issuer host is a well-known Microsoft authority host (HTTPS only)
6067
+ const matchesKnownMicrosoftHost = issuerScheme === "https:" &&
6068
+ this.isAliasOfKnownMicrosoftAuthority(issuerHost);
6069
+ /*
6070
+ * Rule 3: The issuer host is a regional variant ({region}.{host}) of a well-known host
6071
+ * (HTTPS only). E.g. westus2.login.microsoft.com
6072
+ */
6073
+ const matchesRegionalMicrosoftHost = issuerScheme === "https:" &&
6074
+ this.matchesRegionalMicrosoftHost(issuerHost);
6075
+ /*
6076
+ * Rule 4: CIAM-specific validation. In a CIAM scenario the issuer is expected to
6077
+ * have "{tenant}.ciamlogin.com" as the host, even when using a custom domain.
6078
+ */
6079
+ const matchesCiamTenantPattern = this.matchesCiamTenantPattern(issuerUrl, authorityHost, this.canonicalAuthorityUrlComponents.PathSegments);
6080
+ // Each rule is an independent boolean; the issuer is valid if ANY rule matches.
6081
+ if (matchesAuthorityOrigin ||
6082
+ matchesKnownMicrosoftHost ||
6083
+ matchesRegionalMicrosoftHost ||
6084
+ matchesCiamTenantPattern) {
6085
+ return;
6086
+ }
6087
+ // issuer validation fails if none of the above rules are satisfied
6088
+ throw createClientConfigurationError(issuerValidationFailed);
6089
+ }
6090
+ /**
6091
+ * Rule 1: The issuer scheme + host (and port) match the authority's. Path
6092
+ * may differ. Applies to all authorities.
6093
+ */
6094
+ matchesAuthorityOrigin(issuerScheme, issuerHost, authorityScheme, authorityHost) {
6095
+ return issuerScheme === authorityScheme && issuerHost === authorityHost;
6096
+ }
6097
+ /**
6098
+ * Rule 3: The issuer host is a regional variant
6099
+ * (`{region}.{host}`) of a known Microsoft authority host.
6100
+ * E.g. `westus2.login.microsoft.com`.
6101
+ */
6102
+ matchesRegionalMicrosoftHost(issuerHost) {
6103
+ const firstDot = issuerHost.indexOf(".");
6104
+ if (firstDot > 0 && firstDot < issuerHost.length - 1) {
6105
+ const hostWithoutRegion = issuerHost.substring(firstDot + 1);
6106
+ return this.isAliasOfKnownMicrosoftAuthority(hostWithoutRegion);
6107
+ }
6108
+ return false;
6109
+ }
6110
+ /**
6111
+ * Rule 4: The issuer matches one of the well-known CIAM tenant patterns
6112
+ * (`https://{tenant}.ciamlogin.com[/{tenant}[.onmicrosoft.com][/v2.0]]`).
6113
+ *
6114
+ * The bare tenant name is extracted from the authority's first path segment
6115
+ * when available (stripping the `.onmicrosoft.com` suffix that
6116
+ * `transformCIAMAuthority` adds), or otherwise from the leftmost label of
6117
+ * the authority host (to support CIAM custom domain scenarios).
6118
+ *
6119
+ * Both `/{tenant}` and `/{tenant}.onmicrosoft.com` path forms are accepted
6120
+ * because the OIDC issuer may use either form depending on the authority URL
6121
+ * that was used to trigger discovery.
6122
+ */
6123
+ matchesCiamTenantPattern(issuerUrl, authorityHost, authorityPathSegments) {
6124
+ /*
6125
+ * authorityPathSegments[0] is the first path segment of the *authority
6126
+ * URL* after transformCIAMAuthority runs (e.g. "contoso.onmicrosoft.com").
6127
+ * Additional CIAM issuer path segments such as "/v2.0" are part of the
6128
+ * issuer string, not the authority URL's PathSegments.
6129
+ */
6130
+ const pathSegment = authorityPathSegments[0];
6131
+ /*
6132
+ * Extract the bare tenant name: strip the .onmicrosoft.com suffix when
6133
+ * present (introduced by transformCIAMAuthority), or fall back to the
6134
+ * first label of the authority hostname for non-transformed/custom-domain
6135
+ * CIAM authorities.
6136
+ */
6137
+ const tenantName = pathSegment
6138
+ ? pathSegment.endsWith(AAD_TENANT_DOMAIN_SUFFIX)
6139
+ ? pathSegment.slice(0, -AAD_TENANT_DOMAIN_SUFFIX.length)
6140
+ : pathSegment
6141
+ : authorityHost.split(".")[0];
6142
+ if (!tenantName) {
6143
+ return false;
6144
+ }
6145
+ const ciamBaseURL = `https://${tenantName}${CIAM_AUTH_URL}`;
6146
+ const validCiamPatterns = [
6147
+ ciamBaseURL,
6148
+ `${ciamBaseURL}/${tenantName}`,
6149
+ `${ciamBaseURL}/${tenantName}/v2.0`,
6150
+ `${ciamBaseURL}/${tenantName}${AAD_TENANT_DOMAIN_SUFFIX}`,
6151
+ `${ciamBaseURL}/${tenantName}${AAD_TENANT_DOMAIN_SUFFIX}/v2.0`, // https://{tenant}.ciamlogin.com/{tenant}.onmicrosoft.com/v2.0
6152
+ ];
6153
+ /*
6154
+ * Compose the canonical issuer string from URL components and strip any
6155
+ * trailing slashes from the path so it can be compared to the pattern set.
6156
+ */
6157
+ const issuerPath = issuerUrl.pathname.replace(/\/+$/, "");
6158
+ const normalizedIssuer = `${issuerUrl.protocol}//${issuerUrl.host}${issuerPath}`;
6159
+ return validCiamPatterns.some((pattern) => pattern === normalizedIssuer);
6160
+ }
6015
6161
  /**
6016
6162
  * Checks whether the provided host is that of a public cloud authority
6017
6163
  *
@@ -6143,7 +6289,7 @@ function buildStaticAuthorityOptions(authOptions) {
6143
6289
  };
6144
6290
  }
6145
6291
 
6146
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6292
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6147
6293
 
6148
6294
  /*
6149
6295
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6177,7 +6323,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
6177
6323
  }
6178
6324
  }
6179
6325
 
6180
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6326
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6181
6327
 
6182
6328
  /*
6183
6329
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6434,7 +6580,7 @@ class AuthorizationCodeClient {
6434
6580
  }
6435
6581
  }
6436
6582
 
6437
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6583
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6438
6584
 
6439
6585
  /*
6440
6586
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6655,7 +6801,7 @@ class RefreshTokenClient {
6655
6801
  }
6656
6802
  }
6657
6803
 
6658
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6804
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6659
6805
 
6660
6806
  /*
6661
6807
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6771,7 +6917,7 @@ class SilentFlowClient {
6771
6917
  }
6772
6918
  }
6773
6919
 
6774
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6920
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6775
6921
 
6776
6922
  /*
6777
6923
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6786,7 +6932,7 @@ const StubbedNetworkModule = {
6786
6932
  },
6787
6933
  };
6788
6934
 
6789
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6935
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6790
6936
 
6791
6937
  /*
6792
6938
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7009,7 +7155,7 @@ function extractLoginHint(account) {
7009
7155
  return account.loginHint || account.idTokenClaims?.login_hint || null;
7010
7156
  }
7011
7157
 
7012
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7158
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
7013
7159
 
7014
7160
  /*
7015
7161
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7042,7 +7188,7 @@ function containsResourceParam(params) {
7042
7188
  return Object.prototype.hasOwnProperty.call(params, "resource");
7043
7189
  }
7044
7190
 
7045
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7191
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
7046
7192
 
7047
7193
  /*
7048
7194
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7100,7 +7246,7 @@ class AuthenticationHeaderParser {
7100
7246
  }
7101
7247
  }
7102
7248
 
7103
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7249
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
7104
7250
  /*
7105
7251
  * Copyright (c) Microsoft Corporation. All rights reserved.
7106
7252
  * Licensed under the MIT License.
@@ -7117,7 +7263,7 @@ var AuthErrorCodes = /*#__PURE__*/Object.freeze({
7117
7263
  unexpectedError: unexpectedError
7118
7264
  });
7119
7265
 
7120
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7266
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
7121
7267
 
7122
7268
  /*
7123
7269
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7378,7 +7524,7 @@ class ServerTelemetryManager {
7378
7524
  }
7379
7525
  }
7380
7526
 
7381
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7527
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
7382
7528
 
7383
7529
  /*
7384
7530
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7399,7 +7545,7 @@ function createJoseHeaderError(code) {
7399
7545
  return new JoseHeaderError(code);
7400
7546
  }
7401
7547
 
7402
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7548
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
7403
7549
  /*
7404
7550
  * Copyright (c) Microsoft Corporation. All rights reserved.
7405
7551
  * Licensed under the MIT License.
@@ -7407,7 +7553,7 @@ function createJoseHeaderError(code) {
7407
7553
  const missingKidError = "missing_kid_error";
7408
7554
  const missingAlgError = "missing_alg_error";
7409
7555
 
7410
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7556
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
7411
7557
 
7412
7558
  /*
7413
7559
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7447,7 +7593,7 @@ class JoseHeader {
7447
7593
  }
7448
7594
  }
7449
7595
 
7450
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7596
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
7451
7597
 
7452
7598
  /*
7453
7599
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -10385,7 +10531,7 @@ const EventType = {
10385
10531
 
10386
10532
  /* eslint-disable header/header */
10387
10533
  const name = "@azure/msal-browser";
10388
- const version = "5.10.0";
10534
+ const version = "5.10.1";
10389
10535
 
10390
10536
  /*
10391
10537
  * Copyright (c) Microsoft Corporation. All rights reserved.