@azure/msal-browser 5.10.0 → 5.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (255) hide show
  1. package/dist/app/IPublicClientApplication.mjs +1 -1
  2. package/dist/app/PublicClientApplication.mjs +1 -1
  3. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
  4. package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  5. package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  6. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +18 -32
  7. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs.map +1 -1
  8. package/dist/cache/AccountManager.mjs +1 -1
  9. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  10. package/dist/cache/BrowserCacheManager.mjs +1 -1
  11. package/dist/cache/CacheHelpers.mjs +1 -1
  12. package/dist/cache/CacheKeys.mjs +2 -3
  13. package/dist/cache/CacheKeys.mjs.map +1 -1
  14. package/dist/cache/CookieStorage.mjs +1 -1
  15. package/dist/cache/DatabaseStorage.mjs +1 -1
  16. package/dist/cache/EncryptedData.mjs +1 -1
  17. package/dist/cache/LocalStorage.mjs +1 -1
  18. package/dist/cache/MemoryStorage.mjs +1 -1
  19. package/dist/cache/SessionStorage.mjs +1 -1
  20. package/dist/cache/TokenCache.mjs +1 -1
  21. package/dist/config/Configuration.mjs +2 -1
  22. package/dist/config/Configuration.mjs.map +1 -1
  23. package/dist/controllers/NestedAppAuthController.mjs +1 -1
  24. package/dist/controllers/StandardController.mjs +2 -2
  25. package/dist/controllers/StandardController.mjs.map +1 -1
  26. package/dist/crypto/BrowserCrypto.mjs +1 -1
  27. package/dist/crypto/CryptoOps.mjs +1 -1
  28. package/dist/crypto/PkceGenerator.mjs +1 -1
  29. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  30. package/dist/custom_auth/CustomAuthConstants.mjs +11 -2
  31. package/dist/custom_auth/CustomAuthConstants.mjs.map +1 -1
  32. package/dist/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
  33. package/dist/custom_auth/controller/CustomAuthStandardController.mjs +2 -2
  34. package/dist/custom_auth/controller/CustomAuthStandardController.mjs.map +1 -1
  35. package/dist/custom_auth/core/CustomAuthAuthority.mjs +1 -1
  36. package/dist/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
  37. package/dist/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
  38. package/dist/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
  39. package/dist/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
  40. package/dist/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
  41. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
  42. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
  43. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
  44. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
  45. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +1 -1
  46. package/dist/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
  47. package/dist/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
  48. package/dist/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
  49. package/dist/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
  50. package/dist/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
  51. package/dist/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +1 -1
  52. package/dist/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
  53. package/dist/custom_auth/core/error/CustomAuthError.mjs +1 -1
  54. package/dist/custom_auth/core/error/HttpError.mjs +1 -1
  55. package/dist/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
  56. package/dist/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
  57. package/dist/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
  58. package/dist/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
  59. package/dist/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
  60. package/dist/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
  61. package/dist/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
  62. package/dist/custom_auth/core/error/ParsedUrlError.mjs +1 -1
  63. package/dist/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
  64. package/dist/custom_auth/core/error/UnexpectedError.mjs +1 -1
  65. package/dist/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
  66. package/dist/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
  67. package/dist/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
  68. package/dist/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
  69. package/dist/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
  70. package/dist/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
  71. package/dist/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
  72. package/dist/custom_auth/core/interaction_client/mfa/MfaClient.mjs +1 -1
  73. package/dist/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
  74. package/dist/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +21 -3
  75. package/dist/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs.map +1 -1
  76. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +6 -6
  77. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs.map +1 -1
  78. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
  79. package/dist/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
  80. package/dist/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +3 -3
  81. package/dist/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs.map +1 -1
  82. package/dist/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +3 -3
  83. package/dist/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs.map +1 -1
  84. package/dist/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +3 -3
  85. package/dist/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs.map +1 -1
  86. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
  87. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
  88. package/dist/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +1 -1
  89. package/dist/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
  90. package/dist/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
  91. package/dist/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
  92. package/dist/custom_auth/core/utils/CustomHeaderUtils.mjs +56 -0
  93. package/dist/custom_auth/core/utils/CustomHeaderUtils.mjs.map +1 -0
  94. package/dist/custom_auth/core/utils/UrlUtils.mjs +1 -1
  95. package/dist/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +1 -1
  96. package/dist/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
  97. package/dist/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
  98. package/dist/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
  99. package/dist/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
  100. package/dist/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
  101. package/dist/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
  102. package/dist/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
  103. package/dist/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +1 -1
  104. package/dist/custom_auth/index.mjs +1 -1
  105. package/dist/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
  106. package/dist/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
  107. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
  108. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
  109. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
  110. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
  111. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +1 -1
  112. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
  113. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
  114. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +1 -1
  115. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
  116. package/dist/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +1 -1
  117. package/dist/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
  118. package/dist/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
  119. package/dist/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
  120. package/dist/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
  121. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
  122. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
  123. package/dist/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +1 -1
  124. package/dist/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
  125. package/dist/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +1 -1
  126. package/dist/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
  127. package/dist/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +1 -1
  128. package/dist/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
  129. package/dist/custom_auth/sign_in/interaction_client/SignInClient.mjs +1 -1
  130. package/dist/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
  131. package/dist/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
  132. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
  133. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
  134. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
  135. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
  136. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
  137. package/dist/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +1 -1
  138. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +1 -1
  139. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
  140. package/dist/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
  141. package/dist/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +1 -1
  142. package/dist/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
  143. package/dist/custom_auth/sign_up/interaction_client/SignUpClient.mjs +1 -1
  144. package/dist/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
  145. package/dist/encode/Base64Decode.mjs +1 -1
  146. package/dist/encode/Base64Encode.mjs +1 -1
  147. package/dist/error/BrowserAuthError.mjs +1 -1
  148. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  149. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  150. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  151. package/dist/error/NativeAuthError.mjs +1 -1
  152. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  153. package/dist/error/NestedAppAuthError.mjs +1 -1
  154. package/dist/event/EventHandler.mjs +1 -1
  155. package/dist/event/EventMessage.mjs +1 -1
  156. package/dist/event/EventType.mjs +1 -1
  157. package/dist/index.mjs +1 -1
  158. package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
  159. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  160. package/dist/interaction_client/PlatformAuthInteractionClient.mjs +1 -1
  161. package/dist/interaction_client/PopupClient.mjs +1 -1
  162. package/dist/interaction_client/RedirectClient.mjs +1 -1
  163. package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
  164. package/dist/interaction_client/SilentCacheClient.mjs +1 -1
  165. package/dist/interaction_client/SilentIframeClient.mjs +1 -1
  166. package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
  167. package/dist/interaction_client/StandardInteractionClient.mjs +6 -4
  168. package/dist/interaction_client/StandardInteractionClient.mjs.map +1 -1
  169. package/dist/interaction_handler/InteractionHandler.mjs +1 -1
  170. package/dist/interaction_handler/SilentHandler.mjs +1 -1
  171. package/dist/log-strings-mapping.json +21 -9
  172. package/dist/naa/BridgeError.mjs +1 -1
  173. package/dist/naa/BridgeProxy.mjs +1 -1
  174. package/dist/naa/BridgeStatusCode.mjs +1 -1
  175. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +1 -1
  176. package/dist/navigation/NavigationClient.mjs +1 -1
  177. package/dist/network/FetchClient.mjs +1 -1
  178. package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
  179. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  180. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  181. package/dist/packageMetadata.mjs +2 -2
  182. package/dist/protocol/Authorize.mjs +1 -1
  183. package/dist/redirect_bridge/index.mjs +1 -1
  184. package/dist/request/RequestHelpers.mjs +1 -1
  185. package/dist/response/ResponseHandler.mjs +1 -1
  186. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  187. package/dist/telemetry/BrowserPerformanceEvents.mjs +1 -1
  188. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  189. package/dist/telemetry/BrowserRootPerformanceEvents.mjs +1 -1
  190. package/dist/utils/BrowserConstants.mjs +1 -1
  191. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  192. package/dist/utils/BrowserUtils.mjs +1 -1
  193. package/dist/utils/Helpers.mjs +1 -1
  194. package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
  195. package/lib/custom-auth-path/log-strings-mapping.json +21 -9
  196. package/lib/custom-auth-path/msal-custom-auth.cjs +319 -107
  197. package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
  198. package/lib/custom-auth-path/msal-custom-auth.js +319 -107
  199. package/lib/custom-auth-path/msal-custom-auth.js.map +1 -1
  200. package/lib/log-strings-mapping.json +8 -8
  201. package/lib/msal-browser.cjs +241 -104
  202. package/lib/msal-browser.cjs.map +1 -1
  203. package/lib/msal-browser.js +241 -104
  204. package/lib/msal-browser.js.map +1 -1
  205. package/lib/msal-browser.min.js +2 -2
  206. package/lib/redirect-bridge/msal-redirect-bridge.cjs +10 -10
  207. package/lib/redirect-bridge/msal-redirect-bridge.cjs.map +1 -1
  208. package/lib/redirect-bridge/msal-redirect-bridge.js +10 -10
  209. package/lib/redirect-bridge/msal-redirect-bridge.js.map +1 -1
  210. package/lib/redirect-bridge/msal-redirect-bridge.min.js +1 -1
  211. package/package.json +2 -2
  212. package/src/broker/nativeBroker/PlatformAuthProvider.ts +34 -30
  213. package/src/config/Configuration.ts +5 -0
  214. package/src/controllers/StandardController.ts +2 -1
  215. package/src/custom_auth/CustomAuthConstants.ts +10 -0
  216. package/src/custom_auth/configuration/CustomAuthConfiguration.ts +2 -0
  217. package/src/custom_auth/configuration/CustomAuthRequestInterceptor.ts +54 -0
  218. package/src/custom_auth/controller/CustomAuthStandardController.ts +3 -1
  219. package/src/custom_auth/core/network_client/custom_auth_api/BaseApiClient.ts +41 -2
  220. package/src/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.ts +17 -5
  221. package/src/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.ts +8 -2
  222. package/src/custom_auth/core/network_client/custom_auth_api/SignInApiClient.ts +8 -3
  223. package/src/custom_auth/core/network_client/custom_auth_api/SignupApiClient.ts +8 -2
  224. package/src/custom_auth/core/utils/CustomHeaderUtils.ts +75 -0
  225. package/src/custom_auth/index.ts +4 -0
  226. package/src/interaction_client/StandardInteractionClient.ts +11 -5
  227. package/src/packageMetadata.ts +1 -1
  228. package/types/broker/nativeBroker/PlatformAuthProvider.d.ts +7 -12
  229. package/types/broker/nativeBroker/PlatformAuthProvider.d.ts.map +1 -1
  230. package/types/config/Configuration.d.ts +4 -0
  231. package/types/config/Configuration.d.ts.map +1 -1
  232. package/types/controllers/StandardController.d.ts.map +1 -1
  233. package/types/custom_auth/CustomAuthConstants.d.ts +5 -1
  234. package/types/custom_auth/CustomAuthConstants.d.ts.map +1 -1
  235. package/types/custom_auth/configuration/CustomAuthConfiguration.d.ts +2 -0
  236. package/types/custom_auth/configuration/CustomAuthConfiguration.d.ts.map +1 -1
  237. package/types/custom_auth/configuration/CustomAuthRequestInterceptor.d.ts +42 -0
  238. package/types/custom_auth/configuration/CustomAuthRequestInterceptor.d.ts.map +1 -0
  239. package/types/custom_auth/controller/CustomAuthStandardController.d.ts.map +1 -1
  240. package/types/custom_auth/core/network_client/custom_auth_api/BaseApiClient.d.ts +6 -2
  241. package/types/custom_auth/core/network_client/custom_auth_api/BaseApiClient.d.ts.map +1 -1
  242. package/types/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.d.ts +3 -1
  243. package/types/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.d.ts.map +1 -1
  244. package/types/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.d.ts +3 -1
  245. package/types/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.d.ts.map +1 -1
  246. package/types/custom_auth/core/network_client/custom_auth_api/SignInApiClient.d.ts +3 -1
  247. package/types/custom_auth/core/network_client/custom_auth_api/SignInApiClient.d.ts.map +1 -1
  248. package/types/custom_auth/core/network_client/custom_auth_api/SignupApiClient.d.ts +3 -1
  249. package/types/custom_auth/core/network_client/custom_auth_api/SignupApiClient.d.ts.map +1 -1
  250. package/types/custom_auth/core/utils/CustomHeaderUtils.d.ts +21 -0
  251. package/types/custom_auth/core/utils/CustomHeaderUtils.d.ts.map +1 -0
  252. package/types/custom_auth/index.d.ts +1 -0
  253. package/types/custom_auth/index.d.ts.map +1 -1
  254. package/types/interaction_client/StandardInteractionClient.d.ts.map +1 -1
  255. package/types/packageMetadata.d.ts +1 -1
@@ -1,8 +1,8 @@
1
- /*! @azure/msal-browser v5.10.0 2026-05-07 */
1
+ /*! @azure/msal-browser v5.11.0 2026-05-19 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
5
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6
6
  /*
7
7
  * Copyright (c) Microsoft Corporation. All rights reserved.
8
8
  * Licensed under the MIT License.
@@ -229,7 +229,7 @@ const JsonWebTokenTypes = {
229
229
  // Token renewal offset default in seconds
230
230
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
231
231
 
232
- /*! @azure/msal-common v16.6.0 2026-05-07 */
232
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
233
233
  /*
234
234
  * Copyright (c) Microsoft Corporation. All rights reserved.
235
235
  * Licensed under the MIT License.
@@ -281,7 +281,7 @@ const EAR_JWE_CRYPTO = "ear_jwe_crypto";
281
281
  const RESOURCE = "resource";
282
282
  const CLI_DATA = "clidata";
283
283
 
284
- /*! @azure/msal-common v16.6.0 2026-05-07 */
284
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
285
285
  /*
286
286
  * Copyright (c) Microsoft Corporation. All rights reserved.
287
287
  * Licensed under the MIT License.
@@ -312,7 +312,7 @@ function createAuthError(code, additionalMessage) {
312
312
  return new AuthError(code, additionalMessage || getDefaultErrorMessage$1(code));
313
313
  }
314
314
 
315
- /*! @azure/msal-common v16.6.0 2026-05-07 */
315
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
316
316
 
317
317
  /*
318
318
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -332,7 +332,7 @@ function createClientConfigurationError(errorCode) {
332
332
  return new ClientConfigurationError(errorCode);
333
333
  }
334
334
 
335
- /*! @azure/msal-common v16.6.0 2026-05-07 */
335
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
336
336
  /*
337
337
  * Copyright (c) Microsoft Corporation. All rights reserved.
338
338
  * Licensed under the MIT License.
@@ -412,7 +412,7 @@ class StringUtils {
412
412
  }
413
413
  }
414
414
 
415
- /*! @azure/msal-common v16.6.0 2026-05-07 */
415
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
416
416
 
417
417
  /*
418
418
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -435,7 +435,7 @@ function createClientAuthError(errorCode, additionalMessage) {
435
435
  return new ClientAuthError(errorCode, additionalMessage);
436
436
  }
437
437
 
438
- /*! @azure/msal-common v16.6.0 2026-05-07 */
438
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
439
439
  /*
440
440
  * Copyright (c) Microsoft Corporation. All rights reserved.
441
441
  * Licensed under the MIT License.
@@ -457,9 +457,11 @@ const missingSshKid = "missing_ssh_kid";
457
457
  const cannotSetOIDCOptions = "cannot_set_OIDCOptions";
458
458
  const cannotAllowPlatformBroker = "cannot_allow_platform_broker";
459
459
  const authorityMismatch = "authority_mismatch";
460
- const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
460
+ const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
461
+ const invalidPlatformBrokerConfiguration = "invalid_platform_broker_configuration";
462
+ const issuerValidationFailed = "issuer_validation_failed";
461
463
 
462
- /*! @azure/msal-common v16.6.0 2026-05-07 */
464
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
463
465
  /*
464
466
  * Copyright (c) Microsoft Corporation. All rights reserved.
465
467
  * Licensed under the MIT License.
@@ -498,7 +500,7 @@ const methodNotImplemented = "method_not_implemented";
498
500
  const resourceParameterRequired = "resource_parameter_required";
499
501
  const misplacedResourceParam = "misplaced_resource_parameter";
500
502
 
501
- /*! @azure/msal-common v16.6.0 2026-05-07 */
503
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
502
504
 
503
505
  /*
504
506
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -693,7 +695,7 @@ class ScopeSet {
693
695
  }
694
696
  }
695
697
 
696
- /*! @azure/msal-common v16.6.0 2026-05-07 */
698
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
697
699
 
698
700
  /*
699
701
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1082,7 +1084,7 @@ function addResource(parameters, resource) {
1082
1084
  }
1083
1085
  }
1084
1086
 
1085
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1087
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1086
1088
 
1087
1089
  /*
1088
1090
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1191,7 +1193,7 @@ function normalizeUrlForComparison(url) {
1191
1193
  }
1192
1194
  }
1193
1195
 
1194
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1196
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1195
1197
 
1196
1198
  /*
1197
1199
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1230,7 +1232,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
1230
1232
  },
1231
1233
  };
1232
1234
 
1233
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1235
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1234
1236
  /*
1235
1237
  * Copyright (c) Microsoft Corporation. All rights reserved.
1236
1238
  * Licensed under the MIT License.
@@ -1491,12 +1493,12 @@ class Logger {
1491
1493
  }
1492
1494
  }
1493
1495
 
1494
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1496
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1495
1497
  /* eslint-disable header/header */
1496
1498
  const name$1 = "@azure/msal-common";
1497
- const version$1 = "16.6.0";
1499
+ const version$1 = "16.6.2";
1498
1500
 
1499
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1501
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1500
1502
  /*
1501
1503
  * Copyright (c) Microsoft Corporation. All rights reserved.
1502
1504
  * Licensed under the MIT License.
@@ -1505,7 +1507,7 @@ const AzureCloudInstance = {
1505
1507
  // AzureCloudInstance is not specified.
1506
1508
  None: "none"};
1507
1509
 
1508
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1510
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1509
1511
  /*
1510
1512
  * Copyright (c) Microsoft Corporation. All rights reserved.
1511
1513
  * Licensed under the MIT License.
@@ -1588,7 +1590,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
1588
1590
  return updatedAccountInfo;
1589
1591
  }
1590
1592
 
1591
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1593
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1592
1594
 
1593
1595
  /*
1594
1596
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1668,7 +1670,7 @@ function checkMaxAge(authTime, maxAge) {
1668
1670
  }
1669
1671
  }
1670
1672
 
1671
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1673
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1672
1674
 
1673
1675
  /*
1674
1676
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1825,7 +1827,7 @@ class UrlString {
1825
1827
  }
1826
1828
  }
1827
1829
 
1828
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1830
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1829
1831
 
1830
1832
  /*
1831
1833
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1911,6 +1913,15 @@ const rawMetdataJSON = {
1911
1913
  preferred_cache: "login.sovcloud-identity.sg",
1912
1914
  aliases: ["login.sovcloud-identity.sg"],
1913
1915
  },
1916
+ {
1917
+ preferred_network: "login.windows-ppe.net",
1918
+ preferred_cache: "login.windows-ppe.net",
1919
+ aliases: [
1920
+ "login.windows-ppe.net",
1921
+ "sts.windows-ppe.net",
1922
+ "login.microsoft-ppe.com",
1923
+ ],
1924
+ },
1914
1925
  ],
1915
1926
  },
1916
1927
  };
@@ -1982,7 +1993,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
1982
1993
  return null;
1983
1994
  }
1984
1995
 
1985
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1996
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1986
1997
  /*
1987
1998
  * Copyright (c) Microsoft Corporation. All rights reserved.
1988
1999
  * Licensed under the MIT License.
@@ -1990,7 +2001,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
1990
2001
  const cacheQuotaExceeded = "cache_quota_exceeded";
1991
2002
  const cacheErrorUnknown = "cache_error_unknown";
1992
2003
 
1993
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2004
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1994
2005
 
1995
2006
  /*
1996
2007
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2028,7 +2039,7 @@ function createCacheError(e) {
2028
2039
  }
2029
2040
  }
2030
2041
 
2031
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2042
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
2032
2043
 
2033
2044
  /*
2034
2045
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2066,7 +2077,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
2066
2077
  };
2067
2078
  }
2068
2079
 
2069
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2080
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
2070
2081
  /*
2071
2082
  * Copyright (c) Microsoft Corporation. All rights reserved.
2072
2083
  * Licensed under the MIT License.
@@ -2081,7 +2092,7 @@ const AuthorityType = {
2081
2092
  Ciam: 3,
2082
2093
  };
2083
2094
 
2084
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2095
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
2085
2096
  /*
2086
2097
  * Copyright (c) Microsoft Corporation. All rights reserved.
2087
2098
  * Licensed under the MIT License.
@@ -2103,7 +2114,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
2103
2114
  return null;
2104
2115
  }
2105
2116
 
2106
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2117
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
2107
2118
  /*
2108
2119
  * Copyright (c) Microsoft Corporation. All rights reserved.
2109
2120
  * Licensed under the MIT License.
@@ -2127,7 +2138,7 @@ const ProtocolMode = {
2127
2138
  EAR: "EAR",
2128
2139
  };
2129
2140
 
2130
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2141
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
2131
2142
  /**
2132
2143
  * Returns the AccountInfo interface for this account.
2133
2144
  */
@@ -2302,7 +2313,7 @@ function isAccountEntity(entity) {
2302
2313
  entity.hasOwnProperty("authorityType"));
2303
2314
  }
2304
2315
 
2305
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2316
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
2306
2317
 
2307
2318
  /*
2308
2319
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3433,7 +3444,7 @@ class DefaultStorageClass extends CacheManager {
3433
3444
  }
3434
3445
  }
3435
3446
 
3436
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3447
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3437
3448
  /*
3438
3449
  * Copyright (c) Microsoft Corporation. All rights reserved.
3439
3450
  * Licensed under the MIT License.
@@ -3447,7 +3458,7 @@ class DefaultStorageClass extends CacheManager {
3447
3458
  const PerformanceEventStatus = {
3448
3459
  InProgress: 1};
3449
3460
 
3450
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3461
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3451
3462
 
3452
3463
  /*
3453
3464
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3502,7 +3513,7 @@ class StubPerformanceClient {
3502
3513
  }
3503
3514
  }
3504
3515
 
3505
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3516
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3506
3517
 
3507
3518
  /*
3508
3519
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3597,7 +3608,7 @@ function isOidcProtocolMode(config) {
3597
3608
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3598
3609
  }
3599
3610
 
3600
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3611
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3601
3612
  /*
3602
3613
  * Copyright (c) Microsoft Corporation. All rights reserved.
3603
3614
  * Licensed under the MIT License.
@@ -3624,7 +3635,7 @@ function isOidcProtocolMode(config) {
3624
3635
  }
3625
3636
  }
3626
3637
 
3627
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3638
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3628
3639
  /*
3629
3640
  * Copyright (c) Microsoft Corporation. All rights reserved.
3630
3641
  * Licensed under the MIT License.
@@ -3689,7 +3700,7 @@ function wasClockTurnedBack(cachedAt) {
3689
3700
  return cachedAtSec > nowSeconds();
3690
3701
  }
3691
3702
 
3692
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3703
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3693
3704
 
3694
3705
  /*
3695
3706
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3948,7 +3959,7 @@ function isAuthorityMetadataExpired(metadata) {
3948
3959
  return metadata.expiresAt <= nowSeconds();
3949
3960
  }
3950
3961
 
3951
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3962
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3952
3963
  /*
3953
3964
  * Copyright (c) Microsoft Corporation. All rights reserved.
3954
3965
  * Licensed under the MIT License.
@@ -4019,7 +4030,7 @@ const RegionDiscoveryGetCurrentVersion = "regionDiscoveryGetCurrentVersion";
4019
4030
  const CacheManagerGetRefreshToken = "cacheManagerGetRefreshToken";
4020
4031
  const SetUserData = "setUserData";
4021
4032
 
4022
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4033
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4023
4034
  /*
4024
4035
  * Copyright (c) Microsoft Corporation. All rights reserved.
4025
4036
  * Licensed under the MIT License.
@@ -4112,7 +4123,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
4112
4123
  };
4113
4124
  };
4114
4125
 
4115
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4126
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4116
4127
 
4117
4128
  /*
4118
4129
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4192,7 +4203,7 @@ class PopTokenGenerator {
4192
4203
  }
4193
4204
  }
4194
4205
 
4195
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4206
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4196
4207
  /*
4197
4208
  * Copyright (c) Microsoft Corporation. All rights reserved.
4198
4209
  * Licensed under the MIT License.
@@ -4243,7 +4254,7 @@ const badToken = "bad_token";
4243
4254
  */
4244
4255
  const interruptedUser = "interrupted_user";
4245
4256
 
4246
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4257
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4247
4258
 
4248
4259
  /*
4249
4260
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4311,7 +4322,7 @@ function createInteractionRequiredAuthError(errorCode, errorMessage) {
4311
4322
  return new InteractionRequiredAuthError(errorCode, errorMessage);
4312
4323
  }
4313
4324
 
4314
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4325
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4315
4326
 
4316
4327
  /*
4317
4328
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4330,7 +4341,7 @@ class ServerError extends AuthError {
4330
4341
  }
4331
4342
  }
4332
4343
 
4333
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4344
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4334
4345
 
4335
4346
  /*
4336
4347
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4398,7 +4409,7 @@ function parseRequestState(base64Decode, state) {
4398
4409
  }
4399
4410
  }
4400
4411
 
4401
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4412
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4402
4413
 
4403
4414
  /*
4404
4415
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4746,7 +4757,7 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
4746
4757
  return baseAccount;
4747
4758
  }
4748
4759
 
4749
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4760
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4750
4761
  /*
4751
4762
  * Copyright (c) Microsoft Corporation. All rights reserved.
4752
4763
  * Licensed under the MIT License.
@@ -4756,7 +4767,7 @@ const CcsCredentialType = {
4756
4767
  UPN: "UPN",
4757
4768
  };
4758
4769
 
4759
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4770
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4760
4771
  /*
4761
4772
  * Copyright (c) Microsoft Corporation. All rights reserved.
4762
4773
  * Licensed under the MIT License.
@@ -4774,7 +4785,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
4774
4785
  }
4775
4786
  }
4776
4787
 
4777
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4788
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4778
4789
  /*
4779
4790
  * Copyright (c) Microsoft Corporation. All rights reserved.
4780
4791
  * Licensed under the MIT License.
@@ -4795,7 +4806,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
4795
4806
  };
4796
4807
  }
4797
4808
 
4798
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4809
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4799
4810
 
4800
4811
  /*
4801
4812
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4881,7 +4892,7 @@ class ThrottlingUtils {
4881
4892
  }
4882
4893
  }
4883
4894
 
4884
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4895
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4885
4896
 
4886
4897
  /*
4887
4898
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4912,7 +4923,7 @@ function createNetworkError(error, httpStatus, responseHeaders, additionalError)
4912
4923
  return new NetworkError(error, httpStatus, responseHeaders);
4913
4924
  }
4914
4925
 
4915
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4926
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4916
4927
 
4917
4928
  /*
4918
4929
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5026,7 +5037,7 @@ async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId
5026
5037
  return response;
5027
5038
  }
5028
5039
 
5029
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5040
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
5030
5041
  /*
5031
5042
  * Copyright (c) Microsoft Corporation. All rights reserved.
5032
5043
  * Licensed under the MIT License.
@@ -5038,7 +5049,7 @@ function isOpenIdConfigResponse(response) {
5038
5049
  response.hasOwnProperty("jwks_uri"));
5039
5050
  }
5040
5051
 
5041
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5052
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
5042
5053
  /*
5043
5054
  * Copyright (c) Microsoft Corporation. All rights reserved.
5044
5055
  * Licensed under the MIT License.
@@ -5048,7 +5059,7 @@ function isCloudInstanceDiscoveryResponse(response) {
5048
5059
  response.hasOwnProperty("metadata"));
5049
5060
  }
5050
5061
 
5051
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5062
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
5052
5063
  /*
5053
5064
  * Copyright (c) Microsoft Corporation. All rights reserved.
5054
5065
  * Licensed under the MIT License.
@@ -5058,7 +5069,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
5058
5069
  response.hasOwnProperty("error_description"));
5059
5070
  }
5060
5071
 
5061
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5072
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
5062
5073
 
5063
5074
  /*
5064
5075
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5163,7 +5174,7 @@ RegionDiscovery.IMDS_OPTIONS = {
5163
5174
  },
5164
5175
  };
5165
5176
 
5166
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5177
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
5167
5178
 
5168
5179
  /*
5169
5180
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5418,7 +5429,7 @@ class Authority {
5418
5429
  }, this.correlationId);
5419
5430
  }
5420
5431
  /**
5421
- * Returns metadata entity from cache if it exists, otherwiser returns a new metadata entity built
5432
+ * Returns metadata entity from cache if it exists, otherwise returns a new metadata entity built
5422
5433
  * from the configured canonical authority
5423
5434
  * @returns
5424
5435
  */
@@ -5487,6 +5498,8 @@ class Authority {
5487
5498
  // Get metadata from network if local sources aren't available
5488
5499
  let metadata = await invokeAsync(this.getEndpointMetadataFromNetwork.bind(this), AuthorityGetEndpointMetadataFromNetwork, this.logger, this.performanceClient, this.correlationId)();
5489
5500
  if (metadata) {
5501
+ // Validate the issuer returned by the OIDC discovery document.
5502
+ this.validateIssuer(metadata.issuer);
5490
5503
  // If the user prefers to use an azure region replace the global endpoints with regional information.
5491
5504
  if (this.authorityOptions.azureRegionConfiguration?.azureRegion) {
5492
5505
  metadata = await invokeAsync(this.updateMetadataWithRegionalInformation.bind(this), AuthorityUpdateMetadataWithRegionalInformation, this.logger, this.performanceClient, this.correlationId)(metadata);
@@ -5655,7 +5668,7 @@ class Authority {
5655
5668
  throw createClientConfigurationError(untrustedAuthority);
5656
5669
  }
5657
5670
  updateCloudDiscoveryMetadataFromLocalSources(metadataEntity) {
5658
- this.logger.verbose("0jhlgt", this.correlationId);
5671
+ this.logger.verbose("1tpqlr", this.correlationId);
5659
5672
  this.logger.verbosePii("1fy7uz", this.correlationId);
5660
5673
  this.logger.verbosePii("08zabj", this.correlationId);
5661
5674
  this.logger.verbosePii("1o1kv3", this.correlationId);
@@ -5852,6 +5865,139 @@ class Authority {
5852
5865
  isAliasOfKnownMicrosoftAuthority(host) {
5853
5866
  return InstanceDiscoveryMetadataAliases.has(host);
5854
5867
  }
5868
+ /**
5869
+ * Validates the `issuer` returned by an OIDC discovery document against
5870
+ * this authority, per
5871
+ * https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation
5872
+ *
5873
+ * The issuer is accepted when ANY of the following holds:
5874
+ * 1. The issuer scheme + host + port match the authority's (path may
5875
+ * differ). Applies to all authorities.
5876
+ * 2. The authority is a Microsoft cloud authority (public, sovereign,
5877
+ * or CIAM), the issuer is HTTPS, and the issuer host is in the known
5878
+ * Microsoft authority host set.
5879
+ * 3. Same as (2), but the issuer host is a single-label regional variant
5880
+ * of a known Microsoft host (e.g. `westus.login.microsoftonline.com`).
5881
+ * 4. Same as (2), but the issuer host matches the CIAM tenant pattern
5882
+ * `{tenant}.ciamlogin.com` with an optional `/{tenant}[.onmicrosoft.com][/v2.0]`
5883
+ * path.
5884
+ *
5885
+ * @param issuer The `issuer` value returned in the OIDC discovery document.
5886
+ * @throws ClientConfigurationError("issuer_validation_failed") on failure.
5887
+ */
5888
+ validateIssuer(issuer) {
5889
+ if (!issuer) {
5890
+ throw createClientConfigurationError(issuerValidationFailed);
5891
+ }
5892
+ // Parse with the WHATWG URL API. URL normalizes scheme + host to lowercase per RFC 3986.
5893
+ let issuerUrl;
5894
+ try {
5895
+ issuerUrl = new URL(issuer);
5896
+ }
5897
+ catch {
5898
+ throw createClientConfigurationError(issuerValidationFailed);
5899
+ }
5900
+ const issuerScheme = issuerUrl.protocol;
5901
+ const issuerHost = issuerUrl.host;
5902
+ const authorityScheme = (this.canonicalAuthorityUrlComponents.Protocol || "").toLowerCase();
5903
+ const authorityHost = (this.canonicalAuthorityUrlComponents.HostNameAndPort || "").toLowerCase();
5904
+ // Rule 1: Same scheme and host
5905
+ const matchesAuthorityOrigin = this.matchesAuthorityOrigin(issuerScheme, issuerHost, authorityScheme, authorityHost);
5906
+ // Rule 2: The issuer host is a well-known Microsoft authority host (HTTPS only)
5907
+ const matchesKnownMicrosoftHost = issuerScheme === "https:" &&
5908
+ this.isAliasOfKnownMicrosoftAuthority(issuerHost);
5909
+ /*
5910
+ * Rule 3: The issuer host is a regional variant ({region}.{host}) of a well-known host
5911
+ * (HTTPS only). E.g. westus2.login.microsoft.com
5912
+ */
5913
+ const matchesRegionalMicrosoftHost = issuerScheme === "https:" &&
5914
+ this.matchesRegionalMicrosoftHost(issuerHost);
5915
+ /*
5916
+ * Rule 4: CIAM-specific validation. In a CIAM scenario the issuer is expected to
5917
+ * have "{tenant}.ciamlogin.com" as the host, even when using a custom domain.
5918
+ */
5919
+ const matchesCiamTenantPattern = this.matchesCiamTenantPattern(issuerUrl, authorityHost, this.canonicalAuthorityUrlComponents.PathSegments);
5920
+ // Each rule is an independent boolean; the issuer is valid if ANY rule matches.
5921
+ if (matchesAuthorityOrigin ||
5922
+ matchesKnownMicrosoftHost ||
5923
+ matchesRegionalMicrosoftHost ||
5924
+ matchesCiamTenantPattern) {
5925
+ return;
5926
+ }
5927
+ // issuer validation fails if none of the above rules are satisfied
5928
+ throw createClientConfigurationError(issuerValidationFailed);
5929
+ }
5930
+ /**
5931
+ * Rule 1: The issuer scheme + host (and port) match the authority's. Path
5932
+ * may differ. Applies to all authorities.
5933
+ */
5934
+ matchesAuthorityOrigin(issuerScheme, issuerHost, authorityScheme, authorityHost) {
5935
+ return issuerScheme === authorityScheme && issuerHost === authorityHost;
5936
+ }
5937
+ /**
5938
+ * Rule 3: The issuer host is a regional variant
5939
+ * (`{region}.{host}`) of a known Microsoft authority host.
5940
+ * E.g. `westus2.login.microsoft.com`.
5941
+ */
5942
+ matchesRegionalMicrosoftHost(issuerHost) {
5943
+ const firstDot = issuerHost.indexOf(".");
5944
+ if (firstDot > 0 && firstDot < issuerHost.length - 1) {
5945
+ const hostWithoutRegion = issuerHost.substring(firstDot + 1);
5946
+ return this.isAliasOfKnownMicrosoftAuthority(hostWithoutRegion);
5947
+ }
5948
+ return false;
5949
+ }
5950
+ /**
5951
+ * Rule 4: The issuer matches one of the well-known CIAM tenant patterns
5952
+ * (`https://{tenant}.ciamlogin.com[/{tenant}[.onmicrosoft.com][/v2.0]]`).
5953
+ *
5954
+ * The bare tenant name is extracted from the authority's first path segment
5955
+ * when available (stripping the `.onmicrosoft.com` suffix that
5956
+ * `transformCIAMAuthority` adds), or otherwise from the leftmost label of
5957
+ * the authority host (to support CIAM custom domain scenarios).
5958
+ *
5959
+ * Both `/{tenant}` and `/{tenant}.onmicrosoft.com` path forms are accepted
5960
+ * because the OIDC issuer may use either form depending on the authority URL
5961
+ * that was used to trigger discovery.
5962
+ */
5963
+ matchesCiamTenantPattern(issuerUrl, authorityHost, authorityPathSegments) {
5964
+ /*
5965
+ * authorityPathSegments[0] is the first path segment of the *authority
5966
+ * URL* after transformCIAMAuthority runs (e.g. "contoso.onmicrosoft.com").
5967
+ * Additional CIAM issuer path segments such as "/v2.0" are part of the
5968
+ * issuer string, not the authority URL's PathSegments.
5969
+ */
5970
+ const pathSegment = authorityPathSegments[0];
5971
+ /*
5972
+ * Extract the bare tenant name: strip the .onmicrosoft.com suffix when
5973
+ * present (introduced by transformCIAMAuthority), or fall back to the
5974
+ * first label of the authority hostname for non-transformed/custom-domain
5975
+ * CIAM authorities.
5976
+ */
5977
+ const tenantName = pathSegment
5978
+ ? pathSegment.endsWith(AAD_TENANT_DOMAIN_SUFFIX)
5979
+ ? pathSegment.slice(0, -AAD_TENANT_DOMAIN_SUFFIX.length)
5980
+ : pathSegment
5981
+ : authorityHost.split(".")[0];
5982
+ if (!tenantName) {
5983
+ return false;
5984
+ }
5985
+ const ciamBaseURL = `https://${tenantName}${CIAM_AUTH_URL}`;
5986
+ const validCiamPatterns = [
5987
+ ciamBaseURL,
5988
+ `${ciamBaseURL}/${tenantName}`,
5989
+ `${ciamBaseURL}/${tenantName}/v2.0`,
5990
+ `${ciamBaseURL}/${tenantName}${AAD_TENANT_DOMAIN_SUFFIX}`,
5991
+ `${ciamBaseURL}/${tenantName}${AAD_TENANT_DOMAIN_SUFFIX}/v2.0`, // https://{tenant}.ciamlogin.com/{tenant}.onmicrosoft.com/v2.0
5992
+ ];
5993
+ /*
5994
+ * Compose the canonical issuer string from URL components and strip any
5995
+ * trailing slashes from the path so it can be compared to the pattern set.
5996
+ */
5997
+ const issuerPath = issuerUrl.pathname.replace(/\/+$/, "");
5998
+ const normalizedIssuer = `${issuerUrl.protocol}//${issuerUrl.host}${issuerPath}`;
5999
+ return validCiamPatterns.some((pattern) => pattern === normalizedIssuer);
6000
+ }
5855
6001
  /**
5856
6002
  * Checks whether the provided host is that of a public cloud authority
5857
6003
  *
@@ -5983,7 +6129,7 @@ function buildStaticAuthorityOptions(authOptions) {
5983
6129
  };
5984
6130
  }
5985
6131
 
5986
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6132
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
5987
6133
 
5988
6134
  /*
5989
6135
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6017,7 +6163,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
6017
6163
  }
6018
6164
  }
6019
6165
 
6020
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6166
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6021
6167
 
6022
6168
  /*
6023
6169
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6274,7 +6420,7 @@ class AuthorizationCodeClient {
6274
6420
  }
6275
6421
  }
6276
6422
 
6277
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6423
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6278
6424
 
6279
6425
  /*
6280
6426
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6495,7 +6641,7 @@ class RefreshTokenClient {
6495
6641
  }
6496
6642
  }
6497
6643
 
6498
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6644
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6499
6645
 
6500
6646
  /*
6501
6647
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6611,7 +6757,7 @@ class SilentFlowClient {
6611
6757
  }
6612
6758
  }
6613
6759
 
6614
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6760
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6615
6761
 
6616
6762
  /*
6617
6763
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6626,7 +6772,7 @@ const StubbedNetworkModule = {
6626
6772
  },
6627
6773
  };
6628
6774
 
6629
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6775
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6630
6776
 
6631
6777
  /*
6632
6778
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6849,7 +6995,7 @@ function extractLoginHint(account) {
6849
6995
  return account.loginHint || account.idTokenClaims?.login_hint || null;
6850
6996
  }
6851
6997
 
6852
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6998
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6853
6999
 
6854
7000
  /*
6855
7001
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6882,7 +7028,7 @@ function containsResourceParam(params) {
6882
7028
  return Object.prototype.hasOwnProperty.call(params, "resource");
6883
7029
  }
6884
7030
 
6885
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7031
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6886
7032
  /*
6887
7033
  * Copyright (c) Microsoft Corporation. All rights reserved.
6888
7034
  * Licensed under the MIT License.
@@ -6892,7 +7038,7 @@ function containsResourceParam(params) {
6892
7038
  */
6893
7039
  const unexpectedError = "unexpected_error";
6894
7040
 
6895
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7041
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6896
7042
 
6897
7043
  /*
6898
7044
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7153,7 +7299,7 @@ class ServerTelemetryManager {
7153
7299
  }
7154
7300
  }
7155
7301
 
7156
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7302
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
7157
7303
 
7158
7304
  /*
7159
7305
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7174,7 +7320,7 @@ function createJoseHeaderError(code) {
7174
7320
  return new JoseHeaderError(code);
7175
7321
  }
7176
7322
 
7177
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7323
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
7178
7324
  /*
7179
7325
  * Copyright (c) Microsoft Corporation. All rights reserved.
7180
7326
  * Licensed under the MIT License.
@@ -7182,7 +7328,7 @@ function createJoseHeaderError(code) {
7182
7328
  const missingKidError = "missing_kid_error";
7183
7329
  const missingAlgError = "missing_alg_error";
7184
7330
 
7185
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7331
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
7186
7332
 
7187
7333
  /*
7188
7334
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7617,7 +7763,7 @@ function ensureArgumentIsJSONString(argName, argValue, correlationId) {
7617
7763
 
7618
7764
  /* eslint-disable header/header */
7619
7765
  const name = "@azure/msal-browser";
7620
- const version = "5.10.0";
7766
+ const version = "5.11.0";
7621
7767
 
7622
7768
  /*
7623
7769
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7646,6 +7792,15 @@ const HttpHeaderKeys = {
7646
7792
  CONTENT_TYPE: "Content-Type",
7647
7793
  X_MS_REQUEST_ID: "x-ms-request-id",
7648
7794
  };
7795
+ const CustomHeaderConstants = {
7796
+ REQUIRED_PREFIX: "x-",
7797
+ RESERVED_PREFIXES: [
7798
+ "x-client-",
7799
+ "x-ms-",
7800
+ "x-broker-",
7801
+ "x-app-",
7802
+ ],
7803
+ };
7649
7804
  const DefaultPackageInfo = {
7650
7805
  SKU: "msal.browser",
7651
7806
  VERSION: version,
@@ -9469,12 +9624,13 @@ class StandardInteractionClient extends BaseInteractionClient {
9469
9624
  * and logoutHint attribute wasn't manually set in logout request
9470
9625
  */
9471
9626
  if (logoutRequest) {
9472
- // If logoutHint isn't set and an account was passed in, try to extract logoutHint from ID Token Claims
9627
+ // If logoutHint isn't set and an account was passed in, try to extract logoutHint from account loginHint or ID Token Claims
9473
9628
  if (!logoutRequest.logoutHint) {
9474
9629
  if (logoutRequest.account) {
9475
- const logoutHint = this.getLogoutHintFromIdTokenClaims(logoutRequest.account);
9630
+ const logoutHint = logoutRequest.account.loginHint ||
9631
+ this.getLogoutHintFromIdTokenClaims(logoutRequest.account);
9476
9632
  if (logoutHint) {
9477
- this.logger.verbose("0st5di", this.correlationId);
9633
+ this.logger.verbose("0d7s8p", this.correlationId);
9478
9634
  validLogoutRequest.logoutHint = logoutHint;
9479
9635
  }
9480
9636
  }
@@ -9527,6 +9683,7 @@ class StandardInteractionClient extends BaseInteractionClient {
9527
9683
  const idTokenClaims = account.idTokenClaims;
9528
9684
  if (idTokenClaims) {
9529
9685
  if (idTokenClaims.login_hint) {
9686
+ this.logger.verbose("0u5bmc", this.correlationId);
9530
9687
  return idTokenClaims.login_hint;
9531
9688
  }
9532
9689
  else {
@@ -10818,15 +10975,67 @@ class CustomAuthInterationClientFactory {
10818
10975
  }
10819
10976
  }
10820
10977
 
10978
+ /*
10979
+ * Copyright (c) Microsoft Corporation. All rights reserved.
10980
+ * Licensed under the MIT License.
10981
+ */
10982
+ /**
10983
+ * Filters the headers returned by a {@link CustomAuthRequestInterceptor},
10984
+ * keeping only those that conform to the custom-auth header naming rules.
10985
+ *
10986
+ * Rules (mirrors the iOS / Android native auth implementations):
10987
+ * - Header names must start with `x-` (case-insensitive); others are dropped.
10988
+ * - Header names that start with any reserved prefix (`x-client-`, `x-ms-`,
10989
+ * `x-broker-`, `x-app-`) are dropped.
10990
+ * - Headers with empty/whitespace-only names or null/undefined values are dropped.
10991
+ *
10992
+ * Dropped headers are logged as warnings (PII-safe) when a logger is provided.
10993
+ *
10994
+ * @param headers - Raw headers returned by the interceptor.
10995
+ * @param logger - Optional logger used to emit warnings for dropped headers.
10996
+ * @param correlationId - Optional correlation id forwarded to the logger.
10997
+ * @returns A new record containing only the headers that pass the filter,
10998
+ * preserving the original casing of header names.
10999
+ */
11000
+ function filterCustomHeaders(headers, logger, correlationId) {
11001
+ const filtered = {};
11002
+ if (!headers) {
11003
+ return filtered;
11004
+ }
11005
+ for (const [name, value] of Object.entries(headers)) {
11006
+ if (!name || value === undefined || value === null) {
11007
+ continue;
11008
+ }
11009
+ const trimmedName = name.trim();
11010
+ if (!trimmedName) {
11011
+ continue;
11012
+ }
11013
+ const lowerName = trimmedName.toLowerCase();
11014
+ if (!lowerName.startsWith(CustomHeaderConstants.REQUIRED_PREFIX)) {
11015
+ logger?.warningPii("0vzpop", correlationId ?? "");
11016
+ continue;
11017
+ }
11018
+ const reservedPrefix = CustomHeaderConstants.RESERVED_PREFIXES.find((prefix) => lowerName.startsWith(prefix));
11019
+ if (reservedPrefix) {
11020
+ logger?.warningPii("1m3lhk", correlationId ?? "");
11021
+ continue;
11022
+ }
11023
+ filtered[trimmedName] = value;
11024
+ }
11025
+ return filtered;
11026
+ }
11027
+
10821
11028
  /*
10822
11029
  * Copyright (c) Microsoft Corporation. All rights reserved.
10823
11030
  * Licensed under the MIT License.
10824
11031
  */
10825
11032
  class BaseApiClient {
10826
- constructor(baseUrl, clientId, httpClient, customAuthApiQueryParams) {
11033
+ constructor(baseUrl, clientId, httpClient, customAuthApiQueryParams, requestInterceptor, logger) {
10827
11034
  this.clientId = clientId;
10828
11035
  this.httpClient = httpClient;
10829
11036
  this.customAuthApiQueryParams = customAuthApiQueryParams;
11037
+ this.requestInterceptor = requestInterceptor;
11038
+ this.logger = logger;
10830
11039
  this.baseRequestUrl = parseUrl(!baseUrl.endsWith("/") ? `${baseUrl}/` : baseUrl);
10831
11040
  }
10832
11041
  async request(endpoint, data, telemetryManager, correlationId) {
@@ -10834,8 +11043,10 @@ class BaseApiClient {
10834
11043
  client_id: this.clientId,
10835
11044
  ...data,
10836
11045
  });
10837
- const headers = this.getCommonHeaders(correlationId, telemetryManager);
11046
+ const commonHeaders = this.getCommonHeaders(correlationId, telemetryManager);
10838
11047
  const url = buildUrl(this.baseRequestUrl.href, endpoint, this.customAuthApiQueryParams);
11048
+ const additionalHeaders = await this.getAdditionalHeaders(url, correlationId);
11049
+ const headers = { ...commonHeaders, ...additionalHeaders };
10839
11050
  let response;
10840
11051
  try {
10841
11052
  response = await this.httpClient.post(url, formData, headers);
@@ -10893,6 +11104,19 @@ class BaseApiClient {
10893
11104
  : responseError.invalid_attributes ?? [];
10894
11105
  throw new CustomAuthApiError(responseError.error, responseError.error_description, responseError.correlation_id, responseError.error_codes, responseError.suberror, attributes, responseError.continuation_token, responseError.trace_id, responseError.timestamp);
10895
11106
  }
11107
+ async getAdditionalHeaders(url, correlationId) {
11108
+ if (!this.requestInterceptor) {
11109
+ return {};
11110
+ }
11111
+ try {
11112
+ const result = await Promise.resolve(this.requestInterceptor.addAdditionalHeaderFields(url));
11113
+ return filterCustomHeaders(result, this.logger, correlationId);
11114
+ }
11115
+ catch (e) {
11116
+ this.logger?.warningPii("1ptwx4", correlationId);
11117
+ return {};
11118
+ }
11119
+ }
10896
11120
  }
10897
11121
 
10898
11122
  /*
@@ -10900,8 +11124,8 @@ class BaseApiClient {
10900
11124
  * Licensed under the MIT License.
10901
11125
  */
10902
11126
  class ResetPasswordApiClient extends BaseApiClient {
10903
- constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams) {
10904
- super(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams);
11127
+ constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger) {
11128
+ super(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams, requestInterceptor, logger);
10905
11129
  this.capabilities = capabilities;
10906
11130
  }
10907
11131
  /**
@@ -10984,8 +11208,8 @@ class ResetPasswordApiClient extends BaseApiClient {
10984
11208
  * Licensed under the MIT License.
10985
11209
  */
10986
11210
  class SignupApiClient extends BaseApiClient {
10987
- constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams) {
10988
- super(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams);
11211
+ constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger) {
11212
+ super(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams, requestInterceptor, logger);
10989
11213
  this.capabilities = capabilities;
10990
11214
  }
10991
11215
  /**
@@ -11054,8 +11278,8 @@ class SignupApiClient extends BaseApiClient {
11054
11278
  * Licensed under the MIT License.
11055
11279
  */
11056
11280
  class SignInApiClient extends BaseApiClient {
11057
- constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams) {
11058
- super(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams);
11281
+ constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger) {
11282
+ super(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams, requestInterceptor, logger);
11059
11283
  this.capabilities = capabilities;
11060
11284
  }
11061
11285
  /**
@@ -11222,11 +11446,11 @@ class RegisterApiClient extends BaseApiClient {
11222
11446
  * Licensed under the MIT License.
11223
11447
  */
11224
11448
  class CustomAuthApiClient {
11225
- constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams) {
11226
- this.signInApi = new SignInApiClient(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams);
11227
- this.signUpApi = new SignupApiClient(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams);
11228
- this.resetPasswordApi = new ResetPasswordApiClient(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams);
11229
- this.registerApi = new RegisterApiClient(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams);
11449
+ constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger) {
11450
+ this.signInApi = new SignInApiClient(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger);
11451
+ this.signUpApi = new SignupApiClient(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger);
11452
+ this.resetPasswordApi = new ResetPasswordApiClient(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger);
11453
+ this.registerApi = new RegisterApiClient(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams, requestInterceptor, logger);
11230
11454
  }
11231
11455
  }
11232
11456
 
@@ -14237,7 +14461,6 @@ const CREDENTIAL_SCHEMA_VERSION = 3;
14237
14461
  const ACCOUNT_SCHEMA_VERSION = 3;
14238
14462
  const LOG_LEVEL_CACHE_KEY = `${PREFIX}.${BROWSER_PREFIX}.log.level`;
14239
14463
  const LOG_PII_CACHE_KEY = `${PREFIX}.${BROWSER_PREFIX}.log.pii`;
14240
- const PLATFORM_AUTH_DOM_SUPPORT = `${PREFIX}.${BROWSER_PREFIX}.platform.auth.dom`;
14241
14464
  const VERSION_CACHE_KEY = `${PREFIX}.version`;
14242
14465
  const ACCOUNT_KEYS = "account.keys";
14243
14466
  const TOKEN_KEYS = "token.keys";
@@ -17771,6 +17994,7 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
17771
17994
  };
17772
17995
  const DEFAULT_EXPERIMENTAL_OPTIONS = {
17773
17996
  iframeTimeoutTelemetry: false,
17997
+ allowPlatformBrokerWithDOM: false,
17774
17998
  };
17775
17999
  // Throw an error if user has set OIDCOptions without being in OIDC protocol mode
17776
18000
  if (userInputSystem?.protocolMode !== ProtocolMode.OIDC &&
@@ -18215,9 +18439,8 @@ class PlatformAuthDOMHandler {
18215
18439
  * Copyright (c) Microsoft Corporation. All rights reserved.
18216
18440
  * Licensed under the MIT License.
18217
18441
  */
18218
- async function getPlatformAuthProvider(logger, performanceClient, correlationId, nativeBrokerHandshakeTimeout) {
18442
+ async function getPlatformAuthProvider(logger, performanceClient, correlationId, nativeBrokerHandshakeTimeout, enablePlatformBrokerDOMSupport) {
18219
18443
  logger.trace("134j0v", correlationId);
18220
- const enablePlatformBrokerDOMSupport = isDomEnabledForPlatformAuth();
18221
18444
  logger.trace("04c81g", correlationId);
18222
18445
  let platformAuthProvider;
18223
18446
  try {
@@ -18241,22 +18464,6 @@ async function getPlatformAuthProvider(logger, performanceClient, correlationId,
18241
18464
  }
18242
18465
  return platformAuthProvider;
18243
18466
  }
18244
- /**
18245
- * Returns true if the DOM API support for platform auth is enabled in session storage
18246
- * @returns boolean
18247
- * @deprecated
18248
- */
18249
- function isDomEnabledForPlatformAuth() {
18250
- let sessionStorage;
18251
- try {
18252
- sessionStorage = window[BrowserCacheLocation.SessionStorage];
18253
- // Mute errors if it's a non-browser environment or cookies are blocked.
18254
- return sessionStorage?.getItem(PLATFORM_AUTH_DOM_SUPPORT) === "true";
18255
- }
18256
- catch (e) {
18257
- return false;
18258
- }
18259
- }
18260
18467
  /**
18261
18468
  * Returns boolean indicating whether or not the request should attempt to use platform broker
18262
18469
  * @param logger
@@ -18267,6 +18474,11 @@ function isDomEnabledForPlatformAuth() {
18267
18474
  */
18268
18475
  function isPlatformAuthAllowed(config, logger, correlationId, platformAuthProvider, authenticationScheme) {
18269
18476
  logger.trace("0uko3r", correlationId);
18477
+ // throw an error if allowPlatformBroker is not enabled and allowPlatformBrokerWithDOM is enabled
18478
+ if (!config.system.allowPlatformBroker &&
18479
+ config.experimental.allowPlatformBrokerWithDOM) {
18480
+ throw createClientConfigurationError(invalidPlatformBrokerConfiguration);
18481
+ }
18270
18482
  if (!config.system.allowPlatformBroker) {
18271
18483
  logger.trace("04hozs", correlationId);
18272
18484
  // Developer disabled WAM
@@ -19714,7 +19926,7 @@ class StandardController {
19714
19926
  if (allowPlatformBroker) {
19715
19927
  try {
19716
19928
  // check if platform authentication is available via DOM or browser extension and create relevant handlers
19717
- this.platformAuthProvider = await getPlatformAuthProvider(this.logger, this.performanceClient, correlationId, this.config.system.nativeBrokerHandshakeTimeout);
19929
+ this.platformAuthProvider = await getPlatformAuthProvider(this.logger, this.performanceClient, correlationId, this.config.system.nativeBrokerHandshakeTimeout, this.config.experimental.allowPlatformBrokerWithDOM);
19718
19930
  }
19719
19931
  catch (e) {
19720
19932
  this.logger.verbose(e, correlationId);
@@ -21096,7 +21308,7 @@ class CustomAuthStandardController extends StandardController {
21096
21308
  this.customAuthConfig = operatingContext.getCustomAuthConfig();
21097
21309
  this.authority = new CustomAuthAuthority(this.customAuthConfig.auth.authority, this.customAuthConfig, this.networkClient, this.browserStorage, this.logger, this.performanceClient, this.customAuthConfig.customAuth?.authApiProxyUrl);
21098
21310
  const interactionClientFactory = new CustomAuthInterationClientFactory(this.customAuthConfig, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, this.performanceClient, customAuthApiClient ??
21099
- new CustomAuthApiClient(this.authority.getCustomAuthApiDomain(), this.customAuthConfig.auth.clientId, new FetchHttpClient(this.logger), this.customAuthConfig.customAuth?.capabilities?.join(" "), this.customAuthConfig.customAuth?.customAuthApiQueryParams), this.authority);
21311
+ new CustomAuthApiClient(this.authority.getCustomAuthApiDomain(), this.customAuthConfig.auth.clientId, new FetchHttpClient(this.logger), this.customAuthConfig.customAuth?.capabilities?.join(" "), this.customAuthConfig.customAuth?.customAuthApiQueryParams, this.customAuthConfig.customAuth?.requestInterceptor, this.logger), this.authority);
21100
21312
  this.signInClient = interactionClientFactory.create(SignInClient);
21101
21313
  this.signUpClient = interactionClientFactory.create(SignUpClient);
21102
21314
  this.resetPasswordClient =