@azure/msal-browser 5.11.0 → 5.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (267) hide show
  1. package/README.md +1 -0
  2. package/dist/app/IPublicClientApplication.mjs +1 -1
  3. package/dist/app/PublicClientApplication.mjs +44 -2
  4. package/dist/app/PublicClientApplication.mjs.map +1 -1
  5. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +3 -3
  6. package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  7. package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  8. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +1 -1
  9. package/dist/cache/AccountManager.mjs +1 -1
  10. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  11. package/dist/cache/BrowserCacheManager.mjs +99 -15
  12. package/dist/cache/BrowserCacheManager.mjs.map +1 -1
  13. package/dist/cache/CacheHelpers.mjs +1 -1
  14. package/dist/cache/CacheKeys.mjs +1 -1
  15. package/dist/cache/CookieStorage.mjs +1 -1
  16. package/dist/cache/DatabaseStorage.mjs +1 -1
  17. package/dist/cache/EncryptedData.mjs +1 -1
  18. package/dist/cache/LocalStorage.mjs +1 -1
  19. package/dist/cache/MemoryStorage.mjs +1 -1
  20. package/dist/cache/SessionStorage.mjs +1 -1
  21. package/dist/cache/TokenCache.mjs +1 -1
  22. package/dist/config/Configuration.mjs +3 -2
  23. package/dist/config/Configuration.mjs.map +1 -1
  24. package/dist/controllers/NestedAppAuthController.mjs +1 -1
  25. package/dist/controllers/StandardController.mjs +5 -5
  26. package/dist/controllers/StandardController.mjs.map +1 -1
  27. package/dist/crypto/BrowserCrypto.mjs +1 -1
  28. package/dist/crypto/CryptoOps.mjs +1 -1
  29. package/dist/crypto/PkceGenerator.mjs +1 -1
  30. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  31. package/dist/custom_auth/CustomAuthConstants.mjs +1 -1
  32. package/dist/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
  33. package/dist/custom_auth/controller/CustomAuthStandardController.mjs +1 -1
  34. package/dist/custom_auth/core/CustomAuthAuthority.mjs +1 -1
  35. package/dist/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
  36. package/dist/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
  37. package/dist/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
  38. package/dist/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
  39. package/dist/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
  40. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
  41. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
  42. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
  43. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
  44. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +1 -1
  45. package/dist/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
  46. package/dist/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
  47. package/dist/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
  48. package/dist/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
  49. package/dist/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
  50. package/dist/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +1 -1
  51. package/dist/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
  52. package/dist/custom_auth/core/error/CustomAuthError.mjs +1 -1
  53. package/dist/custom_auth/core/error/HttpError.mjs +1 -1
  54. package/dist/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
  55. package/dist/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
  56. package/dist/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
  57. package/dist/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
  58. package/dist/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
  59. package/dist/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
  60. package/dist/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
  61. package/dist/custom_auth/core/error/ParsedUrlError.mjs +1 -1
  62. package/dist/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
  63. package/dist/custom_auth/core/error/UnexpectedError.mjs +1 -1
  64. package/dist/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
  65. package/dist/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
  66. package/dist/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
  67. package/dist/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
  68. package/dist/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
  69. package/dist/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
  70. package/dist/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
  71. package/dist/custom_auth/core/interaction_client/mfa/MfaClient.mjs +1 -1
  72. package/dist/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
  73. package/dist/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +1 -1
  74. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +1 -1
  75. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
  76. package/dist/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
  77. package/dist/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +1 -1
  78. package/dist/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +1 -1
  79. package/dist/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +1 -1
  80. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
  81. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
  82. package/dist/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +1 -1
  83. package/dist/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
  84. package/dist/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
  85. package/dist/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
  86. package/dist/custom_auth/core/utils/CustomHeaderUtils.mjs +1 -1
  87. package/dist/custom_auth/core/utils/UrlUtils.mjs +1 -1
  88. package/dist/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +1 -1
  89. package/dist/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
  90. package/dist/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
  91. package/dist/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
  92. package/dist/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
  93. package/dist/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
  94. package/dist/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
  95. package/dist/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
  96. package/dist/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +1 -1
  97. package/dist/custom_auth/index.mjs +1 -1
  98. package/dist/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
  99. package/dist/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
  100. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
  101. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
  102. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
  103. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
  104. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +1 -1
  105. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
  106. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
  107. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +1 -1
  108. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
  109. package/dist/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +1 -1
  110. package/dist/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
  111. package/dist/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
  112. package/dist/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
  113. package/dist/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
  114. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
  115. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
  116. package/dist/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +1 -1
  117. package/dist/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
  118. package/dist/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +1 -1
  119. package/dist/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
  120. package/dist/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +1 -1
  121. package/dist/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
  122. package/dist/custom_auth/sign_in/interaction_client/SignInClient.mjs +1 -1
  123. package/dist/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
  124. package/dist/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
  125. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
  126. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
  127. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
  128. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
  129. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
  130. package/dist/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +1 -1
  131. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +1 -1
  132. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
  133. package/dist/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
  134. package/dist/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +1 -1
  135. package/dist/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
  136. package/dist/custom_auth/sign_up/interaction_client/SignUpClient.mjs +1 -1
  137. package/dist/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
  138. package/dist/encode/Base64Decode.mjs +1 -1
  139. package/dist/encode/Base64Encode.mjs +1 -1
  140. package/dist/error/BrowserAuthError.mjs +1 -1
  141. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  142. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  143. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  144. package/dist/error/NativeAuthError.mjs +4 -4
  145. package/dist/error/NativeAuthError.mjs.map +1 -1
  146. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  147. package/dist/error/NestedAppAuthError.mjs +1 -1
  148. package/dist/event/EventHandler.mjs +1 -1
  149. package/dist/event/EventMessage.mjs +1 -1
  150. package/dist/event/EventType.mjs +1 -1
  151. package/dist/index.mjs +1 -1
  152. package/dist/interaction_client/BaseInteractionClient.mjs +8 -3
  153. package/dist/interaction_client/BaseInteractionClient.mjs.map +1 -1
  154. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  155. package/dist/interaction_client/PlatformAuthInteractionClient.mjs +7 -6
  156. package/dist/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
  157. package/dist/interaction_client/PopupClient.mjs +30 -10
  158. package/dist/interaction_client/PopupClient.mjs.map +1 -1
  159. package/dist/interaction_client/RedirectClient.mjs +17 -9
  160. package/dist/interaction_client/RedirectClient.mjs.map +1 -1
  161. package/dist/interaction_client/SilentAuthCodeClient.mjs +2 -2
  162. package/dist/interaction_client/SilentAuthCodeClient.mjs.map +1 -1
  163. package/dist/interaction_client/SilentCacheClient.mjs +2 -2
  164. package/dist/interaction_client/SilentCacheClient.mjs.map +1 -1
  165. package/dist/interaction_client/SilentIframeClient.mjs +49 -20
  166. package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
  167. package/dist/interaction_client/SilentRefreshClient.mjs +2 -2
  168. package/dist/interaction_client/SilentRefreshClient.mjs.map +1 -1
  169. package/dist/interaction_client/StandardInteractionClient.mjs +1 -1
  170. package/dist/interaction_handler/InteractionHandler.mjs +1 -1
  171. package/dist/interaction_handler/SilentHandler.mjs +13 -26
  172. package/dist/interaction_handler/SilentHandler.mjs.map +1 -1
  173. package/dist/log-strings-mapping.json +1202 -1194
  174. package/dist/naa/BridgeError.mjs +1 -1
  175. package/dist/naa/BridgeProxy.mjs +1 -1
  176. package/dist/naa/BridgeStatusCode.mjs +1 -1
  177. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +1 -1
  178. package/dist/navigation/NavigationClient.mjs +1 -1
  179. package/dist/network/FetchClient.mjs +1 -1
  180. package/dist/operatingcontext/BaseOperatingContext.mjs +10 -2
  181. package/dist/operatingcontext/BaseOperatingContext.mjs.map +1 -1
  182. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  183. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  184. package/dist/packageMetadata.mjs +2 -2
  185. package/dist/protocol/Authorize.mjs +1 -1
  186. package/dist/redirect_bridge/index.mjs +4 -5
  187. package/dist/redirect_bridge/index.mjs.map +1 -1
  188. package/dist/request/RequestHelpers.mjs +1 -1
  189. package/dist/response/ResponseHandler.mjs +1 -1
  190. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  191. package/dist/telemetry/BrowserPerformanceEvents.mjs +2 -3
  192. package/dist/telemetry/BrowserPerformanceEvents.mjs.map +1 -1
  193. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  194. package/dist/telemetry/BrowserRootPerformanceEvents.mjs +1 -1
  195. package/dist/utils/BrowserConstants.mjs +1 -1
  196. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  197. package/dist/utils/BrowserUtils.mjs +15 -5
  198. package/dist/utils/BrowserUtils.mjs.map +1 -1
  199. package/dist/utils/Helpers.mjs +1 -1
  200. package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
  201. package/lib/custom-auth-path/log-strings-mapping.json +19 -11
  202. package/lib/custom-auth-path/msal-custom-auth.cjs +511 -263
  203. package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
  204. package/lib/custom-auth-path/msal-custom-auth.js +511 -263
  205. package/lib/custom-auth-path/msal-custom-auth.js.map +1 -1
  206. package/lib/log-strings-mapping.json +11 -3
  207. package/lib/msal-browser.cjs +539 -267
  208. package/lib/msal-browser.cjs.map +1 -1
  209. package/lib/msal-browser.js +539 -267
  210. package/lib/msal-browser.js.map +1 -1
  211. package/lib/msal-browser.min.js +2 -2
  212. package/lib/redirect-bridge/msal-redirect-bridge.cjs +59 -50
  213. package/lib/redirect-bridge/msal-redirect-bridge.cjs.map +1 -1
  214. package/lib/redirect-bridge/msal-redirect-bridge.js +59 -50
  215. package/lib/redirect-bridge/msal-redirect-bridge.js.map +1 -1
  216. package/lib/redirect-bridge/msal-redirect-bridge.min.js +2 -2
  217. package/package.json +2 -2
  218. package/src/app/PublicClientApplication.ts +85 -1
  219. package/src/broker/nativeBroker/NativeStatusCodes.ts +1 -1
  220. package/src/cache/BrowserCacheManager.ts +157 -33
  221. package/src/config/Configuration.ts +6 -0
  222. package/src/controllers/StandardController.ts +10 -8
  223. package/src/error/NativeAuthError.ts +2 -2
  224. package/src/interaction_client/BaseInteractionClient.ts +12 -1
  225. package/src/interaction_client/PlatformAuthInteractionClient.ts +14 -4
  226. package/src/interaction_client/PopupClient.ts +74 -30
  227. package/src/interaction_client/RedirectClient.ts +32 -8
  228. package/src/interaction_client/SilentAuthCodeClient.ts +3 -1
  229. package/src/interaction_client/SilentCacheClient.ts +3 -1
  230. package/src/interaction_client/SilentIframeClient.ts +140 -74
  231. package/src/interaction_client/SilentRefreshClient.ts +3 -1
  232. package/src/interaction_handler/SilentHandler.ts +12 -32
  233. package/src/operatingcontext/BaseOperatingContext.ts +15 -1
  234. package/src/packageMetadata.ts +1 -1
  235. package/src/redirect_bridge/index.ts +3 -7
  236. package/src/telemetry/BrowserPerformanceEvents.ts +0 -1
  237. package/src/utils/BrowserUtils.ts +28 -7
  238. package/types/app/PublicClientApplication.d.ts +37 -1
  239. package/types/app/PublicClientApplication.d.ts.map +1 -1
  240. package/types/broker/nativeBroker/NativeStatusCodes.d.ts +1 -1
  241. package/types/cache/BrowserCacheManager.d.ts +18 -1
  242. package/types/cache/BrowserCacheManager.d.ts.map +1 -1
  243. package/types/config/Configuration.d.ts +5 -0
  244. package/types/config/Configuration.d.ts.map +1 -1
  245. package/types/controllers/StandardController.d.ts.map +1 -1
  246. package/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  247. package/types/interaction_client/BaseInteractionClient.d.ts +2 -1
  248. package/types/interaction_client/BaseInteractionClient.d.ts.map +1 -1
  249. package/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  250. package/types/interaction_client/PopupClient.d.ts +11 -1
  251. package/types/interaction_client/PopupClient.d.ts.map +1 -1
  252. package/types/interaction_client/RedirectClient.d.ts.map +1 -1
  253. package/types/interaction_client/SilentAuthCodeClient.d.ts.map +1 -1
  254. package/types/interaction_client/SilentCacheClient.d.ts.map +1 -1
  255. package/types/interaction_client/SilentIframeClient.d.ts +20 -1
  256. package/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
  257. package/types/interaction_client/SilentRefreshClient.d.ts.map +1 -1
  258. package/types/interaction_handler/SilentHandler.d.ts +13 -6
  259. package/types/interaction_handler/SilentHandler.d.ts.map +1 -1
  260. package/types/operatingcontext/BaseOperatingContext.d.ts +8 -1
  261. package/types/operatingcontext/BaseOperatingContext.d.ts.map +1 -1
  262. package/types/packageMetadata.d.ts +1 -1
  263. package/types/redirect_bridge/index.d.ts.map +1 -1
  264. package/types/telemetry/BrowserPerformanceEvents.d.ts +0 -1
  265. package/types/telemetry/BrowserPerformanceEvents.d.ts.map +1 -1
  266. package/types/utils/BrowserUtils.d.ts +17 -2
  267. package/types/utils/BrowserUtils.d.ts.map +1 -1
@@ -1,4 +1,4 @@
1
- /*! @azure/msal-browser v5.11.0 2026-05-19 */
1
+ /*! @azure/msal-browser v5.13.0 2026-06-10 */
2
2
  'use strict';
3
3
  (function (global, factory) {
4
4
  typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
@@ -6,7 +6,7 @@
6
6
  (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.msal = {}));
7
7
  })(this, (function (exports) { 'use strict';
8
8
 
9
- /*! @azure/msal-common v16.6.2 2026-05-19 */
9
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
10
10
  /*
11
11
  * Copyright (c) Microsoft Corporation. All rights reserved.
12
12
  * Licensed under the MIT License.
@@ -238,7 +238,7 @@
238
238
  // Token renewal offset default in seconds
239
239
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
240
240
 
241
- /*! @azure/msal-common v16.6.2 2026-05-19 */
241
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
242
242
  /*
243
243
  * Copyright (c) Microsoft Corporation. All rights reserved.
244
244
  * Licensed under the MIT License.
@@ -290,7 +290,7 @@
290
290
  const RESOURCE = "resource";
291
291
  const CLI_DATA = "clidata";
292
292
 
293
- /*! @azure/msal-common v16.6.2 2026-05-19 */
293
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
294
294
  /*
295
295
  * Copyright (c) Microsoft Corporation. All rights reserved.
296
296
  * Licensed under the MIT License.
@@ -321,7 +321,7 @@
321
321
  return new AuthError(code, additionalMessage || getDefaultErrorMessage$1(code));
322
322
  }
323
323
 
324
- /*! @azure/msal-common v16.6.2 2026-05-19 */
324
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
325
325
 
326
326
  /*
327
327
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -341,7 +341,7 @@
341
341
  return new ClientConfigurationError(errorCode);
342
342
  }
343
343
 
344
- /*! @azure/msal-common v16.6.2 2026-05-19 */
344
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
345
345
  /*
346
346
  * Copyright (c) Microsoft Corporation. All rights reserved.
347
347
  * Licensed under the MIT License.
@@ -421,7 +421,7 @@
421
421
  }
422
422
  }
423
423
 
424
- /*! @azure/msal-common v16.6.2 2026-05-19 */
424
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
425
425
 
426
426
  /*
427
427
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -444,7 +444,7 @@
444
444
  return new ClientAuthError(errorCode, additionalMessage);
445
445
  }
446
446
 
447
- /*! @azure/msal-common v16.6.2 2026-05-19 */
447
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
448
448
  /*
449
449
  * Copyright (c) Microsoft Corporation. All rights reserved.
450
450
  * Licensed under the MIT License.
@@ -502,7 +502,7 @@
502
502
  urlParseError: urlParseError
503
503
  });
504
504
 
505
- /*! @azure/msal-common v16.6.2 2026-05-19 */
505
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
506
506
  /*
507
507
  * Copyright (c) Microsoft Corporation. All rights reserved.
508
508
  * Licensed under the MIT License.
@@ -590,7 +590,7 @@
590
590
  userCanceled: userCanceled
591
591
  });
592
592
 
593
- /*! @azure/msal-common v16.6.2 2026-05-19 */
593
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
594
594
 
595
595
  /*
596
596
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -785,7 +785,7 @@
785
785
  }
786
786
  }
787
787
 
788
- /*! @azure/msal-common v16.6.2 2026-05-19 */
788
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
789
789
 
790
790
  /*
791
791
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1134,8 +1134,14 @@
1134
1134
  * @param serverTelemetryManager
1135
1135
  */
1136
1136
  function addServerTelemetry(parameters, serverTelemetryManager) {
1137
- parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
1138
- parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
1137
+ const currentTelemetryHeader = serverTelemetryManager.generateCurrentRequestHeaderValue();
1138
+ const lastTelemetryHeader = serverTelemetryManager.generateLastRequestHeaderValue();
1139
+ if (currentTelemetryHeader) {
1140
+ parameters.set(X_CLIENT_CURR_TELEM, currentTelemetryHeader);
1141
+ }
1142
+ if (lastTelemetryHeader) {
1143
+ parameters.set(X_CLIENT_LAST_TELEM, lastTelemetryHeader);
1144
+ }
1139
1145
  }
1140
1146
  /**
1141
1147
  * Adds parameter that indicates to the server that throttling is supported
@@ -1174,34 +1180,12 @@
1174
1180
  }
1175
1181
  }
1176
1182
 
1177
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1183
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1178
1184
 
1179
1185
  /*
1180
1186
  * Copyright (c) Microsoft Corporation. All rights reserved.
1181
1187
  * Licensed under the MIT License.
1182
1188
  */
1183
- /**
1184
- * Canonicalizes a URL by making it lowercase and ensuring it ends with /
1185
- * Inlined version of UrlString.canonicalizeUri to avoid circular dependency
1186
- * @param url - URL to canonicalize
1187
- * @returns Canonicalized URL
1188
- */
1189
- function canonicalizeUrl(url) {
1190
- if (!url) {
1191
- return url;
1192
- }
1193
- let lowerCaseUrl = url.toLowerCase();
1194
- if (StringUtils.endsWith(lowerCaseUrl, "?")) {
1195
- lowerCaseUrl = lowerCaseUrl.slice(0, -1);
1196
- }
1197
- else if (StringUtils.endsWith(lowerCaseUrl, "?/")) {
1198
- lowerCaseUrl = lowerCaseUrl.slice(0, -2);
1199
- }
1200
- if (!StringUtils.endsWith(lowerCaseUrl, "/")) {
1201
- lowerCaseUrl += "/";
1202
- }
1203
- return lowerCaseUrl;
1204
- }
1205
1189
  /**
1206
1190
  * Parses hash string from given string. Returns empty string if no hash symbol is found.
1207
1191
  * @param hashString
@@ -1254,36 +1238,71 @@
1254
1238
  return queryParameterArray.join("&");
1255
1239
  }
1256
1240
  /**
1257
- * Normalizes URLs for comparison by removing hash, canonicalizing,
1258
- * and ensuring consistent URL encoding in query parameters.
1259
- * This fixes redirect loops when URLs contain encoded characters like apostrophes (%27).
1241
+ * Normalizes URLs for comparison per MDN & RFC 3986 standards:
1242
+ * - Hash/fragment is removed
1243
+ * - Scheme and host are lowercased (case-insensitive per spec)
1244
+ * - Path and query parameters preserve original casing (case-sensitive per spec)
1245
+ * - Percent-encoding in pathname is normalized (e.g., %27 and ' are treated equivalently)
1246
+ * - Ensures pathname ends with /
1247
+ * Throws a urlParseError if the provided URL is malformed and cannot be parsed.
1260
1248
  * @param url - URL to normalize
1249
+ * @param logger - Optional logger used to log parse failures
1250
+ * @param correlationId - Optional correlationId associated with the log entry
1261
1251
  * @returns Normalized URL string for comparison
1262
1252
  */
1263
- function normalizeUrlForComparison(url) {
1253
+ function normalizeUrlForComparison(url, logger, correlationId) {
1264
1254
  if (!url) {
1265
1255
  return url;
1266
1256
  }
1267
- // Remove hash first
1268
1257
  const urlWithoutHash = url.split("#")[0];
1258
+ if (!urlWithoutHash) {
1259
+ return urlWithoutHash;
1260
+ }
1269
1261
  try {
1270
- // Parse the URL to handle encoding consistently
1271
1262
  const urlObj = new URL(urlWithoutHash);
1272
- /*
1273
- * Reconstruct the URL with properly decoded query parameters
1274
- * This ensures that %27 and ' are treated as equivalent
1275
- */
1276
- const normalizedUrl = urlObj.origin + urlObj.pathname + urlObj.search;
1277
- // Apply canonicalization logic inline to avoid circular dependency
1278
- return canonicalizeUrl(normalizedUrl);
1263
+ // Treat an empty query string (a bare trailing "?") as equivalent to no query
1264
+ if (!urlObj.search) {
1265
+ urlObj.search = "";
1266
+ }
1267
+ // Decode the pathname to normalize percent-encoding and ensure trailing slash
1268
+ let pathname;
1269
+ try {
1270
+ pathname = decodeURIComponent(urlObj.pathname);
1271
+ }
1272
+ catch (e) {
1273
+ pathname = urlObj.pathname;
1274
+ }
1275
+ if (!pathname.endsWith("/")) {
1276
+ pathname += "/";
1277
+ }
1278
+ urlObj.pathname = pathname;
1279
+ return urlObj.href;
1280
+ }
1281
+ catch (e) {
1282
+ logger?.error("15apdm", correlationId || "");
1283
+ throw createClientConfigurationError(urlParseError);
1284
+ }
1285
+ }
1286
+ /**
1287
+ * Validates that the provided value is a well-formed, parseable absolute URL.
1288
+ * Throws a urlParseError if the value cannot be parsed by the URL API (e.g. the
1289
+ * literal string "null", an empty string, or any malformed/relative URL). Use this
1290
+ * to guard against persisting an invalid value (such as a redirect URL) to the cache.
1291
+ * @param url - URL to validate
1292
+ * @param logger - Optional logger used to log validation failures
1293
+ * @param correlationId - Optional correlationId associated with the log entry
1294
+ */
1295
+ function validateUrl(url, logger, correlationId) {
1296
+ try {
1297
+ new URL(url);
1279
1298
  }
1280
1299
  catch (e) {
1281
- // Fallback to original logic if URL parsing fails
1282
- return canonicalizeUrl(urlWithoutHash);
1300
+ logger?.error("1lrjz7", correlationId || "");
1301
+ throw createClientConfigurationError(urlParseError);
1283
1302
  }
1284
1303
  }
1285
1304
 
1286
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1305
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1287
1306
 
1288
1307
  /*
1289
1308
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1322,7 +1341,7 @@
1322
1341
  },
1323
1342
  };
1324
1343
 
1325
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1344
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1326
1345
  /*
1327
1346
  * Copyright (c) Microsoft Corporation. All rights reserved.
1328
1347
  * Licensed under the MIT License.
@@ -1370,7 +1389,7 @@
1370
1389
  // Remove LRU (first entry) if capacity exceeded
1371
1390
  if (correlationCache.size > CACHE_CAPACITY) {
1372
1391
  const firstKey = correlationCache.keys().next().value;
1373
- if (firstKey) {
1392
+ if (firstKey !== undefined) {
1374
1393
  correlationCache.delete(firstKey);
1375
1394
  }
1376
1395
  }
@@ -1597,12 +1616,12 @@
1597
1616
  }
1598
1617
  }
1599
1618
 
1600
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1619
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1601
1620
  /* eslint-disable header/header */
1602
1621
  const name$1 = "@azure/msal-common";
1603
- const version$1 = "16.6.2";
1622
+ const version$1 = "16.8.0";
1604
1623
 
1605
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1624
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1606
1625
  /*
1607
1626
  * Copyright (c) Microsoft Corporation. All rights reserved.
1608
1627
  * Licensed under the MIT License.
@@ -1622,7 +1641,7 @@
1622
1641
  AzureUsGovernment: "https://login.microsoftonline.us",
1623
1642
  };
1624
1643
 
1625
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1644
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1626
1645
  /*
1627
1646
  * Copyright (c) Microsoft Corporation. All rights reserved.
1628
1647
  * Licensed under the MIT License.
@@ -1705,7 +1724,7 @@
1705
1724
  return updatedAccountInfo;
1706
1725
  }
1707
1726
 
1708
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1727
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1709
1728
 
1710
1729
  /*
1711
1730
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1785,7 +1804,7 @@
1785
1804
  }
1786
1805
  }
1787
1806
 
1788
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1807
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1789
1808
 
1790
1809
  /*
1791
1810
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1942,7 +1961,7 @@
1942
1961
  }
1943
1962
  }
1944
1963
 
1945
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1964
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1946
1965
 
1947
1966
  /*
1948
1967
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2108,7 +2127,7 @@
2108
2127
  return null;
2109
2128
  }
2110
2129
 
2111
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2130
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2112
2131
  /*
2113
2132
  * Copyright (c) Microsoft Corporation. All rights reserved.
2114
2133
  * Licensed under the MIT License.
@@ -2116,7 +2135,7 @@
2116
2135
  const cacheQuotaExceeded = "cache_quota_exceeded";
2117
2136
  const cacheErrorUnknown = "cache_error_unknown";
2118
2137
 
2119
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2138
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2120
2139
 
2121
2140
  /*
2122
2141
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2154,7 +2173,7 @@
2154
2173
  }
2155
2174
  }
2156
2175
 
2157
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2176
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2158
2177
 
2159
2178
  /*
2160
2179
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2192,7 +2211,7 @@
2192
2211
  };
2193
2212
  }
2194
2213
 
2195
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2214
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2196
2215
  /*
2197
2216
  * Copyright (c) Microsoft Corporation. All rights reserved.
2198
2217
  * Licensed under the MIT License.
@@ -2207,7 +2226,7 @@
2207
2226
  Ciam: 3,
2208
2227
  };
2209
2228
 
2210
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2229
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2211
2230
  /*
2212
2231
  * Copyright (c) Microsoft Corporation. All rights reserved.
2213
2232
  * Licensed under the MIT License.
@@ -2229,7 +2248,7 @@
2229
2248
  return null;
2230
2249
  }
2231
2250
 
2232
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2251
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2233
2252
  /*
2234
2253
  * Copyright (c) Microsoft Corporation. All rights reserved.
2235
2254
  * Licensed under the MIT License.
@@ -2253,7 +2272,7 @@
2253
2272
  EAR: "EAR",
2254
2273
  };
2255
2274
 
2256
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2275
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2257
2276
  /**
2258
2277
  * Returns the AccountInfo interface for this account.
2259
2278
  */
@@ -2428,7 +2447,7 @@
2428
2447
  entity.hasOwnProperty("authorityType"));
2429
2448
  }
2430
2449
 
2431
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2450
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2432
2451
 
2433
2452
  /*
2434
2453
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2568,8 +2587,8 @@
2568
2587
  return false;
2569
2588
  }
2570
2589
  if (!!tenantProfileFilter.username &&
2571
- !(this.matchUsername(tenantProfile.username, tenantProfileFilter.username) ||
2572
- !this.matchUsername(tenantProfile.upn, tenantProfileFilter.username))) {
2590
+ !this.matchUsername(tenantProfile.username, tenantProfileFilter.username) &&
2591
+ !this.matchUsername(tenantProfile.upn, tenantProfileFilter.username)) {
2573
2592
  return false;
2574
2593
  }
2575
2594
  if (!!tenantProfileFilter.loginHint &&
@@ -3560,7 +3579,7 @@
3560
3579
  }
3561
3580
  }
3562
3581
 
3563
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3582
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3564
3583
  /*
3565
3584
  * Copyright (c) Microsoft Corporation. All rights reserved.
3566
3585
  * Licensed under the MIT License.
@@ -3603,7 +3622,20 @@
3603
3622
  "currAccessCount",
3604
3623
  "currIdCount",
3605
3624
  "currRefreshCount",
3606
- "expiredCacheRemovedCount",
3625
+ "ttlExpiredAcntCount",
3626
+ "ttlExpiredITCount",
3627
+ "ttlExpiredATCount",
3628
+ "ttlExpiredRTCount",
3629
+ "decryptFailedAcntCount",
3630
+ "decryptFailedITCount",
3631
+ "decryptFailedATCount",
3632
+ "decryptFailedRTCount",
3633
+ "invalidAcntCount",
3634
+ "invalidITCount",
3635
+ "invalidATCount",
3636
+ "invalidRTCount",
3637
+ "expiredATCount",
3638
+ "expiredRTCount",
3607
3639
  "upgradedCacheCount",
3608
3640
  "cacheMatchedAccounts",
3609
3641
  "networkRtt",
@@ -3611,7 +3643,7 @@
3611
3643
  "redirectBridgeMessageVersion",
3612
3644
  ]);
3613
3645
 
3614
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3646
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3615
3647
 
3616
3648
  /*
3617
3649
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3666,7 +3698,7 @@
3666
3698
  }
3667
3699
  }
3668
3700
 
3669
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3701
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3670
3702
 
3671
3703
  /*
3672
3704
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3761,7 +3793,7 @@
3761
3793
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3762
3794
  }
3763
3795
 
3764
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3796
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3765
3797
  /*
3766
3798
  * Copyright (c) Microsoft Corporation. All rights reserved.
3767
3799
  * Licensed under the MIT License.
@@ -3788,7 +3820,7 @@
3788
3820
  }
3789
3821
  }
3790
3822
 
3791
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3823
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3792
3824
  /*
3793
3825
  * Copyright (c) Microsoft Corporation. All rights reserved.
3794
3826
  * Licensed under the MIT License.
@@ -3853,7 +3885,7 @@
3853
3885
  return cachedAtSec > nowSeconds();
3854
3886
  }
3855
3887
 
3856
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3888
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3857
3889
 
3858
3890
  /*
3859
3891
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4112,7 +4144,7 @@
4112
4144
  return metadata.expiresAt <= nowSeconds();
4113
4145
  }
4114
4146
 
4115
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4147
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4116
4148
  /*
4117
4149
  * Copyright (c) Microsoft Corporation. All rights reserved.
4118
4150
  * Licensed under the MIT License.
@@ -4183,7 +4215,7 @@
4183
4215
  const CacheManagerGetRefreshToken = "cacheManagerGetRefreshToken";
4184
4216
  const SetUserData = "setUserData";
4185
4217
 
4186
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4218
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4187
4219
  /*
4188
4220
  * Copyright (c) Microsoft Corporation. All rights reserved.
4189
4221
  * Licensed under the MIT License.
@@ -4276,7 +4308,7 @@
4276
4308
  };
4277
4309
  };
4278
4310
 
4279
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4311
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4280
4312
 
4281
4313
  /*
4282
4314
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4356,7 +4388,7 @@
4356
4388
  }
4357
4389
  }
4358
4390
 
4359
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4391
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4360
4392
  /*
4361
4393
  * Copyright (c) Microsoft Corporation. All rights reserved.
4362
4394
  * Licensed under the MIT License.
@@ -4380,7 +4412,7 @@
4380
4412
  * MSAL-defined error code indicating UI/UX is not allowed (e.g., blocked by policy), requiring alternate interaction.
4381
4413
  * @public
4382
4414
  */
4383
- const uxNotAllowed = "ux_not_allowed";
4415
+ const uiNotAllowed = "ui_not_allowed";
4384
4416
  /**
4385
4417
  * Server-originated error code indicating interaction is required to complete the request.
4386
4418
  * @public
@@ -4417,10 +4449,10 @@
4417
4449
  nativeAccountUnavailable: nativeAccountUnavailable,
4418
4450
  noTokensFound: noTokensFound,
4419
4451
  refreshTokenExpired: refreshTokenExpired,
4420
- uxNotAllowed: uxNotAllowed
4452
+ uiNotAllowed: uiNotAllowed
4421
4453
  });
4422
4454
 
4423
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4455
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4424
4456
 
4425
4457
  /*
4426
4458
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4434,7 +4466,7 @@
4434
4466
  consentRequired,
4435
4467
  loginRequired,
4436
4468
  badToken,
4437
- uxNotAllowed,
4469
+ uiNotAllowed,
4438
4470
  interruptedUser,
4439
4471
  ];
4440
4472
  const InteractionRequiredAuthSubErrorMessage = [
@@ -4444,7 +4476,7 @@
4444
4476
  "user_password_expired",
4445
4477
  "consent_required",
4446
4478
  "bad_token",
4447
- "ux_not_allowed",
4479
+ "ui_not_allowed",
4448
4480
  "interrupted_user",
4449
4481
  ];
4450
4482
  /**
@@ -4488,7 +4520,7 @@
4488
4520
  return new InteractionRequiredAuthError(errorCode, errorMessage);
4489
4521
  }
4490
4522
 
4491
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4523
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4492
4524
 
4493
4525
  /*
4494
4526
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4507,7 +4539,7 @@
4507
4539
  }
4508
4540
  }
4509
4541
 
4510
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4542
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4511
4543
 
4512
4544
  /*
4513
4545
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4575,7 +4607,7 @@
4575
4607
  }
4576
4608
  }
4577
4609
 
4578
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4610
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4579
4611
 
4580
4612
  /*
4581
4613
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4923,7 +4955,7 @@
4923
4955
  return baseAccount;
4924
4956
  }
4925
4957
 
4926
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4958
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4927
4959
  /*
4928
4960
  * Copyright (c) Microsoft Corporation. All rights reserved.
4929
4961
  * Licensed under the MIT License.
@@ -4933,7 +4965,7 @@
4933
4965
  UPN: "UPN",
4934
4966
  };
4935
4967
 
4936
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4968
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4937
4969
  /*
4938
4970
  * Copyright (c) Microsoft Corporation. All rights reserved.
4939
4971
  * Licensed under the MIT License.
@@ -4951,7 +4983,7 @@
4951
4983
  }
4952
4984
  }
4953
4985
 
4954
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4986
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4955
4987
  /*
4956
4988
  * Copyright (c) Microsoft Corporation. All rights reserved.
4957
4989
  * Licensed under the MIT License.
@@ -4972,7 +5004,7 @@
4972
5004
  };
4973
5005
  }
4974
5006
 
4975
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5007
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4976
5008
 
4977
5009
  /*
4978
5010
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5058,7 +5090,7 @@
5058
5090
  }
5059
5091
  }
5060
5092
 
5061
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5093
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5062
5094
 
5063
5095
  /*
5064
5096
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5089,7 +5121,7 @@
5089
5121
  return new NetworkError(error, httpStatus, responseHeaders);
5090
5122
  }
5091
5123
 
5092
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5124
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5093
5125
 
5094
5126
  /*
5095
5127
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5203,7 +5235,7 @@
5203
5235
  return response;
5204
5236
  }
5205
5237
 
5206
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5238
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5207
5239
  /*
5208
5240
  * Copyright (c) Microsoft Corporation. All rights reserved.
5209
5241
  * Licensed under the MIT License.
@@ -5215,7 +5247,7 @@
5215
5247
  response.hasOwnProperty("jwks_uri"));
5216
5248
  }
5217
5249
 
5218
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5250
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5219
5251
  /*
5220
5252
  * Copyright (c) Microsoft Corporation. All rights reserved.
5221
5253
  * Licensed under the MIT License.
@@ -5225,7 +5257,7 @@
5225
5257
  response.hasOwnProperty("metadata"));
5226
5258
  }
5227
5259
 
5228
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5260
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5229
5261
  /*
5230
5262
  * Copyright (c) Microsoft Corporation. All rights reserved.
5231
5263
  * Licensed under the MIT License.
@@ -5235,7 +5267,7 @@
5235
5267
  response.hasOwnProperty("error_description"));
5236
5268
  }
5237
5269
 
5238
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5270
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5239
5271
 
5240
5272
  /*
5241
5273
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5340,7 +5372,7 @@
5340
5372
  },
5341
5373
  };
5342
5374
 
5343
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5375
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5344
5376
 
5345
5377
  /*
5346
5378
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5897,7 +5929,7 @@
5897
5929
  }
5898
5930
  }
5899
5931
  // If cloudDiscoveryMetadata is empty or does not contain the host, check knownAuthorities
5900
- if (this.isInKnownAuthorities()) {
5932
+ if (this.isInKnownAuthorities(this.hostnameAndPort)) {
5901
5933
  this.logger.verbose("0mt9al", this.correlationId);
5902
5934
  return Authority.createCloudDiscoveryMetadataFromHost(this.hostnameAndPort);
5903
5935
  }
@@ -5964,13 +5996,14 @@
5964
5996
  return match;
5965
5997
  }
5966
5998
  /**
5967
- * Helper function to determine if this host is included in the knownAuthorities config option
5999
+ * Helper function to determine if a host is included in the knownAuthorities config option.
5968
6000
  */
5969
- isInKnownAuthorities() {
6001
+ isInKnownAuthorities(host) {
6002
+ const normalizedHost = host.toLowerCase();
5970
6003
  const matches = this.authorityOptions.knownAuthorities.filter((authority) => {
5971
6004
  return (authority &&
5972
6005
  UrlString.getDomainFromUrl(authority).toLowerCase() ===
5973
- this.hostnameAndPort);
6006
+ normalizedHost);
5974
6007
  });
5975
6008
  return matches.length > 0;
5976
6009
  }
@@ -6047,6 +6080,10 @@
6047
6080
  * 4. Same as (2), but the issuer host matches the CIAM tenant pattern
6048
6081
  * `{tenant}.ciamlogin.com` with an optional `/{tenant}[.onmicrosoft.com][/v2.0]`
6049
6082
  * path.
6083
+ * 5. The issuer host is HTTPS and is explicitly listed in the
6084
+ * developer-configured `knownAuthorities`. This covers scenarios where
6085
+ * the OIDC discovery document returns an issuer host that differs from
6086
+ * the authority (e.g., a GUID-based issuer for a name-based CIAM authority).
6050
6087
  *
6051
6088
  * @param issuer The `issuer` value returned in the OIDC discovery document.
6052
6089
  * @throws ClientConfigurationError("issuer_validation_failed") on failure.
@@ -6083,11 +6120,19 @@
6083
6120
  * have "{tenant}.ciamlogin.com" as the host, even when using a custom domain.
6084
6121
  */
6085
6122
  const matchesCiamTenantPattern = this.matchesCiamTenantPattern(issuerUrl, authorityHost, this.canonicalAuthorityUrlComponents.PathSegments);
6123
+ /*
6124
+ * Rule 5: The issuer host is explicitly listed in the developer-configured
6125
+ * knownAuthorities. This covers scenarios where the OIDC discovery document
6126
+ * returns an issuer with a different host than the authority
6127
+ * (e.g., a GUID-based issuer for a name-based authority).
6128
+ */
6129
+ const matchesKnownAuthority = issuerScheme === "https:" && this.isInKnownAuthorities(issuerHost);
6086
6130
  // Each rule is an independent boolean; the issuer is valid if ANY rule matches.
6087
6131
  if (matchesAuthorityOrigin ||
6088
6132
  matchesKnownMicrosoftHost ||
6089
6133
  matchesRegionalMicrosoftHost ||
6090
- matchesCiamTenantPattern) {
6134
+ matchesCiamTenantPattern ||
6135
+ matchesKnownAuthority) {
6091
6136
  return;
6092
6137
  }
6093
6138
  // issuer validation fails if none of the above rules are satisfied
@@ -6295,7 +6340,7 @@
6295
6340
  };
6296
6341
  }
6297
6342
 
6298
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6343
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6299
6344
 
6300
6345
  /*
6301
6346
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6329,7 +6374,7 @@
6329
6374
  }
6330
6375
  }
6331
6376
 
6332
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6377
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6333
6378
 
6334
6379
  /*
6335
6380
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6586,7 +6631,7 @@
6586
6631
  }
6587
6632
  }
6588
6633
 
6589
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6634
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6590
6635
 
6591
6636
  /*
6592
6637
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6807,7 +6852,7 @@
6807
6852
  }
6808
6853
  }
6809
6854
 
6810
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6855
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6811
6856
 
6812
6857
  /*
6813
6858
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6923,7 +6968,7 @@
6923
6968
  }
6924
6969
  }
6925
6970
 
6926
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6971
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6927
6972
 
6928
6973
  /*
6929
6974
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6938,7 +6983,7 @@
6938
6983
  },
6939
6984
  };
6940
6985
 
6941
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6986
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6942
6987
 
6943
6988
  /*
6944
6989
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7161,7 +7206,7 @@
7161
7206
  return account.loginHint || account.idTokenClaims?.login_hint || null;
7162
7207
  }
7163
7208
 
7164
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7209
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7165
7210
 
7166
7211
  /*
7167
7212
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7194,7 +7239,7 @@
7194
7239
  return Object.prototype.hasOwnProperty.call(params, "resource");
7195
7240
  }
7196
7241
 
7197
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7242
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7198
7243
 
7199
7244
  /*
7200
7245
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7252,7 +7297,7 @@
7252
7297
  }
7253
7298
  }
7254
7299
 
7255
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7300
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7256
7301
  /*
7257
7302
  * Copyright (c) Microsoft Corporation. All rights reserved.
7258
7303
  * Licensed under the MIT License.
@@ -7269,7 +7314,7 @@
7269
7314
  unexpectedError: unexpectedError
7270
7315
  });
7271
7316
 
7272
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7317
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7273
7318
 
7274
7319
  /*
7275
7320
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7380,35 +7425,40 @@
7380
7425
  * @param error
7381
7426
  */
7382
7427
  cacheFailedRequest(error) {
7383
- const lastRequests = this.getLastRequests();
7384
- if (lastRequests.errors.length >=
7385
- SERVER_TELEM_MAX_CACHED_ERRORS) {
7386
- // Remove a cached error to make room, first in first out
7387
- lastRequests.failedRequests.shift(); // apiId
7388
- lastRequests.failedRequests.shift(); // correlationId
7389
- lastRequests.errors.shift();
7390
- }
7391
- lastRequests.failedRequests.push(this.apiId, this.correlationId);
7392
- if (error instanceof Error && !!error && error.toString()) {
7393
- if (error instanceof AuthError) {
7394
- if (error.subError) {
7395
- lastRequests.errors.push(error.subError);
7396
- }
7397
- else if (error.errorCode) {
7398
- lastRequests.errors.push(error.errorCode);
7428
+ try {
7429
+ const lastRequests = this.getLastRequests();
7430
+ if (lastRequests.errors.length >=
7431
+ SERVER_TELEM_MAX_CACHED_ERRORS) {
7432
+ // Remove a cached error to make room, first in first out
7433
+ lastRequests.failedRequests.shift(); // apiId
7434
+ lastRequests.failedRequests.shift(); // correlationId
7435
+ lastRequests.errors.shift();
7436
+ }
7437
+ lastRequests.failedRequests.push(this.apiId, this.correlationId);
7438
+ if (error instanceof Error && !!error && error.toString()) {
7439
+ if (error instanceof AuthError) {
7440
+ if (error.subError) {
7441
+ lastRequests.errors.push(error.subError);
7442
+ }
7443
+ else if (error.errorCode) {
7444
+ lastRequests.errors.push(error.errorCode);
7445
+ }
7446
+ else {
7447
+ lastRequests.errors.push(error.toString());
7448
+ }
7399
7449
  }
7400
7450
  else {
7401
7451
  lastRequests.errors.push(error.toString());
7402
7452
  }
7403
7453
  }
7404
7454
  else {
7405
- lastRequests.errors.push(error.toString());
7455
+ lastRequests.errors.push(SERVER_TELEM_UNKNOWN_ERROR);
7406
7456
  }
7457
+ this.cacheManager.setServerTelemetry(this.telemetryCacheKey, lastRequests, this.correlationId);
7407
7458
  }
7408
- else {
7409
- lastRequests.errors.push(SERVER_TELEM_UNKNOWN_ERROR);
7459
+ catch {
7460
+ // Ignore telemetry cache failures to avoid masking the original auth error path.
7410
7461
  }
7411
- this.cacheManager.setServerTelemetry(this.telemetryCacheKey, lastRequests, this.correlationId);
7412
7462
  return;
7413
7463
  }
7414
7464
  /**
@@ -7528,9 +7578,36 @@
7528
7578
  static makeExtraSkuString(params) {
7529
7579
  return makeExtraSkuString(params);
7530
7580
  }
7581
+ }
7582
+ /** @internal */
7583
+ class StubServerTelemetryManager extends ServerTelemetryManager {
7584
+ constructor() {
7585
+ super({ clientId: "", apiId: 0, correlationId: "", forceRefresh: false }, {});
7586
+ }
7587
+ generateCurrentRequestHeaderValue() {
7588
+ return "";
7589
+ }
7590
+ generateLastRequestHeaderValue() {
7591
+ return "";
7592
+ }
7593
+ cacheFailedRequest() { }
7594
+ incrementCacheHits() {
7595
+ return 0;
7596
+ }
7597
+ clearTelemetryCache() { }
7598
+ getRegionDiscoveryFields() {
7599
+ return "";
7600
+ }
7601
+ updateRegionDiscoveryMetadata() { }
7602
+ setCacheOutcome() { }
7603
+ setNativeBrokerErrorCode() { }
7604
+ getNativeBrokerErrorCode() {
7605
+ return undefined;
7606
+ }
7607
+ clearNativeBrokerErrorCode() { }
7531
7608
  }
7532
7609
 
7533
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7610
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7534
7611
 
7535
7612
  /*
7536
7613
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7551,7 +7628,7 @@
7551
7628
  return new JoseHeaderError(code);
7552
7629
  }
7553
7630
 
7554
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7631
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7555
7632
  /*
7556
7633
  * Copyright (c) Microsoft Corporation. All rights reserved.
7557
7634
  * Licensed under the MIT License.
@@ -7559,7 +7636,7 @@
7559
7636
  const missingKidError = "missing_kid_error";
7560
7637
  const missingAlgError = "missing_alg_error";
7561
7638
 
7562
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7639
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7563
7640
 
7564
7641
  /*
7565
7642
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7599,7 +7676,7 @@
7599
7676
  }
7600
7677
  }
7601
7678
 
7602
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7679
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7603
7680
 
7604
7681
  /*
7605
7682
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8212,7 +8289,6 @@
8212
8289
  */
8213
8290
  const SilentHandlerInitiateAuthRequest = "silentHandlerInitiateAuthRequest";
8214
8291
  const SilentHandlerMonitorIframeForHash = "silentHandlerMonitorIframeForHash";
8215
- const SilentHandlerLoadFrameSync = "silentHandlerLoadFrameSync";
8216
8292
  /**
8217
8293
  * Helper functions in StandardInteractionClient class (msal-browser)
8218
8294
  */
@@ -8394,6 +8470,43 @@
8394
8470
  return new BrowserAuthError(errorCode, subError);
8395
8471
  }
8396
8472
 
8473
+ /*
8474
+ * Copyright (c) Microsoft Corporation. All rights reserved.
8475
+ * Licensed under the MIT License.
8476
+ */
8477
+ /**
8478
+ * Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details:
8479
+ * https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
8480
+ */
8481
+ /**
8482
+ * Returns a URL-safe plaintext decoded string from b64 encoded input.
8483
+ * @param input
8484
+ */
8485
+ function base64Decode(input) {
8486
+ return new TextDecoder().decode(base64DecToArr(input));
8487
+ }
8488
+ /**
8489
+ * Decodes base64 into Uint8Array
8490
+ * @param base64String
8491
+ */
8492
+ function base64DecToArr(base64String) {
8493
+ let encodedString = base64String.replace(/-/g, "+").replace(/_/g, "/");
8494
+ switch (encodedString.length % 4) {
8495
+ case 0:
8496
+ break;
8497
+ case 2:
8498
+ encodedString += "==";
8499
+ break;
8500
+ case 3:
8501
+ encodedString += "=";
8502
+ break;
8503
+ default:
8504
+ throw createBrowserAuthError(invalidBase64String);
8505
+ }
8506
+ const binString = atob(encodedString);
8507
+ return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
8508
+ }
8509
+
8397
8510
  /*
8398
8511
  * Copyright (c) Microsoft Corporation. All rights reserved.
8399
8512
  * Licensed under the MIT License.
@@ -8653,43 +8766,6 @@
8653
8766
  return btoa(binString);
8654
8767
  }
8655
8768
 
8656
- /*
8657
- * Copyright (c) Microsoft Corporation. All rights reserved.
8658
- * Licensed under the MIT License.
8659
- */
8660
- /**
8661
- * Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details:
8662
- * https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
8663
- */
8664
- /**
8665
- * Returns a URL-safe plaintext decoded string from b64 encoded input.
8666
- * @param input
8667
- */
8668
- function base64Decode(input) {
8669
- return new TextDecoder().decode(base64DecToArr(input));
8670
- }
8671
- /**
8672
- * Decodes base64 into Uint8Array
8673
- * @param base64String
8674
- */
8675
- function base64DecToArr(base64String) {
8676
- let encodedString = base64String.replace(/-/g, "+").replace(/_/g, "/");
8677
- switch (encodedString.length % 4) {
8678
- case 0:
8679
- break;
8680
- case 2:
8681
- encodedString += "==";
8682
- break;
8683
- case 3:
8684
- encodedString += "=";
8685
- break;
8686
- default:
8687
- throw createBrowserAuthError(invalidBase64String);
8688
- }
8689
- const binString = atob(encodedString);
8690
- return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
8691
- }
8692
-
8693
8769
  /*
8694
8770
  * Copyright (c) Microsoft Corporation. All rights reserved.
8695
8771
  * Licensed under the MIT License.
@@ -9108,6 +9184,16 @@
9108
9184
  contentWindow.history.replaceState(null, "", `${contentWindow.location.origin}${contentWindow.location.pathname}${contentWindow.location.search}`);
9109
9185
  }
9110
9186
  }
9187
+ /**
9188
+ * Strips both hash and query string from the given window's URL by replacing
9189
+ * with origin + pathname only. Used to remove auth response parameters
9190
+ * (auth code, state, etc.) before the window is closed or navigated away.
9191
+ */
9192
+ function clearAuthResponseFromUrl(contentWindow) {
9193
+ if (typeof contentWindow.history?.replaceState === "function") {
9194
+ contentWindow.history.replaceState(null, "", `${contentWindow.location.origin}${contentWindow.location.pathname}`);
9195
+ }
9196
+ }
9111
9197
  /**
9112
9198
  * Replaces current hash with hash from provided url
9113
9199
  */
@@ -9166,7 +9252,7 @@
9166
9252
  activeBridgeMonitor = null;
9167
9253
  }
9168
9254
  }
9169
- async function waitForBridgeResponse(timeoutMs, logger, browserCrypto, request, performanceClient, experimentalConfig) {
9255
+ async function waitForBridgeResponse(timeoutMs, logger, request, performanceClient, experimentalConfig) {
9170
9256
  return new Promise((resolve, reject) => {
9171
9257
  logger.verbose("1rf6em", request.correlationId);
9172
9258
  const correlationId = request.correlationId;
@@ -9174,7 +9260,7 @@
9174
9260
  redirectBridgeTimeoutMs: timeoutMs,
9175
9261
  lateResponseExperimentEnabled: experimentalConfig?.iframeTimeoutTelemetry || false,
9176
9262
  }, correlationId);
9177
- const { libraryState } = parseRequestState(browserCrypto.base64Decode, request.state || "");
9263
+ const { libraryState } = parseRequestState(base64Decode, request.state || "");
9178
9264
  const channel = new BroadcastChannel(libraryState.id);
9179
9265
  let responseString = undefined;
9180
9266
  let timedOut$1 = false;
@@ -9362,6 +9448,7 @@
9362
9448
  blockRedirectInIframe: blockRedirectInIframe,
9363
9449
  blockReloadInHiddenIframes: blockReloadInHiddenIframes,
9364
9450
  cancelPendingBridgeResponse: cancelPendingBridgeResponse,
9451
+ clearAuthResponseFromUrl: clearAuthResponseFromUrl,
9365
9452
  clearHash: clearHash,
9366
9453
  createGuid: createGuid,
9367
9454
  getCurrentUri: getCurrentUri,
@@ -10536,7 +10623,7 @@
10536
10623
 
10537
10624
  /* eslint-disable header/header */
10538
10625
  const name = "@azure/msal-browser";
10539
- const version = "5.11.0";
10626
+ const version = "5.13.0";
10540
10627
 
10541
10628
  /*
10542
10629
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -10558,6 +10645,15 @@
10558
10645
  * Copyright (c) Microsoft Corporation. All rights reserved.
10559
10646
  * Licensed under the MIT License.
10560
10647
  */
10648
+ /**
10649
+ * Reason an old-schema cache entry was removed during migration.
10650
+ */
10651
+ const MigrationRemovalReason = {
10652
+ Invalid: "invalid",
10653
+ TtlExpired: "ttlExpired",
10654
+ DecryptFailed: "decryptFailed",
10655
+ Expired: "expired",
10656
+ };
10561
10657
  /**
10562
10658
  * This class implements the cache storage interface for MSAL through browser local or session storage.
10563
10659
  */
@@ -10627,7 +10723,10 @@
10627
10723
  const parsedValue = this.validateAndParseJson(rawValue || "");
10628
10724
  if (!parsedValue) {
10629
10725
  this.browserStorage.removeItem(key);
10630
- return null;
10726
+ return {
10727
+ entry: null,
10728
+ removalReason: MigrationRemovalReason.Invalid,
10729
+ };
10631
10730
  }
10632
10731
  if (!parsedValue.lastUpdatedAt) {
10633
10732
  // Add lastUpdatedAt to the existing v0 entry if it doesnt exist so we know when it's safe to remove it
@@ -10636,25 +10735,42 @@
10636
10735
  }
10637
10736
  else if (isCacheExpired(parsedValue.lastUpdatedAt, this.cacheConfig.cacheRetentionDays)) {
10638
10737
  this.browserStorage.removeItem(key);
10639
- this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
10640
- return null;
10738
+ return {
10739
+ entry: null,
10740
+ removalReason: MigrationRemovalReason.TtlExpired,
10741
+ };
10641
10742
  }
10642
- const decryptedData = isEncrypted(parsedValue)
10743
+ const wasEncrypted = isEncrypted(parsedValue);
10744
+ const decryptedData = wasEncrypted
10643
10745
  ? await this.browserStorage.decryptData(key, parsedValue, correlationId)
10644
10746
  : parsedValue;
10645
- if (!decryptedData || !isCredentialEntity(decryptedData)) {
10646
- this.performanceClient.incrementFields({ invalidCacheCount: 1 }, correlationId);
10647
- return null;
10747
+ if (!decryptedData) {
10748
+ this.browserStorage.removeItem(key);
10749
+ return {
10750
+ entry: null,
10751
+ removalReason: wasEncrypted
10752
+ ? MigrationRemovalReason.DecryptFailed
10753
+ : MigrationRemovalReason.Invalid,
10754
+ };
10755
+ }
10756
+ if (!isCredentialEntity(decryptedData)) {
10757
+ this.browserStorage.removeItem(key);
10758
+ return {
10759
+ entry: null,
10760
+ removalReason: MigrationRemovalReason.Invalid,
10761
+ };
10648
10762
  }
10649
10763
  if ((isAccessTokenEntity(decryptedData) ||
10650
10764
  isRefreshTokenEntity(decryptedData)) &&
10651
10765
  decryptedData.expiresOn &&
10652
10766
  isTokenExpired(decryptedData.expiresOn, DEFAULT_TOKEN_RENEWAL_OFFSET_SEC)) {
10653
10767
  this.browserStorage.removeItem(key);
10654
- this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
10655
- return null;
10768
+ return {
10769
+ entry: null,
10770
+ removalReason: MigrationRemovalReason.Expired,
10771
+ };
10656
10772
  }
10657
- return decryptedData;
10773
+ return { entry: decryptedData };
10658
10774
  }
10659
10775
  /**
10660
10776
  * Remove accounts from the cache for older schema versions if they have not been updated in the last cacheRetentionDays
@@ -10673,6 +10789,8 @@
10673
10789
  const rawValue = this.browserStorage.getItem(accountKey);
10674
10790
  const parsedValue = this.validateAndParseJson(rawValue || "");
10675
10791
  if (!parsedValue) {
10792
+ this.browserStorage.removeItem(accountKey);
10793
+ this.performanceClient.incrementFields({ invalidAcntCount: 1 }, correlationId);
10676
10794
  removeElementFromArray(accountKeysToCheck, accountKey);
10677
10795
  continue;
10678
10796
  }
@@ -10685,8 +10803,20 @@
10685
10803
  else if (isCacheExpired(parsedValue.lastUpdatedAt, this.cacheConfig.cacheRetentionDays)) {
10686
10804
  // Cache expired remove account and associated tokens
10687
10805
  await this.removeAccountOldSchema(accountKey, parsedValue, credentialSchema, correlationId);
10806
+ this.performanceClient.incrementFields({ ttlExpiredAcntCount: 1 }, correlationId);
10688
10807
  removeElementFromArray(accountKeysToCheck, accountKey);
10689
10808
  }
10809
+ else if (isEncrypted(parsedValue)) {
10810
+ // Remove accounts encrypted with a different key (session cookie expired/changed)
10811
+ const decrypted = await this.browserStorage.decryptData(accountKey, parsedValue, correlationId);
10812
+ if (!decrypted) {
10813
+ this.browserStorage.removeItem(accountKey);
10814
+ this.performanceClient.incrementFields({
10815
+ decryptFailedAcntCount: 1,
10816
+ }, correlationId);
10817
+ removeElementFromArray(accountKeysToCheck, accountKey);
10818
+ }
10819
+ }
10690
10820
  }
10691
10821
  this.setAccountKeys(accountKeysToCheck, correlationId, accountSchema);
10692
10822
  }
@@ -10724,7 +10854,6 @@
10724
10854
  });
10725
10855
  this.setTokenKeys(tokenKeys, correlationId, credentialSchema);
10726
10856
  }
10727
- this.performanceClient.incrementFields({ expiredAcntRemovedCount: 1 }, correlationId);
10728
10857
  this.browserStorage.removeItem(accountKey);
10729
10858
  }
10730
10859
  /**
@@ -10763,8 +10892,20 @@
10763
10892
  const previousAccountKeys = getAccountKeys(this.browserStorage, accountSchema);
10764
10893
  for (const idTokenKey of [...credentialKeysToMigrate.idToken]) {
10765
10894
  this.performanceClient.incrementFields({ oldITCount: 1 }, correlationId);
10766
- const oldSchemaData = (await this.updateOldEntry(idTokenKey, correlationId));
10895
+ const result = await this.updateOldEntry(idTokenKey, correlationId);
10896
+ const oldSchemaData = result.entry;
10767
10897
  if (!oldSchemaData) {
10898
+ switch (result.removalReason) {
10899
+ case MigrationRemovalReason.TtlExpired:
10900
+ this.performanceClient.incrementFields({ ttlExpiredITCount: 1 }, correlationId);
10901
+ break;
10902
+ case MigrationRemovalReason.DecryptFailed:
10903
+ this.performanceClient.incrementFields({ decryptFailedITCount: 1 }, correlationId);
10904
+ break;
10905
+ case MigrationRemovalReason.Invalid:
10906
+ this.performanceClient.incrementFields({ invalidITCount: 1 }, correlationId);
10907
+ break;
10908
+ }
10768
10909
  removeElementFromArray(credentialKeysToMigrate.idToken, idTokenKey);
10769
10910
  continue;
10770
10911
  }
@@ -10843,8 +10984,23 @@
10843
10984
  const currentCredentialKeys = getTokenKeys(this.clientId, this.browserStorage, CREDENTIAL_SCHEMA_VERSION);
10844
10985
  for (const accessTokenKey of [...credentialKeysToMigrate.accessToken]) {
10845
10986
  this.performanceClient.incrementFields({ oldATCount: 1 }, correlationId);
10846
- const oldSchemaData = (await this.updateOldEntry(accessTokenKey, correlationId));
10987
+ const result = await this.updateOldEntry(accessTokenKey, correlationId);
10988
+ const oldSchemaData = result.entry;
10847
10989
  if (!oldSchemaData) {
10990
+ switch (result.removalReason) {
10991
+ case MigrationRemovalReason.TtlExpired:
10992
+ this.performanceClient.incrementFields({ ttlExpiredATCount: 1 }, correlationId);
10993
+ break;
10994
+ case MigrationRemovalReason.DecryptFailed:
10995
+ this.performanceClient.incrementFields({ decryptFailedATCount: 1 }, correlationId);
10996
+ break;
10997
+ case MigrationRemovalReason.Expired:
10998
+ this.performanceClient.incrementFields({ expiredATCount: 1 }, correlationId);
10999
+ break;
11000
+ case MigrationRemovalReason.Invalid:
11001
+ this.performanceClient.incrementFields({ invalidATCount: 1 }, correlationId);
11002
+ break;
11003
+ }
10848
11004
  removeElementFromArray(credentialKeysToMigrate.accessToken, accessTokenKey);
10849
11005
  continue;
10850
11006
  }
@@ -10890,8 +11046,23 @@
10890
11046
  ...credentialKeysToMigrate.refreshToken,
10891
11047
  ]) {
10892
11048
  this.performanceClient.incrementFields({ oldRTCount: 1 }, correlationId);
10893
- const oldSchemaData = (await this.updateOldEntry(refreshTokenKey, correlationId));
11049
+ const result = await this.updateOldEntry(refreshTokenKey, correlationId);
11050
+ const oldSchemaData = result.entry;
10894
11051
  if (!oldSchemaData) {
11052
+ switch (result.removalReason) {
11053
+ case MigrationRemovalReason.TtlExpired:
11054
+ this.performanceClient.incrementFields({ ttlExpiredRTCount: 1 }, correlationId);
11055
+ break;
11056
+ case MigrationRemovalReason.DecryptFailed:
11057
+ this.performanceClient.incrementFields({ decryptFailedRTCount: 1 }, correlationId);
11058
+ break;
11059
+ case MigrationRemovalReason.Expired:
11060
+ this.performanceClient.incrementFields({ expiredRTCount: 1 }, correlationId);
11061
+ break;
11062
+ case MigrationRemovalReason.Invalid:
11063
+ this.performanceClient.incrementFields({ invalidRTCount: 1 }, correlationId);
11064
+ break;
11065
+ }
10895
11066
  removeElementFromArray(credentialKeysToMigrate.refreshToken, refreshTokenKey);
10896
11067
  continue;
10897
11068
  }
@@ -12091,10 +12262,15 @@
12091
12262
  * @param browserStorage - Browser cache manager instance for storing telemetry data
12092
12263
  * @param logger - Optional logger instance for verbose logging
12093
12264
  * @param forceRefresh - Optional flag to force refresh of telemetry data
12265
+ * @param enabled - Optional flag to enable or disable server telemetry (default: true for custom_auth flows, false for standard flows)
12094
12266
  * @returns Configured ServerTelemetryManager instance
12095
12267
  */
12096
- function initializeServerTelemetryManager(apiId, clientId, correlationId, browserStorage, logger, forceRefresh) {
12268
+ function initializeServerTelemetryManager(apiId, clientId, correlationId, browserStorage, logger, forceRefresh, enabled = true) {
12097
12269
  logger.verbose("1p12tq", correlationId);
12270
+ if (!enabled) {
12271
+ logger.verbose("0tajnr", correlationId);
12272
+ return new StubServerTelemetryManager();
12273
+ }
12098
12274
  const telemetryPayload = {
12099
12275
  clientId: clientId,
12100
12276
  correlationId: correlationId,
@@ -12630,7 +12806,7 @@
12630
12806
  const NO_NETWORK = "NO_NETWORK";
12631
12807
  const DISABLED = "DISABLED";
12632
12808
  const ACCOUNT_UNAVAILABLE = "ACCOUNT_UNAVAILABLE";
12633
- const UX_NOT_ALLOWED = "UX_NOT_ALLOWED";
12809
+ const UI_NOT_ALLOWED = "UI_NOT_ALLOWED";
12634
12810
 
12635
12811
  /*
12636
12812
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -12685,8 +12861,8 @@
12685
12861
  return createBrowserAuthError(userCancelled);
12686
12862
  case NO_NETWORK:
12687
12863
  return createBrowserAuthError(noNetworkConnectivity);
12688
- case UX_NOT_ALLOWED:
12689
- return createInteractionRequiredAuthError(uxNotAllowed);
12864
+ case UI_NOT_ALLOWED:
12865
+ return createInteractionRequiredAuthError(uiNotAllowed);
12690
12866
  }
12691
12867
  }
12692
12868
  return new NativeAuthError(code, description, ext);
@@ -12703,7 +12879,7 @@
12703
12879
  */
12704
12880
  async acquireToken(silentRequest) {
12705
12881
  // Telemetry manager only used to increment cacheHits here
12706
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenSilent_silentFlow, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
12882
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenSilent_silentFlow, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
12707
12883
  const clientConfig = await invokeAsync(this.getClientConfiguration.bind(this), StandardInteractionClientGetClientConfiguration, this.logger, this.performanceClient, this.correlationId)({
12708
12884
  serverTelemetryManager,
12709
12885
  requestAuthority: silentRequest.authority,
@@ -12779,7 +12955,7 @@
12779
12955
  // start the perf measurement
12780
12956
  const nativeATMeasurement = this.performanceClient.startMeasurement(NativeInteractionClientAcquireToken, this.correlationId);
12781
12957
  const reqTimestamp = nowSeconds();
12782
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
12958
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
12783
12959
  try {
12784
12960
  // initialize native request
12785
12961
  const nativeRequest = await this.initializePlatformRequest(request);
@@ -12903,7 +13079,7 @@
12903
13079
  catch (e) {
12904
13080
  // Only throw fatal errors here to allow application to fallback to regular redirect. Otherwise proceed and the error will be thrown in handleRedirectPromise
12905
13081
  if (e instanceof NativeAuthError) {
12906
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
13082
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
12907
13083
  serverTelemetryManager.setNativeBrokerErrorCode(e.errorCode);
12908
13084
  if (isFatalNativeAuthError(e)) {
12909
13085
  throw e;
@@ -12917,7 +13093,7 @@
12917
13093
  noHistory: false,
12918
13094
  };
12919
13095
  const redirectUri = navigateToLoginRequestUrl
12920
- ? window.location.href
13096
+ ? UrlString.getAbsoluteUrl(request.redirectStartPage || window.location.href, getCurrentUri())
12921
13097
  : getRedirectUri(request.redirectUri, this.config.auth.redirectUri, this.logger, this.correlationId);
12922
13098
  rootMeasurement.end({ success: true });
12923
13099
  await this.navigationClient.navigateExternal(redirectUri, navigationOptions); // Need to treat this as external to ensure handleRedirectPromise is run again
@@ -12950,7 +13126,7 @@
12950
13126
  this.logger.verbose("003x5a", this.correlationId);
12951
13127
  const response = await this.platformAuthProvider.sendMessage(request);
12952
13128
  const authResult = await this.handleNativeResponse(response, request, reqTimestamp);
12953
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
13129
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
12954
13130
  serverTelemetryManager.clearNativeBrokerErrorCode();
12955
13131
  this.performanceClient?.addFields({ isNativeBroker: true }, this.correlationId);
12956
13132
  return authResult;
@@ -13957,6 +14133,7 @@
13957
14133
  nativeBrokerHandshakeTimeout: userInputSystem?.nativeBrokerHandshakeTimeout ||
13958
14134
  DEFAULT_NATIVE_BROKER_HANDSHAKE_TIMEOUT_MS,
13959
14135
  protocolMode: ProtocolMode.AAD,
14136
+ serverTelemetryEnabled: false,
13960
14137
  };
13961
14138
  const providedSystemOptions = {
13962
14139
  ...DEFAULT_BROWSER_SYSTEM_OPTIONS,
@@ -14503,10 +14680,11 @@
14503
14680
  * Licensed under the MIT License.
14504
14681
  */
14505
14682
  class PopupClient extends StandardInteractionClient {
14506
- constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, nativeStorageImpl, correlationId, platformAuthHandler) {
14683
+ constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, nativeStorageImpl, correlationId, platformAuthHandler, waitForPopupResponseHook) {
14507
14684
  super(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, correlationId, platformAuthHandler);
14508
14685
  this.nativeStorage = nativeStorageImpl;
14509
14686
  this.eventHandler = eventHandler;
14687
+ this.waitForPopupResponseHook = waitForPopupResponseHook;
14510
14688
  }
14511
14689
  /**
14512
14690
  * Acquires tokens by opening a popup window to the /authorize endpoint of the authority
@@ -14614,7 +14792,7 @@
14614
14792
  */
14615
14793
  async executeCodeFlow(request, popupParams, pkceCodes) {
14616
14794
  const correlationId = request.correlationId;
14617
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenPopup, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
14795
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenPopup, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
14618
14796
  const pkce = pkceCodes ||
14619
14797
  (await invokeAsync(generatePkceCodes, GeneratePkceCodes, this.logger, this.performanceClient, correlationId)(this.performanceClient, this.logger, correlationId));
14620
14798
  const popupRequest = {
@@ -14640,7 +14818,7 @@
14640
14818
  const popupWindow = this.initiateAuthRequest(navigateUrl, popupParams);
14641
14819
  this.eventHandler.emitEvent(EventType.POPUP_OPENED, correlationId, exports.InteractionType.Popup, { popupWindow }, null);
14642
14820
  // Wait for the redirect bridge response
14643
- const responseString = await waitForBridgeResponse(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient);
14821
+ const responseString = await this.waitForPopupResponse(request, popupWindow, popupParams.popupWindowParent);
14644
14822
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.responseMode, this.logger, this.correlationId);
14645
14823
  return await invokeAsync(handleResponseCode, HandleResponseCode, this.logger, this.performanceClient, correlationId)(request, serverParams, pkce.verifier, ApiId.acquireTokenPopup, this.config, authClient, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
14646
14824
  }
@@ -14675,11 +14853,11 @@
14675
14853
  const form = await getEARForm(popupWindow.document, this.config, discoveredAuthority, popupRequest, this.logger, this.performanceClient);
14676
14854
  form.submit();
14677
14855
  // Monitor the popup for the hash. Return the string value and close the popup when the hash is received. Default timeout is 60 seconds.
14678
- const responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, popupRequest, this.performanceClient);
14856
+ const responseString = await invokeAsync(this.waitForPopupResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(popupRequest, popupWindow, popupParams.popupWindowParent);
14679
14857
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.responseMode, this.logger, this.correlationId);
14680
14858
  if (!serverParams.ear_jwe && serverParams.code) {
14681
14859
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, correlationId)({
14682
- serverTelemetryManager: initializeServerTelemetryManager(ApiId.acquireTokenPopup, this.config.auth.clientId, correlationId, this.browserStorage, this.logger),
14860
+ serverTelemetryManager: initializeServerTelemetryManager(ApiId.acquireTokenPopup, this.config.auth.clientId, correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled),
14683
14861
  requestAuthority: request.authority,
14684
14862
  requestAzureCloudOptions: request.azureCloudOptions,
14685
14863
  requestExtraQueryParameters: request.extraQueryParameters,
@@ -14700,7 +14878,7 @@
14700
14878
  const form = await getCodeForm(popupWindow.document, this.config, discoveredAuthority, request, this.logger, this.performanceClient);
14701
14879
  form.submit();
14702
14880
  // Monitor the popup for the hash. Return the string value and close the popup when the hash is received. Default timeout is 60 seconds.
14703
- const responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient);
14881
+ const responseString = await invokeAsync(this.waitForPopupResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(request, popupWindow, popupParams.popupWindowParent);
14704
14882
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.responseMode, this.logger, this.correlationId);
14705
14883
  return invokeAsync(handleResponseCode, HandleResponseCode, this.logger, this.performanceClient, correlationId)(request, serverParams, pkceVerifier, ApiId.acquireTokenPopup, this.config, authClient, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
14706
14884
  }
@@ -14716,7 +14894,7 @@
14716
14894
  async logoutPopupAsync(validRequest, popupParams, requestAuthority, mainWindowRedirectUri) {
14717
14895
  this.logger.verbose("0b7yrk", this.correlationId);
14718
14896
  this.eventHandler.emitEvent(EventType.LOGOUT_START, this.correlationId, exports.InteractionType.Popup, validRequest);
14719
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.logoutPopup, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
14897
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.logoutPopup, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
14720
14898
  try {
14721
14899
  // Clear cache on logout
14722
14900
  await clearCacheOnLogout(this.browserStorage, this.browserCrypto, this.logger, this.correlationId, validRequest.account);
@@ -14757,7 +14935,7 @@
14757
14935
  // Open the popup window to requestUrl.
14758
14936
  const popupWindow = this.openPopup(logoutUri, popupParams);
14759
14937
  this.eventHandler.emitEvent(EventType.POPUP_OPENED, validRequest.correlationId, exports.InteractionType.Popup, { popupWindow }, null);
14760
- await waitForBridgeResponse(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, validRequest, this.performanceClient).catch(() => {
14938
+ await this.waitForPopupResponse(validRequest, popupWindow, popupParams.popupWindowParent).catch(() => {
14761
14939
  // Swallow any errors related to monitoring the window. Server logout is best effort
14762
14940
  });
14763
14941
  if (mainWindowRedirectUri) {
@@ -14836,6 +15014,19 @@
14836
15014
  if (!popupWindow) {
14837
15015
  throw createBrowserAuthError(emptyWindowError);
14838
15016
  }
15017
+ try {
15018
+ popupWindow.document.title = "Microsoft Authentication";
15019
+ }
15020
+ catch (e) {
15021
+ if (typeof DOMException !== "undefined" &&
15022
+ e instanceof DOMException &&
15023
+ e.name === "SecurityError") {
15024
+ // Cross-origin - title cannot be set
15025
+ }
15026
+ else {
15027
+ this.logger.verbose("1s1yfs", this.correlationId);
15028
+ }
15029
+ }
14839
15030
  if (popupWindow.focus) {
14840
15031
  popupWindow.focus();
14841
15032
  }
@@ -14914,6 +15105,12 @@
14914
15105
  const homeAccountId = request.account && request.account.homeAccountId;
14915
15106
  return `${BrowserConstants.POPUP_NAME_PREFIX}.${this.config.auth.clientId}.${homeAccountId}.${this.correlationId}`;
14916
15107
  }
15108
+ async waitForPopupResponse(request, popupWindow, popupWindowParent) {
15109
+ if (this.waitForPopupResponseHook) {
15110
+ return this.waitForPopupResponseHook(request, popupWindow, popupWindowParent);
15111
+ }
15112
+ return waitForBridgeResponse(this.config.system.popupBridgeTimeout, this.logger, request, this.performanceClient);
15113
+ }
14917
15114
  }
14918
15115
 
14919
15116
  /*
@@ -14981,7 +15178,7 @@
14981
15178
  */
14982
15179
  async executeCodeFlow(request) {
14983
15180
  const correlationId = request.correlationId;
14984
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenRedirect, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
15181
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenRedirect, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
14985
15182
  const pkceCodes = await invokeAsync(generatePkceCodes, GeneratePkceCodes, this.logger, this.performanceClient, correlationId)(this.performanceClient, this.logger, correlationId);
14986
15183
  const redirectRequest = {
14987
15184
  ...request,
@@ -15067,7 +15264,9 @@
15067
15264
  * @param options {HandleRedirectPromiseOptions} options for handling redirect promise
15068
15265
  */
15069
15266
  async handleRedirectPromise(request, pkceVerifier, parentMeasurement, options) {
15070
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.handleRedirectPromise, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
15267
+ const originalTitle = document.title;
15268
+ document.title = "Microsoft Authentication";
15269
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.handleRedirectPromise, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
15071
15270
  const navigateToLoginRequestUrl = options?.navigateToLoginRequestUrl ?? true;
15072
15271
  try {
15073
15272
  const [serverParams, responseString] = this.getRedirectResponse(options?.hash || "");
@@ -15086,8 +15285,8 @@
15086
15285
  }
15087
15286
  // If navigateToLoginRequestUrl is true, get the url where the redirect request was initiated
15088
15287
  const loginRequestUrl = this.browserStorage.getTemporaryCache(TemporaryCacheKeys.ORIGIN_URI, this.correlationId, true) || "";
15089
- const loginRequestUrlNormalized = normalizeUrlForComparison(loginRequestUrl);
15090
- const currentUrlNormalized = normalizeUrlForComparison(window.location.href);
15288
+ const loginRequestUrlNormalized = normalizeUrlForComparison(loginRequestUrl, this.logger, this.correlationId);
15289
+ const currentUrlNormalized = normalizeUrlForComparison(window.location.href, this.logger, this.correlationId);
15091
15290
  if (loginRequestUrlNormalized === currentUrlNormalized &&
15092
15291
  navigateToLoginRequestUrl) {
15093
15292
  // We are on the page we need to navigate to - handle hash
@@ -15120,8 +15319,8 @@
15120
15319
  * The start page is expected to also call handleRedirectPromise which will process the hash in one of the checks above.
15121
15320
  */
15122
15321
  let processHashOnRedirect = true;
15123
- if (!loginRequestUrl || loginRequestUrl === "null") {
15124
- // Redirect to home page if login request url is null (real null or the string null)
15322
+ if (!loginRequestUrl) {
15323
+ // Redirect to home page if login request url is empty
15125
15324
  const homepage = getHomepage();
15126
15325
  // Cache the homepage under ORIGIN_URI to ensure cached hash is processed on homepage
15127
15326
  this.browserStorage.setTemporaryCache(TemporaryCacheKeys.ORIGIN_URI, homepage, true);
@@ -15149,6 +15348,9 @@
15149
15348
  }
15150
15349
  throw e;
15151
15350
  }
15351
+ finally {
15352
+ document.title = originalTitle;
15353
+ }
15152
15354
  }
15153
15355
  /**
15154
15356
  * Gets the response hash for a redirect request
@@ -15264,7 +15466,7 @@
15264
15466
  async logout(logoutRequest) {
15265
15467
  this.logger.verbose("1rkurh", this.correlationId);
15266
15468
  const validLogoutRequest = this.initializeLogoutRequest(logoutRequest);
15267
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.logout, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
15469
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.logout, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
15268
15470
  try {
15269
15471
  this.eventHandler.emitEvent(EventType.LOGOUT_START, this.correlationId, exports.InteractionType.Redirect, logoutRequest);
15270
15472
  // Clear cache on logout
@@ -15345,7 +15547,10 @@
15345
15547
  */
15346
15548
  getRedirectStartPage(requestStartPage) {
15347
15549
  const redirectStartPage = requestStartPage || window.location.href;
15348
- return UrlString.getAbsoluteUrl(redirectStartPage, getCurrentUri());
15550
+ const absoluteRedirectStartPage = UrlString.getAbsoluteUrl(redirectStartPage, getCurrentUri());
15551
+ // Sanity check the URL before it is cached so we never persist a malformed value (e.g. the literal string "null")
15552
+ validateUrl(absoluteRedirectStartPage, this.logger, this.correlationId);
15553
+ return absoluteRedirectStartPage;
15349
15554
  }
15350
15555
  }
15351
15556
 
@@ -15354,20 +15559,20 @@
15354
15559
  * Licensed under the MIT License.
15355
15560
  */
15356
15561
  /**
15357
- * Creates a hidden iframe to given URL using user-requested scopes as an id.
15358
- * @param urlNavigate
15359
- * @param userRequestScopes
15562
+ * Navigates the given hidden iframe to the provided URL.
15563
+ * @param frame
15564
+ * @param requestUrl
15360
15565
  */
15361
- async function initiateCodeRequest(requestUrl, performanceClient, logger, correlationId) {
15566
+ async function initiateCodeRequest(frame, requestUrl, logger, correlationId) {
15362
15567
  if (!requestUrl) {
15363
15568
  // Throw error if request URL is empty.
15364
15569
  logger.info("1l7hyp", correlationId);
15365
15570
  throw createBrowserAuthError(emptyNavigateUri);
15366
15571
  }
15367
- return invoke(loadFrameSync, SilentHandlerLoadFrameSync, logger, performanceClient, correlationId)(requestUrl);
15572
+ frame.src = requestUrl;
15573
+ return frame;
15368
15574
  }
15369
- async function initiateCodeFlowWithPost(config, authority, request, logger, performanceClient) {
15370
- const frame = createHiddenIframe();
15575
+ async function initiateCodeFlowWithPost(frame, config, authority, request, logger, performanceClient) {
15371
15576
  if (!frame.contentDocument) {
15372
15577
  throw "No document associated with iframe!";
15373
15578
  }
@@ -15375,8 +15580,7 @@
15375
15580
  form.submit();
15376
15581
  return frame;
15377
15582
  }
15378
- async function initiateEarRequest(config, authority, request, logger, performanceClient) {
15379
- const frame = createHiddenIframe();
15583
+ async function initiateEarRequest(frame, config, authority, request, logger, performanceClient) {
15380
15584
  if (!frame.contentDocument) {
15381
15585
  throw "No document associated with iframe!";
15382
15586
  }
@@ -15386,24 +15590,14 @@
15386
15590
  }
15387
15591
  /**
15388
15592
  * @hidden
15389
- * Loads the iframe synchronously when the navigateTimeFrame is set to `0`
15390
- * @param urlNavigate
15391
- * @param frameName
15392
- * @param logger
15393
- */
15394
- function loadFrameSync(urlNavigate) {
15395
- const frameHandle = createHiddenIframe();
15396
- frameHandle.src = urlNavigate;
15397
- return frameHandle;
15398
- }
15399
- /**
15400
- * @hidden
15401
- * Creates a new hidden iframe or gets an existing one for silent token renewal.
15593
+ * Creates a new hidden iframe for silent token renewal. Callers navigate it
15594
+ * (set `src` or submit a form) after registering the response listener.
15402
15595
  * @ignore
15403
15596
  */
15404
15597
  function createHiddenIframe() {
15405
15598
  const authFrame = document.createElement("iframe");
15406
15599
  authFrame.className = "msalSilentIframe";
15600
+ authFrame.title = "Microsoft Authentication";
15407
15601
  authFrame.style.visibility = "hidden";
15408
15602
  authFrame.style.position = "absolute";
15409
15603
  authFrame.style.width = authFrame.style.height = "0";
@@ -15429,10 +15623,11 @@
15429
15623
  * Licensed under the MIT License.
15430
15624
  */
15431
15625
  class SilentIframeClient extends StandardInteractionClient {
15432
- constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, apiId, performanceClient, nativeStorageImpl, correlationId, platformAuthProvider) {
15626
+ constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, apiId, performanceClient, nativeStorageImpl, correlationId, platformAuthProvider, waitForIframeResponseHook) {
15433
15627
  super(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, correlationId, platformAuthProvider);
15434
15628
  this.apiId = apiId;
15435
15629
  this.nativeStorage = nativeStorageImpl;
15630
+ this.waitForIframeResponseHook = waitForIframeResponseHook;
15436
15631
  }
15437
15632
  /**
15438
15633
  * Acquires a token silently by opening a hidden iframe to the /authorize endpoint with prompt=none or prompt=no_session
@@ -15475,7 +15670,7 @@
15475
15670
  */
15476
15671
  async executeCodeFlow(request) {
15477
15672
  let authClient;
15478
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
15673
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
15479
15674
  try {
15480
15675
  // Initialize the client
15481
15676
  authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, request.correlationId)({
@@ -15517,11 +15712,22 @@
15517
15712
  earJwk: earJwk,
15518
15713
  codeChallenge: pkceCodes.challenge,
15519
15714
  };
15520
- const iframe = await invokeAsync(initiateEarRequest, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(this.config, discoveredAuthority, silentRequest, this.logger, this.performanceClient);
15715
+ // Create the iframe, register the response listener, then navigate, so the listener is active before the iframe can respond.
15716
+ const iframe = createHiddenIframe();
15521
15717
  const responseType = this.config.auth.OIDCOptions.responseMode;
15522
15718
  let responseString;
15523
15719
  try {
15524
- responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient, this.config.experimental);
15720
+ const responsePromise = invokeAsync(this.waitForIframeResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(iframe, request);
15721
+ responsePromise.catch(() => {
15722
+ /*
15723
+ * If navigation below throws before responsePromise is awaited,
15724
+ * the listener still rejects on timeout. Swallow it here so it
15725
+ * does not surface as an unhandled rejection; the navigation
15726
+ * error is propagated instead.
15727
+ */
15728
+ });
15729
+ await invokeAsync(initiateEarRequest, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(iframe, this.config, discoveredAuthority, silentRequest, this.logger, this.performanceClient);
15730
+ responseString = await responsePromise;
15525
15731
  }
15526
15732
  finally {
15527
15733
  invoke(removeHiddenIframe, RemoveHiddenIframe, this.logger, this.performanceClient, correlationId)(iframe);
@@ -15530,7 +15736,7 @@
15530
15736
  if (!serverParams.ear_jwe && serverParams.code) {
15531
15737
  // If server doesn't support EAR, they may fallback to auth code flow instead
15532
15738
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, correlationId)({
15533
- serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, correlationId, this.browserStorage, this.logger),
15739
+ serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled),
15534
15740
  requestAuthority: request.authority,
15535
15741
  requestAzureCloudOptions: request.azureCloudOptions,
15536
15742
  requestExtraQueryParameters: request.extraQueryParameters,
@@ -15557,7 +15763,7 @@
15557
15763
  // Create silent request
15558
15764
  const silentRequest = await invokeAsync(initializeAuthorizationRequest, StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(inputRequest, exports.InteractionType.Silent, this.config, this.browserCrypto, this.browserStorage, this.logger, this.performanceClient, this.correlationId);
15559
15765
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
15560
- serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger),
15766
+ serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled),
15561
15767
  requestAuthority: silentRequest.authority,
15562
15768
  requestAzureCloudOptions: silentRequest.azureCloudOptions,
15563
15769
  requestExtraQueryParameters: silentRequest.extraQueryParameters,
@@ -15605,21 +15811,32 @@
15605
15811
  ...request,
15606
15812
  codeChallenge: pkceCodes.challenge,
15607
15813
  };
15608
- let iframe;
15609
- if (request.httpMethod === HttpMethod.POST) {
15610
- iframe = await invokeAsync(initiateCodeFlowWithPost, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, silentRequest, this.logger, this.performanceClient);
15611
- }
15612
- else {
15613
- // Create authorize request url
15614
- const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, silentRequest, this.logger, this.performanceClient);
15615
- // Get the frame handle for the silent request
15616
- iframe = await invokeAsync(initiateCodeRequest, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(navigateUrl, this.performanceClient, this.logger, correlationId);
15617
- }
15814
+ // Create the iframe, register the response listener, then navigate, so the listener is active before the iframe can respond.
15815
+ const iframe = createHiddenIframe();
15618
15816
  const responseType = this.config.auth.OIDCOptions.responseMode;
15619
15817
  // Wait for response from the redirect bridge.
15620
15818
  let responseString;
15621
15819
  try {
15622
- responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient, this.config.experimental);
15820
+ const responsePromise = invokeAsync(this.waitForIframeResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(iframe, request);
15821
+ responsePromise.catch(() => {
15822
+ /*
15823
+ * If URL creation or navigation below throws before
15824
+ * responsePromise is awaited, the listener still rejects on
15825
+ * timeout. Swallow it here so it does not surface as an
15826
+ * unhandled rejection; the navigation error is propagated
15827
+ * instead.
15828
+ */
15829
+ });
15830
+ if (request.httpMethod === HttpMethod.POST) {
15831
+ await invokeAsync(initiateCodeFlowWithPost, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(iframe, this.config, authClient.authority, silentRequest, this.logger, this.performanceClient);
15832
+ }
15833
+ else {
15834
+ // Create authorize request url
15835
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, silentRequest, this.logger, this.performanceClient);
15836
+ // Navigate the iframe to the authorize request url
15837
+ await invokeAsync(initiateCodeRequest, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(iframe, navigateUrl, this.logger, correlationId);
15838
+ }
15839
+ responseString = await responsePromise;
15623
15840
  }
15624
15841
  finally {
15625
15842
  invoke(removeHiddenIframe, RemoveHiddenIframe, this.logger, this.performanceClient, correlationId)(iframe);
@@ -15627,6 +15844,12 @@
15627
15844
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, correlationId)(responseString, responseType, this.logger, this.correlationId);
15628
15845
  return { serverParams, pkceCodes, silentRequest };
15629
15846
  }
15847
+ async waitForIframeResponse(iframe, request) {
15848
+ if (this.waitForIframeResponseHook) {
15849
+ return this.waitForIframeResponseHook(iframe, request);
15850
+ }
15851
+ return waitForBridgeResponse(this.config.system.iframeBridgeTimeout, this.logger, request, this.performanceClient, this.config.experimental);
15852
+ }
15630
15853
  }
15631
15854
 
15632
15855
  /*
@@ -15648,7 +15871,7 @@
15648
15871
  // Make sure any passed redirectUri is converted to an absolute URL - redirectUri is not a required parameter for refresh token redemption so only include if explicitly provided
15649
15872
  silentRequest.redirectUri = getRedirectUri(request.redirectUri, this.config.auth.redirectUri, this.logger, this.correlationId);
15650
15873
  }
15651
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenSilent_silentFlow, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
15874
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenSilent_silentFlow, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
15652
15875
  const refreshTokenClient = await this.createRefreshTokenClient({
15653
15876
  serverTelemetryManager,
15654
15877
  authorityUrl: silentRequest.authority,
@@ -15728,7 +15951,7 @@
15728
15951
  * Each auth request creates a new instance of *Client so we can safely use this.correlationId.
15729
15952
  */
15730
15953
  this.correlationId);
15731
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
15954
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
15732
15955
  try {
15733
15956
  // Create auth code request (PKCE not needed)
15734
15957
  const authCodeRequest = {
@@ -16093,6 +16316,8 @@
16093
16316
  // Preflight request
16094
16317
  const correlationId = this.getRequestCorrelationId(request);
16095
16318
  this.logger.verbose("0os66p", correlationId);
16319
+ redirectPreflightCheck(this.initialized, this.config);
16320
+ this.browserStorage.setInteractionInProgress(true, INTERACTION_TYPE.SIGNIN);
16096
16321
  const atrMeasurement = this.performanceClient.startMeasurement(AcquireTokenPreRedirect, correlationId);
16097
16322
  atrMeasurement.add({
16098
16323
  scenarioId: request.scenarioId,
@@ -16110,9 +16335,7 @@
16110
16335
  return navigate;
16111
16336
  };
16112
16337
  try {
16113
- redirectPreflightCheck(this.initialized, this.config);
16114
16338
  enforceResourceParameter(this.config.auth.isMcp, request);
16115
- this.browserStorage.setInteractionInProgress(true, INTERACTION_TYPE.SIGNIN);
16116
16339
  this.eventHandler.emitEvent(EventType.ACQUIRE_TOKEN_START, correlationId, exports.InteractionType.Redirect, request);
16117
16340
  let result;
16118
16341
  if (this.platformAuthProvider &&
@@ -16840,7 +17063,7 @@
16840
17063
  * @param correlationId
16841
17064
  */
16842
17065
  createPopupClient(correlationId) {
16843
- return new PopupClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider);
17066
+ return new PopupClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider, this.operatingContext.getResponseHandlers()?.waitForPopupResponse);
16844
17067
  }
16845
17068
  /**
16846
17069
  * Returns new instance of the Redirect Interaction Client
@@ -16854,7 +17077,7 @@
16854
17077
  * @param correlationId
16855
17078
  */
16856
17079
  createSilentIframeClient(correlationId) {
16857
- return new SilentIframeClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.ssoSilent, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider);
17080
+ return new SilentIframeClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.ssoSilent, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider, this.operatingContext.getResponseHandlers()?.waitForIframeResponse);
16858
17081
  }
16859
17082
  /**
16860
17083
  * Returns new instance of the Silent Cache Interaction Client
@@ -17328,7 +17551,7 @@
17328
17551
  return;
17329
17552
  }
17330
17553
  }
17331
- constructor(config) {
17554
+ constructor(config, responseHandlers) {
17332
17555
  /*
17333
17556
  * If loaded in an environment where window is not available,
17334
17557
  * set internal flag to false so that further requests fail.
@@ -17336,6 +17559,7 @@
17336
17559
  */
17337
17560
  this.browserEnvironment = typeof window !== "undefined";
17338
17561
  this.config = buildConfiguration(config, this.browserEnvironment);
17562
+ this.responseHandlers = responseHandlers;
17339
17563
  let sessionStorage;
17340
17564
  try {
17341
17565
  sessionStorage = window[BrowserCacheLocation.SessionStorage];
@@ -17372,6 +17596,13 @@
17372
17596
  getConfig() {
17373
17597
  return this.config;
17374
17598
  }
17599
+ /**
17600
+ * Returns the internal response handlers supplied by PublicClientApplication, if any.
17601
+ * @returns AuthResponseHandlers | undefined
17602
+ */
17603
+ getResponseHandlers() {
17604
+ return this.responseHandlers;
17605
+ }
17375
17606
  /**
17376
17607
  * Returns the MSAL Logger
17377
17608
  * @returns Logger
@@ -18393,7 +18624,48 @@
18393
18624
  constructor(configuration, controller) {
18394
18625
  this.controller =
18395
18626
  controller ||
18396
- new StandardController(new StandardOperatingContext(configuration));
18627
+ new StandardController(new StandardOperatingContext(configuration, {
18628
+ waitForPopupResponse: this.waitForPopupResponse.bind(this),
18629
+ waitForIframeResponse: this.waitForIframeResponse.bind(this),
18630
+ }));
18631
+ }
18632
+ /**
18633
+ * Waits for the auth response from a popup window opened by MSAL.
18634
+ *
18635
+ * The default implementation delegates to MSAL's `BroadcastChannel`-based bridge.
18636
+ * Subclasses must return the raw response string (hash/query/fragment), or reject
18637
+ * with an `AuthError` on failure.
18638
+ *
18639
+ * @internal
18640
+ * @param request The in-flight authorization or end-session request.
18641
+ * @param popupWindow The popup window opened by MSAL.
18642
+ * @param popupWindowParent The parent window that opened the popup.
18643
+ */
18644
+ async waitForPopupResponse(request,
18645
+ // eslint-disable-next-line @typescript-eslint/no-unused-vars
18646
+ popupWindow,
18647
+ // eslint-disable-next-line @typescript-eslint/no-unused-vars
18648
+ popupWindowParent) {
18649
+ const controller = this.controller;
18650
+ return waitForBridgeResponse(controller.getConfiguration().system.popupBridgeTimeout, controller.getLogger(), request, controller.getPerformanceClient());
18651
+ }
18652
+ /**
18653
+ * Waits for the auth response from a hidden iframe used by MSAL silent flows.
18654
+ *
18655
+ * The default implementation delegates to MSAL's `BroadcastChannel`-based bridge.
18656
+ * Subclasses must return the raw response string (hash/query/fragment), or reject
18657
+ * with an `AuthError` on failure.
18658
+ *
18659
+ * @internal
18660
+ * @param iframe The hidden iframe MSAL attached to the document.
18661
+ * @param request The in-flight authorization request.
18662
+ */
18663
+ async waitForIframeResponse(
18664
+ // eslint-disable-next-line @typescript-eslint/no-unused-vars
18665
+ iframe, request) {
18666
+ const controller = this.controller;
18667
+ const config = controller.getConfiguration();
18668
+ return waitForBridgeResponse(config.system.iframeBridgeTimeout, controller.getLogger(), request, controller.getPerformanceClient(), config.experimental);
18397
18669
  }
18398
18670
  /**
18399
18671
  * Initializer function to perform async startup tasks such as connecting to WAM extension