@azure/msal-browser 5.11.0 → 5.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (267) hide show
  1. package/README.md +1 -0
  2. package/dist/app/IPublicClientApplication.mjs +1 -1
  3. package/dist/app/PublicClientApplication.mjs +44 -2
  4. package/dist/app/PublicClientApplication.mjs.map +1 -1
  5. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +3 -3
  6. package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  7. package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  8. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +1 -1
  9. package/dist/cache/AccountManager.mjs +1 -1
  10. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  11. package/dist/cache/BrowserCacheManager.mjs +99 -15
  12. package/dist/cache/BrowserCacheManager.mjs.map +1 -1
  13. package/dist/cache/CacheHelpers.mjs +1 -1
  14. package/dist/cache/CacheKeys.mjs +1 -1
  15. package/dist/cache/CookieStorage.mjs +1 -1
  16. package/dist/cache/DatabaseStorage.mjs +1 -1
  17. package/dist/cache/EncryptedData.mjs +1 -1
  18. package/dist/cache/LocalStorage.mjs +1 -1
  19. package/dist/cache/MemoryStorage.mjs +1 -1
  20. package/dist/cache/SessionStorage.mjs +1 -1
  21. package/dist/cache/TokenCache.mjs +1 -1
  22. package/dist/config/Configuration.mjs +3 -2
  23. package/dist/config/Configuration.mjs.map +1 -1
  24. package/dist/controllers/NestedAppAuthController.mjs +1 -1
  25. package/dist/controllers/StandardController.mjs +5 -5
  26. package/dist/controllers/StandardController.mjs.map +1 -1
  27. package/dist/crypto/BrowserCrypto.mjs +1 -1
  28. package/dist/crypto/CryptoOps.mjs +1 -1
  29. package/dist/crypto/PkceGenerator.mjs +1 -1
  30. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  31. package/dist/custom_auth/CustomAuthConstants.mjs +1 -1
  32. package/dist/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
  33. package/dist/custom_auth/controller/CustomAuthStandardController.mjs +1 -1
  34. package/dist/custom_auth/core/CustomAuthAuthority.mjs +1 -1
  35. package/dist/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
  36. package/dist/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
  37. package/dist/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
  38. package/dist/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
  39. package/dist/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
  40. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
  41. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
  42. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
  43. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
  44. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +1 -1
  45. package/dist/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
  46. package/dist/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
  47. package/dist/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
  48. package/dist/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
  49. package/dist/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
  50. package/dist/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +1 -1
  51. package/dist/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
  52. package/dist/custom_auth/core/error/CustomAuthError.mjs +1 -1
  53. package/dist/custom_auth/core/error/HttpError.mjs +1 -1
  54. package/dist/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
  55. package/dist/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
  56. package/dist/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
  57. package/dist/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
  58. package/dist/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
  59. package/dist/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
  60. package/dist/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
  61. package/dist/custom_auth/core/error/ParsedUrlError.mjs +1 -1
  62. package/dist/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
  63. package/dist/custom_auth/core/error/UnexpectedError.mjs +1 -1
  64. package/dist/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
  65. package/dist/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
  66. package/dist/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
  67. package/dist/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
  68. package/dist/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
  69. package/dist/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
  70. package/dist/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
  71. package/dist/custom_auth/core/interaction_client/mfa/MfaClient.mjs +1 -1
  72. package/dist/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
  73. package/dist/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +1 -1
  74. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +1 -1
  75. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
  76. package/dist/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
  77. package/dist/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +1 -1
  78. package/dist/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +1 -1
  79. package/dist/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +1 -1
  80. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
  81. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
  82. package/dist/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +1 -1
  83. package/dist/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
  84. package/dist/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
  85. package/dist/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
  86. package/dist/custom_auth/core/utils/CustomHeaderUtils.mjs +1 -1
  87. package/dist/custom_auth/core/utils/UrlUtils.mjs +1 -1
  88. package/dist/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +1 -1
  89. package/dist/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
  90. package/dist/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
  91. package/dist/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
  92. package/dist/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
  93. package/dist/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
  94. package/dist/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
  95. package/dist/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
  96. package/dist/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +1 -1
  97. package/dist/custom_auth/index.mjs +1 -1
  98. package/dist/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
  99. package/dist/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
  100. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
  101. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
  102. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
  103. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
  104. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +1 -1
  105. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
  106. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
  107. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +1 -1
  108. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
  109. package/dist/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +1 -1
  110. package/dist/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
  111. package/dist/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
  112. package/dist/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
  113. package/dist/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
  114. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
  115. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
  116. package/dist/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +1 -1
  117. package/dist/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
  118. package/dist/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +1 -1
  119. package/dist/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
  120. package/dist/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +1 -1
  121. package/dist/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
  122. package/dist/custom_auth/sign_in/interaction_client/SignInClient.mjs +1 -1
  123. package/dist/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
  124. package/dist/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
  125. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
  126. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
  127. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
  128. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
  129. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
  130. package/dist/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +1 -1
  131. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +1 -1
  132. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
  133. package/dist/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
  134. package/dist/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +1 -1
  135. package/dist/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
  136. package/dist/custom_auth/sign_up/interaction_client/SignUpClient.mjs +1 -1
  137. package/dist/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
  138. package/dist/encode/Base64Decode.mjs +1 -1
  139. package/dist/encode/Base64Encode.mjs +1 -1
  140. package/dist/error/BrowserAuthError.mjs +1 -1
  141. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  142. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  143. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  144. package/dist/error/NativeAuthError.mjs +4 -4
  145. package/dist/error/NativeAuthError.mjs.map +1 -1
  146. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  147. package/dist/error/NestedAppAuthError.mjs +1 -1
  148. package/dist/event/EventHandler.mjs +1 -1
  149. package/dist/event/EventMessage.mjs +1 -1
  150. package/dist/event/EventType.mjs +1 -1
  151. package/dist/index.mjs +1 -1
  152. package/dist/interaction_client/BaseInteractionClient.mjs +8 -3
  153. package/dist/interaction_client/BaseInteractionClient.mjs.map +1 -1
  154. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  155. package/dist/interaction_client/PlatformAuthInteractionClient.mjs +7 -6
  156. package/dist/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
  157. package/dist/interaction_client/PopupClient.mjs +30 -10
  158. package/dist/interaction_client/PopupClient.mjs.map +1 -1
  159. package/dist/interaction_client/RedirectClient.mjs +17 -9
  160. package/dist/interaction_client/RedirectClient.mjs.map +1 -1
  161. package/dist/interaction_client/SilentAuthCodeClient.mjs +2 -2
  162. package/dist/interaction_client/SilentAuthCodeClient.mjs.map +1 -1
  163. package/dist/interaction_client/SilentCacheClient.mjs +2 -2
  164. package/dist/interaction_client/SilentCacheClient.mjs.map +1 -1
  165. package/dist/interaction_client/SilentIframeClient.mjs +49 -20
  166. package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
  167. package/dist/interaction_client/SilentRefreshClient.mjs +2 -2
  168. package/dist/interaction_client/SilentRefreshClient.mjs.map +1 -1
  169. package/dist/interaction_client/StandardInteractionClient.mjs +1 -1
  170. package/dist/interaction_handler/InteractionHandler.mjs +1 -1
  171. package/dist/interaction_handler/SilentHandler.mjs +13 -26
  172. package/dist/interaction_handler/SilentHandler.mjs.map +1 -1
  173. package/dist/log-strings-mapping.json +1202 -1194
  174. package/dist/naa/BridgeError.mjs +1 -1
  175. package/dist/naa/BridgeProxy.mjs +1 -1
  176. package/dist/naa/BridgeStatusCode.mjs +1 -1
  177. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +1 -1
  178. package/dist/navigation/NavigationClient.mjs +1 -1
  179. package/dist/network/FetchClient.mjs +1 -1
  180. package/dist/operatingcontext/BaseOperatingContext.mjs +10 -2
  181. package/dist/operatingcontext/BaseOperatingContext.mjs.map +1 -1
  182. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  183. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  184. package/dist/packageMetadata.mjs +2 -2
  185. package/dist/protocol/Authorize.mjs +1 -1
  186. package/dist/redirect_bridge/index.mjs +4 -5
  187. package/dist/redirect_bridge/index.mjs.map +1 -1
  188. package/dist/request/RequestHelpers.mjs +1 -1
  189. package/dist/response/ResponseHandler.mjs +1 -1
  190. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  191. package/dist/telemetry/BrowserPerformanceEvents.mjs +2 -3
  192. package/dist/telemetry/BrowserPerformanceEvents.mjs.map +1 -1
  193. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  194. package/dist/telemetry/BrowserRootPerformanceEvents.mjs +1 -1
  195. package/dist/utils/BrowserConstants.mjs +1 -1
  196. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  197. package/dist/utils/BrowserUtils.mjs +15 -5
  198. package/dist/utils/BrowserUtils.mjs.map +1 -1
  199. package/dist/utils/Helpers.mjs +1 -1
  200. package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
  201. package/lib/custom-auth-path/log-strings-mapping.json +19 -11
  202. package/lib/custom-auth-path/msal-custom-auth.cjs +511 -263
  203. package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
  204. package/lib/custom-auth-path/msal-custom-auth.js +511 -263
  205. package/lib/custom-auth-path/msal-custom-auth.js.map +1 -1
  206. package/lib/log-strings-mapping.json +11 -3
  207. package/lib/msal-browser.cjs +539 -267
  208. package/lib/msal-browser.cjs.map +1 -1
  209. package/lib/msal-browser.js +539 -267
  210. package/lib/msal-browser.js.map +1 -1
  211. package/lib/msal-browser.min.js +2 -2
  212. package/lib/redirect-bridge/msal-redirect-bridge.cjs +59 -50
  213. package/lib/redirect-bridge/msal-redirect-bridge.cjs.map +1 -1
  214. package/lib/redirect-bridge/msal-redirect-bridge.js +59 -50
  215. package/lib/redirect-bridge/msal-redirect-bridge.js.map +1 -1
  216. package/lib/redirect-bridge/msal-redirect-bridge.min.js +2 -2
  217. package/package.json +2 -2
  218. package/src/app/PublicClientApplication.ts +85 -1
  219. package/src/broker/nativeBroker/NativeStatusCodes.ts +1 -1
  220. package/src/cache/BrowserCacheManager.ts +157 -33
  221. package/src/config/Configuration.ts +6 -0
  222. package/src/controllers/StandardController.ts +10 -8
  223. package/src/error/NativeAuthError.ts +2 -2
  224. package/src/interaction_client/BaseInteractionClient.ts +12 -1
  225. package/src/interaction_client/PlatformAuthInteractionClient.ts +14 -4
  226. package/src/interaction_client/PopupClient.ts +74 -30
  227. package/src/interaction_client/RedirectClient.ts +32 -8
  228. package/src/interaction_client/SilentAuthCodeClient.ts +3 -1
  229. package/src/interaction_client/SilentCacheClient.ts +3 -1
  230. package/src/interaction_client/SilentIframeClient.ts +140 -74
  231. package/src/interaction_client/SilentRefreshClient.ts +3 -1
  232. package/src/interaction_handler/SilentHandler.ts +12 -32
  233. package/src/operatingcontext/BaseOperatingContext.ts +15 -1
  234. package/src/packageMetadata.ts +1 -1
  235. package/src/redirect_bridge/index.ts +3 -7
  236. package/src/telemetry/BrowserPerformanceEvents.ts +0 -1
  237. package/src/utils/BrowserUtils.ts +28 -7
  238. package/types/app/PublicClientApplication.d.ts +37 -1
  239. package/types/app/PublicClientApplication.d.ts.map +1 -1
  240. package/types/broker/nativeBroker/NativeStatusCodes.d.ts +1 -1
  241. package/types/cache/BrowserCacheManager.d.ts +18 -1
  242. package/types/cache/BrowserCacheManager.d.ts.map +1 -1
  243. package/types/config/Configuration.d.ts +5 -0
  244. package/types/config/Configuration.d.ts.map +1 -1
  245. package/types/controllers/StandardController.d.ts.map +1 -1
  246. package/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  247. package/types/interaction_client/BaseInteractionClient.d.ts +2 -1
  248. package/types/interaction_client/BaseInteractionClient.d.ts.map +1 -1
  249. package/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  250. package/types/interaction_client/PopupClient.d.ts +11 -1
  251. package/types/interaction_client/PopupClient.d.ts.map +1 -1
  252. package/types/interaction_client/RedirectClient.d.ts.map +1 -1
  253. package/types/interaction_client/SilentAuthCodeClient.d.ts.map +1 -1
  254. package/types/interaction_client/SilentCacheClient.d.ts.map +1 -1
  255. package/types/interaction_client/SilentIframeClient.d.ts +20 -1
  256. package/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
  257. package/types/interaction_client/SilentRefreshClient.d.ts.map +1 -1
  258. package/types/interaction_handler/SilentHandler.d.ts +13 -6
  259. package/types/interaction_handler/SilentHandler.d.ts.map +1 -1
  260. package/types/operatingcontext/BaseOperatingContext.d.ts +8 -1
  261. package/types/operatingcontext/BaseOperatingContext.d.ts.map +1 -1
  262. package/types/packageMetadata.d.ts +1 -1
  263. package/types/redirect_bridge/index.d.ts.map +1 -1
  264. package/types/telemetry/BrowserPerformanceEvents.d.ts +0 -1
  265. package/types/telemetry/BrowserPerformanceEvents.d.ts.map +1 -1
  266. package/types/utils/BrowserUtils.d.ts +17 -2
  267. package/types/utils/BrowserUtils.d.ts.map +1 -1
@@ -1,8 +1,8 @@
1
- /*! @azure/msal-browser v5.11.0 2026-05-19 */
1
+ /*! @azure/msal-browser v5.13.0 2026-06-10 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
5
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6
6
  /*
7
7
  * Copyright (c) Microsoft Corporation. All rights reserved.
8
8
  * Licensed under the MIT License.
@@ -234,7 +234,7 @@ const JsonWebTokenTypes$1 = {
234
234
  // Token renewal offset default in seconds
235
235
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
236
236
 
237
- /*! @azure/msal-common v16.6.2 2026-05-19 */
237
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
238
238
  /*
239
239
  * Copyright (c) Microsoft Corporation. All rights reserved.
240
240
  * Licensed under the MIT License.
@@ -286,7 +286,7 @@ const EAR_JWE_CRYPTO = "ear_jwe_crypto";
286
286
  const RESOURCE = "resource";
287
287
  const CLI_DATA = "clidata";
288
288
 
289
- /*! @azure/msal-common v16.6.2 2026-05-19 */
289
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
290
290
  /*
291
291
  * Copyright (c) Microsoft Corporation. All rights reserved.
292
292
  * Licensed under the MIT License.
@@ -317,7 +317,7 @@ function createAuthError(code, additionalMessage) {
317
317
  return new AuthError(code, additionalMessage || getDefaultErrorMessage$1(code));
318
318
  }
319
319
 
320
- /*! @azure/msal-common v16.6.2 2026-05-19 */
320
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
321
321
 
322
322
  /*
323
323
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -337,7 +337,7 @@ function createClientConfigurationError(errorCode) {
337
337
  return new ClientConfigurationError(errorCode);
338
338
  }
339
339
 
340
- /*! @azure/msal-common v16.6.2 2026-05-19 */
340
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
341
341
  /*
342
342
  * Copyright (c) Microsoft Corporation. All rights reserved.
343
343
  * Licensed under the MIT License.
@@ -417,7 +417,7 @@ class StringUtils {
417
417
  }
418
418
  }
419
419
 
420
- /*! @azure/msal-common v16.6.2 2026-05-19 */
420
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
421
421
 
422
422
  /*
423
423
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -440,7 +440,7 @@ function createClientAuthError(errorCode, additionalMessage) {
440
440
  return new ClientAuthError(errorCode, additionalMessage);
441
441
  }
442
442
 
443
- /*! @azure/msal-common v16.6.2 2026-05-19 */
443
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
444
444
  /*
445
445
  * Copyright (c) Microsoft Corporation. All rights reserved.
446
446
  * Licensed under the MIT License.
@@ -498,7 +498,7 @@ var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
498
498
  urlParseError: urlParseError
499
499
  });
500
500
 
501
- /*! @azure/msal-common v16.6.2 2026-05-19 */
501
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
502
502
  /*
503
503
  * Copyright (c) Microsoft Corporation. All rights reserved.
504
504
  * Licensed under the MIT License.
@@ -586,7 +586,7 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
586
586
  userCanceled: userCanceled
587
587
  });
588
588
 
589
- /*! @azure/msal-common v16.6.2 2026-05-19 */
589
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
590
590
 
591
591
  /*
592
592
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -781,7 +781,7 @@ class ScopeSet {
781
781
  }
782
782
  }
783
783
 
784
- /*! @azure/msal-common v16.6.2 2026-05-19 */
784
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
785
785
 
786
786
  /*
787
787
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1130,8 +1130,14 @@ function addSshJwk(parameters, sshJwkString) {
1130
1130
  * @param serverTelemetryManager
1131
1131
  */
1132
1132
  function addServerTelemetry(parameters, serverTelemetryManager) {
1133
- parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
1134
- parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
1133
+ const currentTelemetryHeader = serverTelemetryManager.generateCurrentRequestHeaderValue();
1134
+ const lastTelemetryHeader = serverTelemetryManager.generateLastRequestHeaderValue();
1135
+ if (currentTelemetryHeader) {
1136
+ parameters.set(X_CLIENT_CURR_TELEM, currentTelemetryHeader);
1137
+ }
1138
+ if (lastTelemetryHeader) {
1139
+ parameters.set(X_CLIENT_LAST_TELEM, lastTelemetryHeader);
1140
+ }
1135
1141
  }
1136
1142
  /**
1137
1143
  * Adds parameter that indicates to the server that throttling is supported
@@ -1170,34 +1176,12 @@ function addResource(parameters, resource) {
1170
1176
  }
1171
1177
  }
1172
1178
 
1173
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1179
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1174
1180
 
1175
1181
  /*
1176
1182
  * Copyright (c) Microsoft Corporation. All rights reserved.
1177
1183
  * Licensed under the MIT License.
1178
1184
  */
1179
- /**
1180
- * Canonicalizes a URL by making it lowercase and ensuring it ends with /
1181
- * Inlined version of UrlString.canonicalizeUri to avoid circular dependency
1182
- * @param url - URL to canonicalize
1183
- * @returns Canonicalized URL
1184
- */
1185
- function canonicalizeUrl(url) {
1186
- if (!url) {
1187
- return url;
1188
- }
1189
- let lowerCaseUrl = url.toLowerCase();
1190
- if (StringUtils.endsWith(lowerCaseUrl, "?")) {
1191
- lowerCaseUrl = lowerCaseUrl.slice(0, -1);
1192
- }
1193
- else if (StringUtils.endsWith(lowerCaseUrl, "?/")) {
1194
- lowerCaseUrl = lowerCaseUrl.slice(0, -2);
1195
- }
1196
- if (!StringUtils.endsWith(lowerCaseUrl, "/")) {
1197
- lowerCaseUrl += "/";
1198
- }
1199
- return lowerCaseUrl;
1200
- }
1201
1185
  /**
1202
1186
  * Parses hash string from given string. Returns empty string if no hash symbol is found.
1203
1187
  * @param hashString
@@ -1250,36 +1234,71 @@ function mapToQueryString(parameters) {
1250
1234
  return queryParameterArray.join("&");
1251
1235
  }
1252
1236
  /**
1253
- * Normalizes URLs for comparison by removing hash, canonicalizing,
1254
- * and ensuring consistent URL encoding in query parameters.
1255
- * This fixes redirect loops when URLs contain encoded characters like apostrophes (%27).
1237
+ * Normalizes URLs for comparison per MDN & RFC 3986 standards:
1238
+ * - Hash/fragment is removed
1239
+ * - Scheme and host are lowercased (case-insensitive per spec)
1240
+ * - Path and query parameters preserve original casing (case-sensitive per spec)
1241
+ * - Percent-encoding in pathname is normalized (e.g., %27 and ' are treated equivalently)
1242
+ * - Ensures pathname ends with /
1243
+ * Throws a urlParseError if the provided URL is malformed and cannot be parsed.
1256
1244
  * @param url - URL to normalize
1245
+ * @param logger - Optional logger used to log parse failures
1246
+ * @param correlationId - Optional correlationId associated with the log entry
1257
1247
  * @returns Normalized URL string for comparison
1258
1248
  */
1259
- function normalizeUrlForComparison(url) {
1249
+ function normalizeUrlForComparison(url, logger, correlationId) {
1260
1250
  if (!url) {
1261
1251
  return url;
1262
1252
  }
1263
- // Remove hash first
1264
1253
  const urlWithoutHash = url.split("#")[0];
1254
+ if (!urlWithoutHash) {
1255
+ return urlWithoutHash;
1256
+ }
1265
1257
  try {
1266
- // Parse the URL to handle encoding consistently
1267
1258
  const urlObj = new URL(urlWithoutHash);
1268
- /*
1269
- * Reconstruct the URL with properly decoded query parameters
1270
- * This ensures that %27 and ' are treated as equivalent
1271
- */
1272
- const normalizedUrl = urlObj.origin + urlObj.pathname + urlObj.search;
1273
- // Apply canonicalization logic inline to avoid circular dependency
1274
- return canonicalizeUrl(normalizedUrl);
1259
+ // Treat an empty query string (a bare trailing "?") as equivalent to no query
1260
+ if (!urlObj.search) {
1261
+ urlObj.search = "";
1262
+ }
1263
+ // Decode the pathname to normalize percent-encoding and ensure trailing slash
1264
+ let pathname;
1265
+ try {
1266
+ pathname = decodeURIComponent(urlObj.pathname);
1267
+ }
1268
+ catch (e) {
1269
+ pathname = urlObj.pathname;
1270
+ }
1271
+ if (!pathname.endsWith("/")) {
1272
+ pathname += "/";
1273
+ }
1274
+ urlObj.pathname = pathname;
1275
+ return urlObj.href;
1276
+ }
1277
+ catch (e) {
1278
+ logger?.error("15apdm", correlationId || "");
1279
+ throw createClientConfigurationError(urlParseError);
1280
+ }
1281
+ }
1282
+ /**
1283
+ * Validates that the provided value is a well-formed, parseable absolute URL.
1284
+ * Throws a urlParseError if the value cannot be parsed by the URL API (e.g. the
1285
+ * literal string "null", an empty string, or any malformed/relative URL). Use this
1286
+ * to guard against persisting an invalid value (such as a redirect URL) to the cache.
1287
+ * @param url - URL to validate
1288
+ * @param logger - Optional logger used to log validation failures
1289
+ * @param correlationId - Optional correlationId associated with the log entry
1290
+ */
1291
+ function validateUrl(url, logger, correlationId) {
1292
+ try {
1293
+ new URL(url);
1275
1294
  }
1276
1295
  catch (e) {
1277
- // Fallback to original logic if URL parsing fails
1278
- return canonicalizeUrl(urlWithoutHash);
1296
+ logger?.error("1lrjz7", correlationId || "");
1297
+ throw createClientConfigurationError(urlParseError);
1279
1298
  }
1280
1299
  }
1281
1300
 
1282
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1301
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1283
1302
 
1284
1303
  /*
1285
1304
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1318,7 +1337,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
1318
1337
  },
1319
1338
  };
1320
1339
 
1321
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1340
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1322
1341
  /*
1323
1342
  * Copyright (c) Microsoft Corporation. All rights reserved.
1324
1343
  * Licensed under the MIT License.
@@ -1366,7 +1385,7 @@ function addLogToCache(correlationId, loggedMessage) {
1366
1385
  // Remove LRU (first entry) if capacity exceeded
1367
1386
  if (correlationCache.size > CACHE_CAPACITY) {
1368
1387
  const firstKey = correlationCache.keys().next().value;
1369
- if (firstKey) {
1388
+ if (firstKey !== undefined) {
1370
1389
  correlationCache.delete(firstKey);
1371
1390
  }
1372
1391
  }
@@ -1593,12 +1612,12 @@ class Logger {
1593
1612
  }
1594
1613
  }
1595
1614
 
1596
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1615
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1597
1616
  /* eslint-disable header/header */
1598
1617
  const name$1 = "@azure/msal-common";
1599
- const version$1 = "16.6.2";
1618
+ const version$1 = "16.8.0";
1600
1619
 
1601
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1620
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1602
1621
  /*
1603
1622
  * Copyright (c) Microsoft Corporation. All rights reserved.
1604
1623
  * Licensed under the MIT License.
@@ -1618,7 +1637,7 @@ const AzureCloudInstance = {
1618
1637
  AzureUsGovernment: "https://login.microsoftonline.us",
1619
1638
  };
1620
1639
 
1621
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1640
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1622
1641
  /*
1623
1642
  * Copyright (c) Microsoft Corporation. All rights reserved.
1624
1643
  * Licensed under the MIT License.
@@ -1701,7 +1720,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
1701
1720
  return updatedAccountInfo;
1702
1721
  }
1703
1722
 
1704
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1723
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1705
1724
 
1706
1725
  /*
1707
1726
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1781,7 +1800,7 @@ function checkMaxAge(authTime, maxAge) {
1781
1800
  }
1782
1801
  }
1783
1802
 
1784
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1803
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1785
1804
 
1786
1805
  /*
1787
1806
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1938,7 +1957,7 @@ class UrlString {
1938
1957
  }
1939
1958
  }
1940
1959
 
1941
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1960
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1942
1961
 
1943
1962
  /*
1944
1963
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2104,7 +2123,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
2104
2123
  return null;
2105
2124
  }
2106
2125
 
2107
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2126
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2108
2127
  /*
2109
2128
  * Copyright (c) Microsoft Corporation. All rights reserved.
2110
2129
  * Licensed under the MIT License.
@@ -2112,7 +2131,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
2112
2131
  const cacheQuotaExceeded = "cache_quota_exceeded";
2113
2132
  const cacheErrorUnknown = "cache_error_unknown";
2114
2133
 
2115
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2134
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2116
2135
 
2117
2136
  /*
2118
2137
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2150,7 +2169,7 @@ function createCacheError(e) {
2150
2169
  }
2151
2170
  }
2152
2171
 
2153
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2172
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2154
2173
 
2155
2174
  /*
2156
2175
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2188,7 +2207,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
2188
2207
  };
2189
2208
  }
2190
2209
 
2191
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2210
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2192
2211
  /*
2193
2212
  * Copyright (c) Microsoft Corporation. All rights reserved.
2194
2213
  * Licensed under the MIT License.
@@ -2203,7 +2222,7 @@ const AuthorityType = {
2203
2222
  Ciam: 3,
2204
2223
  };
2205
2224
 
2206
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2225
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2207
2226
  /*
2208
2227
  * Copyright (c) Microsoft Corporation. All rights reserved.
2209
2228
  * Licensed under the MIT License.
@@ -2225,7 +2244,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
2225
2244
  return null;
2226
2245
  }
2227
2246
 
2228
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2247
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2229
2248
  /*
2230
2249
  * Copyright (c) Microsoft Corporation. All rights reserved.
2231
2250
  * Licensed under the MIT License.
@@ -2249,7 +2268,7 @@ const ProtocolMode = {
2249
2268
  EAR: "EAR",
2250
2269
  };
2251
2270
 
2252
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2271
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2253
2272
  /**
2254
2273
  * Returns the AccountInfo interface for this account.
2255
2274
  */
@@ -2424,7 +2443,7 @@ function isAccountEntity(entity) {
2424
2443
  entity.hasOwnProperty("authorityType"));
2425
2444
  }
2426
2445
 
2427
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2446
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2428
2447
 
2429
2448
  /*
2430
2449
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2564,8 +2583,8 @@ class CacheManager {
2564
2583
  return false;
2565
2584
  }
2566
2585
  if (!!tenantProfileFilter.username &&
2567
- !(this.matchUsername(tenantProfile.username, tenantProfileFilter.username) ||
2568
- !this.matchUsername(tenantProfile.upn, tenantProfileFilter.username))) {
2586
+ !this.matchUsername(tenantProfile.username, tenantProfileFilter.username) &&
2587
+ !this.matchUsername(tenantProfile.upn, tenantProfileFilter.username)) {
2569
2588
  return false;
2570
2589
  }
2571
2590
  if (!!tenantProfileFilter.loginHint &&
@@ -3556,7 +3575,7 @@ class DefaultStorageClass extends CacheManager {
3556
3575
  }
3557
3576
  }
3558
3577
 
3559
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3578
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3560
3579
  /*
3561
3580
  * Copyright (c) Microsoft Corporation. All rights reserved.
3562
3581
  * Licensed under the MIT License.
@@ -3599,7 +3618,20 @@ const IntFields = new Set([
3599
3618
  "currAccessCount",
3600
3619
  "currIdCount",
3601
3620
  "currRefreshCount",
3602
- "expiredCacheRemovedCount",
3621
+ "ttlExpiredAcntCount",
3622
+ "ttlExpiredITCount",
3623
+ "ttlExpiredATCount",
3624
+ "ttlExpiredRTCount",
3625
+ "decryptFailedAcntCount",
3626
+ "decryptFailedITCount",
3627
+ "decryptFailedATCount",
3628
+ "decryptFailedRTCount",
3629
+ "invalidAcntCount",
3630
+ "invalidITCount",
3631
+ "invalidATCount",
3632
+ "invalidRTCount",
3633
+ "expiredATCount",
3634
+ "expiredRTCount",
3603
3635
  "upgradedCacheCount",
3604
3636
  "cacheMatchedAccounts",
3605
3637
  "networkRtt",
@@ -3607,7 +3639,7 @@ const IntFields = new Set([
3607
3639
  "redirectBridgeMessageVersion",
3608
3640
  ]);
3609
3641
 
3610
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3642
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3611
3643
 
3612
3644
  /*
3613
3645
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3662,7 +3694,7 @@ class StubPerformanceClient {
3662
3694
  }
3663
3695
  }
3664
3696
 
3665
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3697
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3666
3698
 
3667
3699
  /*
3668
3700
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3757,7 +3789,7 @@ function isOidcProtocolMode(config) {
3757
3789
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3758
3790
  }
3759
3791
 
3760
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3792
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3761
3793
  /*
3762
3794
  * Copyright (c) Microsoft Corporation. All rights reserved.
3763
3795
  * Licensed under the MIT License.
@@ -3784,7 +3816,7 @@ function isOidcProtocolMode(config) {
3784
3816
  }
3785
3817
  }
3786
3818
 
3787
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3819
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3788
3820
  /*
3789
3821
  * Copyright (c) Microsoft Corporation. All rights reserved.
3790
3822
  * Licensed under the MIT License.
@@ -3849,7 +3881,7 @@ function wasClockTurnedBack(cachedAt) {
3849
3881
  return cachedAtSec > nowSeconds();
3850
3882
  }
3851
3883
 
3852
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3884
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3853
3885
 
3854
3886
  /*
3855
3887
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4108,7 +4140,7 @@ function isAuthorityMetadataExpired(metadata) {
4108
4140
  return metadata.expiresAt <= nowSeconds();
4109
4141
  }
4110
4142
 
4111
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4143
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4112
4144
  /*
4113
4145
  * Copyright (c) Microsoft Corporation. All rights reserved.
4114
4146
  * Licensed under the MIT License.
@@ -4179,7 +4211,7 @@ const RegionDiscoveryGetCurrentVersion = "regionDiscoveryGetCurrentVersion";
4179
4211
  const CacheManagerGetRefreshToken = "cacheManagerGetRefreshToken";
4180
4212
  const SetUserData = "setUserData";
4181
4213
 
4182
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4214
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4183
4215
  /*
4184
4216
  * Copyright (c) Microsoft Corporation. All rights reserved.
4185
4217
  * Licensed under the MIT License.
@@ -4272,7 +4304,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
4272
4304
  };
4273
4305
  };
4274
4306
 
4275
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4307
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4276
4308
 
4277
4309
  /*
4278
4310
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4352,7 +4384,7 @@ class PopTokenGenerator {
4352
4384
  }
4353
4385
  }
4354
4386
 
4355
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4387
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4356
4388
  /*
4357
4389
  * Copyright (c) Microsoft Corporation. All rights reserved.
4358
4390
  * Licensed under the MIT License.
@@ -4376,7 +4408,7 @@ const refreshTokenExpired = "refresh_token_expired";
4376
4408
  * MSAL-defined error code indicating UI/UX is not allowed (e.g., blocked by policy), requiring alternate interaction.
4377
4409
  * @public
4378
4410
  */
4379
- const uxNotAllowed = "ux_not_allowed";
4411
+ const uiNotAllowed = "ui_not_allowed";
4380
4412
  /**
4381
4413
  * Server-originated error code indicating interaction is required to complete the request.
4382
4414
  * @public
@@ -4413,10 +4445,10 @@ var InteractionRequiredAuthErrorCodes = /*#__PURE__*/Object.freeze({
4413
4445
  nativeAccountUnavailable: nativeAccountUnavailable,
4414
4446
  noTokensFound: noTokensFound,
4415
4447
  refreshTokenExpired: refreshTokenExpired,
4416
- uxNotAllowed: uxNotAllowed
4448
+ uiNotAllowed: uiNotAllowed
4417
4449
  });
4418
4450
 
4419
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4451
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4420
4452
 
4421
4453
  /*
4422
4454
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4430,7 +4462,7 @@ const InteractionRequiredServerErrorMessage = [
4430
4462
  consentRequired,
4431
4463
  loginRequired,
4432
4464
  badToken,
4433
- uxNotAllowed,
4465
+ uiNotAllowed,
4434
4466
  interruptedUser,
4435
4467
  ];
4436
4468
  const InteractionRequiredAuthSubErrorMessage = [
@@ -4440,7 +4472,7 @@ const InteractionRequiredAuthSubErrorMessage = [
4440
4472
  "user_password_expired",
4441
4473
  "consent_required",
4442
4474
  "bad_token",
4443
- "ux_not_allowed",
4475
+ "ui_not_allowed",
4444
4476
  "interrupted_user",
4445
4477
  ];
4446
4478
  /**
@@ -4484,7 +4516,7 @@ function createInteractionRequiredAuthError(errorCode, errorMessage) {
4484
4516
  return new InteractionRequiredAuthError(errorCode, errorMessage);
4485
4517
  }
4486
4518
 
4487
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4519
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4488
4520
 
4489
4521
  /*
4490
4522
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4503,7 +4535,7 @@ class ServerError extends AuthError {
4503
4535
  }
4504
4536
  }
4505
4537
 
4506
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4538
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4507
4539
 
4508
4540
  /*
4509
4541
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4571,7 +4603,7 @@ function parseRequestState(base64Decode, state) {
4571
4603
  }
4572
4604
  }
4573
4605
 
4574
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4606
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4575
4607
 
4576
4608
  /*
4577
4609
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4919,7 +4951,7 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
4919
4951
  return baseAccount;
4920
4952
  }
4921
4953
 
4922
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4954
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4923
4955
  /*
4924
4956
  * Copyright (c) Microsoft Corporation. All rights reserved.
4925
4957
  * Licensed under the MIT License.
@@ -4929,7 +4961,7 @@ const CcsCredentialType = {
4929
4961
  UPN: "UPN",
4930
4962
  };
4931
4963
 
4932
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4964
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4933
4965
  /*
4934
4966
  * Copyright (c) Microsoft Corporation. All rights reserved.
4935
4967
  * Licensed under the MIT License.
@@ -4947,7 +4979,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
4947
4979
  }
4948
4980
  }
4949
4981
 
4950
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4982
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4951
4983
  /*
4952
4984
  * Copyright (c) Microsoft Corporation. All rights reserved.
4953
4985
  * Licensed under the MIT License.
@@ -4968,7 +5000,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
4968
5000
  };
4969
5001
  }
4970
5002
 
4971
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5003
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4972
5004
 
4973
5005
  /*
4974
5006
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5054,7 +5086,7 @@ class ThrottlingUtils {
5054
5086
  }
5055
5087
  }
5056
5088
 
5057
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5089
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5058
5090
 
5059
5091
  /*
5060
5092
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5085,7 +5117,7 @@ function createNetworkError(error, httpStatus, responseHeaders, additionalError)
5085
5117
  return new NetworkError(error, httpStatus, responseHeaders);
5086
5118
  }
5087
5119
 
5088
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5120
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5089
5121
 
5090
5122
  /*
5091
5123
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5199,7 +5231,7 @@ async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId
5199
5231
  return response;
5200
5232
  }
5201
5233
 
5202
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5234
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5203
5235
  /*
5204
5236
  * Copyright (c) Microsoft Corporation. All rights reserved.
5205
5237
  * Licensed under the MIT License.
@@ -5211,7 +5243,7 @@ function isOpenIdConfigResponse(response) {
5211
5243
  response.hasOwnProperty("jwks_uri"));
5212
5244
  }
5213
5245
 
5214
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5246
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5215
5247
  /*
5216
5248
  * Copyright (c) Microsoft Corporation. All rights reserved.
5217
5249
  * Licensed under the MIT License.
@@ -5221,7 +5253,7 @@ function isCloudInstanceDiscoveryResponse(response) {
5221
5253
  response.hasOwnProperty("metadata"));
5222
5254
  }
5223
5255
 
5224
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5256
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5225
5257
  /*
5226
5258
  * Copyright (c) Microsoft Corporation. All rights reserved.
5227
5259
  * Licensed under the MIT License.
@@ -5231,7 +5263,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
5231
5263
  response.hasOwnProperty("error_description"));
5232
5264
  }
5233
5265
 
5234
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5266
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5235
5267
 
5236
5268
  /*
5237
5269
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5336,7 +5368,7 @@ RegionDiscovery.IMDS_OPTIONS = {
5336
5368
  },
5337
5369
  };
5338
5370
 
5339
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5371
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5340
5372
 
5341
5373
  /*
5342
5374
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5893,7 +5925,7 @@ class Authority {
5893
5925
  }
5894
5926
  }
5895
5927
  // If cloudDiscoveryMetadata is empty or does not contain the host, check knownAuthorities
5896
- if (this.isInKnownAuthorities()) {
5928
+ if (this.isInKnownAuthorities(this.hostnameAndPort)) {
5897
5929
  this.logger.verbose("0mt9al", this.correlationId);
5898
5930
  return Authority.createCloudDiscoveryMetadataFromHost(this.hostnameAndPort);
5899
5931
  }
@@ -5960,13 +5992,14 @@ class Authority {
5960
5992
  return match;
5961
5993
  }
5962
5994
  /**
5963
- * Helper function to determine if this host is included in the knownAuthorities config option
5995
+ * Helper function to determine if a host is included in the knownAuthorities config option.
5964
5996
  */
5965
- isInKnownAuthorities() {
5997
+ isInKnownAuthorities(host) {
5998
+ const normalizedHost = host.toLowerCase();
5966
5999
  const matches = this.authorityOptions.knownAuthorities.filter((authority) => {
5967
6000
  return (authority &&
5968
6001
  UrlString.getDomainFromUrl(authority).toLowerCase() ===
5969
- this.hostnameAndPort);
6002
+ normalizedHost);
5970
6003
  });
5971
6004
  return matches.length > 0;
5972
6005
  }
@@ -6043,6 +6076,10 @@ class Authority {
6043
6076
  * 4. Same as (2), but the issuer host matches the CIAM tenant pattern
6044
6077
  * `{tenant}.ciamlogin.com` with an optional `/{tenant}[.onmicrosoft.com][/v2.0]`
6045
6078
  * path.
6079
+ * 5. The issuer host is HTTPS and is explicitly listed in the
6080
+ * developer-configured `knownAuthorities`. This covers scenarios where
6081
+ * the OIDC discovery document returns an issuer host that differs from
6082
+ * the authority (e.g., a GUID-based issuer for a name-based CIAM authority).
6046
6083
  *
6047
6084
  * @param issuer The `issuer` value returned in the OIDC discovery document.
6048
6085
  * @throws ClientConfigurationError("issuer_validation_failed") on failure.
@@ -6079,11 +6116,19 @@ class Authority {
6079
6116
  * have "{tenant}.ciamlogin.com" as the host, even when using a custom domain.
6080
6117
  */
6081
6118
  const matchesCiamTenantPattern = this.matchesCiamTenantPattern(issuerUrl, authorityHost, this.canonicalAuthorityUrlComponents.PathSegments);
6119
+ /*
6120
+ * Rule 5: The issuer host is explicitly listed in the developer-configured
6121
+ * knownAuthorities. This covers scenarios where the OIDC discovery document
6122
+ * returns an issuer with a different host than the authority
6123
+ * (e.g., a GUID-based issuer for a name-based authority).
6124
+ */
6125
+ const matchesKnownAuthority = issuerScheme === "https:" && this.isInKnownAuthorities(issuerHost);
6082
6126
  // Each rule is an independent boolean; the issuer is valid if ANY rule matches.
6083
6127
  if (matchesAuthorityOrigin ||
6084
6128
  matchesKnownMicrosoftHost ||
6085
6129
  matchesRegionalMicrosoftHost ||
6086
- matchesCiamTenantPattern) {
6130
+ matchesCiamTenantPattern ||
6131
+ matchesKnownAuthority) {
6087
6132
  return;
6088
6133
  }
6089
6134
  // issuer validation fails if none of the above rules are satisfied
@@ -6291,7 +6336,7 @@ function buildStaticAuthorityOptions(authOptions) {
6291
6336
  };
6292
6337
  }
6293
6338
 
6294
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6339
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6295
6340
 
6296
6341
  /*
6297
6342
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6325,7 +6370,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
6325
6370
  }
6326
6371
  }
6327
6372
 
6328
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6373
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6329
6374
 
6330
6375
  /*
6331
6376
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6582,7 +6627,7 @@ class AuthorizationCodeClient {
6582
6627
  }
6583
6628
  }
6584
6629
 
6585
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6630
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6586
6631
 
6587
6632
  /*
6588
6633
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6803,7 +6848,7 @@ class RefreshTokenClient {
6803
6848
  }
6804
6849
  }
6805
6850
 
6806
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6851
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6807
6852
 
6808
6853
  /*
6809
6854
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6919,7 +6964,7 @@ class SilentFlowClient {
6919
6964
  }
6920
6965
  }
6921
6966
 
6922
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6967
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6923
6968
 
6924
6969
  /*
6925
6970
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6934,7 +6979,7 @@ const StubbedNetworkModule = {
6934
6979
  },
6935
6980
  };
6936
6981
 
6937
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6982
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6938
6983
 
6939
6984
  /*
6940
6985
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7157,7 +7202,7 @@ function extractLoginHint(account) {
7157
7202
  return account.loginHint || account.idTokenClaims?.login_hint || null;
7158
7203
  }
7159
7204
 
7160
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7205
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7161
7206
 
7162
7207
  /*
7163
7208
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7190,7 +7235,7 @@ function containsResourceParam(params) {
7190
7235
  return Object.prototype.hasOwnProperty.call(params, "resource");
7191
7236
  }
7192
7237
 
7193
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7238
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7194
7239
 
7195
7240
  /*
7196
7241
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7248,7 +7293,7 @@ class AuthenticationHeaderParser {
7248
7293
  }
7249
7294
  }
7250
7295
 
7251
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7296
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7252
7297
  /*
7253
7298
  * Copyright (c) Microsoft Corporation. All rights reserved.
7254
7299
  * Licensed under the MIT License.
@@ -7265,7 +7310,7 @@ var AuthErrorCodes = /*#__PURE__*/Object.freeze({
7265
7310
  unexpectedError: unexpectedError
7266
7311
  });
7267
7312
 
7268
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7313
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7269
7314
 
7270
7315
  /*
7271
7316
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7376,35 +7421,40 @@ class ServerTelemetryManager {
7376
7421
  * @param error
7377
7422
  */
7378
7423
  cacheFailedRequest(error) {
7379
- const lastRequests = this.getLastRequests();
7380
- if (lastRequests.errors.length >=
7381
- SERVER_TELEM_MAX_CACHED_ERRORS) {
7382
- // Remove a cached error to make room, first in first out
7383
- lastRequests.failedRequests.shift(); // apiId
7384
- lastRequests.failedRequests.shift(); // correlationId
7385
- lastRequests.errors.shift();
7386
- }
7387
- lastRequests.failedRequests.push(this.apiId, this.correlationId);
7388
- if (error instanceof Error && !!error && error.toString()) {
7389
- if (error instanceof AuthError) {
7390
- if (error.subError) {
7391
- lastRequests.errors.push(error.subError);
7392
- }
7393
- else if (error.errorCode) {
7394
- lastRequests.errors.push(error.errorCode);
7424
+ try {
7425
+ const lastRequests = this.getLastRequests();
7426
+ if (lastRequests.errors.length >=
7427
+ SERVER_TELEM_MAX_CACHED_ERRORS) {
7428
+ // Remove a cached error to make room, first in first out
7429
+ lastRequests.failedRequests.shift(); // apiId
7430
+ lastRequests.failedRequests.shift(); // correlationId
7431
+ lastRequests.errors.shift();
7432
+ }
7433
+ lastRequests.failedRequests.push(this.apiId, this.correlationId);
7434
+ if (error instanceof Error && !!error && error.toString()) {
7435
+ if (error instanceof AuthError) {
7436
+ if (error.subError) {
7437
+ lastRequests.errors.push(error.subError);
7438
+ }
7439
+ else if (error.errorCode) {
7440
+ lastRequests.errors.push(error.errorCode);
7441
+ }
7442
+ else {
7443
+ lastRequests.errors.push(error.toString());
7444
+ }
7395
7445
  }
7396
7446
  else {
7397
7447
  lastRequests.errors.push(error.toString());
7398
7448
  }
7399
7449
  }
7400
7450
  else {
7401
- lastRequests.errors.push(error.toString());
7451
+ lastRequests.errors.push(SERVER_TELEM_UNKNOWN_ERROR);
7402
7452
  }
7453
+ this.cacheManager.setServerTelemetry(this.telemetryCacheKey, lastRequests, this.correlationId);
7403
7454
  }
7404
- else {
7405
- lastRequests.errors.push(SERVER_TELEM_UNKNOWN_ERROR);
7455
+ catch {
7456
+ // Ignore telemetry cache failures to avoid masking the original auth error path.
7406
7457
  }
7407
- this.cacheManager.setServerTelemetry(this.telemetryCacheKey, lastRequests, this.correlationId);
7408
7458
  return;
7409
7459
  }
7410
7460
  /**
@@ -7524,9 +7574,36 @@ class ServerTelemetryManager {
7524
7574
  static makeExtraSkuString(params) {
7525
7575
  return makeExtraSkuString(params);
7526
7576
  }
7577
+ }
7578
+ /** @internal */
7579
+ class StubServerTelemetryManager extends ServerTelemetryManager {
7580
+ constructor() {
7581
+ super({ clientId: "", apiId: 0, correlationId: "", forceRefresh: false }, {});
7582
+ }
7583
+ generateCurrentRequestHeaderValue() {
7584
+ return "";
7585
+ }
7586
+ generateLastRequestHeaderValue() {
7587
+ return "";
7588
+ }
7589
+ cacheFailedRequest() { }
7590
+ incrementCacheHits() {
7591
+ return 0;
7592
+ }
7593
+ clearTelemetryCache() { }
7594
+ getRegionDiscoveryFields() {
7595
+ return "";
7596
+ }
7597
+ updateRegionDiscoveryMetadata() { }
7598
+ setCacheOutcome() { }
7599
+ setNativeBrokerErrorCode() { }
7600
+ getNativeBrokerErrorCode() {
7601
+ return undefined;
7602
+ }
7603
+ clearNativeBrokerErrorCode() { }
7527
7604
  }
7528
7605
 
7529
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7606
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7530
7607
 
7531
7608
  /*
7532
7609
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7547,7 +7624,7 @@ function createJoseHeaderError(code) {
7547
7624
  return new JoseHeaderError(code);
7548
7625
  }
7549
7626
 
7550
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7627
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7551
7628
  /*
7552
7629
  * Copyright (c) Microsoft Corporation. All rights reserved.
7553
7630
  * Licensed under the MIT License.
@@ -7555,7 +7632,7 @@ function createJoseHeaderError(code) {
7555
7632
  const missingKidError = "missing_kid_error";
7556
7633
  const missingAlgError = "missing_alg_error";
7557
7634
 
7558
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7635
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7559
7636
 
7560
7637
  /*
7561
7638
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7595,7 +7672,7 @@ class JoseHeader {
7595
7672
  }
7596
7673
  }
7597
7674
 
7598
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7675
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7599
7676
 
7600
7677
  /*
7601
7678
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8208,7 +8285,6 @@ const SilentIframeClientTokenHelper = "silentIframeClientTokenHelper";
8208
8285
  */
8209
8286
  const SilentHandlerInitiateAuthRequest = "silentHandlerInitiateAuthRequest";
8210
8287
  const SilentHandlerMonitorIframeForHash = "silentHandlerMonitorIframeForHash";
8211
- const SilentHandlerLoadFrameSync = "silentHandlerLoadFrameSync";
8212
8288
  /**
8213
8289
  * Helper functions in StandardInteractionClient class (msal-browser)
8214
8290
  */
@@ -8390,6 +8466,43 @@ function createBrowserAuthError(errorCode, subError) {
8390
8466
  return new BrowserAuthError(errorCode, subError);
8391
8467
  }
8392
8468
 
8469
+ /*
8470
+ * Copyright (c) Microsoft Corporation. All rights reserved.
8471
+ * Licensed under the MIT License.
8472
+ */
8473
+ /**
8474
+ * Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details:
8475
+ * https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
8476
+ */
8477
+ /**
8478
+ * Returns a URL-safe plaintext decoded string from b64 encoded input.
8479
+ * @param input
8480
+ */
8481
+ function base64Decode(input) {
8482
+ return new TextDecoder().decode(base64DecToArr(input));
8483
+ }
8484
+ /**
8485
+ * Decodes base64 into Uint8Array
8486
+ * @param base64String
8487
+ */
8488
+ function base64DecToArr(base64String) {
8489
+ let encodedString = base64String.replace(/-/g, "+").replace(/_/g, "/");
8490
+ switch (encodedString.length % 4) {
8491
+ case 0:
8492
+ break;
8493
+ case 2:
8494
+ encodedString += "==";
8495
+ break;
8496
+ case 3:
8497
+ encodedString += "=";
8498
+ break;
8499
+ default:
8500
+ throw createBrowserAuthError(invalidBase64String);
8501
+ }
8502
+ const binString = atob(encodedString);
8503
+ return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
8504
+ }
8505
+
8393
8506
  /*
8394
8507
  * Copyright (c) Microsoft Corporation. All rights reserved.
8395
8508
  * Licensed under the MIT License.
@@ -8649,43 +8762,6 @@ function base64EncArr(aBytes) {
8649
8762
  return btoa(binString);
8650
8763
  }
8651
8764
 
8652
- /*
8653
- * Copyright (c) Microsoft Corporation. All rights reserved.
8654
- * Licensed under the MIT License.
8655
- */
8656
- /**
8657
- * Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details:
8658
- * https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
8659
- */
8660
- /**
8661
- * Returns a URL-safe plaintext decoded string from b64 encoded input.
8662
- * @param input
8663
- */
8664
- function base64Decode(input) {
8665
- return new TextDecoder().decode(base64DecToArr(input));
8666
- }
8667
- /**
8668
- * Decodes base64 into Uint8Array
8669
- * @param base64String
8670
- */
8671
- function base64DecToArr(base64String) {
8672
- let encodedString = base64String.replace(/-/g, "+").replace(/_/g, "/");
8673
- switch (encodedString.length % 4) {
8674
- case 0:
8675
- break;
8676
- case 2:
8677
- encodedString += "==";
8678
- break;
8679
- case 3:
8680
- encodedString += "=";
8681
- break;
8682
- default:
8683
- throw createBrowserAuthError(invalidBase64String);
8684
- }
8685
- const binString = atob(encodedString);
8686
- return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
8687
- }
8688
-
8689
8765
  /*
8690
8766
  * Copyright (c) Microsoft Corporation. All rights reserved.
8691
8767
  * Licensed under the MIT License.
@@ -9104,6 +9180,16 @@ function clearHash(contentWindow) {
9104
9180
  contentWindow.history.replaceState(null, "", `${contentWindow.location.origin}${contentWindow.location.pathname}${contentWindow.location.search}`);
9105
9181
  }
9106
9182
  }
9183
+ /**
9184
+ * Strips both hash and query string from the given window's URL by replacing
9185
+ * with origin + pathname only. Used to remove auth response parameters
9186
+ * (auth code, state, etc.) before the window is closed or navigated away.
9187
+ */
9188
+ function clearAuthResponseFromUrl(contentWindow) {
9189
+ if (typeof contentWindow.history?.replaceState === "function") {
9190
+ contentWindow.history.replaceState(null, "", `${contentWindow.location.origin}${contentWindow.location.pathname}`);
9191
+ }
9192
+ }
9107
9193
  /**
9108
9194
  * Replaces current hash with hash from provided url
9109
9195
  */
@@ -9162,7 +9248,7 @@ function cancelPendingBridgeResponse(logger, correlationId) {
9162
9248
  activeBridgeMonitor = null;
9163
9249
  }
9164
9250
  }
9165
- async function waitForBridgeResponse(timeoutMs, logger, browserCrypto, request, performanceClient, experimentalConfig) {
9251
+ async function waitForBridgeResponse(timeoutMs, logger, request, performanceClient, experimentalConfig) {
9166
9252
  return new Promise((resolve, reject) => {
9167
9253
  logger.verbose("1rf6em", request.correlationId);
9168
9254
  const correlationId = request.correlationId;
@@ -9170,7 +9256,7 @@ async function waitForBridgeResponse(timeoutMs, logger, browserCrypto, request,
9170
9256
  redirectBridgeTimeoutMs: timeoutMs,
9171
9257
  lateResponseExperimentEnabled: experimentalConfig?.iframeTimeoutTelemetry || false,
9172
9258
  }, correlationId);
9173
- const { libraryState } = parseRequestState(browserCrypto.base64Decode, request.state || "");
9259
+ const { libraryState } = parseRequestState(base64Decode, request.state || "");
9174
9260
  const channel = new BroadcastChannel(libraryState.id);
9175
9261
  let responseString = undefined;
9176
9262
  let timedOut$1 = false;
@@ -9358,6 +9444,7 @@ var BrowserUtils = /*#__PURE__*/Object.freeze({
9358
9444
  blockRedirectInIframe: blockRedirectInIframe,
9359
9445
  blockReloadInHiddenIframes: blockReloadInHiddenIframes,
9360
9446
  cancelPendingBridgeResponse: cancelPendingBridgeResponse,
9447
+ clearAuthResponseFromUrl: clearAuthResponseFromUrl,
9361
9448
  clearHash: clearHash,
9362
9449
  createGuid: createGuid,
9363
9450
  getCurrentUri: getCurrentUri,
@@ -10532,7 +10619,7 @@ const EventType = {
10532
10619
 
10533
10620
  /* eslint-disable header/header */
10534
10621
  const name = "@azure/msal-browser";
10535
- const version = "5.11.0";
10622
+ const version = "5.13.0";
10536
10623
 
10537
10624
  /*
10538
10625
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -10554,6 +10641,15 @@ function removeElementFromArray(array, element) {
10554
10641
  * Copyright (c) Microsoft Corporation. All rights reserved.
10555
10642
  * Licensed under the MIT License.
10556
10643
  */
10644
+ /**
10645
+ * Reason an old-schema cache entry was removed during migration.
10646
+ */
10647
+ const MigrationRemovalReason = {
10648
+ Invalid: "invalid",
10649
+ TtlExpired: "ttlExpired",
10650
+ DecryptFailed: "decryptFailed",
10651
+ Expired: "expired",
10652
+ };
10557
10653
  /**
10558
10654
  * This class implements the cache storage interface for MSAL through browser local or session storage.
10559
10655
  */
@@ -10623,7 +10719,10 @@ class BrowserCacheManager extends CacheManager {
10623
10719
  const parsedValue = this.validateAndParseJson(rawValue || "");
10624
10720
  if (!parsedValue) {
10625
10721
  this.browserStorage.removeItem(key);
10626
- return null;
10722
+ return {
10723
+ entry: null,
10724
+ removalReason: MigrationRemovalReason.Invalid,
10725
+ };
10627
10726
  }
10628
10727
  if (!parsedValue.lastUpdatedAt) {
10629
10728
  // Add lastUpdatedAt to the existing v0 entry if it doesnt exist so we know when it's safe to remove it
@@ -10632,25 +10731,42 @@ class BrowserCacheManager extends CacheManager {
10632
10731
  }
10633
10732
  else if (isCacheExpired(parsedValue.lastUpdatedAt, this.cacheConfig.cacheRetentionDays)) {
10634
10733
  this.browserStorage.removeItem(key);
10635
- this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
10636
- return null;
10734
+ return {
10735
+ entry: null,
10736
+ removalReason: MigrationRemovalReason.TtlExpired,
10737
+ };
10637
10738
  }
10638
- const decryptedData = isEncrypted(parsedValue)
10739
+ const wasEncrypted = isEncrypted(parsedValue);
10740
+ const decryptedData = wasEncrypted
10639
10741
  ? await this.browserStorage.decryptData(key, parsedValue, correlationId)
10640
10742
  : parsedValue;
10641
- if (!decryptedData || !isCredentialEntity(decryptedData)) {
10642
- this.performanceClient.incrementFields({ invalidCacheCount: 1 }, correlationId);
10643
- return null;
10743
+ if (!decryptedData) {
10744
+ this.browserStorage.removeItem(key);
10745
+ return {
10746
+ entry: null,
10747
+ removalReason: wasEncrypted
10748
+ ? MigrationRemovalReason.DecryptFailed
10749
+ : MigrationRemovalReason.Invalid,
10750
+ };
10751
+ }
10752
+ if (!isCredentialEntity(decryptedData)) {
10753
+ this.browserStorage.removeItem(key);
10754
+ return {
10755
+ entry: null,
10756
+ removalReason: MigrationRemovalReason.Invalid,
10757
+ };
10644
10758
  }
10645
10759
  if ((isAccessTokenEntity(decryptedData) ||
10646
10760
  isRefreshTokenEntity(decryptedData)) &&
10647
10761
  decryptedData.expiresOn &&
10648
10762
  isTokenExpired(decryptedData.expiresOn, DEFAULT_TOKEN_RENEWAL_OFFSET_SEC)) {
10649
10763
  this.browserStorage.removeItem(key);
10650
- this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
10651
- return null;
10764
+ return {
10765
+ entry: null,
10766
+ removalReason: MigrationRemovalReason.Expired,
10767
+ };
10652
10768
  }
10653
- return decryptedData;
10769
+ return { entry: decryptedData };
10654
10770
  }
10655
10771
  /**
10656
10772
  * Remove accounts from the cache for older schema versions if they have not been updated in the last cacheRetentionDays
@@ -10669,6 +10785,8 @@ class BrowserCacheManager extends CacheManager {
10669
10785
  const rawValue = this.browserStorage.getItem(accountKey);
10670
10786
  const parsedValue = this.validateAndParseJson(rawValue || "");
10671
10787
  if (!parsedValue) {
10788
+ this.browserStorage.removeItem(accountKey);
10789
+ this.performanceClient.incrementFields({ invalidAcntCount: 1 }, correlationId);
10672
10790
  removeElementFromArray(accountKeysToCheck, accountKey);
10673
10791
  continue;
10674
10792
  }
@@ -10681,8 +10799,20 @@ class BrowserCacheManager extends CacheManager {
10681
10799
  else if (isCacheExpired(parsedValue.lastUpdatedAt, this.cacheConfig.cacheRetentionDays)) {
10682
10800
  // Cache expired remove account and associated tokens
10683
10801
  await this.removeAccountOldSchema(accountKey, parsedValue, credentialSchema, correlationId);
10802
+ this.performanceClient.incrementFields({ ttlExpiredAcntCount: 1 }, correlationId);
10684
10803
  removeElementFromArray(accountKeysToCheck, accountKey);
10685
10804
  }
10805
+ else if (isEncrypted(parsedValue)) {
10806
+ // Remove accounts encrypted with a different key (session cookie expired/changed)
10807
+ const decrypted = await this.browserStorage.decryptData(accountKey, parsedValue, correlationId);
10808
+ if (!decrypted) {
10809
+ this.browserStorage.removeItem(accountKey);
10810
+ this.performanceClient.incrementFields({
10811
+ decryptFailedAcntCount: 1,
10812
+ }, correlationId);
10813
+ removeElementFromArray(accountKeysToCheck, accountKey);
10814
+ }
10815
+ }
10686
10816
  }
10687
10817
  this.setAccountKeys(accountKeysToCheck, correlationId, accountSchema);
10688
10818
  }
@@ -10720,7 +10850,6 @@ class BrowserCacheManager extends CacheManager {
10720
10850
  });
10721
10851
  this.setTokenKeys(tokenKeys, correlationId, credentialSchema);
10722
10852
  }
10723
- this.performanceClient.incrementFields({ expiredAcntRemovedCount: 1 }, correlationId);
10724
10853
  this.browserStorage.removeItem(accountKey);
10725
10854
  }
10726
10855
  /**
@@ -10759,8 +10888,20 @@ class BrowserCacheManager extends CacheManager {
10759
10888
  const previousAccountKeys = getAccountKeys(this.browserStorage, accountSchema);
10760
10889
  for (const idTokenKey of [...credentialKeysToMigrate.idToken]) {
10761
10890
  this.performanceClient.incrementFields({ oldITCount: 1 }, correlationId);
10762
- const oldSchemaData = (await this.updateOldEntry(idTokenKey, correlationId));
10891
+ const result = await this.updateOldEntry(idTokenKey, correlationId);
10892
+ const oldSchemaData = result.entry;
10763
10893
  if (!oldSchemaData) {
10894
+ switch (result.removalReason) {
10895
+ case MigrationRemovalReason.TtlExpired:
10896
+ this.performanceClient.incrementFields({ ttlExpiredITCount: 1 }, correlationId);
10897
+ break;
10898
+ case MigrationRemovalReason.DecryptFailed:
10899
+ this.performanceClient.incrementFields({ decryptFailedITCount: 1 }, correlationId);
10900
+ break;
10901
+ case MigrationRemovalReason.Invalid:
10902
+ this.performanceClient.incrementFields({ invalidITCount: 1 }, correlationId);
10903
+ break;
10904
+ }
10764
10905
  removeElementFromArray(credentialKeysToMigrate.idToken, idTokenKey);
10765
10906
  continue;
10766
10907
  }
@@ -10839,8 +10980,23 @@ class BrowserCacheManager extends CacheManager {
10839
10980
  const currentCredentialKeys = getTokenKeys(this.clientId, this.browserStorage, CREDENTIAL_SCHEMA_VERSION);
10840
10981
  for (const accessTokenKey of [...credentialKeysToMigrate.accessToken]) {
10841
10982
  this.performanceClient.incrementFields({ oldATCount: 1 }, correlationId);
10842
- const oldSchemaData = (await this.updateOldEntry(accessTokenKey, correlationId));
10983
+ const result = await this.updateOldEntry(accessTokenKey, correlationId);
10984
+ const oldSchemaData = result.entry;
10843
10985
  if (!oldSchemaData) {
10986
+ switch (result.removalReason) {
10987
+ case MigrationRemovalReason.TtlExpired:
10988
+ this.performanceClient.incrementFields({ ttlExpiredATCount: 1 }, correlationId);
10989
+ break;
10990
+ case MigrationRemovalReason.DecryptFailed:
10991
+ this.performanceClient.incrementFields({ decryptFailedATCount: 1 }, correlationId);
10992
+ break;
10993
+ case MigrationRemovalReason.Expired:
10994
+ this.performanceClient.incrementFields({ expiredATCount: 1 }, correlationId);
10995
+ break;
10996
+ case MigrationRemovalReason.Invalid:
10997
+ this.performanceClient.incrementFields({ invalidATCount: 1 }, correlationId);
10998
+ break;
10999
+ }
10844
11000
  removeElementFromArray(credentialKeysToMigrate.accessToken, accessTokenKey);
10845
11001
  continue;
10846
11002
  }
@@ -10886,8 +11042,23 @@ class BrowserCacheManager extends CacheManager {
10886
11042
  ...credentialKeysToMigrate.refreshToken,
10887
11043
  ]) {
10888
11044
  this.performanceClient.incrementFields({ oldRTCount: 1 }, correlationId);
10889
- const oldSchemaData = (await this.updateOldEntry(refreshTokenKey, correlationId));
11045
+ const result = await this.updateOldEntry(refreshTokenKey, correlationId);
11046
+ const oldSchemaData = result.entry;
10890
11047
  if (!oldSchemaData) {
11048
+ switch (result.removalReason) {
11049
+ case MigrationRemovalReason.TtlExpired:
11050
+ this.performanceClient.incrementFields({ ttlExpiredRTCount: 1 }, correlationId);
11051
+ break;
11052
+ case MigrationRemovalReason.DecryptFailed:
11053
+ this.performanceClient.incrementFields({ decryptFailedRTCount: 1 }, correlationId);
11054
+ break;
11055
+ case MigrationRemovalReason.Expired:
11056
+ this.performanceClient.incrementFields({ expiredRTCount: 1 }, correlationId);
11057
+ break;
11058
+ case MigrationRemovalReason.Invalid:
11059
+ this.performanceClient.incrementFields({ invalidRTCount: 1 }, correlationId);
11060
+ break;
11061
+ }
10891
11062
  removeElementFromArray(credentialKeysToMigrate.refreshToken, refreshTokenKey);
10892
11063
  continue;
10893
11064
  }
@@ -12087,10 +12258,15 @@ function getRedirectUri(requestRedirectUri, clientConfigRedirectUri, logger, cor
12087
12258
  * @param browserStorage - Browser cache manager instance for storing telemetry data
12088
12259
  * @param logger - Optional logger instance for verbose logging
12089
12260
  * @param forceRefresh - Optional flag to force refresh of telemetry data
12261
+ * @param enabled - Optional flag to enable or disable server telemetry (default: true for custom_auth flows, false for standard flows)
12090
12262
  * @returns Configured ServerTelemetryManager instance
12091
12263
  */
12092
- function initializeServerTelemetryManager(apiId, clientId, correlationId, browserStorage, logger, forceRefresh) {
12264
+ function initializeServerTelemetryManager(apiId, clientId, correlationId, browserStorage, logger, forceRefresh, enabled = true) {
12093
12265
  logger.verbose("1p12tq", correlationId);
12266
+ if (!enabled) {
12267
+ logger.verbose("0tajnr", correlationId);
12268
+ return new StubServerTelemetryManager();
12269
+ }
12094
12270
  const telemetryPayload = {
12095
12271
  clientId: clientId,
12096
12272
  correlationId: correlationId,
@@ -12626,7 +12802,7 @@ const USER_CANCEL = "USER_CANCEL";
12626
12802
  const NO_NETWORK = "NO_NETWORK";
12627
12803
  const DISABLED = "DISABLED";
12628
12804
  const ACCOUNT_UNAVAILABLE = "ACCOUNT_UNAVAILABLE";
12629
- const UX_NOT_ALLOWED = "UX_NOT_ALLOWED";
12805
+ const UI_NOT_ALLOWED = "UI_NOT_ALLOWED";
12630
12806
 
12631
12807
  /*
12632
12808
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -12681,8 +12857,8 @@ function createNativeAuthError(code, description, ext) {
12681
12857
  return createBrowserAuthError(userCancelled);
12682
12858
  case NO_NETWORK:
12683
12859
  return createBrowserAuthError(noNetworkConnectivity);
12684
- case UX_NOT_ALLOWED:
12685
- return createInteractionRequiredAuthError(uxNotAllowed);
12860
+ case UI_NOT_ALLOWED:
12861
+ return createInteractionRequiredAuthError(uiNotAllowed);
12686
12862
  }
12687
12863
  }
12688
12864
  return new NativeAuthError(code, description, ext);
@@ -12699,7 +12875,7 @@ class SilentCacheClient extends StandardInteractionClient {
12699
12875
  */
12700
12876
  async acquireToken(silentRequest) {
12701
12877
  // Telemetry manager only used to increment cacheHits here
12702
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenSilent_silentFlow, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
12878
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenSilent_silentFlow, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
12703
12879
  const clientConfig = await invokeAsync(this.getClientConfiguration.bind(this), StandardInteractionClientGetClientConfiguration, this.logger, this.performanceClient, this.correlationId)({
12704
12880
  serverTelemetryManager,
12705
12881
  requestAuthority: silentRequest.authority,
@@ -12775,7 +12951,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12775
12951
  // start the perf measurement
12776
12952
  const nativeATMeasurement = this.performanceClient.startMeasurement(NativeInteractionClientAcquireToken, this.correlationId);
12777
12953
  const reqTimestamp = nowSeconds();
12778
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
12954
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
12779
12955
  try {
12780
12956
  // initialize native request
12781
12957
  const nativeRequest = await this.initializePlatformRequest(request);
@@ -12899,7 +13075,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12899
13075
  catch (e) {
12900
13076
  // Only throw fatal errors here to allow application to fallback to regular redirect. Otherwise proceed and the error will be thrown in handleRedirectPromise
12901
13077
  if (e instanceof NativeAuthError) {
12902
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
13078
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
12903
13079
  serverTelemetryManager.setNativeBrokerErrorCode(e.errorCode);
12904
13080
  if (isFatalNativeAuthError(e)) {
12905
13081
  throw e;
@@ -12913,7 +13089,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12913
13089
  noHistory: false,
12914
13090
  };
12915
13091
  const redirectUri = navigateToLoginRequestUrl
12916
- ? window.location.href
13092
+ ? UrlString.getAbsoluteUrl(request.redirectStartPage || window.location.href, getCurrentUri())
12917
13093
  : getRedirectUri(request.redirectUri, this.config.auth.redirectUri, this.logger, this.correlationId);
12918
13094
  rootMeasurement.end({ success: true });
12919
13095
  await this.navigationClient.navigateExternal(redirectUri, navigationOptions); // Need to treat this as external to ensure handleRedirectPromise is run again
@@ -12946,7 +13122,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12946
13122
  this.logger.verbose("003x5a", this.correlationId);
12947
13123
  const response = await this.platformAuthProvider.sendMessage(request);
12948
13124
  const authResult = await this.handleNativeResponse(response, request, reqTimestamp);
12949
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
13125
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
12950
13126
  serverTelemetryManager.clearNativeBrokerErrorCode();
12951
13127
  this.performanceClient?.addFields({ isNativeBroker: true }, this.correlationId);
12952
13128
  return authResult;
@@ -13953,6 +14129,7 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
13953
14129
  nativeBrokerHandshakeTimeout: userInputSystem?.nativeBrokerHandshakeTimeout ||
13954
14130
  DEFAULT_NATIVE_BROKER_HANDSHAKE_TIMEOUT_MS,
13955
14131
  protocolMode: ProtocolMode.AAD,
14132
+ serverTelemetryEnabled: false,
13956
14133
  };
13957
14134
  const providedSystemOptions = {
13958
14135
  ...DEFAULT_BROWSER_SYSTEM_OPTIONS,
@@ -14499,10 +14676,11 @@ function isPlatformAuthAllowed(config, logger, correlationId, platformAuthProvid
14499
14676
  * Licensed under the MIT License.
14500
14677
  */
14501
14678
  class PopupClient extends StandardInteractionClient {
14502
- constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, nativeStorageImpl, correlationId, platformAuthHandler) {
14679
+ constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, nativeStorageImpl, correlationId, platformAuthHandler, waitForPopupResponseHook) {
14503
14680
  super(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, correlationId, platformAuthHandler);
14504
14681
  this.nativeStorage = nativeStorageImpl;
14505
14682
  this.eventHandler = eventHandler;
14683
+ this.waitForPopupResponseHook = waitForPopupResponseHook;
14506
14684
  }
14507
14685
  /**
14508
14686
  * Acquires tokens by opening a popup window to the /authorize endpoint of the authority
@@ -14610,7 +14788,7 @@ class PopupClient extends StandardInteractionClient {
14610
14788
  */
14611
14789
  async executeCodeFlow(request, popupParams, pkceCodes) {
14612
14790
  const correlationId = request.correlationId;
14613
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenPopup, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
14791
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenPopup, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
14614
14792
  const pkce = pkceCodes ||
14615
14793
  (await invokeAsync(generatePkceCodes, GeneratePkceCodes, this.logger, this.performanceClient, correlationId)(this.performanceClient, this.logger, correlationId));
14616
14794
  const popupRequest = {
@@ -14636,7 +14814,7 @@ class PopupClient extends StandardInteractionClient {
14636
14814
  const popupWindow = this.initiateAuthRequest(navigateUrl, popupParams);
14637
14815
  this.eventHandler.emitEvent(EventType.POPUP_OPENED, correlationId, exports.InteractionType.Popup, { popupWindow }, null);
14638
14816
  // Wait for the redirect bridge response
14639
- const responseString = await waitForBridgeResponse(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient);
14817
+ const responseString = await this.waitForPopupResponse(request, popupWindow, popupParams.popupWindowParent);
14640
14818
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.responseMode, this.logger, this.correlationId);
14641
14819
  return await invokeAsync(handleResponseCode, HandleResponseCode, this.logger, this.performanceClient, correlationId)(request, serverParams, pkce.verifier, ApiId.acquireTokenPopup, this.config, authClient, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
14642
14820
  }
@@ -14671,11 +14849,11 @@ class PopupClient extends StandardInteractionClient {
14671
14849
  const form = await getEARForm(popupWindow.document, this.config, discoveredAuthority, popupRequest, this.logger, this.performanceClient);
14672
14850
  form.submit();
14673
14851
  // Monitor the popup for the hash. Return the string value and close the popup when the hash is received. Default timeout is 60 seconds.
14674
- const responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, popupRequest, this.performanceClient);
14852
+ const responseString = await invokeAsync(this.waitForPopupResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(popupRequest, popupWindow, popupParams.popupWindowParent);
14675
14853
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.responseMode, this.logger, this.correlationId);
14676
14854
  if (!serverParams.ear_jwe && serverParams.code) {
14677
14855
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, correlationId)({
14678
- serverTelemetryManager: initializeServerTelemetryManager(ApiId.acquireTokenPopup, this.config.auth.clientId, correlationId, this.browserStorage, this.logger),
14856
+ serverTelemetryManager: initializeServerTelemetryManager(ApiId.acquireTokenPopup, this.config.auth.clientId, correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled),
14679
14857
  requestAuthority: request.authority,
14680
14858
  requestAzureCloudOptions: request.azureCloudOptions,
14681
14859
  requestExtraQueryParameters: request.extraQueryParameters,
@@ -14696,7 +14874,7 @@ class PopupClient extends StandardInteractionClient {
14696
14874
  const form = await getCodeForm(popupWindow.document, this.config, discoveredAuthority, request, this.logger, this.performanceClient);
14697
14875
  form.submit();
14698
14876
  // Monitor the popup for the hash. Return the string value and close the popup when the hash is received. Default timeout is 60 seconds.
14699
- const responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient);
14877
+ const responseString = await invokeAsync(this.waitForPopupResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(request, popupWindow, popupParams.popupWindowParent);
14700
14878
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.responseMode, this.logger, this.correlationId);
14701
14879
  return invokeAsync(handleResponseCode, HandleResponseCode, this.logger, this.performanceClient, correlationId)(request, serverParams, pkceVerifier, ApiId.acquireTokenPopup, this.config, authClient, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
14702
14880
  }
@@ -14712,7 +14890,7 @@ class PopupClient extends StandardInteractionClient {
14712
14890
  async logoutPopupAsync(validRequest, popupParams, requestAuthority, mainWindowRedirectUri) {
14713
14891
  this.logger.verbose("0b7yrk", this.correlationId);
14714
14892
  this.eventHandler.emitEvent(EventType.LOGOUT_START, this.correlationId, exports.InteractionType.Popup, validRequest);
14715
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.logoutPopup, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
14893
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.logoutPopup, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
14716
14894
  try {
14717
14895
  // Clear cache on logout
14718
14896
  await clearCacheOnLogout(this.browserStorage, this.browserCrypto, this.logger, this.correlationId, validRequest.account);
@@ -14753,7 +14931,7 @@ class PopupClient extends StandardInteractionClient {
14753
14931
  // Open the popup window to requestUrl.
14754
14932
  const popupWindow = this.openPopup(logoutUri, popupParams);
14755
14933
  this.eventHandler.emitEvent(EventType.POPUP_OPENED, validRequest.correlationId, exports.InteractionType.Popup, { popupWindow }, null);
14756
- await waitForBridgeResponse(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, validRequest, this.performanceClient).catch(() => {
14934
+ await this.waitForPopupResponse(validRequest, popupWindow, popupParams.popupWindowParent).catch(() => {
14757
14935
  // Swallow any errors related to monitoring the window. Server logout is best effort
14758
14936
  });
14759
14937
  if (mainWindowRedirectUri) {
@@ -14832,6 +15010,19 @@ class PopupClient extends StandardInteractionClient {
14832
15010
  if (!popupWindow) {
14833
15011
  throw createBrowserAuthError(emptyWindowError);
14834
15012
  }
15013
+ try {
15014
+ popupWindow.document.title = "Microsoft Authentication";
15015
+ }
15016
+ catch (e) {
15017
+ if (typeof DOMException !== "undefined" &&
15018
+ e instanceof DOMException &&
15019
+ e.name === "SecurityError") {
15020
+ // Cross-origin - title cannot be set
15021
+ }
15022
+ else {
15023
+ this.logger.verbose("1s1yfs", this.correlationId);
15024
+ }
15025
+ }
14835
15026
  if (popupWindow.focus) {
14836
15027
  popupWindow.focus();
14837
15028
  }
@@ -14910,6 +15101,12 @@ class PopupClient extends StandardInteractionClient {
14910
15101
  const homeAccountId = request.account && request.account.homeAccountId;
14911
15102
  return `${BrowserConstants.POPUP_NAME_PREFIX}.${this.config.auth.clientId}.${homeAccountId}.${this.correlationId}`;
14912
15103
  }
15104
+ async waitForPopupResponse(request, popupWindow, popupWindowParent) {
15105
+ if (this.waitForPopupResponseHook) {
15106
+ return this.waitForPopupResponseHook(request, popupWindow, popupWindowParent);
15107
+ }
15108
+ return waitForBridgeResponse(this.config.system.popupBridgeTimeout, this.logger, request, this.performanceClient);
15109
+ }
14913
15110
  }
14914
15111
 
14915
15112
  /*
@@ -14977,7 +15174,7 @@ class RedirectClient extends StandardInteractionClient {
14977
15174
  */
14978
15175
  async executeCodeFlow(request) {
14979
15176
  const correlationId = request.correlationId;
14980
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenRedirect, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
15177
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenRedirect, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
14981
15178
  const pkceCodes = await invokeAsync(generatePkceCodes, GeneratePkceCodes, this.logger, this.performanceClient, correlationId)(this.performanceClient, this.logger, correlationId);
14982
15179
  const redirectRequest = {
14983
15180
  ...request,
@@ -15063,7 +15260,9 @@ class RedirectClient extends StandardInteractionClient {
15063
15260
  * @param options {HandleRedirectPromiseOptions} options for handling redirect promise
15064
15261
  */
15065
15262
  async handleRedirectPromise(request, pkceVerifier, parentMeasurement, options) {
15066
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.handleRedirectPromise, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
15263
+ const originalTitle = document.title;
15264
+ document.title = "Microsoft Authentication";
15265
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.handleRedirectPromise, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
15067
15266
  const navigateToLoginRequestUrl = options?.navigateToLoginRequestUrl ?? true;
15068
15267
  try {
15069
15268
  const [serverParams, responseString] = this.getRedirectResponse(options?.hash || "");
@@ -15082,8 +15281,8 @@ class RedirectClient extends StandardInteractionClient {
15082
15281
  }
15083
15282
  // If navigateToLoginRequestUrl is true, get the url where the redirect request was initiated
15084
15283
  const loginRequestUrl = this.browserStorage.getTemporaryCache(TemporaryCacheKeys.ORIGIN_URI, this.correlationId, true) || "";
15085
- const loginRequestUrlNormalized = normalizeUrlForComparison(loginRequestUrl);
15086
- const currentUrlNormalized = normalizeUrlForComparison(window.location.href);
15284
+ const loginRequestUrlNormalized = normalizeUrlForComparison(loginRequestUrl, this.logger, this.correlationId);
15285
+ const currentUrlNormalized = normalizeUrlForComparison(window.location.href, this.logger, this.correlationId);
15087
15286
  if (loginRequestUrlNormalized === currentUrlNormalized &&
15088
15287
  navigateToLoginRequestUrl) {
15089
15288
  // We are on the page we need to navigate to - handle hash
@@ -15116,8 +15315,8 @@ class RedirectClient extends StandardInteractionClient {
15116
15315
  * The start page is expected to also call handleRedirectPromise which will process the hash in one of the checks above.
15117
15316
  */
15118
15317
  let processHashOnRedirect = true;
15119
- if (!loginRequestUrl || loginRequestUrl === "null") {
15120
- // Redirect to home page if login request url is null (real null or the string null)
15318
+ if (!loginRequestUrl) {
15319
+ // Redirect to home page if login request url is empty
15121
15320
  const homepage = getHomepage();
15122
15321
  // Cache the homepage under ORIGIN_URI to ensure cached hash is processed on homepage
15123
15322
  this.browserStorage.setTemporaryCache(TemporaryCacheKeys.ORIGIN_URI, homepage, true);
@@ -15145,6 +15344,9 @@ class RedirectClient extends StandardInteractionClient {
15145
15344
  }
15146
15345
  throw e;
15147
15346
  }
15347
+ finally {
15348
+ document.title = originalTitle;
15349
+ }
15148
15350
  }
15149
15351
  /**
15150
15352
  * Gets the response hash for a redirect request
@@ -15260,7 +15462,7 @@ class RedirectClient extends StandardInteractionClient {
15260
15462
  async logout(logoutRequest) {
15261
15463
  this.logger.verbose("1rkurh", this.correlationId);
15262
15464
  const validLogoutRequest = this.initializeLogoutRequest(logoutRequest);
15263
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.logout, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
15465
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.logout, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
15264
15466
  try {
15265
15467
  this.eventHandler.emitEvent(EventType.LOGOUT_START, this.correlationId, exports.InteractionType.Redirect, logoutRequest);
15266
15468
  // Clear cache on logout
@@ -15341,7 +15543,10 @@ class RedirectClient extends StandardInteractionClient {
15341
15543
  */
15342
15544
  getRedirectStartPage(requestStartPage) {
15343
15545
  const redirectStartPage = requestStartPage || window.location.href;
15344
- return UrlString.getAbsoluteUrl(redirectStartPage, getCurrentUri());
15546
+ const absoluteRedirectStartPage = UrlString.getAbsoluteUrl(redirectStartPage, getCurrentUri());
15547
+ // Sanity check the URL before it is cached so we never persist a malformed value (e.g. the literal string "null")
15548
+ validateUrl(absoluteRedirectStartPage, this.logger, this.correlationId);
15549
+ return absoluteRedirectStartPage;
15345
15550
  }
15346
15551
  }
15347
15552
 
@@ -15350,20 +15555,20 @@ class RedirectClient extends StandardInteractionClient {
15350
15555
  * Licensed under the MIT License.
15351
15556
  */
15352
15557
  /**
15353
- * Creates a hidden iframe to given URL using user-requested scopes as an id.
15354
- * @param urlNavigate
15355
- * @param userRequestScopes
15558
+ * Navigates the given hidden iframe to the provided URL.
15559
+ * @param frame
15560
+ * @param requestUrl
15356
15561
  */
15357
- async function initiateCodeRequest(requestUrl, performanceClient, logger, correlationId) {
15562
+ async function initiateCodeRequest(frame, requestUrl, logger, correlationId) {
15358
15563
  if (!requestUrl) {
15359
15564
  // Throw error if request URL is empty.
15360
15565
  logger.info("1l7hyp", correlationId);
15361
15566
  throw createBrowserAuthError(emptyNavigateUri);
15362
15567
  }
15363
- return invoke(loadFrameSync, SilentHandlerLoadFrameSync, logger, performanceClient, correlationId)(requestUrl);
15568
+ frame.src = requestUrl;
15569
+ return frame;
15364
15570
  }
15365
- async function initiateCodeFlowWithPost(config, authority, request, logger, performanceClient) {
15366
- const frame = createHiddenIframe();
15571
+ async function initiateCodeFlowWithPost(frame, config, authority, request, logger, performanceClient) {
15367
15572
  if (!frame.contentDocument) {
15368
15573
  throw "No document associated with iframe!";
15369
15574
  }
@@ -15371,8 +15576,7 @@ async function initiateCodeFlowWithPost(config, authority, request, logger, perf
15371
15576
  form.submit();
15372
15577
  return frame;
15373
15578
  }
15374
- async function initiateEarRequest(config, authority, request, logger, performanceClient) {
15375
- const frame = createHiddenIframe();
15579
+ async function initiateEarRequest(frame, config, authority, request, logger, performanceClient) {
15376
15580
  if (!frame.contentDocument) {
15377
15581
  throw "No document associated with iframe!";
15378
15582
  }
@@ -15382,24 +15586,14 @@ async function initiateEarRequest(config, authority, request, logger, performanc
15382
15586
  }
15383
15587
  /**
15384
15588
  * @hidden
15385
- * Loads the iframe synchronously when the navigateTimeFrame is set to `0`
15386
- * @param urlNavigate
15387
- * @param frameName
15388
- * @param logger
15389
- */
15390
- function loadFrameSync(urlNavigate) {
15391
- const frameHandle = createHiddenIframe();
15392
- frameHandle.src = urlNavigate;
15393
- return frameHandle;
15394
- }
15395
- /**
15396
- * @hidden
15397
- * Creates a new hidden iframe or gets an existing one for silent token renewal.
15589
+ * Creates a new hidden iframe for silent token renewal. Callers navigate it
15590
+ * (set `src` or submit a form) after registering the response listener.
15398
15591
  * @ignore
15399
15592
  */
15400
15593
  function createHiddenIframe() {
15401
15594
  const authFrame = document.createElement("iframe");
15402
15595
  authFrame.className = "msalSilentIframe";
15596
+ authFrame.title = "Microsoft Authentication";
15403
15597
  authFrame.style.visibility = "hidden";
15404
15598
  authFrame.style.position = "absolute";
15405
15599
  authFrame.style.width = authFrame.style.height = "0";
@@ -15425,10 +15619,11 @@ function removeHiddenIframe(iframe) {
15425
15619
  * Licensed under the MIT License.
15426
15620
  */
15427
15621
  class SilentIframeClient extends StandardInteractionClient {
15428
- constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, apiId, performanceClient, nativeStorageImpl, correlationId, platformAuthProvider) {
15622
+ constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, apiId, performanceClient, nativeStorageImpl, correlationId, platformAuthProvider, waitForIframeResponseHook) {
15429
15623
  super(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, correlationId, platformAuthProvider);
15430
15624
  this.apiId = apiId;
15431
15625
  this.nativeStorage = nativeStorageImpl;
15626
+ this.waitForIframeResponseHook = waitForIframeResponseHook;
15432
15627
  }
15433
15628
  /**
15434
15629
  * Acquires a token silently by opening a hidden iframe to the /authorize endpoint with prompt=none or prompt=no_session
@@ -15471,7 +15666,7 @@ class SilentIframeClient extends StandardInteractionClient {
15471
15666
  */
15472
15667
  async executeCodeFlow(request) {
15473
15668
  let authClient;
15474
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
15669
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
15475
15670
  try {
15476
15671
  // Initialize the client
15477
15672
  authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, request.correlationId)({
@@ -15513,11 +15708,22 @@ class SilentIframeClient extends StandardInteractionClient {
15513
15708
  earJwk: earJwk,
15514
15709
  codeChallenge: pkceCodes.challenge,
15515
15710
  };
15516
- const iframe = await invokeAsync(initiateEarRequest, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(this.config, discoveredAuthority, silentRequest, this.logger, this.performanceClient);
15711
+ // Create the iframe, register the response listener, then navigate, so the listener is active before the iframe can respond.
15712
+ const iframe = createHiddenIframe();
15517
15713
  const responseType = this.config.auth.OIDCOptions.responseMode;
15518
15714
  let responseString;
15519
15715
  try {
15520
- responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient, this.config.experimental);
15716
+ const responsePromise = invokeAsync(this.waitForIframeResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(iframe, request);
15717
+ responsePromise.catch(() => {
15718
+ /*
15719
+ * If navigation below throws before responsePromise is awaited,
15720
+ * the listener still rejects on timeout. Swallow it here so it
15721
+ * does not surface as an unhandled rejection; the navigation
15722
+ * error is propagated instead.
15723
+ */
15724
+ });
15725
+ await invokeAsync(initiateEarRequest, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(iframe, this.config, discoveredAuthority, silentRequest, this.logger, this.performanceClient);
15726
+ responseString = await responsePromise;
15521
15727
  }
15522
15728
  finally {
15523
15729
  invoke(removeHiddenIframe, RemoveHiddenIframe, this.logger, this.performanceClient, correlationId)(iframe);
@@ -15526,7 +15732,7 @@ class SilentIframeClient extends StandardInteractionClient {
15526
15732
  if (!serverParams.ear_jwe && serverParams.code) {
15527
15733
  // If server doesn't support EAR, they may fallback to auth code flow instead
15528
15734
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, correlationId)({
15529
- serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, correlationId, this.browserStorage, this.logger),
15735
+ serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled),
15530
15736
  requestAuthority: request.authority,
15531
15737
  requestAzureCloudOptions: request.azureCloudOptions,
15532
15738
  requestExtraQueryParameters: request.extraQueryParameters,
@@ -15553,7 +15759,7 @@ class SilentIframeClient extends StandardInteractionClient {
15553
15759
  // Create silent request
15554
15760
  const silentRequest = await invokeAsync(initializeAuthorizationRequest, StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(inputRequest, exports.InteractionType.Silent, this.config, this.browserCrypto, this.browserStorage, this.logger, this.performanceClient, this.correlationId);
15555
15761
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
15556
- serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger),
15762
+ serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled),
15557
15763
  requestAuthority: silentRequest.authority,
15558
15764
  requestAzureCloudOptions: silentRequest.azureCloudOptions,
15559
15765
  requestExtraQueryParameters: silentRequest.extraQueryParameters,
@@ -15601,21 +15807,32 @@ class SilentIframeClient extends StandardInteractionClient {
15601
15807
  ...request,
15602
15808
  codeChallenge: pkceCodes.challenge,
15603
15809
  };
15604
- let iframe;
15605
- if (request.httpMethod === HttpMethod.POST) {
15606
- iframe = await invokeAsync(initiateCodeFlowWithPost, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, silentRequest, this.logger, this.performanceClient);
15607
- }
15608
- else {
15609
- // Create authorize request url
15610
- const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, silentRequest, this.logger, this.performanceClient);
15611
- // Get the frame handle for the silent request
15612
- iframe = await invokeAsync(initiateCodeRequest, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(navigateUrl, this.performanceClient, this.logger, correlationId);
15613
- }
15810
+ // Create the iframe, register the response listener, then navigate, so the listener is active before the iframe can respond.
15811
+ const iframe = createHiddenIframe();
15614
15812
  const responseType = this.config.auth.OIDCOptions.responseMode;
15615
15813
  // Wait for response from the redirect bridge.
15616
15814
  let responseString;
15617
15815
  try {
15618
- responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient, this.config.experimental);
15816
+ const responsePromise = invokeAsync(this.waitForIframeResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(iframe, request);
15817
+ responsePromise.catch(() => {
15818
+ /*
15819
+ * If URL creation or navigation below throws before
15820
+ * responsePromise is awaited, the listener still rejects on
15821
+ * timeout. Swallow it here so it does not surface as an
15822
+ * unhandled rejection; the navigation error is propagated
15823
+ * instead.
15824
+ */
15825
+ });
15826
+ if (request.httpMethod === HttpMethod.POST) {
15827
+ await invokeAsync(initiateCodeFlowWithPost, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(iframe, this.config, authClient.authority, silentRequest, this.logger, this.performanceClient);
15828
+ }
15829
+ else {
15830
+ // Create authorize request url
15831
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, silentRequest, this.logger, this.performanceClient);
15832
+ // Navigate the iframe to the authorize request url
15833
+ await invokeAsync(initiateCodeRequest, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(iframe, navigateUrl, this.logger, correlationId);
15834
+ }
15835
+ responseString = await responsePromise;
15619
15836
  }
15620
15837
  finally {
15621
15838
  invoke(removeHiddenIframe, RemoveHiddenIframe, this.logger, this.performanceClient, correlationId)(iframe);
@@ -15623,6 +15840,12 @@ class SilentIframeClient extends StandardInteractionClient {
15623
15840
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, correlationId)(responseString, responseType, this.logger, this.correlationId);
15624
15841
  return { serverParams, pkceCodes, silentRequest };
15625
15842
  }
15843
+ async waitForIframeResponse(iframe, request) {
15844
+ if (this.waitForIframeResponseHook) {
15845
+ return this.waitForIframeResponseHook(iframe, request);
15846
+ }
15847
+ return waitForBridgeResponse(this.config.system.iframeBridgeTimeout, this.logger, request, this.performanceClient, this.config.experimental);
15848
+ }
15626
15849
  }
15627
15850
 
15628
15851
  /*
@@ -15644,7 +15867,7 @@ class SilentRefreshClient extends StandardInteractionClient {
15644
15867
  // Make sure any passed redirectUri is converted to an absolute URL - redirectUri is not a required parameter for refresh token redemption so only include if explicitly provided
15645
15868
  silentRequest.redirectUri = getRedirectUri(request.redirectUri, this.config.auth.redirectUri, this.logger, this.correlationId);
15646
15869
  }
15647
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenSilent_silentFlow, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
15870
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenSilent_silentFlow, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
15648
15871
  const refreshTokenClient = await this.createRefreshTokenClient({
15649
15872
  serverTelemetryManager,
15650
15873
  authorityUrl: silentRequest.authority,
@@ -15724,7 +15947,7 @@ class SilentAuthCodeClient extends StandardInteractionClient {
15724
15947
  * Each auth request creates a new instance of *Client so we can safely use this.correlationId.
15725
15948
  */
15726
15949
  this.correlationId);
15727
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
15950
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
15728
15951
  try {
15729
15952
  // Create auth code request (PKCE not needed)
15730
15953
  const authCodeRequest = {
@@ -16089,6 +16312,8 @@ class StandardController {
16089
16312
  // Preflight request
16090
16313
  const correlationId = this.getRequestCorrelationId(request);
16091
16314
  this.logger.verbose("0os66p", correlationId);
16315
+ redirectPreflightCheck(this.initialized, this.config);
16316
+ this.browserStorage.setInteractionInProgress(true, INTERACTION_TYPE.SIGNIN);
16092
16317
  const atrMeasurement = this.performanceClient.startMeasurement(AcquireTokenPreRedirect, correlationId);
16093
16318
  atrMeasurement.add({
16094
16319
  scenarioId: request.scenarioId,
@@ -16106,9 +16331,7 @@ class StandardController {
16106
16331
  return navigate;
16107
16332
  };
16108
16333
  try {
16109
- redirectPreflightCheck(this.initialized, this.config);
16110
16334
  enforceResourceParameter(this.config.auth.isMcp, request);
16111
- this.browserStorage.setInteractionInProgress(true, INTERACTION_TYPE.SIGNIN);
16112
16335
  this.eventHandler.emitEvent(EventType.ACQUIRE_TOKEN_START, correlationId, exports.InteractionType.Redirect, request);
16113
16336
  let result;
16114
16337
  if (this.platformAuthProvider &&
@@ -16836,7 +17059,7 @@ class StandardController {
16836
17059
  * @param correlationId
16837
17060
  */
16838
17061
  createPopupClient(correlationId) {
16839
- return new PopupClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider);
17062
+ return new PopupClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider, this.operatingContext.getResponseHandlers()?.waitForPopupResponse);
16840
17063
  }
16841
17064
  /**
16842
17065
  * Returns new instance of the Redirect Interaction Client
@@ -16850,7 +17073,7 @@ class StandardController {
16850
17073
  * @param correlationId
16851
17074
  */
16852
17075
  createSilentIframeClient(correlationId) {
16853
- return new SilentIframeClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.ssoSilent, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider);
17076
+ return new SilentIframeClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.ssoSilent, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider, this.operatingContext.getResponseHandlers()?.waitForIframeResponse);
16854
17077
  }
16855
17078
  /**
16856
17079
  * Returns new instance of the Silent Cache Interaction Client
@@ -17324,7 +17547,7 @@ class BaseOperatingContext {
17324
17547
  return;
17325
17548
  }
17326
17549
  }
17327
- constructor(config) {
17550
+ constructor(config, responseHandlers) {
17328
17551
  /*
17329
17552
  * If loaded in an environment where window is not available,
17330
17553
  * set internal flag to false so that further requests fail.
@@ -17332,6 +17555,7 @@ class BaseOperatingContext {
17332
17555
  */
17333
17556
  this.browserEnvironment = typeof window !== "undefined";
17334
17557
  this.config = buildConfiguration(config, this.browserEnvironment);
17558
+ this.responseHandlers = responseHandlers;
17335
17559
  let sessionStorage;
17336
17560
  try {
17337
17561
  sessionStorage = window[BrowserCacheLocation.SessionStorage];
@@ -17368,6 +17592,13 @@ class BaseOperatingContext {
17368
17592
  getConfig() {
17369
17593
  return this.config;
17370
17594
  }
17595
+ /**
17596
+ * Returns the internal response handlers supplied by PublicClientApplication, if any.
17597
+ * @returns AuthResponseHandlers | undefined
17598
+ */
17599
+ getResponseHandlers() {
17600
+ return this.responseHandlers;
17601
+ }
17371
17602
  /**
17372
17603
  * Returns the MSAL Logger
17373
17604
  * @returns Logger
@@ -18389,7 +18620,48 @@ class PublicClientApplication {
18389
18620
  constructor(configuration, controller) {
18390
18621
  this.controller =
18391
18622
  controller ||
18392
- new StandardController(new StandardOperatingContext(configuration));
18623
+ new StandardController(new StandardOperatingContext(configuration, {
18624
+ waitForPopupResponse: this.waitForPopupResponse.bind(this),
18625
+ waitForIframeResponse: this.waitForIframeResponse.bind(this),
18626
+ }));
18627
+ }
18628
+ /**
18629
+ * Waits for the auth response from a popup window opened by MSAL.
18630
+ *
18631
+ * The default implementation delegates to MSAL's `BroadcastChannel`-based bridge.
18632
+ * Subclasses must return the raw response string (hash/query/fragment), or reject
18633
+ * with an `AuthError` on failure.
18634
+ *
18635
+ * @internal
18636
+ * @param request The in-flight authorization or end-session request.
18637
+ * @param popupWindow The popup window opened by MSAL.
18638
+ * @param popupWindowParent The parent window that opened the popup.
18639
+ */
18640
+ async waitForPopupResponse(request,
18641
+ // eslint-disable-next-line @typescript-eslint/no-unused-vars
18642
+ popupWindow,
18643
+ // eslint-disable-next-line @typescript-eslint/no-unused-vars
18644
+ popupWindowParent) {
18645
+ const controller = this.controller;
18646
+ return waitForBridgeResponse(controller.getConfiguration().system.popupBridgeTimeout, controller.getLogger(), request, controller.getPerformanceClient());
18647
+ }
18648
+ /**
18649
+ * Waits for the auth response from a hidden iframe used by MSAL silent flows.
18650
+ *
18651
+ * The default implementation delegates to MSAL's `BroadcastChannel`-based bridge.
18652
+ * Subclasses must return the raw response string (hash/query/fragment), or reject
18653
+ * with an `AuthError` on failure.
18654
+ *
18655
+ * @internal
18656
+ * @param iframe The hidden iframe MSAL attached to the document.
18657
+ * @param request The in-flight authorization request.
18658
+ */
18659
+ async waitForIframeResponse(
18660
+ // eslint-disable-next-line @typescript-eslint/no-unused-vars
18661
+ iframe, request) {
18662
+ const controller = this.controller;
18663
+ const config = controller.getConfiguration();
18664
+ return waitForBridgeResponse(config.system.iframeBridgeTimeout, controller.getLogger(), request, controller.getPerformanceClient(), config.experimental);
18393
18665
  }
18394
18666
  /**
18395
18667
  * Initializer function to perform async startup tasks such as connecting to WAM extension