@azure/msal-browser 5.10.0 → 5.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (200) hide show
  1. package/dist/app/IPublicClientApplication.mjs +1 -1
  2. package/dist/app/PublicClientApplication.mjs +1 -1
  3. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
  4. package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  5. package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  6. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +1 -1
  7. package/dist/cache/AccountManager.mjs +1 -1
  8. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  9. package/dist/cache/BrowserCacheManager.mjs +1 -1
  10. package/dist/cache/CacheHelpers.mjs +1 -1
  11. package/dist/cache/CacheKeys.mjs +1 -1
  12. package/dist/cache/CookieStorage.mjs +1 -1
  13. package/dist/cache/DatabaseStorage.mjs +1 -1
  14. package/dist/cache/EncryptedData.mjs +1 -1
  15. package/dist/cache/LocalStorage.mjs +1 -1
  16. package/dist/cache/MemoryStorage.mjs +1 -1
  17. package/dist/cache/SessionStorage.mjs +1 -1
  18. package/dist/cache/TokenCache.mjs +1 -1
  19. package/dist/config/Configuration.mjs +1 -1
  20. package/dist/controllers/NestedAppAuthController.mjs +1 -1
  21. package/dist/controllers/StandardController.mjs +1 -1
  22. package/dist/crypto/BrowserCrypto.mjs +1 -1
  23. package/dist/crypto/CryptoOps.mjs +1 -1
  24. package/dist/crypto/PkceGenerator.mjs +1 -1
  25. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  26. package/dist/custom_auth/CustomAuthConstants.mjs +1 -1
  27. package/dist/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
  28. package/dist/custom_auth/controller/CustomAuthStandardController.mjs +1 -1
  29. package/dist/custom_auth/core/CustomAuthAuthority.mjs +1 -1
  30. package/dist/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
  31. package/dist/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
  32. package/dist/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
  33. package/dist/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
  34. package/dist/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
  35. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
  36. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
  37. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
  38. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
  39. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +1 -1
  40. package/dist/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
  41. package/dist/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
  42. package/dist/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
  43. package/dist/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
  44. package/dist/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
  45. package/dist/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +1 -1
  46. package/dist/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
  47. package/dist/custom_auth/core/error/CustomAuthError.mjs +1 -1
  48. package/dist/custom_auth/core/error/HttpError.mjs +1 -1
  49. package/dist/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
  50. package/dist/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
  51. package/dist/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
  52. package/dist/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
  53. package/dist/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
  54. package/dist/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
  55. package/dist/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
  56. package/dist/custom_auth/core/error/ParsedUrlError.mjs +1 -1
  57. package/dist/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
  58. package/dist/custom_auth/core/error/UnexpectedError.mjs +1 -1
  59. package/dist/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
  60. package/dist/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
  61. package/dist/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
  62. package/dist/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
  63. package/dist/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
  64. package/dist/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
  65. package/dist/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
  66. package/dist/custom_auth/core/interaction_client/mfa/MfaClient.mjs +1 -1
  67. package/dist/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
  68. package/dist/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +1 -1
  69. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +1 -1
  70. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
  71. package/dist/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
  72. package/dist/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +1 -1
  73. package/dist/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +1 -1
  74. package/dist/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +1 -1
  75. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
  76. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
  77. package/dist/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +1 -1
  78. package/dist/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
  79. package/dist/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
  80. package/dist/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
  81. package/dist/custom_auth/core/utils/UrlUtils.mjs +1 -1
  82. package/dist/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +1 -1
  83. package/dist/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
  84. package/dist/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
  85. package/dist/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
  86. package/dist/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
  87. package/dist/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
  88. package/dist/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
  89. package/dist/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
  90. package/dist/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +1 -1
  91. package/dist/custom_auth/index.mjs +1 -1
  92. package/dist/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
  93. package/dist/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
  94. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
  95. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
  96. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
  97. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
  98. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +1 -1
  99. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
  100. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
  101. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +1 -1
  102. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
  103. package/dist/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +1 -1
  104. package/dist/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
  105. package/dist/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
  106. package/dist/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
  107. package/dist/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
  108. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
  109. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
  110. package/dist/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +1 -1
  111. package/dist/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
  112. package/dist/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +1 -1
  113. package/dist/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
  114. package/dist/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +1 -1
  115. package/dist/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
  116. package/dist/custom_auth/sign_in/interaction_client/SignInClient.mjs +1 -1
  117. package/dist/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
  118. package/dist/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
  119. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
  120. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
  121. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
  122. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
  123. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
  124. package/dist/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +1 -1
  125. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +1 -1
  126. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
  127. package/dist/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
  128. package/dist/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +1 -1
  129. package/dist/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
  130. package/dist/custom_auth/sign_up/interaction_client/SignUpClient.mjs +1 -1
  131. package/dist/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
  132. package/dist/encode/Base64Decode.mjs +1 -1
  133. package/dist/encode/Base64Encode.mjs +1 -1
  134. package/dist/error/BrowserAuthError.mjs +1 -1
  135. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  136. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  137. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  138. package/dist/error/NativeAuthError.mjs +1 -1
  139. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  140. package/dist/error/NestedAppAuthError.mjs +1 -1
  141. package/dist/event/EventHandler.mjs +1 -1
  142. package/dist/event/EventMessage.mjs +1 -1
  143. package/dist/event/EventType.mjs +1 -1
  144. package/dist/index.mjs +1 -1
  145. package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
  146. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  147. package/dist/interaction_client/PlatformAuthInteractionClient.mjs +1 -1
  148. package/dist/interaction_client/PopupClient.mjs +1 -1
  149. package/dist/interaction_client/RedirectClient.mjs +1 -1
  150. package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
  151. package/dist/interaction_client/SilentCacheClient.mjs +1 -1
  152. package/dist/interaction_client/SilentIframeClient.mjs +1 -1
  153. package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
  154. package/dist/interaction_client/StandardInteractionClient.mjs +1 -1
  155. package/dist/interaction_handler/InteractionHandler.mjs +1 -1
  156. package/dist/interaction_handler/SilentHandler.mjs +1 -1
  157. package/dist/log-strings-mapping.json +1176 -1176
  158. package/dist/naa/BridgeError.mjs +1 -1
  159. package/dist/naa/BridgeProxy.mjs +1 -1
  160. package/dist/naa/BridgeStatusCode.mjs +1 -1
  161. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +1 -1
  162. package/dist/navigation/NavigationClient.mjs +1 -1
  163. package/dist/network/FetchClient.mjs +1 -1
  164. package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
  165. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  166. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  167. package/dist/packageMetadata.mjs +2 -2
  168. package/dist/protocol/Authorize.mjs +1 -1
  169. package/dist/redirect_bridge/index.mjs +1 -1
  170. package/dist/request/RequestHelpers.mjs +1 -1
  171. package/dist/response/ResponseHandler.mjs +1 -1
  172. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  173. package/dist/telemetry/BrowserPerformanceEvents.mjs +1 -1
  174. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  175. package/dist/telemetry/BrowserRootPerformanceEvents.mjs +1 -1
  176. package/dist/utils/BrowserConstants.mjs +1 -1
  177. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  178. package/dist/utils/BrowserUtils.mjs +1 -1
  179. package/dist/utils/Helpers.mjs +1 -1
  180. package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
  181. package/lib/custom-auth-path/log-strings-mapping.json +2 -2
  182. package/lib/custom-auth-path/msal-custom-auth.cjs +215 -70
  183. package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
  184. package/lib/custom-auth-path/msal-custom-auth.js +215 -70
  185. package/lib/custom-auth-path/msal-custom-auth.js.map +1 -1
  186. package/lib/log-strings-mapping.json +2 -2
  187. package/lib/msal-browser.cjs +218 -72
  188. package/lib/msal-browser.cjs.map +1 -1
  189. package/lib/msal-browser.js +218 -72
  190. package/lib/msal-browser.js.map +1 -1
  191. package/lib/msal-browser.min.js +2 -2
  192. package/lib/redirect-bridge/msal-redirect-bridge.cjs +10 -10
  193. package/lib/redirect-bridge/msal-redirect-bridge.cjs.map +1 -1
  194. package/lib/redirect-bridge/msal-redirect-bridge.js +10 -10
  195. package/lib/redirect-bridge/msal-redirect-bridge.js.map +1 -1
  196. package/lib/redirect-bridge/msal-redirect-bridge.min.js +1 -1
  197. package/package.json +2 -2
  198. package/src/packageMetadata.ts +1 -1
  199. package/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  200. package/types/packageMetadata.d.ts +1 -1
@@ -1,8 +1,8 @@
1
- /*! @azure/msal-browser v5.10.0 2026-05-07 */
1
+ /*! @azure/msal-browser v5.10.1 2026-05-11 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
5
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6
6
  /*
7
7
  * Copyright (c) Microsoft Corporation. All rights reserved.
8
8
  * Licensed under the MIT License.
@@ -229,7 +229,7 @@ const JsonWebTokenTypes = {
229
229
  // Token renewal offset default in seconds
230
230
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
231
231
 
232
- /*! @azure/msal-common v16.6.0 2026-05-07 */
232
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
233
233
  /*
234
234
  * Copyright (c) Microsoft Corporation. All rights reserved.
235
235
  * Licensed under the MIT License.
@@ -281,7 +281,7 @@ const EAR_JWE_CRYPTO = "ear_jwe_crypto";
281
281
  const RESOURCE = "resource";
282
282
  const CLI_DATA = "clidata";
283
283
 
284
- /*! @azure/msal-common v16.6.0 2026-05-07 */
284
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
285
285
  /*
286
286
  * Copyright (c) Microsoft Corporation. All rights reserved.
287
287
  * Licensed under the MIT License.
@@ -312,7 +312,7 @@ function createAuthError(code, additionalMessage) {
312
312
  return new AuthError(code, additionalMessage || getDefaultErrorMessage$1(code));
313
313
  }
314
314
 
315
- /*! @azure/msal-common v16.6.0 2026-05-07 */
315
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
316
316
 
317
317
  /*
318
318
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -332,7 +332,7 @@ function createClientConfigurationError(errorCode) {
332
332
  return new ClientConfigurationError(errorCode);
333
333
  }
334
334
 
335
- /*! @azure/msal-common v16.6.0 2026-05-07 */
335
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
336
336
  /*
337
337
  * Copyright (c) Microsoft Corporation. All rights reserved.
338
338
  * Licensed under the MIT License.
@@ -412,7 +412,7 @@ class StringUtils {
412
412
  }
413
413
  }
414
414
 
415
- /*! @azure/msal-common v16.6.0 2026-05-07 */
415
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
416
416
 
417
417
  /*
418
418
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -435,7 +435,7 @@ function createClientAuthError(errorCode, additionalMessage) {
435
435
  return new ClientAuthError(errorCode, additionalMessage);
436
436
  }
437
437
 
438
- /*! @azure/msal-common v16.6.0 2026-05-07 */
438
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
439
439
  /*
440
440
  * Copyright (c) Microsoft Corporation. All rights reserved.
441
441
  * Licensed under the MIT License.
@@ -457,9 +457,10 @@ const missingSshKid = "missing_ssh_kid";
457
457
  const cannotSetOIDCOptions = "cannot_set_OIDCOptions";
458
458
  const cannotAllowPlatformBroker = "cannot_allow_platform_broker";
459
459
  const authorityMismatch = "authority_mismatch";
460
- const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
460
+ const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
461
+ const issuerValidationFailed = "issuer_validation_failed";
461
462
 
462
- /*! @azure/msal-common v16.6.0 2026-05-07 */
463
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
463
464
  /*
464
465
  * Copyright (c) Microsoft Corporation. All rights reserved.
465
466
  * Licensed under the MIT License.
@@ -498,7 +499,7 @@ const methodNotImplemented = "method_not_implemented";
498
499
  const resourceParameterRequired = "resource_parameter_required";
499
500
  const misplacedResourceParam = "misplaced_resource_parameter";
500
501
 
501
- /*! @azure/msal-common v16.6.0 2026-05-07 */
502
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
502
503
 
503
504
  /*
504
505
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -693,7 +694,7 @@ class ScopeSet {
693
694
  }
694
695
  }
695
696
 
696
- /*! @azure/msal-common v16.6.0 2026-05-07 */
697
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
697
698
 
698
699
  /*
699
700
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1082,7 +1083,7 @@ function addResource(parameters, resource) {
1082
1083
  }
1083
1084
  }
1084
1085
 
1085
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1086
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1086
1087
 
1087
1088
  /*
1088
1089
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1191,7 +1192,7 @@ function normalizeUrlForComparison(url) {
1191
1192
  }
1192
1193
  }
1193
1194
 
1194
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1195
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1195
1196
 
1196
1197
  /*
1197
1198
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1230,7 +1231,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
1230
1231
  },
1231
1232
  };
1232
1233
 
1233
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1234
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1234
1235
  /*
1235
1236
  * Copyright (c) Microsoft Corporation. All rights reserved.
1236
1237
  * Licensed under the MIT License.
@@ -1491,12 +1492,12 @@ class Logger {
1491
1492
  }
1492
1493
  }
1493
1494
 
1494
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1495
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1495
1496
  /* eslint-disable header/header */
1496
1497
  const name$1 = "@azure/msal-common";
1497
- const version$1 = "16.6.0";
1498
+ const version$1 = "16.6.1";
1498
1499
 
1499
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1500
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1500
1501
  /*
1501
1502
  * Copyright (c) Microsoft Corporation. All rights reserved.
1502
1503
  * Licensed under the MIT License.
@@ -1505,7 +1506,7 @@ const AzureCloudInstance = {
1505
1506
  // AzureCloudInstance is not specified.
1506
1507
  None: "none"};
1507
1508
 
1508
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1509
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1509
1510
  /*
1510
1511
  * Copyright (c) Microsoft Corporation. All rights reserved.
1511
1512
  * Licensed under the MIT License.
@@ -1588,7 +1589,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
1588
1589
  return updatedAccountInfo;
1589
1590
  }
1590
1591
 
1591
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1592
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1592
1593
 
1593
1594
  /*
1594
1595
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1668,7 +1669,7 @@ function checkMaxAge(authTime, maxAge) {
1668
1669
  }
1669
1670
  }
1670
1671
 
1671
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1672
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1672
1673
 
1673
1674
  /*
1674
1675
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1825,7 +1826,7 @@ class UrlString {
1825
1826
  }
1826
1827
  }
1827
1828
 
1828
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1829
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1829
1830
 
1830
1831
  /*
1831
1832
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1911,6 +1912,15 @@ const rawMetdataJSON = {
1911
1912
  preferred_cache: "login.sovcloud-identity.sg",
1912
1913
  aliases: ["login.sovcloud-identity.sg"],
1913
1914
  },
1915
+ {
1916
+ preferred_network: "login.windows-ppe.net",
1917
+ preferred_cache: "login.windows-ppe.net",
1918
+ aliases: [
1919
+ "login.windows-ppe.net",
1920
+ "sts.windows-ppe.net",
1921
+ "login.microsoft-ppe.com",
1922
+ ],
1923
+ },
1914
1924
  ],
1915
1925
  },
1916
1926
  };
@@ -1982,7 +1992,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
1982
1992
  return null;
1983
1993
  }
1984
1994
 
1985
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1995
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1986
1996
  /*
1987
1997
  * Copyright (c) Microsoft Corporation. All rights reserved.
1988
1998
  * Licensed under the MIT License.
@@ -1990,7 +2000,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
1990
2000
  const cacheQuotaExceeded = "cache_quota_exceeded";
1991
2001
  const cacheErrorUnknown = "cache_error_unknown";
1992
2002
 
1993
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2003
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
1994
2004
 
1995
2005
  /*
1996
2006
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2028,7 +2038,7 @@ function createCacheError(e) {
2028
2038
  }
2029
2039
  }
2030
2040
 
2031
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2041
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2032
2042
 
2033
2043
  /*
2034
2044
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2066,7 +2076,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
2066
2076
  };
2067
2077
  }
2068
2078
 
2069
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2079
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2070
2080
  /*
2071
2081
  * Copyright (c) Microsoft Corporation. All rights reserved.
2072
2082
  * Licensed under the MIT License.
@@ -2081,7 +2091,7 @@ const AuthorityType = {
2081
2091
  Ciam: 3,
2082
2092
  };
2083
2093
 
2084
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2094
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2085
2095
  /*
2086
2096
  * Copyright (c) Microsoft Corporation. All rights reserved.
2087
2097
  * Licensed under the MIT License.
@@ -2103,7 +2113,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
2103
2113
  return null;
2104
2114
  }
2105
2115
 
2106
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2116
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2107
2117
  /*
2108
2118
  * Copyright (c) Microsoft Corporation. All rights reserved.
2109
2119
  * Licensed under the MIT License.
@@ -2127,7 +2137,7 @@ const ProtocolMode = {
2127
2137
  EAR: "EAR",
2128
2138
  };
2129
2139
 
2130
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2140
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2131
2141
  /**
2132
2142
  * Returns the AccountInfo interface for this account.
2133
2143
  */
@@ -2302,7 +2312,7 @@ function isAccountEntity(entity) {
2302
2312
  entity.hasOwnProperty("authorityType"));
2303
2313
  }
2304
2314
 
2305
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2315
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
2306
2316
 
2307
2317
  /*
2308
2318
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3433,7 +3443,7 @@ class DefaultStorageClass extends CacheManager {
3433
3443
  }
3434
3444
  }
3435
3445
 
3436
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3446
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
3437
3447
  /*
3438
3448
  * Copyright (c) Microsoft Corporation. All rights reserved.
3439
3449
  * Licensed under the MIT License.
@@ -3447,7 +3457,7 @@ class DefaultStorageClass extends CacheManager {
3447
3457
  const PerformanceEventStatus = {
3448
3458
  InProgress: 1};
3449
3459
 
3450
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3460
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
3451
3461
 
3452
3462
  /*
3453
3463
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3502,7 +3512,7 @@ class StubPerformanceClient {
3502
3512
  }
3503
3513
  }
3504
3514
 
3505
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3515
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
3506
3516
 
3507
3517
  /*
3508
3518
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3597,7 +3607,7 @@ function isOidcProtocolMode(config) {
3597
3607
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3598
3608
  }
3599
3609
 
3600
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3610
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
3601
3611
  /*
3602
3612
  * Copyright (c) Microsoft Corporation. All rights reserved.
3603
3613
  * Licensed under the MIT License.
@@ -3624,7 +3634,7 @@ function isOidcProtocolMode(config) {
3624
3634
  }
3625
3635
  }
3626
3636
 
3627
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3637
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
3628
3638
  /*
3629
3639
  * Copyright (c) Microsoft Corporation. All rights reserved.
3630
3640
  * Licensed under the MIT License.
@@ -3689,7 +3699,7 @@ function wasClockTurnedBack(cachedAt) {
3689
3699
  return cachedAtSec > nowSeconds();
3690
3700
  }
3691
3701
 
3692
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3702
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
3693
3703
 
3694
3704
  /*
3695
3705
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3948,7 +3958,7 @@ function isAuthorityMetadataExpired(metadata) {
3948
3958
  return metadata.expiresAt <= nowSeconds();
3949
3959
  }
3950
3960
 
3951
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3961
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
3952
3962
  /*
3953
3963
  * Copyright (c) Microsoft Corporation. All rights reserved.
3954
3964
  * Licensed under the MIT License.
@@ -4019,7 +4029,7 @@ const RegionDiscoveryGetCurrentVersion = "regionDiscoveryGetCurrentVersion";
4019
4029
  const CacheManagerGetRefreshToken = "cacheManagerGetRefreshToken";
4020
4030
  const SetUserData = "setUserData";
4021
4031
 
4022
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4032
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4023
4033
  /*
4024
4034
  * Copyright (c) Microsoft Corporation. All rights reserved.
4025
4035
  * Licensed under the MIT License.
@@ -4112,7 +4122,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
4112
4122
  };
4113
4123
  };
4114
4124
 
4115
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4125
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4116
4126
 
4117
4127
  /*
4118
4128
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4192,7 +4202,7 @@ class PopTokenGenerator {
4192
4202
  }
4193
4203
  }
4194
4204
 
4195
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4205
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4196
4206
  /*
4197
4207
  * Copyright (c) Microsoft Corporation. All rights reserved.
4198
4208
  * Licensed under the MIT License.
@@ -4243,7 +4253,7 @@ const badToken = "bad_token";
4243
4253
  */
4244
4254
  const interruptedUser = "interrupted_user";
4245
4255
 
4246
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4256
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4247
4257
 
4248
4258
  /*
4249
4259
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4311,7 +4321,7 @@ function createInteractionRequiredAuthError(errorCode, errorMessage) {
4311
4321
  return new InteractionRequiredAuthError(errorCode, errorMessage);
4312
4322
  }
4313
4323
 
4314
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4324
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4315
4325
 
4316
4326
  /*
4317
4327
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4330,7 +4340,7 @@ class ServerError extends AuthError {
4330
4340
  }
4331
4341
  }
4332
4342
 
4333
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4343
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4334
4344
 
4335
4345
  /*
4336
4346
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4398,7 +4408,7 @@ function parseRequestState(base64Decode, state) {
4398
4408
  }
4399
4409
  }
4400
4410
 
4401
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4411
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4402
4412
 
4403
4413
  /*
4404
4414
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4746,7 +4756,7 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
4746
4756
  return baseAccount;
4747
4757
  }
4748
4758
 
4749
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4759
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4750
4760
  /*
4751
4761
  * Copyright (c) Microsoft Corporation. All rights reserved.
4752
4762
  * Licensed under the MIT License.
@@ -4756,7 +4766,7 @@ const CcsCredentialType = {
4756
4766
  UPN: "UPN",
4757
4767
  };
4758
4768
 
4759
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4769
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4760
4770
  /*
4761
4771
  * Copyright (c) Microsoft Corporation. All rights reserved.
4762
4772
  * Licensed under the MIT License.
@@ -4774,7 +4784,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
4774
4784
  }
4775
4785
  }
4776
4786
 
4777
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4787
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4778
4788
  /*
4779
4789
  * Copyright (c) Microsoft Corporation. All rights reserved.
4780
4790
  * Licensed under the MIT License.
@@ -4795,7 +4805,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
4795
4805
  };
4796
4806
  }
4797
4807
 
4798
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4808
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4799
4809
 
4800
4810
  /*
4801
4811
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4881,7 +4891,7 @@ class ThrottlingUtils {
4881
4891
  }
4882
4892
  }
4883
4893
 
4884
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4894
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4885
4895
 
4886
4896
  /*
4887
4897
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4912,7 +4922,7 @@ function createNetworkError(error, httpStatus, responseHeaders, additionalError)
4912
4922
  return new NetworkError(error, httpStatus, responseHeaders);
4913
4923
  }
4914
4924
 
4915
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4925
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
4916
4926
 
4917
4927
  /*
4918
4928
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5026,7 +5036,7 @@ async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId
5026
5036
  return response;
5027
5037
  }
5028
5038
 
5029
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5039
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
5030
5040
  /*
5031
5041
  * Copyright (c) Microsoft Corporation. All rights reserved.
5032
5042
  * Licensed under the MIT License.
@@ -5038,7 +5048,7 @@ function isOpenIdConfigResponse(response) {
5038
5048
  response.hasOwnProperty("jwks_uri"));
5039
5049
  }
5040
5050
 
5041
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5051
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
5042
5052
  /*
5043
5053
  * Copyright (c) Microsoft Corporation. All rights reserved.
5044
5054
  * Licensed under the MIT License.
@@ -5048,7 +5058,7 @@ function isCloudInstanceDiscoveryResponse(response) {
5048
5058
  response.hasOwnProperty("metadata"));
5049
5059
  }
5050
5060
 
5051
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5061
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
5052
5062
  /*
5053
5063
  * Copyright (c) Microsoft Corporation. All rights reserved.
5054
5064
  * Licensed under the MIT License.
@@ -5058,7 +5068,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
5058
5068
  response.hasOwnProperty("error_description"));
5059
5069
  }
5060
5070
 
5061
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5071
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
5062
5072
 
5063
5073
  /*
5064
5074
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5163,7 +5173,7 @@ RegionDiscovery.IMDS_OPTIONS = {
5163
5173
  },
5164
5174
  };
5165
5175
 
5166
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5176
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
5167
5177
 
5168
5178
  /*
5169
5179
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5418,7 +5428,7 @@ class Authority {
5418
5428
  }, this.correlationId);
5419
5429
  }
5420
5430
  /**
5421
- * Returns metadata entity from cache if it exists, otherwiser returns a new metadata entity built
5431
+ * Returns metadata entity from cache if it exists, otherwise returns a new metadata entity built
5422
5432
  * from the configured canonical authority
5423
5433
  * @returns
5424
5434
  */
@@ -5487,6 +5497,8 @@ class Authority {
5487
5497
  // Get metadata from network if local sources aren't available
5488
5498
  let metadata = await invokeAsync(this.getEndpointMetadataFromNetwork.bind(this), AuthorityGetEndpointMetadataFromNetwork, this.logger, this.performanceClient, this.correlationId)();
5489
5499
  if (metadata) {
5500
+ // Validate the issuer returned by the OIDC discovery document.
5501
+ this.validateIssuer(metadata.issuer);
5490
5502
  // If the user prefers to use an azure region replace the global endpoints with regional information.
5491
5503
  if (this.authorityOptions.azureRegionConfiguration?.azureRegion) {
5492
5504
  metadata = await invokeAsync(this.updateMetadataWithRegionalInformation.bind(this), AuthorityUpdateMetadataWithRegionalInformation, this.logger, this.performanceClient, this.correlationId)(metadata);
@@ -5655,7 +5667,7 @@ class Authority {
5655
5667
  throw createClientConfigurationError(untrustedAuthority);
5656
5668
  }
5657
5669
  updateCloudDiscoveryMetadataFromLocalSources(metadataEntity) {
5658
- this.logger.verbose("0jhlgt", this.correlationId);
5670
+ this.logger.verbose("1tpqlr", this.correlationId);
5659
5671
  this.logger.verbosePii("1fy7uz", this.correlationId);
5660
5672
  this.logger.verbosePii("08zabj", this.correlationId);
5661
5673
  this.logger.verbosePii("1o1kv3", this.correlationId);
@@ -5852,6 +5864,139 @@ class Authority {
5852
5864
  isAliasOfKnownMicrosoftAuthority(host) {
5853
5865
  return InstanceDiscoveryMetadataAliases.has(host);
5854
5866
  }
5867
+ /**
5868
+ * Validates the `issuer` returned by an OIDC discovery document against
5869
+ * this authority, per
5870
+ * https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation
5871
+ *
5872
+ * The issuer is accepted when ANY of the following holds:
5873
+ * 1. The issuer scheme + host + port match the authority's (path may
5874
+ * differ). Applies to all authorities.
5875
+ * 2. The authority is a Microsoft cloud authority (public, sovereign,
5876
+ * or CIAM), the issuer is HTTPS, and the issuer host is in the known
5877
+ * Microsoft authority host set.
5878
+ * 3. Same as (2), but the issuer host is a single-label regional variant
5879
+ * of a known Microsoft host (e.g. `westus.login.microsoftonline.com`).
5880
+ * 4. Same as (2), but the issuer host matches the CIAM tenant pattern
5881
+ * `{tenant}.ciamlogin.com` with an optional `/{tenant}[.onmicrosoft.com][/v2.0]`
5882
+ * path.
5883
+ *
5884
+ * @param issuer The `issuer` value returned in the OIDC discovery document.
5885
+ * @throws ClientConfigurationError("issuer_validation_failed") on failure.
5886
+ */
5887
+ validateIssuer(issuer) {
5888
+ if (!issuer) {
5889
+ throw createClientConfigurationError(issuerValidationFailed);
5890
+ }
5891
+ // Parse with the WHATWG URL API. URL normalizes scheme + host to lowercase per RFC 3986.
5892
+ let issuerUrl;
5893
+ try {
5894
+ issuerUrl = new URL(issuer);
5895
+ }
5896
+ catch {
5897
+ throw createClientConfigurationError(issuerValidationFailed);
5898
+ }
5899
+ const issuerScheme = issuerUrl.protocol;
5900
+ const issuerHost = issuerUrl.host;
5901
+ const authorityScheme = (this.canonicalAuthorityUrlComponents.Protocol || "").toLowerCase();
5902
+ const authorityHost = (this.canonicalAuthorityUrlComponents.HostNameAndPort || "").toLowerCase();
5903
+ // Rule 1: Same scheme and host
5904
+ const matchesAuthorityOrigin = this.matchesAuthorityOrigin(issuerScheme, issuerHost, authorityScheme, authorityHost);
5905
+ // Rule 2: The issuer host is a well-known Microsoft authority host (HTTPS only)
5906
+ const matchesKnownMicrosoftHost = issuerScheme === "https:" &&
5907
+ this.isAliasOfKnownMicrosoftAuthority(issuerHost);
5908
+ /*
5909
+ * Rule 3: The issuer host is a regional variant ({region}.{host}) of a well-known host
5910
+ * (HTTPS only). E.g. westus2.login.microsoft.com
5911
+ */
5912
+ const matchesRegionalMicrosoftHost = issuerScheme === "https:" &&
5913
+ this.matchesRegionalMicrosoftHost(issuerHost);
5914
+ /*
5915
+ * Rule 4: CIAM-specific validation. In a CIAM scenario the issuer is expected to
5916
+ * have "{tenant}.ciamlogin.com" as the host, even when using a custom domain.
5917
+ */
5918
+ const matchesCiamTenantPattern = this.matchesCiamTenantPattern(issuerUrl, authorityHost, this.canonicalAuthorityUrlComponents.PathSegments);
5919
+ // Each rule is an independent boolean; the issuer is valid if ANY rule matches.
5920
+ if (matchesAuthorityOrigin ||
5921
+ matchesKnownMicrosoftHost ||
5922
+ matchesRegionalMicrosoftHost ||
5923
+ matchesCiamTenantPattern) {
5924
+ return;
5925
+ }
5926
+ // issuer validation fails if none of the above rules are satisfied
5927
+ throw createClientConfigurationError(issuerValidationFailed);
5928
+ }
5929
+ /**
5930
+ * Rule 1: The issuer scheme + host (and port) match the authority's. Path
5931
+ * may differ. Applies to all authorities.
5932
+ */
5933
+ matchesAuthorityOrigin(issuerScheme, issuerHost, authorityScheme, authorityHost) {
5934
+ return issuerScheme === authorityScheme && issuerHost === authorityHost;
5935
+ }
5936
+ /**
5937
+ * Rule 3: The issuer host is a regional variant
5938
+ * (`{region}.{host}`) of a known Microsoft authority host.
5939
+ * E.g. `westus2.login.microsoft.com`.
5940
+ */
5941
+ matchesRegionalMicrosoftHost(issuerHost) {
5942
+ const firstDot = issuerHost.indexOf(".");
5943
+ if (firstDot > 0 && firstDot < issuerHost.length - 1) {
5944
+ const hostWithoutRegion = issuerHost.substring(firstDot + 1);
5945
+ return this.isAliasOfKnownMicrosoftAuthority(hostWithoutRegion);
5946
+ }
5947
+ return false;
5948
+ }
5949
+ /**
5950
+ * Rule 4: The issuer matches one of the well-known CIAM tenant patterns
5951
+ * (`https://{tenant}.ciamlogin.com[/{tenant}[.onmicrosoft.com][/v2.0]]`).
5952
+ *
5953
+ * The bare tenant name is extracted from the authority's first path segment
5954
+ * when available (stripping the `.onmicrosoft.com` suffix that
5955
+ * `transformCIAMAuthority` adds), or otherwise from the leftmost label of
5956
+ * the authority host (to support CIAM custom domain scenarios).
5957
+ *
5958
+ * Both `/{tenant}` and `/{tenant}.onmicrosoft.com` path forms are accepted
5959
+ * because the OIDC issuer may use either form depending on the authority URL
5960
+ * that was used to trigger discovery.
5961
+ */
5962
+ matchesCiamTenantPattern(issuerUrl, authorityHost, authorityPathSegments) {
5963
+ /*
5964
+ * authorityPathSegments[0] is the first path segment of the *authority
5965
+ * URL* after transformCIAMAuthority runs (e.g. "contoso.onmicrosoft.com").
5966
+ * Additional CIAM issuer path segments such as "/v2.0" are part of the
5967
+ * issuer string, not the authority URL's PathSegments.
5968
+ */
5969
+ const pathSegment = authorityPathSegments[0];
5970
+ /*
5971
+ * Extract the bare tenant name: strip the .onmicrosoft.com suffix when
5972
+ * present (introduced by transformCIAMAuthority), or fall back to the
5973
+ * first label of the authority hostname for non-transformed/custom-domain
5974
+ * CIAM authorities.
5975
+ */
5976
+ const tenantName = pathSegment
5977
+ ? pathSegment.endsWith(AAD_TENANT_DOMAIN_SUFFIX)
5978
+ ? pathSegment.slice(0, -AAD_TENANT_DOMAIN_SUFFIX.length)
5979
+ : pathSegment
5980
+ : authorityHost.split(".")[0];
5981
+ if (!tenantName) {
5982
+ return false;
5983
+ }
5984
+ const ciamBaseURL = `https://${tenantName}${CIAM_AUTH_URL}`;
5985
+ const validCiamPatterns = [
5986
+ ciamBaseURL,
5987
+ `${ciamBaseURL}/${tenantName}`,
5988
+ `${ciamBaseURL}/${tenantName}/v2.0`,
5989
+ `${ciamBaseURL}/${tenantName}${AAD_TENANT_DOMAIN_SUFFIX}`,
5990
+ `${ciamBaseURL}/${tenantName}${AAD_TENANT_DOMAIN_SUFFIX}/v2.0`, // https://{tenant}.ciamlogin.com/{tenant}.onmicrosoft.com/v2.0
5991
+ ];
5992
+ /*
5993
+ * Compose the canonical issuer string from URL components and strip any
5994
+ * trailing slashes from the path so it can be compared to the pattern set.
5995
+ */
5996
+ const issuerPath = issuerUrl.pathname.replace(/\/+$/, "");
5997
+ const normalizedIssuer = `${issuerUrl.protocol}//${issuerUrl.host}${issuerPath}`;
5998
+ return validCiamPatterns.some((pattern) => pattern === normalizedIssuer);
5999
+ }
5855
6000
  /**
5856
6001
  * Checks whether the provided host is that of a public cloud authority
5857
6002
  *
@@ -5983,7 +6128,7 @@ function buildStaticAuthorityOptions(authOptions) {
5983
6128
  };
5984
6129
  }
5985
6130
 
5986
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6131
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
5987
6132
 
5988
6133
  /*
5989
6134
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6017,7 +6162,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
6017
6162
  }
6018
6163
  }
6019
6164
 
6020
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6165
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6021
6166
 
6022
6167
  /*
6023
6168
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6274,7 +6419,7 @@ class AuthorizationCodeClient {
6274
6419
  }
6275
6420
  }
6276
6421
 
6277
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6422
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6278
6423
 
6279
6424
  /*
6280
6425
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6495,7 +6640,7 @@ class RefreshTokenClient {
6495
6640
  }
6496
6641
  }
6497
6642
 
6498
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6643
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6499
6644
 
6500
6645
  /*
6501
6646
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6611,7 +6756,7 @@ class SilentFlowClient {
6611
6756
  }
6612
6757
  }
6613
6758
 
6614
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6759
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6615
6760
 
6616
6761
  /*
6617
6762
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6626,7 +6771,7 @@ const StubbedNetworkModule = {
6626
6771
  },
6627
6772
  };
6628
6773
 
6629
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6774
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6630
6775
 
6631
6776
  /*
6632
6777
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6849,7 +6994,7 @@ function extractLoginHint(account) {
6849
6994
  return account.loginHint || account.idTokenClaims?.login_hint || null;
6850
6995
  }
6851
6996
 
6852
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6997
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6853
6998
 
6854
6999
  /*
6855
7000
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6882,7 +7027,7 @@ function containsResourceParam(params) {
6882
7027
  return Object.prototype.hasOwnProperty.call(params, "resource");
6883
7028
  }
6884
7029
 
6885
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7030
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6886
7031
  /*
6887
7032
  * Copyright (c) Microsoft Corporation. All rights reserved.
6888
7033
  * Licensed under the MIT License.
@@ -6892,7 +7037,7 @@ function containsResourceParam(params) {
6892
7037
  */
6893
7038
  const unexpectedError = "unexpected_error";
6894
7039
 
6895
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7040
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
6896
7041
 
6897
7042
  /*
6898
7043
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7153,7 +7298,7 @@ class ServerTelemetryManager {
7153
7298
  }
7154
7299
  }
7155
7300
 
7156
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7301
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
7157
7302
 
7158
7303
  /*
7159
7304
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7174,7 +7319,7 @@ function createJoseHeaderError(code) {
7174
7319
  return new JoseHeaderError(code);
7175
7320
  }
7176
7321
 
7177
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7322
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
7178
7323
  /*
7179
7324
  * Copyright (c) Microsoft Corporation. All rights reserved.
7180
7325
  * Licensed under the MIT License.
@@ -7182,7 +7327,7 @@ function createJoseHeaderError(code) {
7182
7327
  const missingKidError = "missing_kid_error";
7183
7328
  const missingAlgError = "missing_alg_error";
7184
7329
 
7185
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7330
+ /*! @azure/msal-common v16.6.1 2026-05-11 */
7186
7331
 
7187
7332
  /*
7188
7333
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7617,7 +7762,7 @@ function ensureArgumentIsJSONString(argName, argValue, correlationId) {
7617
7762
 
7618
7763
  /* eslint-disable header/header */
7619
7764
  const name = "@azure/msal-browser";
7620
- const version = "5.10.0";
7765
+ const version = "5.10.1";
7621
7766
 
7622
7767
  /*
7623
7768
  * Copyright (c) Microsoft Corporation. All rights reserved.