@azure/msal-browser 5.10.0 → 5.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (255) hide show
  1. package/dist/app/IPublicClientApplication.mjs +1 -1
  2. package/dist/app/PublicClientApplication.mjs +1 -1
  3. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
  4. package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  5. package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  6. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +18 -32
  7. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs.map +1 -1
  8. package/dist/cache/AccountManager.mjs +1 -1
  9. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  10. package/dist/cache/BrowserCacheManager.mjs +1 -1
  11. package/dist/cache/CacheHelpers.mjs +1 -1
  12. package/dist/cache/CacheKeys.mjs +2 -3
  13. package/dist/cache/CacheKeys.mjs.map +1 -1
  14. package/dist/cache/CookieStorage.mjs +1 -1
  15. package/dist/cache/DatabaseStorage.mjs +1 -1
  16. package/dist/cache/EncryptedData.mjs +1 -1
  17. package/dist/cache/LocalStorage.mjs +1 -1
  18. package/dist/cache/MemoryStorage.mjs +1 -1
  19. package/dist/cache/SessionStorage.mjs +1 -1
  20. package/dist/cache/TokenCache.mjs +1 -1
  21. package/dist/config/Configuration.mjs +2 -1
  22. package/dist/config/Configuration.mjs.map +1 -1
  23. package/dist/controllers/NestedAppAuthController.mjs +1 -1
  24. package/dist/controllers/StandardController.mjs +2 -2
  25. package/dist/controllers/StandardController.mjs.map +1 -1
  26. package/dist/crypto/BrowserCrypto.mjs +1 -1
  27. package/dist/crypto/CryptoOps.mjs +1 -1
  28. package/dist/crypto/PkceGenerator.mjs +1 -1
  29. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  30. package/dist/custom_auth/CustomAuthConstants.mjs +11 -2
  31. package/dist/custom_auth/CustomAuthConstants.mjs.map +1 -1
  32. package/dist/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
  33. package/dist/custom_auth/controller/CustomAuthStandardController.mjs +2 -2
  34. package/dist/custom_auth/controller/CustomAuthStandardController.mjs.map +1 -1
  35. package/dist/custom_auth/core/CustomAuthAuthority.mjs +1 -1
  36. package/dist/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
  37. package/dist/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
  38. package/dist/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
  39. package/dist/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
  40. package/dist/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
  41. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
  42. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
  43. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
  44. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
  45. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +1 -1
  46. package/dist/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
  47. package/dist/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
  48. package/dist/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
  49. package/dist/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
  50. package/dist/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
  51. package/dist/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +1 -1
  52. package/dist/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
  53. package/dist/custom_auth/core/error/CustomAuthError.mjs +1 -1
  54. package/dist/custom_auth/core/error/HttpError.mjs +1 -1
  55. package/dist/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
  56. package/dist/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
  57. package/dist/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
  58. package/dist/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
  59. package/dist/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
  60. package/dist/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
  61. package/dist/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
  62. package/dist/custom_auth/core/error/ParsedUrlError.mjs +1 -1
  63. package/dist/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
  64. package/dist/custom_auth/core/error/UnexpectedError.mjs +1 -1
  65. package/dist/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
  66. package/dist/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
  67. package/dist/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
  68. package/dist/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
  69. package/dist/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
  70. package/dist/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
  71. package/dist/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
  72. package/dist/custom_auth/core/interaction_client/mfa/MfaClient.mjs +1 -1
  73. package/dist/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
  74. package/dist/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +21 -3
  75. package/dist/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs.map +1 -1
  76. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +6 -6
  77. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs.map +1 -1
  78. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
  79. package/dist/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
  80. package/dist/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +3 -3
  81. package/dist/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs.map +1 -1
  82. package/dist/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +3 -3
  83. package/dist/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs.map +1 -1
  84. package/dist/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +3 -3
  85. package/dist/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs.map +1 -1
  86. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
  87. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
  88. package/dist/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +1 -1
  89. package/dist/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
  90. package/dist/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
  91. package/dist/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
  92. package/dist/custom_auth/core/utils/CustomHeaderUtils.mjs +56 -0
  93. package/dist/custom_auth/core/utils/CustomHeaderUtils.mjs.map +1 -0
  94. package/dist/custom_auth/core/utils/UrlUtils.mjs +1 -1
  95. package/dist/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +1 -1
  96. package/dist/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
  97. package/dist/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
  98. package/dist/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
  99. package/dist/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
  100. package/dist/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
  101. package/dist/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
  102. package/dist/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
  103. package/dist/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +1 -1
  104. package/dist/custom_auth/index.mjs +1 -1
  105. package/dist/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
  106. package/dist/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
  107. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
  108. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
  109. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
  110. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
  111. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +1 -1
  112. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
  113. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
  114. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +1 -1
  115. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
  116. package/dist/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +1 -1
  117. package/dist/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
  118. package/dist/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
  119. package/dist/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
  120. package/dist/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
  121. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
  122. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
  123. package/dist/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +1 -1
  124. package/dist/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
  125. package/dist/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +1 -1
  126. package/dist/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
  127. package/dist/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +1 -1
  128. package/dist/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
  129. package/dist/custom_auth/sign_in/interaction_client/SignInClient.mjs +1 -1
  130. package/dist/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
  131. package/dist/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
  132. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
  133. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
  134. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
  135. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
  136. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
  137. package/dist/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +1 -1
  138. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +1 -1
  139. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
  140. package/dist/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
  141. package/dist/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +1 -1
  142. package/dist/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
  143. package/dist/custom_auth/sign_up/interaction_client/SignUpClient.mjs +1 -1
  144. package/dist/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
  145. package/dist/encode/Base64Decode.mjs +1 -1
  146. package/dist/encode/Base64Encode.mjs +1 -1
  147. package/dist/error/BrowserAuthError.mjs +1 -1
  148. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  149. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  150. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  151. package/dist/error/NativeAuthError.mjs +1 -1
  152. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  153. package/dist/error/NestedAppAuthError.mjs +1 -1
  154. package/dist/event/EventHandler.mjs +1 -1
  155. package/dist/event/EventMessage.mjs +1 -1
  156. package/dist/event/EventType.mjs +1 -1
  157. package/dist/index.mjs +1 -1
  158. package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
  159. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  160. package/dist/interaction_client/PlatformAuthInteractionClient.mjs +1 -1
  161. package/dist/interaction_client/PopupClient.mjs +1 -1
  162. package/dist/interaction_client/RedirectClient.mjs +1 -1
  163. package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
  164. package/dist/interaction_client/SilentCacheClient.mjs +1 -1
  165. package/dist/interaction_client/SilentIframeClient.mjs +1 -1
  166. package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
  167. package/dist/interaction_client/StandardInteractionClient.mjs +6 -4
  168. package/dist/interaction_client/StandardInteractionClient.mjs.map +1 -1
  169. package/dist/interaction_handler/InteractionHandler.mjs +1 -1
  170. package/dist/interaction_handler/SilentHandler.mjs +1 -1
  171. package/dist/log-strings-mapping.json +21 -9
  172. package/dist/naa/BridgeError.mjs +1 -1
  173. package/dist/naa/BridgeProxy.mjs +1 -1
  174. package/dist/naa/BridgeStatusCode.mjs +1 -1
  175. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +1 -1
  176. package/dist/navigation/NavigationClient.mjs +1 -1
  177. package/dist/network/FetchClient.mjs +1 -1
  178. package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
  179. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  180. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  181. package/dist/packageMetadata.mjs +2 -2
  182. package/dist/protocol/Authorize.mjs +1 -1
  183. package/dist/redirect_bridge/index.mjs +1 -1
  184. package/dist/request/RequestHelpers.mjs +1 -1
  185. package/dist/response/ResponseHandler.mjs +1 -1
  186. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  187. package/dist/telemetry/BrowserPerformanceEvents.mjs +1 -1
  188. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  189. package/dist/telemetry/BrowserRootPerformanceEvents.mjs +1 -1
  190. package/dist/utils/BrowserConstants.mjs +1 -1
  191. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  192. package/dist/utils/BrowserUtils.mjs +1 -1
  193. package/dist/utils/Helpers.mjs +1 -1
  194. package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
  195. package/lib/custom-auth-path/log-strings-mapping.json +21 -9
  196. package/lib/custom-auth-path/msal-custom-auth.cjs +319 -107
  197. package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
  198. package/lib/custom-auth-path/msal-custom-auth.js +319 -107
  199. package/lib/custom-auth-path/msal-custom-auth.js.map +1 -1
  200. package/lib/log-strings-mapping.json +8 -8
  201. package/lib/msal-browser.cjs +241 -104
  202. package/lib/msal-browser.cjs.map +1 -1
  203. package/lib/msal-browser.js +241 -104
  204. package/lib/msal-browser.js.map +1 -1
  205. package/lib/msal-browser.min.js +2 -2
  206. package/lib/redirect-bridge/msal-redirect-bridge.cjs +10 -10
  207. package/lib/redirect-bridge/msal-redirect-bridge.cjs.map +1 -1
  208. package/lib/redirect-bridge/msal-redirect-bridge.js +10 -10
  209. package/lib/redirect-bridge/msal-redirect-bridge.js.map +1 -1
  210. package/lib/redirect-bridge/msal-redirect-bridge.min.js +1 -1
  211. package/package.json +2 -2
  212. package/src/broker/nativeBroker/PlatformAuthProvider.ts +34 -30
  213. package/src/config/Configuration.ts +5 -0
  214. package/src/controllers/StandardController.ts +2 -1
  215. package/src/custom_auth/CustomAuthConstants.ts +10 -0
  216. package/src/custom_auth/configuration/CustomAuthConfiguration.ts +2 -0
  217. package/src/custom_auth/configuration/CustomAuthRequestInterceptor.ts +54 -0
  218. package/src/custom_auth/controller/CustomAuthStandardController.ts +3 -1
  219. package/src/custom_auth/core/network_client/custom_auth_api/BaseApiClient.ts +41 -2
  220. package/src/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.ts +17 -5
  221. package/src/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.ts +8 -2
  222. package/src/custom_auth/core/network_client/custom_auth_api/SignInApiClient.ts +8 -3
  223. package/src/custom_auth/core/network_client/custom_auth_api/SignupApiClient.ts +8 -2
  224. package/src/custom_auth/core/utils/CustomHeaderUtils.ts +75 -0
  225. package/src/custom_auth/index.ts +4 -0
  226. package/src/interaction_client/StandardInteractionClient.ts +11 -5
  227. package/src/packageMetadata.ts +1 -1
  228. package/types/broker/nativeBroker/PlatformAuthProvider.d.ts +7 -12
  229. package/types/broker/nativeBroker/PlatformAuthProvider.d.ts.map +1 -1
  230. package/types/config/Configuration.d.ts +4 -0
  231. package/types/config/Configuration.d.ts.map +1 -1
  232. package/types/controllers/StandardController.d.ts.map +1 -1
  233. package/types/custom_auth/CustomAuthConstants.d.ts +5 -1
  234. package/types/custom_auth/CustomAuthConstants.d.ts.map +1 -1
  235. package/types/custom_auth/configuration/CustomAuthConfiguration.d.ts +2 -0
  236. package/types/custom_auth/configuration/CustomAuthConfiguration.d.ts.map +1 -1
  237. package/types/custom_auth/configuration/CustomAuthRequestInterceptor.d.ts +42 -0
  238. package/types/custom_auth/configuration/CustomAuthRequestInterceptor.d.ts.map +1 -0
  239. package/types/custom_auth/controller/CustomAuthStandardController.d.ts.map +1 -1
  240. package/types/custom_auth/core/network_client/custom_auth_api/BaseApiClient.d.ts +6 -2
  241. package/types/custom_auth/core/network_client/custom_auth_api/BaseApiClient.d.ts.map +1 -1
  242. package/types/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.d.ts +3 -1
  243. package/types/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.d.ts.map +1 -1
  244. package/types/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.d.ts +3 -1
  245. package/types/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.d.ts.map +1 -1
  246. package/types/custom_auth/core/network_client/custom_auth_api/SignInApiClient.d.ts +3 -1
  247. package/types/custom_auth/core/network_client/custom_auth_api/SignInApiClient.d.ts.map +1 -1
  248. package/types/custom_auth/core/network_client/custom_auth_api/SignupApiClient.d.ts +3 -1
  249. package/types/custom_auth/core/network_client/custom_auth_api/SignupApiClient.d.ts.map +1 -1
  250. package/types/custom_auth/core/utils/CustomHeaderUtils.d.ts +21 -0
  251. package/types/custom_auth/core/utils/CustomHeaderUtils.d.ts.map +1 -0
  252. package/types/custom_auth/index.d.ts +1 -0
  253. package/types/custom_auth/index.d.ts.map +1 -1
  254. package/types/interaction_client/StandardInteractionClient.d.ts.map +1 -1
  255. package/types/packageMetadata.d.ts +1 -1
@@ -1,4 +1,4 @@
1
- /*! @azure/msal-browser v5.10.0 2026-05-07 */
1
+ /*! @azure/msal-browser v5.11.0 2026-05-19 */
2
2
  'use strict';
3
3
  (function (global, factory) {
4
4
  typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
@@ -6,7 +6,7 @@
6
6
  (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.msalCustomAuth = {}));
7
7
  })(this, (function (exports) { 'use strict';
8
8
 
9
- /*! @azure/msal-common v16.6.0 2026-05-07 */
9
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
10
10
  /*
11
11
  * Copyright (c) Microsoft Corporation. All rights reserved.
12
12
  * Licensed under the MIT License.
@@ -233,7 +233,7 @@
233
233
  // Token renewal offset default in seconds
234
234
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
235
235
 
236
- /*! @azure/msal-common v16.6.0 2026-05-07 */
236
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
237
237
  /*
238
238
  * Copyright (c) Microsoft Corporation. All rights reserved.
239
239
  * Licensed under the MIT License.
@@ -285,7 +285,7 @@
285
285
  const RESOURCE = "resource";
286
286
  const CLI_DATA = "clidata";
287
287
 
288
- /*! @azure/msal-common v16.6.0 2026-05-07 */
288
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
289
289
  /*
290
290
  * Copyright (c) Microsoft Corporation. All rights reserved.
291
291
  * Licensed under the MIT License.
@@ -316,7 +316,7 @@
316
316
  return new AuthError(code, additionalMessage || getDefaultErrorMessage$1(code));
317
317
  }
318
318
 
319
- /*! @azure/msal-common v16.6.0 2026-05-07 */
319
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
320
320
 
321
321
  /*
322
322
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -336,7 +336,7 @@
336
336
  return new ClientConfigurationError(errorCode);
337
337
  }
338
338
 
339
- /*! @azure/msal-common v16.6.0 2026-05-07 */
339
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
340
340
  /*
341
341
  * Copyright (c) Microsoft Corporation. All rights reserved.
342
342
  * Licensed under the MIT License.
@@ -416,7 +416,7 @@
416
416
  }
417
417
  }
418
418
 
419
- /*! @azure/msal-common v16.6.0 2026-05-07 */
419
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
420
420
 
421
421
  /*
422
422
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -439,7 +439,7 @@
439
439
  return new ClientAuthError(errorCode, additionalMessage);
440
440
  }
441
441
 
442
- /*! @azure/msal-common v16.6.0 2026-05-07 */
442
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
443
443
  /*
444
444
  * Copyright (c) Microsoft Corporation. All rights reserved.
445
445
  * Licensed under the MIT License.
@@ -461,9 +461,11 @@
461
461
  const cannotSetOIDCOptions = "cannot_set_OIDCOptions";
462
462
  const cannotAllowPlatformBroker = "cannot_allow_platform_broker";
463
463
  const authorityMismatch = "authority_mismatch";
464
- const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
464
+ const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
465
+ const invalidPlatformBrokerConfiguration = "invalid_platform_broker_configuration";
466
+ const issuerValidationFailed = "issuer_validation_failed";
465
467
 
466
- /*! @azure/msal-common v16.6.0 2026-05-07 */
468
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
467
469
  /*
468
470
  * Copyright (c) Microsoft Corporation. All rights reserved.
469
471
  * Licensed under the MIT License.
@@ -502,7 +504,7 @@
502
504
  const resourceParameterRequired = "resource_parameter_required";
503
505
  const misplacedResourceParam = "misplaced_resource_parameter";
504
506
 
505
- /*! @azure/msal-common v16.6.0 2026-05-07 */
507
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
506
508
 
507
509
  /*
508
510
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -697,7 +699,7 @@
697
699
  }
698
700
  }
699
701
 
700
- /*! @azure/msal-common v16.6.0 2026-05-07 */
702
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
701
703
 
702
704
  /*
703
705
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1086,7 +1088,7 @@
1086
1088
  }
1087
1089
  }
1088
1090
 
1089
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1091
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1090
1092
 
1091
1093
  /*
1092
1094
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1195,7 +1197,7 @@
1195
1197
  }
1196
1198
  }
1197
1199
 
1198
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1200
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1199
1201
 
1200
1202
  /*
1201
1203
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1234,7 +1236,7 @@
1234
1236
  },
1235
1237
  };
1236
1238
 
1237
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1239
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1238
1240
  /*
1239
1241
  * Copyright (c) Microsoft Corporation. All rights reserved.
1240
1242
  * Licensed under the MIT License.
@@ -1495,12 +1497,12 @@
1495
1497
  }
1496
1498
  }
1497
1499
 
1498
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1500
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1499
1501
  /* eslint-disable header/header */
1500
1502
  const name$1 = "@azure/msal-common";
1501
- const version$1 = "16.6.0";
1503
+ const version$1 = "16.6.2";
1502
1504
 
1503
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1505
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1504
1506
  /*
1505
1507
  * Copyright (c) Microsoft Corporation. All rights reserved.
1506
1508
  * Licensed under the MIT License.
@@ -1509,7 +1511,7 @@
1509
1511
  // AzureCloudInstance is not specified.
1510
1512
  None: "none"};
1511
1513
 
1512
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1514
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1513
1515
  /*
1514
1516
  * Copyright (c) Microsoft Corporation. All rights reserved.
1515
1517
  * Licensed under the MIT License.
@@ -1592,7 +1594,7 @@
1592
1594
  return updatedAccountInfo;
1593
1595
  }
1594
1596
 
1595
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1597
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1596
1598
 
1597
1599
  /*
1598
1600
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1672,7 +1674,7 @@
1672
1674
  }
1673
1675
  }
1674
1676
 
1675
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1677
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1676
1678
 
1677
1679
  /*
1678
1680
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1829,7 +1831,7 @@
1829
1831
  }
1830
1832
  }
1831
1833
 
1832
- /*! @azure/msal-common v16.6.0 2026-05-07 */
1834
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1833
1835
 
1834
1836
  /*
1835
1837
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1915,6 +1917,15 @@
1915
1917
  preferred_cache: "login.sovcloud-identity.sg",
1916
1918
  aliases: ["login.sovcloud-identity.sg"],
1917
1919
  },
1920
+ {
1921
+ preferred_network: "login.windows-ppe.net",
1922
+ preferred_cache: "login.windows-ppe.net",
1923
+ aliases: [
1924
+ "login.windows-ppe.net",
1925
+ "sts.windows-ppe.net",
1926
+ "login.microsoft-ppe.com",
1927
+ ],
1928
+ },
1918
1929
  ],
1919
1930
  },
1920
1931
  };
@@ -1986,7 +1997,7 @@
1986
1997
  return null;
1987
1998
  }
1988
1999
 
1989
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2000
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1990
2001
  /*
1991
2002
  * Copyright (c) Microsoft Corporation. All rights reserved.
1992
2003
  * Licensed under the MIT License.
@@ -1994,7 +2005,7 @@
1994
2005
  const cacheQuotaExceeded = "cache_quota_exceeded";
1995
2006
  const cacheErrorUnknown = "cache_error_unknown";
1996
2007
 
1997
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2008
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
1998
2009
 
1999
2010
  /*
2000
2011
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2032,7 +2043,7 @@
2032
2043
  }
2033
2044
  }
2034
2045
 
2035
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2046
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
2036
2047
 
2037
2048
  /*
2038
2049
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2070,7 +2081,7 @@
2070
2081
  };
2071
2082
  }
2072
2083
 
2073
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2084
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
2074
2085
  /*
2075
2086
  * Copyright (c) Microsoft Corporation. All rights reserved.
2076
2087
  * Licensed under the MIT License.
@@ -2085,7 +2096,7 @@
2085
2096
  Ciam: 3,
2086
2097
  };
2087
2098
 
2088
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2099
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
2089
2100
  /*
2090
2101
  * Copyright (c) Microsoft Corporation. All rights reserved.
2091
2102
  * Licensed under the MIT License.
@@ -2107,7 +2118,7 @@
2107
2118
  return null;
2108
2119
  }
2109
2120
 
2110
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2121
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
2111
2122
  /*
2112
2123
  * Copyright (c) Microsoft Corporation. All rights reserved.
2113
2124
  * Licensed under the MIT License.
@@ -2131,7 +2142,7 @@
2131
2142
  EAR: "EAR",
2132
2143
  };
2133
2144
 
2134
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2145
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
2135
2146
  /**
2136
2147
  * Returns the AccountInfo interface for this account.
2137
2148
  */
@@ -2306,7 +2317,7 @@
2306
2317
  entity.hasOwnProperty("authorityType"));
2307
2318
  }
2308
2319
 
2309
- /*! @azure/msal-common v16.6.0 2026-05-07 */
2320
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
2310
2321
 
2311
2322
  /*
2312
2323
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3437,7 +3448,7 @@
3437
3448
  }
3438
3449
  }
3439
3450
 
3440
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3451
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3441
3452
  /*
3442
3453
  * Copyright (c) Microsoft Corporation. All rights reserved.
3443
3454
  * Licensed under the MIT License.
@@ -3451,7 +3462,7 @@
3451
3462
  const PerformanceEventStatus = {
3452
3463
  InProgress: 1};
3453
3464
 
3454
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3465
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3455
3466
 
3456
3467
  /*
3457
3468
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3506,7 +3517,7 @@
3506
3517
  }
3507
3518
  }
3508
3519
 
3509
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3520
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3510
3521
 
3511
3522
  /*
3512
3523
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3601,7 +3612,7 @@
3601
3612
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3602
3613
  }
3603
3614
 
3604
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3615
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3605
3616
  /*
3606
3617
  * Copyright (c) Microsoft Corporation. All rights reserved.
3607
3618
  * Licensed under the MIT License.
@@ -3628,7 +3639,7 @@
3628
3639
  }
3629
3640
  }
3630
3641
 
3631
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3642
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3632
3643
  /*
3633
3644
  * Copyright (c) Microsoft Corporation. All rights reserved.
3634
3645
  * Licensed under the MIT License.
@@ -3693,7 +3704,7 @@
3693
3704
  return cachedAtSec > nowSeconds();
3694
3705
  }
3695
3706
 
3696
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3707
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3697
3708
 
3698
3709
  /*
3699
3710
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3952,7 +3963,7 @@
3952
3963
  return metadata.expiresAt <= nowSeconds();
3953
3964
  }
3954
3965
 
3955
- /*! @azure/msal-common v16.6.0 2026-05-07 */
3966
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
3956
3967
  /*
3957
3968
  * Copyright (c) Microsoft Corporation. All rights reserved.
3958
3969
  * Licensed under the MIT License.
@@ -4023,7 +4034,7 @@
4023
4034
  const CacheManagerGetRefreshToken = "cacheManagerGetRefreshToken";
4024
4035
  const SetUserData = "setUserData";
4025
4036
 
4026
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4037
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4027
4038
  /*
4028
4039
  * Copyright (c) Microsoft Corporation. All rights reserved.
4029
4040
  * Licensed under the MIT License.
@@ -4116,7 +4127,7 @@
4116
4127
  };
4117
4128
  };
4118
4129
 
4119
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4130
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4120
4131
 
4121
4132
  /*
4122
4133
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4196,7 +4207,7 @@
4196
4207
  }
4197
4208
  }
4198
4209
 
4199
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4210
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4200
4211
  /*
4201
4212
  * Copyright (c) Microsoft Corporation. All rights reserved.
4202
4213
  * Licensed under the MIT License.
@@ -4247,7 +4258,7 @@
4247
4258
  */
4248
4259
  const interruptedUser = "interrupted_user";
4249
4260
 
4250
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4261
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4251
4262
 
4252
4263
  /*
4253
4264
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4315,7 +4326,7 @@
4315
4326
  return new InteractionRequiredAuthError(errorCode, errorMessage);
4316
4327
  }
4317
4328
 
4318
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4329
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4319
4330
 
4320
4331
  /*
4321
4332
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4334,7 +4345,7 @@
4334
4345
  }
4335
4346
  }
4336
4347
 
4337
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4348
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4338
4349
 
4339
4350
  /*
4340
4351
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4402,7 +4413,7 @@
4402
4413
  }
4403
4414
  }
4404
4415
 
4405
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4416
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4406
4417
 
4407
4418
  /*
4408
4419
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4750,7 +4761,7 @@
4750
4761
  return baseAccount;
4751
4762
  }
4752
4763
 
4753
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4764
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4754
4765
  /*
4755
4766
  * Copyright (c) Microsoft Corporation. All rights reserved.
4756
4767
  * Licensed under the MIT License.
@@ -4760,7 +4771,7 @@
4760
4771
  UPN: "UPN",
4761
4772
  };
4762
4773
 
4763
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4774
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4764
4775
  /*
4765
4776
  * Copyright (c) Microsoft Corporation. All rights reserved.
4766
4777
  * Licensed under the MIT License.
@@ -4778,7 +4789,7 @@
4778
4789
  }
4779
4790
  }
4780
4791
 
4781
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4792
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4782
4793
  /*
4783
4794
  * Copyright (c) Microsoft Corporation. All rights reserved.
4784
4795
  * Licensed under the MIT License.
@@ -4799,7 +4810,7 @@
4799
4810
  };
4800
4811
  }
4801
4812
 
4802
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4813
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4803
4814
 
4804
4815
  /*
4805
4816
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4885,7 +4896,7 @@
4885
4896
  }
4886
4897
  }
4887
4898
 
4888
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4899
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4889
4900
 
4890
4901
  /*
4891
4902
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4916,7 +4927,7 @@
4916
4927
  return new NetworkError(error, httpStatus, responseHeaders);
4917
4928
  }
4918
4929
 
4919
- /*! @azure/msal-common v16.6.0 2026-05-07 */
4930
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
4920
4931
 
4921
4932
  /*
4922
4933
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5030,7 +5041,7 @@
5030
5041
  return response;
5031
5042
  }
5032
5043
 
5033
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5044
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
5034
5045
  /*
5035
5046
  * Copyright (c) Microsoft Corporation. All rights reserved.
5036
5047
  * Licensed under the MIT License.
@@ -5042,7 +5053,7 @@
5042
5053
  response.hasOwnProperty("jwks_uri"));
5043
5054
  }
5044
5055
 
5045
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5056
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
5046
5057
  /*
5047
5058
  * Copyright (c) Microsoft Corporation. All rights reserved.
5048
5059
  * Licensed under the MIT License.
@@ -5052,7 +5063,7 @@
5052
5063
  response.hasOwnProperty("metadata"));
5053
5064
  }
5054
5065
 
5055
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5066
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
5056
5067
  /*
5057
5068
  * Copyright (c) Microsoft Corporation. All rights reserved.
5058
5069
  * Licensed under the MIT License.
@@ -5062,7 +5073,7 @@
5062
5073
  response.hasOwnProperty("error_description"));
5063
5074
  }
5064
5075
 
5065
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5076
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
5066
5077
 
5067
5078
  /*
5068
5079
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5167,7 +5178,7 @@
5167
5178
  },
5168
5179
  };
5169
5180
 
5170
- /*! @azure/msal-common v16.6.0 2026-05-07 */
5181
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
5171
5182
 
5172
5183
  /*
5173
5184
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5422,7 +5433,7 @@
5422
5433
  }, this.correlationId);
5423
5434
  }
5424
5435
  /**
5425
- * Returns metadata entity from cache if it exists, otherwiser returns a new metadata entity built
5436
+ * Returns metadata entity from cache if it exists, otherwise returns a new metadata entity built
5426
5437
  * from the configured canonical authority
5427
5438
  * @returns
5428
5439
  */
@@ -5491,6 +5502,8 @@
5491
5502
  // Get metadata from network if local sources aren't available
5492
5503
  let metadata = await invokeAsync(this.getEndpointMetadataFromNetwork.bind(this), AuthorityGetEndpointMetadataFromNetwork, this.logger, this.performanceClient, this.correlationId)();
5493
5504
  if (metadata) {
5505
+ // Validate the issuer returned by the OIDC discovery document.
5506
+ this.validateIssuer(metadata.issuer);
5494
5507
  // If the user prefers to use an azure region replace the global endpoints with regional information.
5495
5508
  if (this.authorityOptions.azureRegionConfiguration?.azureRegion) {
5496
5509
  metadata = await invokeAsync(this.updateMetadataWithRegionalInformation.bind(this), AuthorityUpdateMetadataWithRegionalInformation, this.logger, this.performanceClient, this.correlationId)(metadata);
@@ -5659,7 +5672,7 @@
5659
5672
  throw createClientConfigurationError(untrustedAuthority);
5660
5673
  }
5661
5674
  updateCloudDiscoveryMetadataFromLocalSources(metadataEntity) {
5662
- this.logger.verbose("0jhlgt", this.correlationId);
5675
+ this.logger.verbose("1tpqlr", this.correlationId);
5663
5676
  this.logger.verbosePii("1fy7uz", this.correlationId);
5664
5677
  this.logger.verbosePii("08zabj", this.correlationId);
5665
5678
  this.logger.verbosePii("1o1kv3", this.correlationId);
@@ -5856,6 +5869,139 @@
5856
5869
  isAliasOfKnownMicrosoftAuthority(host) {
5857
5870
  return InstanceDiscoveryMetadataAliases.has(host);
5858
5871
  }
5872
+ /**
5873
+ * Validates the `issuer` returned by an OIDC discovery document against
5874
+ * this authority, per
5875
+ * https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation
5876
+ *
5877
+ * The issuer is accepted when ANY of the following holds:
5878
+ * 1. The issuer scheme + host + port match the authority's (path may
5879
+ * differ). Applies to all authorities.
5880
+ * 2. The authority is a Microsoft cloud authority (public, sovereign,
5881
+ * or CIAM), the issuer is HTTPS, and the issuer host is in the known
5882
+ * Microsoft authority host set.
5883
+ * 3. Same as (2), but the issuer host is a single-label regional variant
5884
+ * of a known Microsoft host (e.g. `westus.login.microsoftonline.com`).
5885
+ * 4. Same as (2), but the issuer host matches the CIAM tenant pattern
5886
+ * `{tenant}.ciamlogin.com` with an optional `/{tenant}[.onmicrosoft.com][/v2.0]`
5887
+ * path.
5888
+ *
5889
+ * @param issuer The `issuer` value returned in the OIDC discovery document.
5890
+ * @throws ClientConfigurationError("issuer_validation_failed") on failure.
5891
+ */
5892
+ validateIssuer(issuer) {
5893
+ if (!issuer) {
5894
+ throw createClientConfigurationError(issuerValidationFailed);
5895
+ }
5896
+ // Parse with the WHATWG URL API. URL normalizes scheme + host to lowercase per RFC 3986.
5897
+ let issuerUrl;
5898
+ try {
5899
+ issuerUrl = new URL(issuer);
5900
+ }
5901
+ catch {
5902
+ throw createClientConfigurationError(issuerValidationFailed);
5903
+ }
5904
+ const issuerScheme = issuerUrl.protocol;
5905
+ const issuerHost = issuerUrl.host;
5906
+ const authorityScheme = (this.canonicalAuthorityUrlComponents.Protocol || "").toLowerCase();
5907
+ const authorityHost = (this.canonicalAuthorityUrlComponents.HostNameAndPort || "").toLowerCase();
5908
+ // Rule 1: Same scheme and host
5909
+ const matchesAuthorityOrigin = this.matchesAuthorityOrigin(issuerScheme, issuerHost, authorityScheme, authorityHost);
5910
+ // Rule 2: The issuer host is a well-known Microsoft authority host (HTTPS only)
5911
+ const matchesKnownMicrosoftHost = issuerScheme === "https:" &&
5912
+ this.isAliasOfKnownMicrosoftAuthority(issuerHost);
5913
+ /*
5914
+ * Rule 3: The issuer host is a regional variant ({region}.{host}) of a well-known host
5915
+ * (HTTPS only). E.g. westus2.login.microsoft.com
5916
+ */
5917
+ const matchesRegionalMicrosoftHost = issuerScheme === "https:" &&
5918
+ this.matchesRegionalMicrosoftHost(issuerHost);
5919
+ /*
5920
+ * Rule 4: CIAM-specific validation. In a CIAM scenario the issuer is expected to
5921
+ * have "{tenant}.ciamlogin.com" as the host, even when using a custom domain.
5922
+ */
5923
+ const matchesCiamTenantPattern = this.matchesCiamTenantPattern(issuerUrl, authorityHost, this.canonicalAuthorityUrlComponents.PathSegments);
5924
+ // Each rule is an independent boolean; the issuer is valid if ANY rule matches.
5925
+ if (matchesAuthorityOrigin ||
5926
+ matchesKnownMicrosoftHost ||
5927
+ matchesRegionalMicrosoftHost ||
5928
+ matchesCiamTenantPattern) {
5929
+ return;
5930
+ }
5931
+ // issuer validation fails if none of the above rules are satisfied
5932
+ throw createClientConfigurationError(issuerValidationFailed);
5933
+ }
5934
+ /**
5935
+ * Rule 1: The issuer scheme + host (and port) match the authority's. Path
5936
+ * may differ. Applies to all authorities.
5937
+ */
5938
+ matchesAuthorityOrigin(issuerScheme, issuerHost, authorityScheme, authorityHost) {
5939
+ return issuerScheme === authorityScheme && issuerHost === authorityHost;
5940
+ }
5941
+ /**
5942
+ * Rule 3: The issuer host is a regional variant
5943
+ * (`{region}.{host}`) of a known Microsoft authority host.
5944
+ * E.g. `westus2.login.microsoft.com`.
5945
+ */
5946
+ matchesRegionalMicrosoftHost(issuerHost) {
5947
+ const firstDot = issuerHost.indexOf(".");
5948
+ if (firstDot > 0 && firstDot < issuerHost.length - 1) {
5949
+ const hostWithoutRegion = issuerHost.substring(firstDot + 1);
5950
+ return this.isAliasOfKnownMicrosoftAuthority(hostWithoutRegion);
5951
+ }
5952
+ return false;
5953
+ }
5954
+ /**
5955
+ * Rule 4: The issuer matches one of the well-known CIAM tenant patterns
5956
+ * (`https://{tenant}.ciamlogin.com[/{tenant}[.onmicrosoft.com][/v2.0]]`).
5957
+ *
5958
+ * The bare tenant name is extracted from the authority's first path segment
5959
+ * when available (stripping the `.onmicrosoft.com` suffix that
5960
+ * `transformCIAMAuthority` adds), or otherwise from the leftmost label of
5961
+ * the authority host (to support CIAM custom domain scenarios).
5962
+ *
5963
+ * Both `/{tenant}` and `/{tenant}.onmicrosoft.com` path forms are accepted
5964
+ * because the OIDC issuer may use either form depending on the authority URL
5965
+ * that was used to trigger discovery.
5966
+ */
5967
+ matchesCiamTenantPattern(issuerUrl, authorityHost, authorityPathSegments) {
5968
+ /*
5969
+ * authorityPathSegments[0] is the first path segment of the *authority
5970
+ * URL* after transformCIAMAuthority runs (e.g. "contoso.onmicrosoft.com").
5971
+ * Additional CIAM issuer path segments such as "/v2.0" are part of the
5972
+ * issuer string, not the authority URL's PathSegments.
5973
+ */
5974
+ const pathSegment = authorityPathSegments[0];
5975
+ /*
5976
+ * Extract the bare tenant name: strip the .onmicrosoft.com suffix when
5977
+ * present (introduced by transformCIAMAuthority), or fall back to the
5978
+ * first label of the authority hostname for non-transformed/custom-domain
5979
+ * CIAM authorities.
5980
+ */
5981
+ const tenantName = pathSegment
5982
+ ? pathSegment.endsWith(AAD_TENANT_DOMAIN_SUFFIX)
5983
+ ? pathSegment.slice(0, -AAD_TENANT_DOMAIN_SUFFIX.length)
5984
+ : pathSegment
5985
+ : authorityHost.split(".")[0];
5986
+ if (!tenantName) {
5987
+ return false;
5988
+ }
5989
+ const ciamBaseURL = `https://${tenantName}${CIAM_AUTH_URL}`;
5990
+ const validCiamPatterns = [
5991
+ ciamBaseURL,
5992
+ `${ciamBaseURL}/${tenantName}`,
5993
+ `${ciamBaseURL}/${tenantName}/v2.0`,
5994
+ `${ciamBaseURL}/${tenantName}${AAD_TENANT_DOMAIN_SUFFIX}`,
5995
+ `${ciamBaseURL}/${tenantName}${AAD_TENANT_DOMAIN_SUFFIX}/v2.0`, // https://{tenant}.ciamlogin.com/{tenant}.onmicrosoft.com/v2.0
5996
+ ];
5997
+ /*
5998
+ * Compose the canonical issuer string from URL components and strip any
5999
+ * trailing slashes from the path so it can be compared to the pattern set.
6000
+ */
6001
+ const issuerPath = issuerUrl.pathname.replace(/\/+$/, "");
6002
+ const normalizedIssuer = `${issuerUrl.protocol}//${issuerUrl.host}${issuerPath}`;
6003
+ return validCiamPatterns.some((pattern) => pattern === normalizedIssuer);
6004
+ }
5859
6005
  /**
5860
6006
  * Checks whether the provided host is that of a public cloud authority
5861
6007
  *
@@ -5987,7 +6133,7 @@
5987
6133
  };
5988
6134
  }
5989
6135
 
5990
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6136
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
5991
6137
 
5992
6138
  /*
5993
6139
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6021,7 +6167,7 @@
6021
6167
  }
6022
6168
  }
6023
6169
 
6024
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6170
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6025
6171
 
6026
6172
  /*
6027
6173
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6278,7 +6424,7 @@
6278
6424
  }
6279
6425
  }
6280
6426
 
6281
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6427
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6282
6428
 
6283
6429
  /*
6284
6430
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6499,7 +6645,7 @@
6499
6645
  }
6500
6646
  }
6501
6647
 
6502
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6648
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6503
6649
 
6504
6650
  /*
6505
6651
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6615,7 +6761,7 @@
6615
6761
  }
6616
6762
  }
6617
6763
 
6618
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6764
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6619
6765
 
6620
6766
  /*
6621
6767
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6630,7 +6776,7 @@
6630
6776
  },
6631
6777
  };
6632
6778
 
6633
- /*! @azure/msal-common v16.6.0 2026-05-07 */
6779
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6634
6780
 
6635
6781
  /*
6636
6782
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6853,7 +6999,7 @@
6853
6999
  return account.loginHint || account.idTokenClaims?.login_hint || null;
6854
7000
  }
6855
7001
 
6856
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7002
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6857
7003
 
6858
7004
  /*
6859
7005
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6886,7 +7032,7 @@
6886
7032
  return Object.prototype.hasOwnProperty.call(params, "resource");
6887
7033
  }
6888
7034
 
6889
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7035
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6890
7036
  /*
6891
7037
  * Copyright (c) Microsoft Corporation. All rights reserved.
6892
7038
  * Licensed under the MIT License.
@@ -6896,7 +7042,7 @@
6896
7042
  */
6897
7043
  const unexpectedError = "unexpected_error";
6898
7044
 
6899
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7045
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
6900
7046
 
6901
7047
  /*
6902
7048
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7157,7 +7303,7 @@
7157
7303
  }
7158
7304
  }
7159
7305
 
7160
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7306
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
7161
7307
 
7162
7308
  /*
7163
7309
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7178,7 +7324,7 @@
7178
7324
  return new JoseHeaderError(code);
7179
7325
  }
7180
7326
 
7181
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7327
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
7182
7328
  /*
7183
7329
  * Copyright (c) Microsoft Corporation. All rights reserved.
7184
7330
  * Licensed under the MIT License.
@@ -7186,7 +7332,7 @@
7186
7332
  const missingKidError = "missing_kid_error";
7187
7333
  const missingAlgError = "missing_alg_error";
7188
7334
 
7189
- /*! @azure/msal-common v16.6.0 2026-05-07 */
7335
+ /*! @azure/msal-common v16.6.2 2026-05-19 */
7190
7336
 
7191
7337
  /*
7192
7338
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7621,7 +7767,7 @@
7621
7767
 
7622
7768
  /* eslint-disable header/header */
7623
7769
  const name = "@azure/msal-browser";
7624
- const version = "5.10.0";
7770
+ const version = "5.11.0";
7625
7771
 
7626
7772
  /*
7627
7773
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7650,6 +7796,15 @@
7650
7796
  CONTENT_TYPE: "Content-Type",
7651
7797
  X_MS_REQUEST_ID: "x-ms-request-id",
7652
7798
  };
7799
+ const CustomHeaderConstants = {
7800
+ REQUIRED_PREFIX: "x-",
7801
+ RESERVED_PREFIXES: [
7802
+ "x-client-",
7803
+ "x-ms-",
7804
+ "x-broker-",
7805
+ "x-app-",
7806
+ ],
7807
+ };
7653
7808
  const DefaultPackageInfo = {
7654
7809
  SKU: "msal.browser",
7655
7810
  VERSION: version,
@@ -9473,12 +9628,13 @@
9473
9628
  * and logoutHint attribute wasn't manually set in logout request
9474
9629
  */
9475
9630
  if (logoutRequest) {
9476
- // If logoutHint isn't set and an account was passed in, try to extract logoutHint from ID Token Claims
9631
+ // If logoutHint isn't set and an account was passed in, try to extract logoutHint from account loginHint or ID Token Claims
9477
9632
  if (!logoutRequest.logoutHint) {
9478
9633
  if (logoutRequest.account) {
9479
- const logoutHint = this.getLogoutHintFromIdTokenClaims(logoutRequest.account);
9634
+ const logoutHint = logoutRequest.account.loginHint ||
9635
+ this.getLogoutHintFromIdTokenClaims(logoutRequest.account);
9480
9636
  if (logoutHint) {
9481
- this.logger.verbose("Setting logoutHint to login_hint ID Token Claim value for the account provided", this.correlationId);
9637
+ this.logger.verbose("Setting logoutHint value to loginHint of the account provided", this.correlationId);
9482
9638
  validLogoutRequest.logoutHint = logoutHint;
9483
9639
  }
9484
9640
  }
@@ -9531,6 +9687,7 @@
9531
9687
  const idTokenClaims = account.idTokenClaims;
9532
9688
  if (idTokenClaims) {
9533
9689
  if (idTokenClaims.login_hint) {
9690
+ this.logger.verbose("Extracted login_hint claim from account ID Token Claims to be used as logoutHint", this.correlationId);
9534
9691
  return idTokenClaims.login_hint;
9535
9692
  }
9536
9693
  else {
@@ -10822,15 +10979,67 @@
10822
10979
  }
10823
10980
  }
10824
10981
 
10982
+ /*
10983
+ * Copyright (c) Microsoft Corporation. All rights reserved.
10984
+ * Licensed under the MIT License.
10985
+ */
10986
+ /**
10987
+ * Filters the headers returned by a {@link CustomAuthRequestInterceptor},
10988
+ * keeping only those that conform to the custom-auth header naming rules.
10989
+ *
10990
+ * Rules (mirrors the iOS / Android native auth implementations):
10991
+ * - Header names must start with `x-` (case-insensitive); others are dropped.
10992
+ * - Header names that start with any reserved prefix (`x-client-`, `x-ms-`,
10993
+ * `x-broker-`, `x-app-`) are dropped.
10994
+ * - Headers with empty/whitespace-only names or null/undefined values are dropped.
10995
+ *
10996
+ * Dropped headers are logged as warnings (PII-safe) when a logger is provided.
10997
+ *
10998
+ * @param headers - Raw headers returned by the interceptor.
10999
+ * @param logger - Optional logger used to emit warnings for dropped headers.
11000
+ * @param correlationId - Optional correlation id forwarded to the logger.
11001
+ * @returns A new record containing only the headers that pass the filter,
11002
+ * preserving the original casing of header names.
11003
+ */
11004
+ function filterCustomHeaders(headers, logger, correlationId) {
11005
+ const filtered = {};
11006
+ if (!headers) {
11007
+ return filtered;
11008
+ }
11009
+ for (const [name, value] of Object.entries(headers)) {
11010
+ if (!name || value === undefined || value === null) {
11011
+ continue;
11012
+ }
11013
+ const trimmedName = name.trim();
11014
+ if (!trimmedName) {
11015
+ continue;
11016
+ }
11017
+ const lowerName = trimmedName.toLowerCase();
11018
+ if (!lowerName.startsWith(CustomHeaderConstants.REQUIRED_PREFIX)) {
11019
+ logger?.warningPii(`Additional header field "${trimmedName}" must start with the "${CustomHeaderConstants.REQUIRED_PREFIX}" prefix. Ignoring.`, correlationId ?? "");
11020
+ continue;
11021
+ }
11022
+ const reservedPrefix = CustomHeaderConstants.RESERVED_PREFIXES.find((prefix) => lowerName.startsWith(prefix));
11023
+ if (reservedPrefix) {
11024
+ logger?.warningPii(`Additional header field "${trimmedName}" uses reserved prefix "${reservedPrefix}". Ignoring.`, correlationId ?? "");
11025
+ continue;
11026
+ }
11027
+ filtered[trimmedName] = value;
11028
+ }
11029
+ return filtered;
11030
+ }
11031
+
10825
11032
  /*
10826
11033
  * Copyright (c) Microsoft Corporation. All rights reserved.
10827
11034
  * Licensed under the MIT License.
10828
11035
  */
10829
11036
  class BaseApiClient {
10830
- constructor(baseUrl, clientId, httpClient, customAuthApiQueryParams) {
11037
+ constructor(baseUrl, clientId, httpClient, customAuthApiQueryParams, requestInterceptor, logger) {
10831
11038
  this.clientId = clientId;
10832
11039
  this.httpClient = httpClient;
10833
11040
  this.customAuthApiQueryParams = customAuthApiQueryParams;
11041
+ this.requestInterceptor = requestInterceptor;
11042
+ this.logger = logger;
10834
11043
  this.baseRequestUrl = parseUrl(!baseUrl.endsWith("/") ? `${baseUrl}/` : baseUrl);
10835
11044
  }
10836
11045
  async request(endpoint, data, telemetryManager, correlationId) {
@@ -10838,8 +11047,10 @@
10838
11047
  client_id: this.clientId,
10839
11048
  ...data,
10840
11049
  });
10841
- const headers = this.getCommonHeaders(correlationId, telemetryManager);
11050
+ const commonHeaders = this.getCommonHeaders(correlationId, telemetryManager);
10842
11051
  const url = buildUrl(this.baseRequestUrl.href, endpoint, this.customAuthApiQueryParams);
11052
+ const additionalHeaders = await this.getAdditionalHeaders(url, correlationId);
11053
+ const headers = { ...commonHeaders, ...additionalHeaders };
10843
11054
  let response;
10844
11055
  try {
10845
11056
  response = await this.httpClient.post(url, formData, headers);
@@ -10897,6 +11108,19 @@
10897
11108
  : responseError.invalid_attributes ?? [];
10898
11109
  throw new CustomAuthApiError(responseError.error, responseError.error_description, responseError.correlation_id, responseError.error_codes, responseError.suberror, attributes, responseError.continuation_token, responseError.trace_id, responseError.timestamp);
10899
11110
  }
11111
+ async getAdditionalHeaders(url, correlationId) {
11112
+ if (!this.requestInterceptor) {
11113
+ return {};
11114
+ }
11115
+ try {
11116
+ const result = await Promise.resolve(this.requestInterceptor.addAdditionalHeaderFields(url));
11117
+ return filterCustomHeaders(result, this.logger, correlationId);
11118
+ }
11119
+ catch (e) {
11120
+ this.logger?.warningPii(`CustomAuthRequestInterceptor.addAdditionalHeaderFields threw an error; continuing without additional headers: ${e}`, correlationId);
11121
+ return {};
11122
+ }
11123
+ }
10900
11124
  }
10901
11125
 
10902
11126
  /*
@@ -10904,8 +11128,8 @@
10904
11128
  * Licensed under the MIT License.
10905
11129
  */
10906
11130
  class ResetPasswordApiClient extends BaseApiClient {
10907
- constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams) {
10908
- super(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams);
11131
+ constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger) {
11132
+ super(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams, requestInterceptor, logger);
10909
11133
  this.capabilities = capabilities;
10910
11134
  }
10911
11135
  /**
@@ -10988,8 +11212,8 @@
10988
11212
  * Licensed under the MIT License.
10989
11213
  */
10990
11214
  class SignupApiClient extends BaseApiClient {
10991
- constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams) {
10992
- super(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams);
11215
+ constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger) {
11216
+ super(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams, requestInterceptor, logger);
10993
11217
  this.capabilities = capabilities;
10994
11218
  }
10995
11219
  /**
@@ -11058,8 +11282,8 @@
11058
11282
  * Licensed under the MIT License.
11059
11283
  */
11060
11284
  class SignInApiClient extends BaseApiClient {
11061
- constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams) {
11062
- super(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams);
11285
+ constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger) {
11286
+ super(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams, requestInterceptor, logger);
11063
11287
  this.capabilities = capabilities;
11064
11288
  }
11065
11289
  /**
@@ -11226,11 +11450,11 @@
11226
11450
  * Licensed under the MIT License.
11227
11451
  */
11228
11452
  class CustomAuthApiClient {
11229
- constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams) {
11230
- this.signInApi = new SignInApiClient(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams);
11231
- this.signUpApi = new SignupApiClient(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams);
11232
- this.resetPasswordApi = new ResetPasswordApiClient(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams);
11233
- this.registerApi = new RegisterApiClient(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams);
11453
+ constructor(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger) {
11454
+ this.signInApi = new SignInApiClient(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger);
11455
+ this.signUpApi = new SignupApiClient(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger);
11456
+ this.resetPasswordApi = new ResetPasswordApiClient(customAuthApiBaseUrl, clientId, httpClient, capabilities, customAuthApiQueryParams, requestInterceptor, logger);
11457
+ this.registerApi = new RegisterApiClient(customAuthApiBaseUrl, clientId, httpClient, customAuthApiQueryParams, requestInterceptor, logger);
11234
11458
  }
11235
11459
  }
11236
11460
 
@@ -14241,7 +14465,6 @@
14241
14465
  const ACCOUNT_SCHEMA_VERSION = 3;
14242
14466
  const LOG_LEVEL_CACHE_KEY = `${PREFIX}.${BROWSER_PREFIX}.log.level`;
14243
14467
  const LOG_PII_CACHE_KEY = `${PREFIX}.${BROWSER_PREFIX}.log.pii`;
14244
- const PLATFORM_AUTH_DOM_SUPPORT = `${PREFIX}.${BROWSER_PREFIX}.platform.auth.dom`;
14245
14468
  const VERSION_CACHE_KEY = `${PREFIX}.version`;
14246
14469
  const ACCOUNT_KEYS = "account.keys";
14247
14470
  const TOKEN_KEYS = "token.keys";
@@ -17775,6 +17998,7 @@
17775
17998
  };
17776
17999
  const DEFAULT_EXPERIMENTAL_OPTIONS = {
17777
18000
  iframeTimeoutTelemetry: false,
18001
+ allowPlatformBrokerWithDOM: false,
17778
18002
  };
17779
18003
  // Throw an error if user has set OIDCOptions without being in OIDC protocol mode
17780
18004
  if (userInputSystem?.protocolMode !== ProtocolMode.OIDC &&
@@ -18219,9 +18443,8 @@
18219
18443
  * Copyright (c) Microsoft Corporation. All rights reserved.
18220
18444
  * Licensed under the MIT License.
18221
18445
  */
18222
- async function getPlatformAuthProvider(logger, performanceClient, correlationId, nativeBrokerHandshakeTimeout) {
18446
+ async function getPlatformAuthProvider(logger, performanceClient, correlationId, nativeBrokerHandshakeTimeout, enablePlatformBrokerDOMSupport) {
18223
18447
  logger.trace("getPlatformAuthProvider called", correlationId);
18224
- const enablePlatformBrokerDOMSupport = isDomEnabledForPlatformAuth();
18225
18448
  logger.trace(`Has client allowed platform auth via DOM API: '${enablePlatformBrokerDOMSupport}'`, correlationId);
18226
18449
  let platformAuthProvider;
18227
18450
  try {
@@ -18245,22 +18468,6 @@
18245
18468
  }
18246
18469
  return platformAuthProvider;
18247
18470
  }
18248
- /**
18249
- * Returns true if the DOM API support for platform auth is enabled in session storage
18250
- * @returns boolean
18251
- * @deprecated
18252
- */
18253
- function isDomEnabledForPlatformAuth() {
18254
- let sessionStorage;
18255
- try {
18256
- sessionStorage = window[BrowserCacheLocation.SessionStorage];
18257
- // Mute errors if it's a non-browser environment or cookies are blocked.
18258
- return sessionStorage?.getItem(PLATFORM_AUTH_DOM_SUPPORT) === "true";
18259
- }
18260
- catch (e) {
18261
- return false;
18262
- }
18263
- }
18264
18471
  /**
18265
18472
  * Returns boolean indicating whether or not the request should attempt to use platform broker
18266
18473
  * @param logger
@@ -18271,6 +18478,11 @@
18271
18478
  */
18272
18479
  function isPlatformAuthAllowed(config, logger, correlationId, platformAuthProvider, authenticationScheme) {
18273
18480
  logger.trace("isPlatformAuthAllowed called", correlationId);
18481
+ // throw an error if allowPlatformBroker is not enabled and allowPlatformBrokerWithDOM is enabled
18482
+ if (!config.system.allowPlatformBroker &&
18483
+ config.experimental.allowPlatformBrokerWithDOM) {
18484
+ throw createClientConfigurationError(invalidPlatformBrokerConfiguration);
18485
+ }
18274
18486
  if (!config.system.allowPlatformBroker) {
18275
18487
  logger.trace("isPlatformAuthAllowed: allowPlatformBroker is not enabled, returning false", correlationId);
18276
18488
  // Developer disabled WAM
@@ -19718,7 +19930,7 @@
19718
19930
  if (allowPlatformBroker) {
19719
19931
  try {
19720
19932
  // check if platform authentication is available via DOM or browser extension and create relevant handlers
19721
- this.platformAuthProvider = await getPlatformAuthProvider(this.logger, this.performanceClient, correlationId, this.config.system.nativeBrokerHandshakeTimeout);
19933
+ this.platformAuthProvider = await getPlatformAuthProvider(this.logger, this.performanceClient, correlationId, this.config.system.nativeBrokerHandshakeTimeout, this.config.experimental.allowPlatformBrokerWithDOM);
19722
19934
  }
19723
19935
  catch (e) {
19724
19936
  this.logger.verbose(e, correlationId);
@@ -21100,7 +21312,7 @@
21100
21312
  this.customAuthConfig = operatingContext.getCustomAuthConfig();
21101
21313
  this.authority = new CustomAuthAuthority(this.customAuthConfig.auth.authority, this.customAuthConfig, this.networkClient, this.browserStorage, this.logger, this.performanceClient, this.customAuthConfig.customAuth?.authApiProxyUrl);
21102
21314
  const interactionClientFactory = new CustomAuthInterationClientFactory(this.customAuthConfig, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, this.performanceClient, customAuthApiClient ??
21103
- new CustomAuthApiClient(this.authority.getCustomAuthApiDomain(), this.customAuthConfig.auth.clientId, new FetchHttpClient(this.logger), this.customAuthConfig.customAuth?.capabilities?.join(" "), this.customAuthConfig.customAuth?.customAuthApiQueryParams), this.authority);
21315
+ new CustomAuthApiClient(this.authority.getCustomAuthApiDomain(), this.customAuthConfig.auth.clientId, new FetchHttpClient(this.logger), this.customAuthConfig.customAuth?.capabilities?.join(" "), this.customAuthConfig.customAuth?.customAuthApiQueryParams, this.customAuthConfig.customAuth?.requestInterceptor, this.logger), this.authority);
21104
21316
  this.signInClient = interactionClientFactory.create(SignInClient);
21105
21317
  this.signUpClient = interactionClientFactory.create(SignUpClient);
21106
21318
  this.resetPasswordClient =