@azure/msal-browser 5.11.0 → 5.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (267) hide show
  1. package/README.md +1 -0
  2. package/dist/app/IPublicClientApplication.mjs +1 -1
  3. package/dist/app/PublicClientApplication.mjs +44 -2
  4. package/dist/app/PublicClientApplication.mjs.map +1 -1
  5. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +3 -3
  6. package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  7. package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  8. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +1 -1
  9. package/dist/cache/AccountManager.mjs +1 -1
  10. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  11. package/dist/cache/BrowserCacheManager.mjs +99 -15
  12. package/dist/cache/BrowserCacheManager.mjs.map +1 -1
  13. package/dist/cache/CacheHelpers.mjs +1 -1
  14. package/dist/cache/CacheKeys.mjs +1 -1
  15. package/dist/cache/CookieStorage.mjs +1 -1
  16. package/dist/cache/DatabaseStorage.mjs +1 -1
  17. package/dist/cache/EncryptedData.mjs +1 -1
  18. package/dist/cache/LocalStorage.mjs +1 -1
  19. package/dist/cache/MemoryStorage.mjs +1 -1
  20. package/dist/cache/SessionStorage.mjs +1 -1
  21. package/dist/cache/TokenCache.mjs +1 -1
  22. package/dist/config/Configuration.mjs +3 -2
  23. package/dist/config/Configuration.mjs.map +1 -1
  24. package/dist/controllers/NestedAppAuthController.mjs +1 -1
  25. package/dist/controllers/StandardController.mjs +5 -5
  26. package/dist/controllers/StandardController.mjs.map +1 -1
  27. package/dist/crypto/BrowserCrypto.mjs +1 -1
  28. package/dist/crypto/CryptoOps.mjs +1 -1
  29. package/dist/crypto/PkceGenerator.mjs +1 -1
  30. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  31. package/dist/custom_auth/CustomAuthConstants.mjs +1 -1
  32. package/dist/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
  33. package/dist/custom_auth/controller/CustomAuthStandardController.mjs +1 -1
  34. package/dist/custom_auth/core/CustomAuthAuthority.mjs +1 -1
  35. package/dist/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
  36. package/dist/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
  37. package/dist/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
  38. package/dist/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
  39. package/dist/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
  40. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
  41. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
  42. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
  43. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
  44. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +1 -1
  45. package/dist/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
  46. package/dist/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
  47. package/dist/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
  48. package/dist/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
  49. package/dist/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
  50. package/dist/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +1 -1
  51. package/dist/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
  52. package/dist/custom_auth/core/error/CustomAuthError.mjs +1 -1
  53. package/dist/custom_auth/core/error/HttpError.mjs +1 -1
  54. package/dist/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
  55. package/dist/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
  56. package/dist/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
  57. package/dist/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
  58. package/dist/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
  59. package/dist/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
  60. package/dist/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
  61. package/dist/custom_auth/core/error/ParsedUrlError.mjs +1 -1
  62. package/dist/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
  63. package/dist/custom_auth/core/error/UnexpectedError.mjs +1 -1
  64. package/dist/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
  65. package/dist/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
  66. package/dist/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
  67. package/dist/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
  68. package/dist/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
  69. package/dist/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
  70. package/dist/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
  71. package/dist/custom_auth/core/interaction_client/mfa/MfaClient.mjs +1 -1
  72. package/dist/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
  73. package/dist/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +1 -1
  74. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +1 -1
  75. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
  76. package/dist/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
  77. package/dist/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +1 -1
  78. package/dist/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +1 -1
  79. package/dist/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +1 -1
  80. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
  81. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
  82. package/dist/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +1 -1
  83. package/dist/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
  84. package/dist/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
  85. package/dist/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
  86. package/dist/custom_auth/core/utils/CustomHeaderUtils.mjs +1 -1
  87. package/dist/custom_auth/core/utils/UrlUtils.mjs +1 -1
  88. package/dist/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +1 -1
  89. package/dist/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
  90. package/dist/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
  91. package/dist/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
  92. package/dist/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
  93. package/dist/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
  94. package/dist/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
  95. package/dist/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
  96. package/dist/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +1 -1
  97. package/dist/custom_auth/index.mjs +1 -1
  98. package/dist/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
  99. package/dist/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
  100. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
  101. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
  102. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
  103. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
  104. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +1 -1
  105. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
  106. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
  107. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +1 -1
  108. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
  109. package/dist/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +1 -1
  110. package/dist/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
  111. package/dist/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
  112. package/dist/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
  113. package/dist/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
  114. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
  115. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
  116. package/dist/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +1 -1
  117. package/dist/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
  118. package/dist/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +1 -1
  119. package/dist/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
  120. package/dist/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +1 -1
  121. package/dist/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
  122. package/dist/custom_auth/sign_in/interaction_client/SignInClient.mjs +1 -1
  123. package/dist/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
  124. package/dist/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
  125. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
  126. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
  127. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
  128. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
  129. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
  130. package/dist/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +1 -1
  131. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +1 -1
  132. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
  133. package/dist/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
  134. package/dist/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +1 -1
  135. package/dist/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
  136. package/dist/custom_auth/sign_up/interaction_client/SignUpClient.mjs +1 -1
  137. package/dist/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
  138. package/dist/encode/Base64Decode.mjs +1 -1
  139. package/dist/encode/Base64Encode.mjs +1 -1
  140. package/dist/error/BrowserAuthError.mjs +1 -1
  141. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  142. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  143. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  144. package/dist/error/NativeAuthError.mjs +4 -4
  145. package/dist/error/NativeAuthError.mjs.map +1 -1
  146. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  147. package/dist/error/NestedAppAuthError.mjs +1 -1
  148. package/dist/event/EventHandler.mjs +1 -1
  149. package/dist/event/EventMessage.mjs +1 -1
  150. package/dist/event/EventType.mjs +1 -1
  151. package/dist/index.mjs +1 -1
  152. package/dist/interaction_client/BaseInteractionClient.mjs +8 -3
  153. package/dist/interaction_client/BaseInteractionClient.mjs.map +1 -1
  154. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  155. package/dist/interaction_client/PlatformAuthInteractionClient.mjs +7 -6
  156. package/dist/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
  157. package/dist/interaction_client/PopupClient.mjs +30 -10
  158. package/dist/interaction_client/PopupClient.mjs.map +1 -1
  159. package/dist/interaction_client/RedirectClient.mjs +17 -9
  160. package/dist/interaction_client/RedirectClient.mjs.map +1 -1
  161. package/dist/interaction_client/SilentAuthCodeClient.mjs +2 -2
  162. package/dist/interaction_client/SilentAuthCodeClient.mjs.map +1 -1
  163. package/dist/interaction_client/SilentCacheClient.mjs +2 -2
  164. package/dist/interaction_client/SilentCacheClient.mjs.map +1 -1
  165. package/dist/interaction_client/SilentIframeClient.mjs +49 -20
  166. package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
  167. package/dist/interaction_client/SilentRefreshClient.mjs +2 -2
  168. package/dist/interaction_client/SilentRefreshClient.mjs.map +1 -1
  169. package/dist/interaction_client/StandardInteractionClient.mjs +1 -1
  170. package/dist/interaction_handler/InteractionHandler.mjs +1 -1
  171. package/dist/interaction_handler/SilentHandler.mjs +13 -26
  172. package/dist/interaction_handler/SilentHandler.mjs.map +1 -1
  173. package/dist/log-strings-mapping.json +1202 -1194
  174. package/dist/naa/BridgeError.mjs +1 -1
  175. package/dist/naa/BridgeProxy.mjs +1 -1
  176. package/dist/naa/BridgeStatusCode.mjs +1 -1
  177. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +1 -1
  178. package/dist/navigation/NavigationClient.mjs +1 -1
  179. package/dist/network/FetchClient.mjs +1 -1
  180. package/dist/operatingcontext/BaseOperatingContext.mjs +10 -2
  181. package/dist/operatingcontext/BaseOperatingContext.mjs.map +1 -1
  182. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  183. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  184. package/dist/packageMetadata.mjs +2 -2
  185. package/dist/protocol/Authorize.mjs +1 -1
  186. package/dist/redirect_bridge/index.mjs +4 -5
  187. package/dist/redirect_bridge/index.mjs.map +1 -1
  188. package/dist/request/RequestHelpers.mjs +1 -1
  189. package/dist/response/ResponseHandler.mjs +1 -1
  190. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  191. package/dist/telemetry/BrowserPerformanceEvents.mjs +2 -3
  192. package/dist/telemetry/BrowserPerformanceEvents.mjs.map +1 -1
  193. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  194. package/dist/telemetry/BrowserRootPerformanceEvents.mjs +1 -1
  195. package/dist/utils/BrowserConstants.mjs +1 -1
  196. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  197. package/dist/utils/BrowserUtils.mjs +15 -5
  198. package/dist/utils/BrowserUtils.mjs.map +1 -1
  199. package/dist/utils/Helpers.mjs +1 -1
  200. package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
  201. package/lib/custom-auth-path/log-strings-mapping.json +19 -11
  202. package/lib/custom-auth-path/msal-custom-auth.cjs +511 -263
  203. package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
  204. package/lib/custom-auth-path/msal-custom-auth.js +511 -263
  205. package/lib/custom-auth-path/msal-custom-auth.js.map +1 -1
  206. package/lib/log-strings-mapping.json +11 -3
  207. package/lib/msal-browser.cjs +539 -267
  208. package/lib/msal-browser.cjs.map +1 -1
  209. package/lib/msal-browser.js +539 -267
  210. package/lib/msal-browser.js.map +1 -1
  211. package/lib/msal-browser.min.js +2 -2
  212. package/lib/redirect-bridge/msal-redirect-bridge.cjs +59 -50
  213. package/lib/redirect-bridge/msal-redirect-bridge.cjs.map +1 -1
  214. package/lib/redirect-bridge/msal-redirect-bridge.js +59 -50
  215. package/lib/redirect-bridge/msal-redirect-bridge.js.map +1 -1
  216. package/lib/redirect-bridge/msal-redirect-bridge.min.js +2 -2
  217. package/package.json +2 -2
  218. package/src/app/PublicClientApplication.ts +85 -1
  219. package/src/broker/nativeBroker/NativeStatusCodes.ts +1 -1
  220. package/src/cache/BrowserCacheManager.ts +157 -33
  221. package/src/config/Configuration.ts +6 -0
  222. package/src/controllers/StandardController.ts +10 -8
  223. package/src/error/NativeAuthError.ts +2 -2
  224. package/src/interaction_client/BaseInteractionClient.ts +12 -1
  225. package/src/interaction_client/PlatformAuthInteractionClient.ts +14 -4
  226. package/src/interaction_client/PopupClient.ts +74 -30
  227. package/src/interaction_client/RedirectClient.ts +32 -8
  228. package/src/interaction_client/SilentAuthCodeClient.ts +3 -1
  229. package/src/interaction_client/SilentCacheClient.ts +3 -1
  230. package/src/interaction_client/SilentIframeClient.ts +140 -74
  231. package/src/interaction_client/SilentRefreshClient.ts +3 -1
  232. package/src/interaction_handler/SilentHandler.ts +12 -32
  233. package/src/operatingcontext/BaseOperatingContext.ts +15 -1
  234. package/src/packageMetadata.ts +1 -1
  235. package/src/redirect_bridge/index.ts +3 -7
  236. package/src/telemetry/BrowserPerformanceEvents.ts +0 -1
  237. package/src/utils/BrowserUtils.ts +28 -7
  238. package/types/app/PublicClientApplication.d.ts +37 -1
  239. package/types/app/PublicClientApplication.d.ts.map +1 -1
  240. package/types/broker/nativeBroker/NativeStatusCodes.d.ts +1 -1
  241. package/types/cache/BrowserCacheManager.d.ts +18 -1
  242. package/types/cache/BrowserCacheManager.d.ts.map +1 -1
  243. package/types/config/Configuration.d.ts +5 -0
  244. package/types/config/Configuration.d.ts.map +1 -1
  245. package/types/controllers/StandardController.d.ts.map +1 -1
  246. package/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  247. package/types/interaction_client/BaseInteractionClient.d.ts +2 -1
  248. package/types/interaction_client/BaseInteractionClient.d.ts.map +1 -1
  249. package/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  250. package/types/interaction_client/PopupClient.d.ts +11 -1
  251. package/types/interaction_client/PopupClient.d.ts.map +1 -1
  252. package/types/interaction_client/RedirectClient.d.ts.map +1 -1
  253. package/types/interaction_client/SilentAuthCodeClient.d.ts.map +1 -1
  254. package/types/interaction_client/SilentCacheClient.d.ts.map +1 -1
  255. package/types/interaction_client/SilentIframeClient.d.ts +20 -1
  256. package/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
  257. package/types/interaction_client/SilentRefreshClient.d.ts.map +1 -1
  258. package/types/interaction_handler/SilentHandler.d.ts +13 -6
  259. package/types/interaction_handler/SilentHandler.d.ts.map +1 -1
  260. package/types/operatingcontext/BaseOperatingContext.d.ts +8 -1
  261. package/types/operatingcontext/BaseOperatingContext.d.ts.map +1 -1
  262. package/types/packageMetadata.d.ts +1 -1
  263. package/types/redirect_bridge/index.d.ts.map +1 -1
  264. package/types/telemetry/BrowserPerformanceEvents.d.ts +0 -1
  265. package/types/telemetry/BrowserPerformanceEvents.d.ts.map +1 -1
  266. package/types/utils/BrowserUtils.d.ts +17 -2
  267. package/types/utils/BrowserUtils.d.ts.map +1 -1
@@ -1,8 +1,8 @@
1
- /*! @azure/msal-browser v5.11.0 2026-05-19 */
1
+ /*! @azure/msal-browser v5.13.0 2026-06-10 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
5
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6
6
  /*
7
7
  * Copyright (c) Microsoft Corporation. All rights reserved.
8
8
  * Licensed under the MIT License.
@@ -229,7 +229,7 @@ const JsonWebTokenTypes = {
229
229
  // Token renewal offset default in seconds
230
230
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
231
231
 
232
- /*! @azure/msal-common v16.6.2 2026-05-19 */
232
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
233
233
  /*
234
234
  * Copyright (c) Microsoft Corporation. All rights reserved.
235
235
  * Licensed under the MIT License.
@@ -281,7 +281,7 @@ const EAR_JWE_CRYPTO = "ear_jwe_crypto";
281
281
  const RESOURCE = "resource";
282
282
  const CLI_DATA = "clidata";
283
283
 
284
- /*! @azure/msal-common v16.6.2 2026-05-19 */
284
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
285
285
  /*
286
286
  * Copyright (c) Microsoft Corporation. All rights reserved.
287
287
  * Licensed under the MIT License.
@@ -312,7 +312,7 @@ function createAuthError(code, additionalMessage) {
312
312
  return new AuthError(code, additionalMessage || getDefaultErrorMessage$1(code));
313
313
  }
314
314
 
315
- /*! @azure/msal-common v16.6.2 2026-05-19 */
315
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
316
316
 
317
317
  /*
318
318
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -332,7 +332,7 @@ function createClientConfigurationError(errorCode) {
332
332
  return new ClientConfigurationError(errorCode);
333
333
  }
334
334
 
335
- /*! @azure/msal-common v16.6.2 2026-05-19 */
335
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
336
336
  /*
337
337
  * Copyright (c) Microsoft Corporation. All rights reserved.
338
338
  * Licensed under the MIT License.
@@ -412,7 +412,7 @@ class StringUtils {
412
412
  }
413
413
  }
414
414
 
415
- /*! @azure/msal-common v16.6.2 2026-05-19 */
415
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
416
416
 
417
417
  /*
418
418
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -435,7 +435,7 @@ function createClientAuthError(errorCode, additionalMessage) {
435
435
  return new ClientAuthError(errorCode, additionalMessage);
436
436
  }
437
437
 
438
- /*! @azure/msal-common v16.6.2 2026-05-19 */
438
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
439
439
  /*
440
440
  * Copyright (c) Microsoft Corporation. All rights reserved.
441
441
  * Licensed under the MIT License.
@@ -461,7 +461,7 @@ const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
461
461
  const invalidPlatformBrokerConfiguration = "invalid_platform_broker_configuration";
462
462
  const issuerValidationFailed = "issuer_validation_failed";
463
463
 
464
- /*! @azure/msal-common v16.6.2 2026-05-19 */
464
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
465
465
  /*
466
466
  * Copyright (c) Microsoft Corporation. All rights reserved.
467
467
  * Licensed under the MIT License.
@@ -500,7 +500,7 @@ const methodNotImplemented = "method_not_implemented";
500
500
  const resourceParameterRequired = "resource_parameter_required";
501
501
  const misplacedResourceParam = "misplaced_resource_parameter";
502
502
 
503
- /*! @azure/msal-common v16.6.2 2026-05-19 */
503
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
504
504
 
505
505
  /*
506
506
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -695,7 +695,7 @@ class ScopeSet {
695
695
  }
696
696
  }
697
697
 
698
- /*! @azure/msal-common v16.6.2 2026-05-19 */
698
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
699
699
 
700
700
  /*
701
701
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1044,8 +1044,14 @@ function addSshJwk(parameters, sshJwkString) {
1044
1044
  * @param serverTelemetryManager
1045
1045
  */
1046
1046
  function addServerTelemetry(parameters, serverTelemetryManager) {
1047
- parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
1048
- parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
1047
+ const currentTelemetryHeader = serverTelemetryManager.generateCurrentRequestHeaderValue();
1048
+ const lastTelemetryHeader = serverTelemetryManager.generateLastRequestHeaderValue();
1049
+ if (currentTelemetryHeader) {
1050
+ parameters.set(X_CLIENT_CURR_TELEM, currentTelemetryHeader);
1051
+ }
1052
+ if (lastTelemetryHeader) {
1053
+ parameters.set(X_CLIENT_LAST_TELEM, lastTelemetryHeader);
1054
+ }
1049
1055
  }
1050
1056
  /**
1051
1057
  * Adds parameter that indicates to the server that throttling is supported
@@ -1084,34 +1090,12 @@ function addResource(parameters, resource) {
1084
1090
  }
1085
1091
  }
1086
1092
 
1087
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1093
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1088
1094
 
1089
1095
  /*
1090
1096
  * Copyright (c) Microsoft Corporation. All rights reserved.
1091
1097
  * Licensed under the MIT License.
1092
1098
  */
1093
- /**
1094
- * Canonicalizes a URL by making it lowercase and ensuring it ends with /
1095
- * Inlined version of UrlString.canonicalizeUri to avoid circular dependency
1096
- * @param url - URL to canonicalize
1097
- * @returns Canonicalized URL
1098
- */
1099
- function canonicalizeUrl(url) {
1100
- if (!url) {
1101
- return url;
1102
- }
1103
- let lowerCaseUrl = url.toLowerCase();
1104
- if (StringUtils.endsWith(lowerCaseUrl, "?")) {
1105
- lowerCaseUrl = lowerCaseUrl.slice(0, -1);
1106
- }
1107
- else if (StringUtils.endsWith(lowerCaseUrl, "?/")) {
1108
- lowerCaseUrl = lowerCaseUrl.slice(0, -2);
1109
- }
1110
- if (!StringUtils.endsWith(lowerCaseUrl, "/")) {
1111
- lowerCaseUrl += "/";
1112
- }
1113
- return lowerCaseUrl;
1114
- }
1115
1099
  /**
1116
1100
  * Parses hash string from given string. Returns empty string if no hash symbol is found.
1117
1101
  * @param hashString
@@ -1164,36 +1148,71 @@ function mapToQueryString(parameters) {
1164
1148
  return queryParameterArray.join("&");
1165
1149
  }
1166
1150
  /**
1167
- * Normalizes URLs for comparison by removing hash, canonicalizing,
1168
- * and ensuring consistent URL encoding in query parameters.
1169
- * This fixes redirect loops when URLs contain encoded characters like apostrophes (%27).
1151
+ * Normalizes URLs for comparison per MDN & RFC 3986 standards:
1152
+ * - Hash/fragment is removed
1153
+ * - Scheme and host are lowercased (case-insensitive per spec)
1154
+ * - Path and query parameters preserve original casing (case-sensitive per spec)
1155
+ * - Percent-encoding in pathname is normalized (e.g., %27 and ' are treated equivalently)
1156
+ * - Ensures pathname ends with /
1157
+ * Throws a urlParseError if the provided URL is malformed and cannot be parsed.
1170
1158
  * @param url - URL to normalize
1159
+ * @param logger - Optional logger used to log parse failures
1160
+ * @param correlationId - Optional correlationId associated with the log entry
1171
1161
  * @returns Normalized URL string for comparison
1172
1162
  */
1173
- function normalizeUrlForComparison(url) {
1163
+ function normalizeUrlForComparison(url, logger, correlationId) {
1174
1164
  if (!url) {
1175
1165
  return url;
1176
1166
  }
1177
- // Remove hash first
1178
1167
  const urlWithoutHash = url.split("#")[0];
1168
+ if (!urlWithoutHash) {
1169
+ return urlWithoutHash;
1170
+ }
1179
1171
  try {
1180
- // Parse the URL to handle encoding consistently
1181
1172
  const urlObj = new URL(urlWithoutHash);
1182
- /*
1183
- * Reconstruct the URL with properly decoded query parameters
1184
- * This ensures that %27 and ' are treated as equivalent
1185
- */
1186
- const normalizedUrl = urlObj.origin + urlObj.pathname + urlObj.search;
1187
- // Apply canonicalization logic inline to avoid circular dependency
1188
- return canonicalizeUrl(normalizedUrl);
1173
+ // Treat an empty query string (a bare trailing "?") as equivalent to no query
1174
+ if (!urlObj.search) {
1175
+ urlObj.search = "";
1176
+ }
1177
+ // Decode the pathname to normalize percent-encoding and ensure trailing slash
1178
+ let pathname;
1179
+ try {
1180
+ pathname = decodeURIComponent(urlObj.pathname);
1181
+ }
1182
+ catch (e) {
1183
+ pathname = urlObj.pathname;
1184
+ }
1185
+ if (!pathname.endsWith("/")) {
1186
+ pathname += "/";
1187
+ }
1188
+ urlObj.pathname = pathname;
1189
+ return urlObj.href;
1190
+ }
1191
+ catch (e) {
1192
+ logger?.error("15apdm", correlationId || "");
1193
+ throw createClientConfigurationError(urlParseError);
1194
+ }
1195
+ }
1196
+ /**
1197
+ * Validates that the provided value is a well-formed, parseable absolute URL.
1198
+ * Throws a urlParseError if the value cannot be parsed by the URL API (e.g. the
1199
+ * literal string "null", an empty string, or any malformed/relative URL). Use this
1200
+ * to guard against persisting an invalid value (such as a redirect URL) to the cache.
1201
+ * @param url - URL to validate
1202
+ * @param logger - Optional logger used to log validation failures
1203
+ * @param correlationId - Optional correlationId associated with the log entry
1204
+ */
1205
+ function validateUrl(url, logger, correlationId) {
1206
+ try {
1207
+ new URL(url);
1189
1208
  }
1190
1209
  catch (e) {
1191
- // Fallback to original logic if URL parsing fails
1192
- return canonicalizeUrl(urlWithoutHash);
1210
+ logger?.error("1lrjz7", correlationId || "");
1211
+ throw createClientConfigurationError(urlParseError);
1193
1212
  }
1194
1213
  }
1195
1214
 
1196
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1215
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1197
1216
 
1198
1217
  /*
1199
1218
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1232,7 +1251,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
1232
1251
  },
1233
1252
  };
1234
1253
 
1235
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1254
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1236
1255
  /*
1237
1256
  * Copyright (c) Microsoft Corporation. All rights reserved.
1238
1257
  * Licensed under the MIT License.
@@ -1280,7 +1299,7 @@ function addLogToCache(correlationId, loggedMessage) {
1280
1299
  // Remove LRU (first entry) if capacity exceeded
1281
1300
  if (correlationCache.size > CACHE_CAPACITY) {
1282
1301
  const firstKey = correlationCache.keys().next().value;
1283
- if (firstKey) {
1302
+ if (firstKey !== undefined) {
1284
1303
  correlationCache.delete(firstKey);
1285
1304
  }
1286
1305
  }
@@ -1493,12 +1512,12 @@ class Logger {
1493
1512
  }
1494
1513
  }
1495
1514
 
1496
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1515
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1497
1516
  /* eslint-disable header/header */
1498
1517
  const name$1 = "@azure/msal-common";
1499
- const version$1 = "16.6.2";
1518
+ const version$1 = "16.8.0";
1500
1519
 
1501
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1520
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1502
1521
  /*
1503
1522
  * Copyright (c) Microsoft Corporation. All rights reserved.
1504
1523
  * Licensed under the MIT License.
@@ -1507,7 +1526,7 @@ const AzureCloudInstance = {
1507
1526
  // AzureCloudInstance is not specified.
1508
1527
  None: "none"};
1509
1528
 
1510
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1529
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1511
1530
  /*
1512
1531
  * Copyright (c) Microsoft Corporation. All rights reserved.
1513
1532
  * Licensed under the MIT License.
@@ -1590,7 +1609,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
1590
1609
  return updatedAccountInfo;
1591
1610
  }
1592
1611
 
1593
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1612
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1594
1613
 
1595
1614
  /*
1596
1615
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1670,7 +1689,7 @@ function checkMaxAge(authTime, maxAge) {
1670
1689
  }
1671
1690
  }
1672
1691
 
1673
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1692
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1674
1693
 
1675
1694
  /*
1676
1695
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1827,7 +1846,7 @@ class UrlString {
1827
1846
  }
1828
1847
  }
1829
1848
 
1830
- /*! @azure/msal-common v16.6.2 2026-05-19 */
1849
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1831
1850
 
1832
1851
  /*
1833
1852
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1993,7 +2012,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
1993
2012
  return null;
1994
2013
  }
1995
2014
 
1996
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2015
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
1997
2016
  /*
1998
2017
  * Copyright (c) Microsoft Corporation. All rights reserved.
1999
2018
  * Licensed under the MIT License.
@@ -2001,7 +2020,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
2001
2020
  const cacheQuotaExceeded = "cache_quota_exceeded";
2002
2021
  const cacheErrorUnknown = "cache_error_unknown";
2003
2022
 
2004
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2023
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2005
2024
 
2006
2025
  /*
2007
2026
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2039,7 +2058,7 @@ function createCacheError(e) {
2039
2058
  }
2040
2059
  }
2041
2060
 
2042
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2061
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2043
2062
 
2044
2063
  /*
2045
2064
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2077,7 +2096,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
2077
2096
  };
2078
2097
  }
2079
2098
 
2080
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2099
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2081
2100
  /*
2082
2101
  * Copyright (c) Microsoft Corporation. All rights reserved.
2083
2102
  * Licensed under the MIT License.
@@ -2092,7 +2111,7 @@ const AuthorityType = {
2092
2111
  Ciam: 3,
2093
2112
  };
2094
2113
 
2095
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2114
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2096
2115
  /*
2097
2116
  * Copyright (c) Microsoft Corporation. All rights reserved.
2098
2117
  * Licensed under the MIT License.
@@ -2114,7 +2133,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
2114
2133
  return null;
2115
2134
  }
2116
2135
 
2117
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2136
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2118
2137
  /*
2119
2138
  * Copyright (c) Microsoft Corporation. All rights reserved.
2120
2139
  * Licensed under the MIT License.
@@ -2138,7 +2157,7 @@ const ProtocolMode = {
2138
2157
  EAR: "EAR",
2139
2158
  };
2140
2159
 
2141
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2160
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2142
2161
  /**
2143
2162
  * Returns the AccountInfo interface for this account.
2144
2163
  */
@@ -2313,7 +2332,7 @@ function isAccountEntity(entity) {
2313
2332
  entity.hasOwnProperty("authorityType"));
2314
2333
  }
2315
2334
 
2316
- /*! @azure/msal-common v16.6.2 2026-05-19 */
2335
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
2317
2336
 
2318
2337
  /*
2319
2338
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2453,8 +2472,8 @@ class CacheManager {
2453
2472
  return false;
2454
2473
  }
2455
2474
  if (!!tenantProfileFilter.username &&
2456
- !(this.matchUsername(tenantProfile.username, tenantProfileFilter.username) ||
2457
- !this.matchUsername(tenantProfile.upn, tenantProfileFilter.username))) {
2475
+ !this.matchUsername(tenantProfile.username, tenantProfileFilter.username) &&
2476
+ !this.matchUsername(tenantProfile.upn, tenantProfileFilter.username)) {
2458
2477
  return false;
2459
2478
  }
2460
2479
  if (!!tenantProfileFilter.loginHint &&
@@ -3444,7 +3463,7 @@ class DefaultStorageClass extends CacheManager {
3444
3463
  }
3445
3464
  }
3446
3465
 
3447
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3466
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3448
3467
  /*
3449
3468
  * Copyright (c) Microsoft Corporation. All rights reserved.
3450
3469
  * Licensed under the MIT License.
@@ -3458,7 +3477,7 @@ class DefaultStorageClass extends CacheManager {
3458
3477
  const PerformanceEventStatus = {
3459
3478
  InProgress: 1};
3460
3479
 
3461
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3480
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3462
3481
 
3463
3482
  /*
3464
3483
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3513,7 +3532,7 @@ class StubPerformanceClient {
3513
3532
  }
3514
3533
  }
3515
3534
 
3516
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3535
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3517
3536
 
3518
3537
  /*
3519
3538
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3608,7 +3627,7 @@ function isOidcProtocolMode(config) {
3608
3627
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3609
3628
  }
3610
3629
 
3611
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3630
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3612
3631
  /*
3613
3632
  * Copyright (c) Microsoft Corporation. All rights reserved.
3614
3633
  * Licensed under the MIT License.
@@ -3635,7 +3654,7 @@ function isOidcProtocolMode(config) {
3635
3654
  }
3636
3655
  }
3637
3656
 
3638
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3657
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3639
3658
  /*
3640
3659
  * Copyright (c) Microsoft Corporation. All rights reserved.
3641
3660
  * Licensed under the MIT License.
@@ -3700,7 +3719,7 @@ function wasClockTurnedBack(cachedAt) {
3700
3719
  return cachedAtSec > nowSeconds();
3701
3720
  }
3702
3721
 
3703
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3722
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3704
3723
 
3705
3724
  /*
3706
3725
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3959,7 +3978,7 @@ function isAuthorityMetadataExpired(metadata) {
3959
3978
  return metadata.expiresAt <= nowSeconds();
3960
3979
  }
3961
3980
 
3962
- /*! @azure/msal-common v16.6.2 2026-05-19 */
3981
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
3963
3982
  /*
3964
3983
  * Copyright (c) Microsoft Corporation. All rights reserved.
3965
3984
  * Licensed under the MIT License.
@@ -4030,7 +4049,7 @@ const RegionDiscoveryGetCurrentVersion = "regionDiscoveryGetCurrentVersion";
4030
4049
  const CacheManagerGetRefreshToken = "cacheManagerGetRefreshToken";
4031
4050
  const SetUserData = "setUserData";
4032
4051
 
4033
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4052
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4034
4053
  /*
4035
4054
  * Copyright (c) Microsoft Corporation. All rights reserved.
4036
4055
  * Licensed under the MIT License.
@@ -4123,7 +4142,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
4123
4142
  };
4124
4143
  };
4125
4144
 
4126
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4145
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4127
4146
 
4128
4147
  /*
4129
4148
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4203,7 +4222,7 @@ class PopTokenGenerator {
4203
4222
  }
4204
4223
  }
4205
4224
 
4206
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4225
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4207
4226
  /*
4208
4227
  * Copyright (c) Microsoft Corporation. All rights reserved.
4209
4228
  * Licensed under the MIT License.
@@ -4227,7 +4246,7 @@ const refreshTokenExpired = "refresh_token_expired";
4227
4246
  * MSAL-defined error code indicating UI/UX is not allowed (e.g., blocked by policy), requiring alternate interaction.
4228
4247
  * @public
4229
4248
  */
4230
- const uxNotAllowed = "ux_not_allowed";
4249
+ const uiNotAllowed = "ui_not_allowed";
4231
4250
  /**
4232
4251
  * Server-originated error code indicating interaction is required to complete the request.
4233
4252
  * @public
@@ -4254,7 +4273,7 @@ const badToken = "bad_token";
4254
4273
  */
4255
4274
  const interruptedUser = "interrupted_user";
4256
4275
 
4257
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4276
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4258
4277
 
4259
4278
  /*
4260
4279
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4268,7 +4287,7 @@ const InteractionRequiredServerErrorMessage = [
4268
4287
  consentRequired,
4269
4288
  loginRequired,
4270
4289
  badToken,
4271
- uxNotAllowed,
4290
+ uiNotAllowed,
4272
4291
  interruptedUser,
4273
4292
  ];
4274
4293
  const InteractionRequiredAuthSubErrorMessage = [
@@ -4278,7 +4297,7 @@ const InteractionRequiredAuthSubErrorMessage = [
4278
4297
  "user_password_expired",
4279
4298
  "consent_required",
4280
4299
  "bad_token",
4281
- "ux_not_allowed",
4300
+ "ui_not_allowed",
4282
4301
  "interrupted_user",
4283
4302
  ];
4284
4303
  /**
@@ -4322,7 +4341,7 @@ function createInteractionRequiredAuthError(errorCode, errorMessage) {
4322
4341
  return new InteractionRequiredAuthError(errorCode, errorMessage);
4323
4342
  }
4324
4343
 
4325
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4344
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4326
4345
 
4327
4346
  /*
4328
4347
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4341,7 +4360,7 @@ class ServerError extends AuthError {
4341
4360
  }
4342
4361
  }
4343
4362
 
4344
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4363
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4345
4364
 
4346
4365
  /*
4347
4366
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4409,7 +4428,7 @@ function parseRequestState(base64Decode, state) {
4409
4428
  }
4410
4429
  }
4411
4430
 
4412
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4431
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4413
4432
 
4414
4433
  /*
4415
4434
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4757,7 +4776,7 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
4757
4776
  return baseAccount;
4758
4777
  }
4759
4778
 
4760
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4779
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4761
4780
  /*
4762
4781
  * Copyright (c) Microsoft Corporation. All rights reserved.
4763
4782
  * Licensed under the MIT License.
@@ -4767,7 +4786,7 @@ const CcsCredentialType = {
4767
4786
  UPN: "UPN",
4768
4787
  };
4769
4788
 
4770
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4789
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4771
4790
  /*
4772
4791
  * Copyright (c) Microsoft Corporation. All rights reserved.
4773
4792
  * Licensed under the MIT License.
@@ -4785,7 +4804,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
4785
4804
  }
4786
4805
  }
4787
4806
 
4788
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4807
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4789
4808
  /*
4790
4809
  * Copyright (c) Microsoft Corporation. All rights reserved.
4791
4810
  * Licensed under the MIT License.
@@ -4806,7 +4825,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
4806
4825
  };
4807
4826
  }
4808
4827
 
4809
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4828
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4810
4829
 
4811
4830
  /*
4812
4831
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4892,7 +4911,7 @@ class ThrottlingUtils {
4892
4911
  }
4893
4912
  }
4894
4913
 
4895
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4914
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4896
4915
 
4897
4916
  /*
4898
4917
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4923,7 +4942,7 @@ function createNetworkError(error, httpStatus, responseHeaders, additionalError)
4923
4942
  return new NetworkError(error, httpStatus, responseHeaders);
4924
4943
  }
4925
4944
 
4926
- /*! @azure/msal-common v16.6.2 2026-05-19 */
4945
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
4927
4946
 
4928
4947
  /*
4929
4948
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5037,7 +5056,7 @@ async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId
5037
5056
  return response;
5038
5057
  }
5039
5058
 
5040
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5059
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5041
5060
  /*
5042
5061
  * Copyright (c) Microsoft Corporation. All rights reserved.
5043
5062
  * Licensed under the MIT License.
@@ -5049,7 +5068,7 @@ function isOpenIdConfigResponse(response) {
5049
5068
  response.hasOwnProperty("jwks_uri"));
5050
5069
  }
5051
5070
 
5052
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5071
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5053
5072
  /*
5054
5073
  * Copyright (c) Microsoft Corporation. All rights reserved.
5055
5074
  * Licensed under the MIT License.
@@ -5059,7 +5078,7 @@ function isCloudInstanceDiscoveryResponse(response) {
5059
5078
  response.hasOwnProperty("metadata"));
5060
5079
  }
5061
5080
 
5062
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5081
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5063
5082
  /*
5064
5083
  * Copyright (c) Microsoft Corporation. All rights reserved.
5065
5084
  * Licensed under the MIT License.
@@ -5069,7 +5088,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
5069
5088
  response.hasOwnProperty("error_description"));
5070
5089
  }
5071
5090
 
5072
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5091
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5073
5092
 
5074
5093
  /*
5075
5094
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5174,7 +5193,7 @@ RegionDiscovery.IMDS_OPTIONS = {
5174
5193
  },
5175
5194
  };
5176
5195
 
5177
- /*! @azure/msal-common v16.6.2 2026-05-19 */
5196
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
5178
5197
 
5179
5198
  /*
5180
5199
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5731,7 +5750,7 @@ class Authority {
5731
5750
  }
5732
5751
  }
5733
5752
  // If cloudDiscoveryMetadata is empty or does not contain the host, check knownAuthorities
5734
- if (this.isInKnownAuthorities()) {
5753
+ if (this.isInKnownAuthorities(this.hostnameAndPort)) {
5735
5754
  this.logger.verbose("0mt9al", this.correlationId);
5736
5755
  return Authority.createCloudDiscoveryMetadataFromHost(this.hostnameAndPort);
5737
5756
  }
@@ -5798,13 +5817,14 @@ class Authority {
5798
5817
  return match;
5799
5818
  }
5800
5819
  /**
5801
- * Helper function to determine if this host is included in the knownAuthorities config option
5820
+ * Helper function to determine if a host is included in the knownAuthorities config option.
5802
5821
  */
5803
- isInKnownAuthorities() {
5822
+ isInKnownAuthorities(host) {
5823
+ const normalizedHost = host.toLowerCase();
5804
5824
  const matches = this.authorityOptions.knownAuthorities.filter((authority) => {
5805
5825
  return (authority &&
5806
5826
  UrlString.getDomainFromUrl(authority).toLowerCase() ===
5807
- this.hostnameAndPort);
5827
+ normalizedHost);
5808
5828
  });
5809
5829
  return matches.length > 0;
5810
5830
  }
@@ -5881,6 +5901,10 @@ class Authority {
5881
5901
  * 4. Same as (2), but the issuer host matches the CIAM tenant pattern
5882
5902
  * `{tenant}.ciamlogin.com` with an optional `/{tenant}[.onmicrosoft.com][/v2.0]`
5883
5903
  * path.
5904
+ * 5. The issuer host is HTTPS and is explicitly listed in the
5905
+ * developer-configured `knownAuthorities`. This covers scenarios where
5906
+ * the OIDC discovery document returns an issuer host that differs from
5907
+ * the authority (e.g., a GUID-based issuer for a name-based CIAM authority).
5884
5908
  *
5885
5909
  * @param issuer The `issuer` value returned in the OIDC discovery document.
5886
5910
  * @throws ClientConfigurationError("issuer_validation_failed") on failure.
@@ -5917,11 +5941,19 @@ class Authority {
5917
5941
  * have "{tenant}.ciamlogin.com" as the host, even when using a custom domain.
5918
5942
  */
5919
5943
  const matchesCiamTenantPattern = this.matchesCiamTenantPattern(issuerUrl, authorityHost, this.canonicalAuthorityUrlComponents.PathSegments);
5944
+ /*
5945
+ * Rule 5: The issuer host is explicitly listed in the developer-configured
5946
+ * knownAuthorities. This covers scenarios where the OIDC discovery document
5947
+ * returns an issuer with a different host than the authority
5948
+ * (e.g., a GUID-based issuer for a name-based authority).
5949
+ */
5950
+ const matchesKnownAuthority = issuerScheme === "https:" && this.isInKnownAuthorities(issuerHost);
5920
5951
  // Each rule is an independent boolean; the issuer is valid if ANY rule matches.
5921
5952
  if (matchesAuthorityOrigin ||
5922
5953
  matchesKnownMicrosoftHost ||
5923
5954
  matchesRegionalMicrosoftHost ||
5924
- matchesCiamTenantPattern) {
5955
+ matchesCiamTenantPattern ||
5956
+ matchesKnownAuthority) {
5925
5957
  return;
5926
5958
  }
5927
5959
  // issuer validation fails if none of the above rules are satisfied
@@ -6129,7 +6161,7 @@ function buildStaticAuthorityOptions(authOptions) {
6129
6161
  };
6130
6162
  }
6131
6163
 
6132
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6164
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6133
6165
 
6134
6166
  /*
6135
6167
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6163,7 +6195,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
6163
6195
  }
6164
6196
  }
6165
6197
 
6166
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6198
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6167
6199
 
6168
6200
  /*
6169
6201
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6420,7 +6452,7 @@ class AuthorizationCodeClient {
6420
6452
  }
6421
6453
  }
6422
6454
 
6423
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6455
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6424
6456
 
6425
6457
  /*
6426
6458
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6641,7 +6673,7 @@ class RefreshTokenClient {
6641
6673
  }
6642
6674
  }
6643
6675
 
6644
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6676
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6645
6677
 
6646
6678
  /*
6647
6679
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6757,7 +6789,7 @@ class SilentFlowClient {
6757
6789
  }
6758
6790
  }
6759
6791
 
6760
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6792
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6761
6793
 
6762
6794
  /*
6763
6795
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6772,7 +6804,7 @@ const StubbedNetworkModule = {
6772
6804
  },
6773
6805
  };
6774
6806
 
6775
- /*! @azure/msal-common v16.6.2 2026-05-19 */
6807
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6776
6808
 
6777
6809
  /*
6778
6810
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6995,7 +7027,7 @@ function extractLoginHint(account) {
6995
7027
  return account.loginHint || account.idTokenClaims?.login_hint || null;
6996
7028
  }
6997
7029
 
6998
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7030
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
6999
7031
 
7000
7032
  /*
7001
7033
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7028,7 +7060,7 @@ function containsResourceParam(params) {
7028
7060
  return Object.prototype.hasOwnProperty.call(params, "resource");
7029
7061
  }
7030
7062
 
7031
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7063
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7032
7064
  /*
7033
7065
  * Copyright (c) Microsoft Corporation. All rights reserved.
7034
7066
  * Licensed under the MIT License.
@@ -7038,7 +7070,7 @@ function containsResourceParam(params) {
7038
7070
  */
7039
7071
  const unexpectedError = "unexpected_error";
7040
7072
 
7041
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7073
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7042
7074
 
7043
7075
  /*
7044
7076
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7149,35 +7181,40 @@ class ServerTelemetryManager {
7149
7181
  * @param error
7150
7182
  */
7151
7183
  cacheFailedRequest(error) {
7152
- const lastRequests = this.getLastRequests();
7153
- if (lastRequests.errors.length >=
7154
- SERVER_TELEM_MAX_CACHED_ERRORS) {
7155
- // Remove a cached error to make room, first in first out
7156
- lastRequests.failedRequests.shift(); // apiId
7157
- lastRequests.failedRequests.shift(); // correlationId
7158
- lastRequests.errors.shift();
7159
- }
7160
- lastRequests.failedRequests.push(this.apiId, this.correlationId);
7161
- if (error instanceof Error && !!error && error.toString()) {
7162
- if (error instanceof AuthError) {
7163
- if (error.subError) {
7164
- lastRequests.errors.push(error.subError);
7165
- }
7166
- else if (error.errorCode) {
7167
- lastRequests.errors.push(error.errorCode);
7184
+ try {
7185
+ const lastRequests = this.getLastRequests();
7186
+ if (lastRequests.errors.length >=
7187
+ SERVER_TELEM_MAX_CACHED_ERRORS) {
7188
+ // Remove a cached error to make room, first in first out
7189
+ lastRequests.failedRequests.shift(); // apiId
7190
+ lastRequests.failedRequests.shift(); // correlationId
7191
+ lastRequests.errors.shift();
7192
+ }
7193
+ lastRequests.failedRequests.push(this.apiId, this.correlationId);
7194
+ if (error instanceof Error && !!error && error.toString()) {
7195
+ if (error instanceof AuthError) {
7196
+ if (error.subError) {
7197
+ lastRequests.errors.push(error.subError);
7198
+ }
7199
+ else if (error.errorCode) {
7200
+ lastRequests.errors.push(error.errorCode);
7201
+ }
7202
+ else {
7203
+ lastRequests.errors.push(error.toString());
7204
+ }
7168
7205
  }
7169
7206
  else {
7170
7207
  lastRequests.errors.push(error.toString());
7171
7208
  }
7172
7209
  }
7173
7210
  else {
7174
- lastRequests.errors.push(error.toString());
7211
+ lastRequests.errors.push(SERVER_TELEM_UNKNOWN_ERROR);
7175
7212
  }
7213
+ this.cacheManager.setServerTelemetry(this.telemetryCacheKey, lastRequests, this.correlationId);
7176
7214
  }
7177
- else {
7178
- lastRequests.errors.push(SERVER_TELEM_UNKNOWN_ERROR);
7215
+ catch {
7216
+ // Ignore telemetry cache failures to avoid masking the original auth error path.
7179
7217
  }
7180
- this.cacheManager.setServerTelemetry(this.telemetryCacheKey, lastRequests, this.correlationId);
7181
7218
  return;
7182
7219
  }
7183
7220
  /**
@@ -7297,9 +7334,36 @@ class ServerTelemetryManager {
7297
7334
  static makeExtraSkuString(params) {
7298
7335
  return makeExtraSkuString(params);
7299
7336
  }
7337
+ }
7338
+ /** @internal */
7339
+ class StubServerTelemetryManager extends ServerTelemetryManager {
7340
+ constructor() {
7341
+ super({ clientId: "", apiId: 0, correlationId: "", forceRefresh: false }, {});
7342
+ }
7343
+ generateCurrentRequestHeaderValue() {
7344
+ return "";
7345
+ }
7346
+ generateLastRequestHeaderValue() {
7347
+ return "";
7348
+ }
7349
+ cacheFailedRequest() { }
7350
+ incrementCacheHits() {
7351
+ return 0;
7352
+ }
7353
+ clearTelemetryCache() { }
7354
+ getRegionDiscoveryFields() {
7355
+ return "";
7356
+ }
7357
+ updateRegionDiscoveryMetadata() { }
7358
+ setCacheOutcome() { }
7359
+ setNativeBrokerErrorCode() { }
7360
+ getNativeBrokerErrorCode() {
7361
+ return undefined;
7362
+ }
7363
+ clearNativeBrokerErrorCode() { }
7300
7364
  }
7301
7365
 
7302
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7366
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7303
7367
 
7304
7368
  /*
7305
7369
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7320,7 +7384,7 @@ function createJoseHeaderError(code) {
7320
7384
  return new JoseHeaderError(code);
7321
7385
  }
7322
7386
 
7323
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7387
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7324
7388
  /*
7325
7389
  * Copyright (c) Microsoft Corporation. All rights reserved.
7326
7390
  * Licensed under the MIT License.
@@ -7328,7 +7392,7 @@ function createJoseHeaderError(code) {
7328
7392
  const missingKidError = "missing_kid_error";
7329
7393
  const missingAlgError = "missing_alg_error";
7330
7394
 
7331
- /*! @azure/msal-common v16.6.2 2026-05-19 */
7395
+ /*! @azure/msal-common v16.8.0 2026-06-10 */
7332
7396
 
7333
7397
  /*
7334
7398
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7763,7 +7827,7 @@ function ensureArgumentIsJSONString(argName, argValue, correlationId) {
7763
7827
 
7764
7828
  /* eslint-disable header/header */
7765
7829
  const name = "@azure/msal-browser";
7766
- const version = "5.11.0";
7830
+ const version = "5.13.0";
7767
7831
 
7768
7832
  /*
7769
7833
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8356,7 +8420,6 @@ const SilentIframeClientTokenHelper = "silentIframeClientTokenHelper";
8356
8420
  */
8357
8421
  const SilentHandlerInitiateAuthRequest = "silentHandlerInitiateAuthRequest";
8358
8422
  const SilentHandlerMonitorIframeForHash = "silentHandlerMonitorIframeForHash";
8359
- const SilentHandlerLoadFrameSync = "silentHandlerLoadFrameSync";
8360
8423
  /**
8361
8424
  * Helper functions in StandardInteractionClient class (msal-browser)
8362
8425
  */
@@ -8657,6 +8720,43 @@ function createBrowserAuthError(errorCode, subError) {
8657
8720
  return new BrowserAuthError(errorCode, subError);
8658
8721
  }
8659
8722
 
8723
+ /*
8724
+ * Copyright (c) Microsoft Corporation. All rights reserved.
8725
+ * Licensed under the MIT License.
8726
+ */
8727
+ /**
8728
+ * Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details:
8729
+ * https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
8730
+ */
8731
+ /**
8732
+ * Returns a URL-safe plaintext decoded string from b64 encoded input.
8733
+ * @param input
8734
+ */
8735
+ function base64Decode(input) {
8736
+ return new TextDecoder().decode(base64DecToArr(input));
8737
+ }
8738
+ /**
8739
+ * Decodes base64 into Uint8Array
8740
+ * @param base64String
8741
+ */
8742
+ function base64DecToArr(base64String) {
8743
+ let encodedString = base64String.replace(/-/g, "+").replace(/_/g, "/");
8744
+ switch (encodedString.length % 4) {
8745
+ case 0:
8746
+ break;
8747
+ case 2:
8748
+ encodedString += "==";
8749
+ break;
8750
+ case 3:
8751
+ encodedString += "=";
8752
+ break;
8753
+ default:
8754
+ throw createBrowserAuthError(invalidBase64String);
8755
+ }
8756
+ const binString = atob(encodedString);
8757
+ return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
8758
+ }
8759
+
8660
8760
  /*
8661
8761
  * Copyright (c) Microsoft Corporation. All rights reserved.
8662
8762
  * Licensed under the MIT License.
@@ -8701,43 +8801,6 @@ function base64EncArr(aBytes) {
8701
8801
  return btoa(binString);
8702
8802
  }
8703
8803
 
8704
- /*
8705
- * Copyright (c) Microsoft Corporation. All rights reserved.
8706
- * Licensed under the MIT License.
8707
- */
8708
- /**
8709
- * Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details:
8710
- * https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
8711
- */
8712
- /**
8713
- * Returns a URL-safe plaintext decoded string from b64 encoded input.
8714
- * @param input
8715
- */
8716
- function base64Decode(input) {
8717
- return new TextDecoder().decode(base64DecToArr(input));
8718
- }
8719
- /**
8720
- * Decodes base64 into Uint8Array
8721
- * @param base64String
8722
- */
8723
- function base64DecToArr(base64String) {
8724
- let encodedString = base64String.replace(/-/g, "+").replace(/_/g, "/");
8725
- switch (encodedString.length % 4) {
8726
- case 0:
8727
- break;
8728
- case 2:
8729
- encodedString += "==";
8730
- break;
8731
- case 3:
8732
- encodedString += "=";
8733
- break;
8734
- default:
8735
- throw createBrowserAuthError(invalidBase64String);
8736
- }
8737
- const binString = atob(encodedString);
8738
- return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
8739
- }
8740
-
8741
8804
  /*
8742
8805
  * Copyright (c) Microsoft Corporation. All rights reserved.
8743
8806
  * Licensed under the MIT License.
@@ -9206,7 +9269,7 @@ function cancelPendingBridgeResponse(logger, correlationId) {
9206
9269
  activeBridgeMonitor = null;
9207
9270
  }
9208
9271
  }
9209
- async function waitForBridgeResponse(timeoutMs, logger, browserCrypto, request, performanceClient, experimentalConfig) {
9272
+ async function waitForBridgeResponse(timeoutMs, logger, request, performanceClient, experimentalConfig) {
9210
9273
  return new Promise((resolve, reject) => {
9211
9274
  logger.verbose("1rf6em", request.correlationId);
9212
9275
  const correlationId = request.correlationId;
@@ -9214,7 +9277,7 @@ async function waitForBridgeResponse(timeoutMs, logger, browserCrypto, request,
9214
9277
  redirectBridgeTimeoutMs: timeoutMs,
9215
9278
  lateResponseExperimentEnabled: experimentalConfig?.iframeTimeoutTelemetry || false,
9216
9279
  }, correlationId);
9217
- const { libraryState } = parseRequestState(browserCrypto.base64Decode, request.state || "");
9280
+ const { libraryState } = parseRequestState(base64Decode, request.state || "");
9218
9281
  const channel = new BroadcastChannel(libraryState.id);
9219
9282
  let responseString = undefined;
9220
9283
  let timedOut$1 = false;
@@ -9431,10 +9494,15 @@ function getRedirectUri(requestRedirectUri, clientConfigRedirectUri, logger, cor
9431
9494
  * @param browserStorage - Browser cache manager instance for storing telemetry data
9432
9495
  * @param logger - Optional logger instance for verbose logging
9433
9496
  * @param forceRefresh - Optional flag to force refresh of telemetry data
9497
+ * @param enabled - Optional flag to enable or disable server telemetry (default: true for custom_auth flows, false for standard flows)
9434
9498
  * @returns Configured ServerTelemetryManager instance
9435
9499
  */
9436
- function initializeServerTelemetryManager(apiId, clientId, correlationId, browserStorage, logger, forceRefresh) {
9500
+ function initializeServerTelemetryManager(apiId, clientId, correlationId, browserStorage, logger, forceRefresh, enabled = true) {
9437
9501
  logger.verbose("1p12tq", correlationId);
9502
+ if (!enabled) {
9503
+ logger.verbose("0tajnr", correlationId);
9504
+ return new StubServerTelemetryManager();
9505
+ }
9438
9506
  const telemetryPayload = {
9439
9507
  clientId: clientId,
9440
9508
  correlationId: correlationId,
@@ -14994,6 +15062,15 @@ function removeElementFromArray(array, element) {
14994
15062
  * Copyright (c) Microsoft Corporation. All rights reserved.
14995
15063
  * Licensed under the MIT License.
14996
15064
  */
15065
+ /**
15066
+ * Reason an old-schema cache entry was removed during migration.
15067
+ */
15068
+ const MigrationRemovalReason = {
15069
+ Invalid: "invalid",
15070
+ TtlExpired: "ttlExpired",
15071
+ DecryptFailed: "decryptFailed",
15072
+ Expired: "expired",
15073
+ };
14997
15074
  /**
14998
15075
  * This class implements the cache storage interface for MSAL through browser local or session storage.
14999
15076
  */
@@ -15063,7 +15140,10 @@ class BrowserCacheManager extends CacheManager {
15063
15140
  const parsedValue = this.validateAndParseJson(rawValue || "");
15064
15141
  if (!parsedValue) {
15065
15142
  this.browserStorage.removeItem(key);
15066
- return null;
15143
+ return {
15144
+ entry: null,
15145
+ removalReason: MigrationRemovalReason.Invalid,
15146
+ };
15067
15147
  }
15068
15148
  if (!parsedValue.lastUpdatedAt) {
15069
15149
  // Add lastUpdatedAt to the existing v0 entry if it doesnt exist so we know when it's safe to remove it
@@ -15072,25 +15152,42 @@ class BrowserCacheManager extends CacheManager {
15072
15152
  }
15073
15153
  else if (isCacheExpired(parsedValue.lastUpdatedAt, this.cacheConfig.cacheRetentionDays)) {
15074
15154
  this.browserStorage.removeItem(key);
15075
- this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
15076
- return null;
15155
+ return {
15156
+ entry: null,
15157
+ removalReason: MigrationRemovalReason.TtlExpired,
15158
+ };
15077
15159
  }
15078
- const decryptedData = isEncrypted(parsedValue)
15160
+ const wasEncrypted = isEncrypted(parsedValue);
15161
+ const decryptedData = wasEncrypted
15079
15162
  ? await this.browserStorage.decryptData(key, parsedValue, correlationId)
15080
15163
  : parsedValue;
15081
- if (!decryptedData || !isCredentialEntity(decryptedData)) {
15082
- this.performanceClient.incrementFields({ invalidCacheCount: 1 }, correlationId);
15083
- return null;
15164
+ if (!decryptedData) {
15165
+ this.browserStorage.removeItem(key);
15166
+ return {
15167
+ entry: null,
15168
+ removalReason: wasEncrypted
15169
+ ? MigrationRemovalReason.DecryptFailed
15170
+ : MigrationRemovalReason.Invalid,
15171
+ };
15172
+ }
15173
+ if (!isCredentialEntity(decryptedData)) {
15174
+ this.browserStorage.removeItem(key);
15175
+ return {
15176
+ entry: null,
15177
+ removalReason: MigrationRemovalReason.Invalid,
15178
+ };
15084
15179
  }
15085
15180
  if ((isAccessTokenEntity(decryptedData) ||
15086
15181
  isRefreshTokenEntity(decryptedData)) &&
15087
15182
  decryptedData.expiresOn &&
15088
15183
  isTokenExpired(decryptedData.expiresOn, DEFAULT_TOKEN_RENEWAL_OFFSET_SEC)) {
15089
15184
  this.browserStorage.removeItem(key);
15090
- this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
15091
- return null;
15185
+ return {
15186
+ entry: null,
15187
+ removalReason: MigrationRemovalReason.Expired,
15188
+ };
15092
15189
  }
15093
- return decryptedData;
15190
+ return { entry: decryptedData };
15094
15191
  }
15095
15192
  /**
15096
15193
  * Remove accounts from the cache for older schema versions if they have not been updated in the last cacheRetentionDays
@@ -15109,6 +15206,8 @@ class BrowserCacheManager extends CacheManager {
15109
15206
  const rawValue = this.browserStorage.getItem(accountKey);
15110
15207
  const parsedValue = this.validateAndParseJson(rawValue || "");
15111
15208
  if (!parsedValue) {
15209
+ this.browserStorage.removeItem(accountKey);
15210
+ this.performanceClient.incrementFields({ invalidAcntCount: 1 }, correlationId);
15112
15211
  removeElementFromArray(accountKeysToCheck, accountKey);
15113
15212
  continue;
15114
15213
  }
@@ -15121,8 +15220,20 @@ class BrowserCacheManager extends CacheManager {
15121
15220
  else if (isCacheExpired(parsedValue.lastUpdatedAt, this.cacheConfig.cacheRetentionDays)) {
15122
15221
  // Cache expired remove account and associated tokens
15123
15222
  await this.removeAccountOldSchema(accountKey, parsedValue, credentialSchema, correlationId);
15223
+ this.performanceClient.incrementFields({ ttlExpiredAcntCount: 1 }, correlationId);
15124
15224
  removeElementFromArray(accountKeysToCheck, accountKey);
15125
15225
  }
15226
+ else if (isEncrypted(parsedValue)) {
15227
+ // Remove accounts encrypted with a different key (session cookie expired/changed)
15228
+ const decrypted = await this.browserStorage.decryptData(accountKey, parsedValue, correlationId);
15229
+ if (!decrypted) {
15230
+ this.browserStorage.removeItem(accountKey);
15231
+ this.performanceClient.incrementFields({
15232
+ decryptFailedAcntCount: 1,
15233
+ }, correlationId);
15234
+ removeElementFromArray(accountKeysToCheck, accountKey);
15235
+ }
15236
+ }
15126
15237
  }
15127
15238
  this.setAccountKeys(accountKeysToCheck, correlationId, accountSchema);
15128
15239
  }
@@ -15160,7 +15271,6 @@ class BrowserCacheManager extends CacheManager {
15160
15271
  });
15161
15272
  this.setTokenKeys(tokenKeys, correlationId, credentialSchema);
15162
15273
  }
15163
- this.performanceClient.incrementFields({ expiredAcntRemovedCount: 1 }, correlationId);
15164
15274
  this.browserStorage.removeItem(accountKey);
15165
15275
  }
15166
15276
  /**
@@ -15199,8 +15309,20 @@ class BrowserCacheManager extends CacheManager {
15199
15309
  const previousAccountKeys = getAccountKeys(this.browserStorage, accountSchema);
15200
15310
  for (const idTokenKey of [...credentialKeysToMigrate.idToken]) {
15201
15311
  this.performanceClient.incrementFields({ oldITCount: 1 }, correlationId);
15202
- const oldSchemaData = (await this.updateOldEntry(idTokenKey, correlationId));
15312
+ const result = await this.updateOldEntry(idTokenKey, correlationId);
15313
+ const oldSchemaData = result.entry;
15203
15314
  if (!oldSchemaData) {
15315
+ switch (result.removalReason) {
15316
+ case MigrationRemovalReason.TtlExpired:
15317
+ this.performanceClient.incrementFields({ ttlExpiredITCount: 1 }, correlationId);
15318
+ break;
15319
+ case MigrationRemovalReason.DecryptFailed:
15320
+ this.performanceClient.incrementFields({ decryptFailedITCount: 1 }, correlationId);
15321
+ break;
15322
+ case MigrationRemovalReason.Invalid:
15323
+ this.performanceClient.incrementFields({ invalidITCount: 1 }, correlationId);
15324
+ break;
15325
+ }
15204
15326
  removeElementFromArray(credentialKeysToMigrate.idToken, idTokenKey);
15205
15327
  continue;
15206
15328
  }
@@ -15279,8 +15401,23 @@ class BrowserCacheManager extends CacheManager {
15279
15401
  const currentCredentialKeys = getTokenKeys(this.clientId, this.browserStorage, CREDENTIAL_SCHEMA_VERSION);
15280
15402
  for (const accessTokenKey of [...credentialKeysToMigrate.accessToken]) {
15281
15403
  this.performanceClient.incrementFields({ oldATCount: 1 }, correlationId);
15282
- const oldSchemaData = (await this.updateOldEntry(accessTokenKey, correlationId));
15404
+ const result = await this.updateOldEntry(accessTokenKey, correlationId);
15405
+ const oldSchemaData = result.entry;
15283
15406
  if (!oldSchemaData) {
15407
+ switch (result.removalReason) {
15408
+ case MigrationRemovalReason.TtlExpired:
15409
+ this.performanceClient.incrementFields({ ttlExpiredATCount: 1 }, correlationId);
15410
+ break;
15411
+ case MigrationRemovalReason.DecryptFailed:
15412
+ this.performanceClient.incrementFields({ decryptFailedATCount: 1 }, correlationId);
15413
+ break;
15414
+ case MigrationRemovalReason.Expired:
15415
+ this.performanceClient.incrementFields({ expiredATCount: 1 }, correlationId);
15416
+ break;
15417
+ case MigrationRemovalReason.Invalid:
15418
+ this.performanceClient.incrementFields({ invalidATCount: 1 }, correlationId);
15419
+ break;
15420
+ }
15284
15421
  removeElementFromArray(credentialKeysToMigrate.accessToken, accessTokenKey);
15285
15422
  continue;
15286
15423
  }
@@ -15326,8 +15463,23 @@ class BrowserCacheManager extends CacheManager {
15326
15463
  ...credentialKeysToMigrate.refreshToken,
15327
15464
  ]) {
15328
15465
  this.performanceClient.incrementFields({ oldRTCount: 1 }, correlationId);
15329
- const oldSchemaData = (await this.updateOldEntry(refreshTokenKey, correlationId));
15466
+ const result = await this.updateOldEntry(refreshTokenKey, correlationId);
15467
+ const oldSchemaData = result.entry;
15330
15468
  if (!oldSchemaData) {
15469
+ switch (result.removalReason) {
15470
+ case MigrationRemovalReason.TtlExpired:
15471
+ this.performanceClient.incrementFields({ ttlExpiredRTCount: 1 }, correlationId);
15472
+ break;
15473
+ case MigrationRemovalReason.DecryptFailed:
15474
+ this.performanceClient.incrementFields({ decryptFailedRTCount: 1 }, correlationId);
15475
+ break;
15476
+ case MigrationRemovalReason.Expired:
15477
+ this.performanceClient.incrementFields({ expiredRTCount: 1 }, correlationId);
15478
+ break;
15479
+ case MigrationRemovalReason.Invalid:
15480
+ this.performanceClient.incrementFields({ invalidRTCount: 1 }, correlationId);
15481
+ break;
15482
+ }
15331
15483
  removeElementFromArray(credentialKeysToMigrate.refreshToken, refreshTokenKey);
15332
15484
  continue;
15333
15485
  }
@@ -16652,7 +16804,7 @@ const USER_CANCEL = "USER_CANCEL";
16652
16804
  const NO_NETWORK = "NO_NETWORK";
16653
16805
  const DISABLED = "DISABLED";
16654
16806
  const ACCOUNT_UNAVAILABLE = "ACCOUNT_UNAVAILABLE";
16655
- const UX_NOT_ALLOWED = "UX_NOT_ALLOWED";
16807
+ const UI_NOT_ALLOWED = "UI_NOT_ALLOWED";
16656
16808
 
16657
16809
  /*
16658
16810
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -16707,8 +16859,8 @@ function createNativeAuthError(code, description, ext) {
16707
16859
  return createBrowserAuthError(userCancelled);
16708
16860
  case NO_NETWORK:
16709
16861
  return createBrowserAuthError(noNetworkConnectivity);
16710
- case UX_NOT_ALLOWED:
16711
- return createInteractionRequiredAuthError(uxNotAllowed);
16862
+ case UI_NOT_ALLOWED:
16863
+ return createInteractionRequiredAuthError(uiNotAllowed);
16712
16864
  }
16713
16865
  }
16714
16866
  return new NativeAuthError(code, description, ext);
@@ -16725,7 +16877,7 @@ class SilentCacheClient extends StandardInteractionClient {
16725
16877
  */
16726
16878
  async acquireToken(silentRequest) {
16727
16879
  // Telemetry manager only used to increment cacheHits here
16728
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenSilent_silentFlow, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
16880
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenSilent_silentFlow, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
16729
16881
  const clientConfig = await invokeAsync(this.getClientConfiguration.bind(this), StandardInteractionClientGetClientConfiguration, this.logger, this.performanceClient, this.correlationId)({
16730
16882
  serverTelemetryManager,
16731
16883
  requestAuthority: silentRequest.authority,
@@ -16801,7 +16953,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16801
16953
  // start the perf measurement
16802
16954
  const nativeATMeasurement = this.performanceClient.startMeasurement(NativeInteractionClientAcquireToken, this.correlationId);
16803
16955
  const reqTimestamp = nowSeconds();
16804
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
16956
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
16805
16957
  try {
16806
16958
  // initialize native request
16807
16959
  const nativeRequest = await this.initializePlatformRequest(request);
@@ -16925,7 +17077,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16925
17077
  catch (e) {
16926
17078
  // Only throw fatal errors here to allow application to fallback to regular redirect. Otherwise proceed and the error will be thrown in handleRedirectPromise
16927
17079
  if (e instanceof NativeAuthError) {
16928
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
17080
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
16929
17081
  serverTelemetryManager.setNativeBrokerErrorCode(e.errorCode);
16930
17082
  if (isFatalNativeAuthError(e)) {
16931
17083
  throw e;
@@ -16939,7 +17091,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16939
17091
  noHistory: false,
16940
17092
  };
16941
17093
  const redirectUri = navigateToLoginRequestUrl
16942
- ? window.location.href
17094
+ ? UrlString.getAbsoluteUrl(request.redirectStartPage || window.location.href, getCurrentUri())
16943
17095
  : getRedirectUri(request.redirectUri, this.config.auth.redirectUri, this.logger, this.correlationId);
16944
17096
  rootMeasurement.end({ success: true });
16945
17097
  await this.navigationClient.navigateExternal(redirectUri, navigationOptions); // Need to treat this as external to ensure handleRedirectPromise is run again
@@ -16972,7 +17124,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16972
17124
  this.logger.verbose("003x5a", this.correlationId);
16973
17125
  const response = await this.platformAuthProvider.sendMessage(request);
16974
17126
  const authResult = await this.handleNativeResponse(response, request, reqTimestamp);
16975
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
17127
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
16976
17128
  serverTelemetryManager.clearNativeBrokerErrorCode();
16977
17129
  this.performanceClient?.addFields({ isNativeBroker: true }, this.correlationId);
16978
17130
  return authResult;
@@ -17979,6 +18131,7 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
17979
18131
  nativeBrokerHandshakeTimeout: userInputSystem?.nativeBrokerHandshakeTimeout ||
17980
18132
  DEFAULT_NATIVE_BROKER_HANDSHAKE_TIMEOUT_MS,
17981
18133
  protocolMode: ProtocolMode.AAD,
18134
+ serverTelemetryEnabled: false,
17982
18135
  };
17983
18136
  const providedSystemOptions = {
17984
18137
  ...DEFAULT_BROWSER_SYSTEM_OPTIONS,
@@ -18508,10 +18661,11 @@ function isPlatformAuthAllowed(config, logger, correlationId, platformAuthProvid
18508
18661
  * Licensed under the MIT License.
18509
18662
  */
18510
18663
  class PopupClient extends StandardInteractionClient {
18511
- constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, nativeStorageImpl, correlationId, platformAuthHandler) {
18664
+ constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, nativeStorageImpl, correlationId, platformAuthHandler, waitForPopupResponseHook) {
18512
18665
  super(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, correlationId, platformAuthHandler);
18513
18666
  this.nativeStorage = nativeStorageImpl;
18514
18667
  this.eventHandler = eventHandler;
18668
+ this.waitForPopupResponseHook = waitForPopupResponseHook;
18515
18669
  }
18516
18670
  /**
18517
18671
  * Acquires tokens by opening a popup window to the /authorize endpoint of the authority
@@ -18619,7 +18773,7 @@ class PopupClient extends StandardInteractionClient {
18619
18773
  */
18620
18774
  async executeCodeFlow(request, popupParams, pkceCodes) {
18621
18775
  const correlationId = request.correlationId;
18622
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenPopup, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
18776
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenPopup, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
18623
18777
  const pkce = pkceCodes ||
18624
18778
  (await invokeAsync(generatePkceCodes, GeneratePkceCodes, this.logger, this.performanceClient, correlationId)(this.performanceClient, this.logger, correlationId));
18625
18779
  const popupRequest = {
@@ -18645,7 +18799,7 @@ class PopupClient extends StandardInteractionClient {
18645
18799
  const popupWindow = this.initiateAuthRequest(navigateUrl, popupParams);
18646
18800
  this.eventHandler.emitEvent(EventType.POPUP_OPENED, correlationId, InteractionType.Popup, { popupWindow }, null);
18647
18801
  // Wait for the redirect bridge response
18648
- const responseString = await waitForBridgeResponse(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient);
18802
+ const responseString = await this.waitForPopupResponse(request, popupWindow, popupParams.popupWindowParent);
18649
18803
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.responseMode, this.logger, this.correlationId);
18650
18804
  return await invokeAsync(handleResponseCode, HandleResponseCode, this.logger, this.performanceClient, correlationId)(request, serverParams, pkce.verifier, ApiId.acquireTokenPopup, this.config, authClient, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
18651
18805
  }
@@ -18680,11 +18834,11 @@ class PopupClient extends StandardInteractionClient {
18680
18834
  const form = await getEARForm(popupWindow.document, this.config, discoveredAuthority, popupRequest, this.logger, this.performanceClient);
18681
18835
  form.submit();
18682
18836
  // Monitor the popup for the hash. Return the string value and close the popup when the hash is received. Default timeout is 60 seconds.
18683
- const responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, popupRequest, this.performanceClient);
18837
+ const responseString = await invokeAsync(this.waitForPopupResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(popupRequest, popupWindow, popupParams.popupWindowParent);
18684
18838
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.responseMode, this.logger, this.correlationId);
18685
18839
  if (!serverParams.ear_jwe && serverParams.code) {
18686
18840
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, correlationId)({
18687
- serverTelemetryManager: initializeServerTelemetryManager(ApiId.acquireTokenPopup, this.config.auth.clientId, correlationId, this.browserStorage, this.logger),
18841
+ serverTelemetryManager: initializeServerTelemetryManager(ApiId.acquireTokenPopup, this.config.auth.clientId, correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled),
18688
18842
  requestAuthority: request.authority,
18689
18843
  requestAzureCloudOptions: request.azureCloudOptions,
18690
18844
  requestExtraQueryParameters: request.extraQueryParameters,
@@ -18705,7 +18859,7 @@ class PopupClient extends StandardInteractionClient {
18705
18859
  const form = await getCodeForm(popupWindow.document, this.config, discoveredAuthority, request, this.logger, this.performanceClient);
18706
18860
  form.submit();
18707
18861
  // Monitor the popup for the hash. Return the string value and close the popup when the hash is received. Default timeout is 60 seconds.
18708
- const responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient);
18862
+ const responseString = await invokeAsync(this.waitForPopupResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(request, popupWindow, popupParams.popupWindowParent);
18709
18863
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.responseMode, this.logger, this.correlationId);
18710
18864
  return invokeAsync(handleResponseCode, HandleResponseCode, this.logger, this.performanceClient, correlationId)(request, serverParams, pkceVerifier, ApiId.acquireTokenPopup, this.config, authClient, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
18711
18865
  }
@@ -18721,7 +18875,7 @@ class PopupClient extends StandardInteractionClient {
18721
18875
  async logoutPopupAsync(validRequest, popupParams, requestAuthority, mainWindowRedirectUri) {
18722
18876
  this.logger.verbose("0b7yrk", this.correlationId);
18723
18877
  this.eventHandler.emitEvent(EventType.LOGOUT_START, this.correlationId, InteractionType.Popup, validRequest);
18724
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.logoutPopup, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
18878
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.logoutPopup, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
18725
18879
  try {
18726
18880
  // Clear cache on logout
18727
18881
  await clearCacheOnLogout(this.browserStorage, this.browserCrypto, this.logger, this.correlationId, validRequest.account);
@@ -18762,7 +18916,7 @@ class PopupClient extends StandardInteractionClient {
18762
18916
  // Open the popup window to requestUrl.
18763
18917
  const popupWindow = this.openPopup(logoutUri, popupParams);
18764
18918
  this.eventHandler.emitEvent(EventType.POPUP_OPENED, validRequest.correlationId, InteractionType.Popup, { popupWindow }, null);
18765
- await waitForBridgeResponse(this.config.system.popupBridgeTimeout, this.logger, this.browserCrypto, validRequest, this.performanceClient).catch(() => {
18919
+ await this.waitForPopupResponse(validRequest, popupWindow, popupParams.popupWindowParent).catch(() => {
18766
18920
  // Swallow any errors related to monitoring the window. Server logout is best effort
18767
18921
  });
18768
18922
  if (mainWindowRedirectUri) {
@@ -18841,6 +18995,19 @@ class PopupClient extends StandardInteractionClient {
18841
18995
  if (!popupWindow) {
18842
18996
  throw createBrowserAuthError(emptyWindowError);
18843
18997
  }
18998
+ try {
18999
+ popupWindow.document.title = "Microsoft Authentication";
19000
+ }
19001
+ catch (e) {
19002
+ if (typeof DOMException !== "undefined" &&
19003
+ e instanceof DOMException &&
19004
+ e.name === "SecurityError") {
19005
+ // Cross-origin - title cannot be set
19006
+ }
19007
+ else {
19008
+ this.logger.verbose("1s1yfs", this.correlationId);
19009
+ }
19010
+ }
18844
19011
  if (popupWindow.focus) {
18845
19012
  popupWindow.focus();
18846
19013
  }
@@ -18919,6 +19086,12 @@ class PopupClient extends StandardInteractionClient {
18919
19086
  const homeAccountId = request.account && request.account.homeAccountId;
18920
19087
  return `${BrowserConstants.POPUP_NAME_PREFIX}.${this.config.auth.clientId}.${homeAccountId}.${this.correlationId}`;
18921
19088
  }
19089
+ async waitForPopupResponse(request, popupWindow, popupWindowParent) {
19090
+ if (this.waitForPopupResponseHook) {
19091
+ return this.waitForPopupResponseHook(request, popupWindow, popupWindowParent);
19092
+ }
19093
+ return waitForBridgeResponse(this.config.system.popupBridgeTimeout, this.logger, request, this.performanceClient);
19094
+ }
18922
19095
  }
18923
19096
 
18924
19097
  /*
@@ -18986,7 +19159,7 @@ class RedirectClient extends StandardInteractionClient {
18986
19159
  */
18987
19160
  async executeCodeFlow(request) {
18988
19161
  const correlationId = request.correlationId;
18989
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenRedirect, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
19162
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenRedirect, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
18990
19163
  const pkceCodes = await invokeAsync(generatePkceCodes, GeneratePkceCodes, this.logger, this.performanceClient, correlationId)(this.performanceClient, this.logger, correlationId);
18991
19164
  const redirectRequest = {
18992
19165
  ...request,
@@ -19072,7 +19245,9 @@ class RedirectClient extends StandardInteractionClient {
19072
19245
  * @param options {HandleRedirectPromiseOptions} options for handling redirect promise
19073
19246
  */
19074
19247
  async handleRedirectPromise(request, pkceVerifier, parentMeasurement, options) {
19075
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.handleRedirectPromise, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
19248
+ const originalTitle = document.title;
19249
+ document.title = "Microsoft Authentication";
19250
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.handleRedirectPromise, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
19076
19251
  const navigateToLoginRequestUrl = options?.navigateToLoginRequestUrl ?? true;
19077
19252
  try {
19078
19253
  const [serverParams, responseString] = this.getRedirectResponse(options?.hash || "");
@@ -19091,8 +19266,8 @@ class RedirectClient extends StandardInteractionClient {
19091
19266
  }
19092
19267
  // If navigateToLoginRequestUrl is true, get the url where the redirect request was initiated
19093
19268
  const loginRequestUrl = this.browserStorage.getTemporaryCache(TemporaryCacheKeys.ORIGIN_URI, this.correlationId, true) || "";
19094
- const loginRequestUrlNormalized = normalizeUrlForComparison(loginRequestUrl);
19095
- const currentUrlNormalized = normalizeUrlForComparison(window.location.href);
19269
+ const loginRequestUrlNormalized = normalizeUrlForComparison(loginRequestUrl, this.logger, this.correlationId);
19270
+ const currentUrlNormalized = normalizeUrlForComparison(window.location.href, this.logger, this.correlationId);
19096
19271
  if (loginRequestUrlNormalized === currentUrlNormalized &&
19097
19272
  navigateToLoginRequestUrl) {
19098
19273
  // We are on the page we need to navigate to - handle hash
@@ -19125,8 +19300,8 @@ class RedirectClient extends StandardInteractionClient {
19125
19300
  * The start page is expected to also call handleRedirectPromise which will process the hash in one of the checks above.
19126
19301
  */
19127
19302
  let processHashOnRedirect = true;
19128
- if (!loginRequestUrl || loginRequestUrl === "null") {
19129
- // Redirect to home page if login request url is null (real null or the string null)
19303
+ if (!loginRequestUrl) {
19304
+ // Redirect to home page if login request url is empty
19130
19305
  const homepage = getHomepage();
19131
19306
  // Cache the homepage under ORIGIN_URI to ensure cached hash is processed on homepage
19132
19307
  this.browserStorage.setTemporaryCache(TemporaryCacheKeys.ORIGIN_URI, homepage, true);
@@ -19154,6 +19329,9 @@ class RedirectClient extends StandardInteractionClient {
19154
19329
  }
19155
19330
  throw e;
19156
19331
  }
19332
+ finally {
19333
+ document.title = originalTitle;
19334
+ }
19157
19335
  }
19158
19336
  /**
19159
19337
  * Gets the response hash for a redirect request
@@ -19269,7 +19447,7 @@ class RedirectClient extends StandardInteractionClient {
19269
19447
  async logout(logoutRequest) {
19270
19448
  this.logger.verbose("1rkurh", this.correlationId);
19271
19449
  const validLogoutRequest = this.initializeLogoutRequest(logoutRequest);
19272
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.logout, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
19450
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.logout, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
19273
19451
  try {
19274
19452
  this.eventHandler.emitEvent(EventType.LOGOUT_START, this.correlationId, InteractionType.Redirect, logoutRequest);
19275
19453
  // Clear cache on logout
@@ -19350,7 +19528,10 @@ class RedirectClient extends StandardInteractionClient {
19350
19528
  */
19351
19529
  getRedirectStartPage(requestStartPage) {
19352
19530
  const redirectStartPage = requestStartPage || window.location.href;
19353
- return UrlString.getAbsoluteUrl(redirectStartPage, getCurrentUri());
19531
+ const absoluteRedirectStartPage = UrlString.getAbsoluteUrl(redirectStartPage, getCurrentUri());
19532
+ // Sanity check the URL before it is cached so we never persist a malformed value (e.g. the literal string "null")
19533
+ validateUrl(absoluteRedirectStartPage, this.logger, this.correlationId);
19534
+ return absoluteRedirectStartPage;
19354
19535
  }
19355
19536
  }
19356
19537
 
@@ -19359,20 +19540,20 @@ class RedirectClient extends StandardInteractionClient {
19359
19540
  * Licensed under the MIT License.
19360
19541
  */
19361
19542
  /**
19362
- * Creates a hidden iframe to given URL using user-requested scopes as an id.
19363
- * @param urlNavigate
19364
- * @param userRequestScopes
19543
+ * Navigates the given hidden iframe to the provided URL.
19544
+ * @param frame
19545
+ * @param requestUrl
19365
19546
  */
19366
- async function initiateCodeRequest(requestUrl, performanceClient, logger, correlationId) {
19547
+ async function initiateCodeRequest(frame, requestUrl, logger, correlationId) {
19367
19548
  if (!requestUrl) {
19368
19549
  // Throw error if request URL is empty.
19369
19550
  logger.info("1l7hyp", correlationId);
19370
19551
  throw createBrowserAuthError(emptyNavigateUri);
19371
19552
  }
19372
- return invoke(loadFrameSync, SilentHandlerLoadFrameSync, logger, performanceClient, correlationId)(requestUrl);
19553
+ frame.src = requestUrl;
19554
+ return frame;
19373
19555
  }
19374
- async function initiateCodeFlowWithPost(config, authority, request, logger, performanceClient) {
19375
- const frame = createHiddenIframe();
19556
+ async function initiateCodeFlowWithPost(frame, config, authority, request, logger, performanceClient) {
19376
19557
  if (!frame.contentDocument) {
19377
19558
  throw "No document associated with iframe!";
19378
19559
  }
@@ -19380,8 +19561,7 @@ async function initiateCodeFlowWithPost(config, authority, request, logger, perf
19380
19561
  form.submit();
19381
19562
  return frame;
19382
19563
  }
19383
- async function initiateEarRequest(config, authority, request, logger, performanceClient) {
19384
- const frame = createHiddenIframe();
19564
+ async function initiateEarRequest(frame, config, authority, request, logger, performanceClient) {
19385
19565
  if (!frame.contentDocument) {
19386
19566
  throw "No document associated with iframe!";
19387
19567
  }
@@ -19391,24 +19571,14 @@ async function initiateEarRequest(config, authority, request, logger, performanc
19391
19571
  }
19392
19572
  /**
19393
19573
  * @hidden
19394
- * Loads the iframe synchronously when the navigateTimeFrame is set to `0`
19395
- * @param urlNavigate
19396
- * @param frameName
19397
- * @param logger
19398
- */
19399
- function loadFrameSync(urlNavigate) {
19400
- const frameHandle = createHiddenIframe();
19401
- frameHandle.src = urlNavigate;
19402
- return frameHandle;
19403
- }
19404
- /**
19405
- * @hidden
19406
- * Creates a new hidden iframe or gets an existing one for silent token renewal.
19574
+ * Creates a new hidden iframe for silent token renewal. Callers navigate it
19575
+ * (set `src` or submit a form) after registering the response listener.
19407
19576
  * @ignore
19408
19577
  */
19409
19578
  function createHiddenIframe() {
19410
19579
  const authFrame = document.createElement("iframe");
19411
19580
  authFrame.className = "msalSilentIframe";
19581
+ authFrame.title = "Microsoft Authentication";
19412
19582
  authFrame.style.visibility = "hidden";
19413
19583
  authFrame.style.position = "absolute";
19414
19584
  authFrame.style.width = authFrame.style.height = "0";
@@ -19434,10 +19604,11 @@ function removeHiddenIframe(iframe) {
19434
19604
  * Licensed under the MIT License.
19435
19605
  */
19436
19606
  class SilentIframeClient extends StandardInteractionClient {
19437
- constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, apiId, performanceClient, nativeStorageImpl, correlationId, platformAuthProvider) {
19607
+ constructor(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, apiId, performanceClient, nativeStorageImpl, correlationId, platformAuthProvider, waitForIframeResponseHook) {
19438
19608
  super(config, storageImpl, browserCrypto, logger, eventHandler, navigationClient, performanceClient, correlationId, platformAuthProvider);
19439
19609
  this.apiId = apiId;
19440
19610
  this.nativeStorage = nativeStorageImpl;
19611
+ this.waitForIframeResponseHook = waitForIframeResponseHook;
19441
19612
  }
19442
19613
  /**
19443
19614
  * Acquires a token silently by opening a hidden iframe to the /authorize endpoint with prompt=none or prompt=no_session
@@ -19480,7 +19651,7 @@ class SilentIframeClient extends StandardInteractionClient {
19480
19651
  */
19481
19652
  async executeCodeFlow(request) {
19482
19653
  let authClient;
19483
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
19654
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
19484
19655
  try {
19485
19656
  // Initialize the client
19486
19657
  authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, request.correlationId)({
@@ -19522,11 +19693,22 @@ class SilentIframeClient extends StandardInteractionClient {
19522
19693
  earJwk: earJwk,
19523
19694
  codeChallenge: pkceCodes.challenge,
19524
19695
  };
19525
- const iframe = await invokeAsync(initiateEarRequest, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(this.config, discoveredAuthority, silentRequest, this.logger, this.performanceClient);
19696
+ // Create the iframe, register the response listener, then navigate, so the listener is active before the iframe can respond.
19697
+ const iframe = createHiddenIframe();
19526
19698
  const responseType = this.config.auth.OIDCOptions.responseMode;
19527
19699
  let responseString;
19528
19700
  try {
19529
- responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient, this.config.experimental);
19701
+ const responsePromise = invokeAsync(this.waitForIframeResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(iframe, request);
19702
+ responsePromise.catch(() => {
19703
+ /*
19704
+ * If navigation below throws before responsePromise is awaited,
19705
+ * the listener still rejects on timeout. Swallow it here so it
19706
+ * does not surface as an unhandled rejection; the navigation
19707
+ * error is propagated instead.
19708
+ */
19709
+ });
19710
+ await invokeAsync(initiateEarRequest, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(iframe, this.config, discoveredAuthority, silentRequest, this.logger, this.performanceClient);
19711
+ responseString = await responsePromise;
19530
19712
  }
19531
19713
  finally {
19532
19714
  invoke(removeHiddenIframe, RemoveHiddenIframe, this.logger, this.performanceClient, correlationId)(iframe);
@@ -19535,7 +19717,7 @@ class SilentIframeClient extends StandardInteractionClient {
19535
19717
  if (!serverParams.ear_jwe && serverParams.code) {
19536
19718
  // If server doesn't support EAR, they may fallback to auth code flow instead
19537
19719
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, correlationId)({
19538
- serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, correlationId, this.browserStorage, this.logger),
19720
+ serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled),
19539
19721
  requestAuthority: request.authority,
19540
19722
  requestAzureCloudOptions: request.azureCloudOptions,
19541
19723
  requestExtraQueryParameters: request.extraQueryParameters,
@@ -19562,7 +19744,7 @@ class SilentIframeClient extends StandardInteractionClient {
19562
19744
  // Create silent request
19563
19745
  const silentRequest = await invokeAsync(initializeAuthorizationRequest, StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(inputRequest, InteractionType.Silent, this.config, this.browserCrypto, this.browserStorage, this.logger, this.performanceClient, this.correlationId);
19564
19746
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
19565
- serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger),
19747
+ serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled),
19566
19748
  requestAuthority: silentRequest.authority,
19567
19749
  requestAzureCloudOptions: silentRequest.azureCloudOptions,
19568
19750
  requestExtraQueryParameters: silentRequest.extraQueryParameters,
@@ -19610,21 +19792,32 @@ class SilentIframeClient extends StandardInteractionClient {
19610
19792
  ...request,
19611
19793
  codeChallenge: pkceCodes.challenge,
19612
19794
  };
19613
- let iframe;
19614
- if (request.httpMethod === HttpMethod$1.POST) {
19615
- iframe = await invokeAsync(initiateCodeFlowWithPost, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, silentRequest, this.logger, this.performanceClient);
19616
- }
19617
- else {
19618
- // Create authorize request url
19619
- const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, silentRequest, this.logger, this.performanceClient);
19620
- // Get the frame handle for the silent request
19621
- iframe = await invokeAsync(initiateCodeRequest, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(navigateUrl, this.performanceClient, this.logger, correlationId);
19622
- }
19795
+ // Create the iframe, register the response listener, then navigate, so the listener is active before the iframe can respond.
19796
+ const iframe = createHiddenIframe();
19623
19797
  const responseType = this.config.auth.OIDCOptions.responseMode;
19624
19798
  // Wait for response from the redirect bridge.
19625
19799
  let responseString;
19626
19800
  try {
19627
- responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient, this.config.experimental);
19801
+ const responsePromise = invokeAsync(this.waitForIframeResponse.bind(this), SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(iframe, request);
19802
+ responsePromise.catch(() => {
19803
+ /*
19804
+ * If URL creation or navigation below throws before
19805
+ * responsePromise is awaited, the listener still rejects on
19806
+ * timeout. Swallow it here so it does not surface as an
19807
+ * unhandled rejection; the navigation error is propagated
19808
+ * instead.
19809
+ */
19810
+ });
19811
+ if (request.httpMethod === HttpMethod$1.POST) {
19812
+ await invokeAsync(initiateCodeFlowWithPost, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(iframe, this.config, authClient.authority, silentRequest, this.logger, this.performanceClient);
19813
+ }
19814
+ else {
19815
+ // Create authorize request url
19816
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, silentRequest, this.logger, this.performanceClient);
19817
+ // Navigate the iframe to the authorize request url
19818
+ await invokeAsync(initiateCodeRequest, SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(iframe, navigateUrl, this.logger, correlationId);
19819
+ }
19820
+ responseString = await responsePromise;
19628
19821
  }
19629
19822
  finally {
19630
19823
  invoke(removeHiddenIframe, RemoveHiddenIframe, this.logger, this.performanceClient, correlationId)(iframe);
@@ -19632,6 +19825,12 @@ class SilentIframeClient extends StandardInteractionClient {
19632
19825
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, correlationId)(responseString, responseType, this.logger, this.correlationId);
19633
19826
  return { serverParams, pkceCodes, silentRequest };
19634
19827
  }
19828
+ async waitForIframeResponse(iframe, request) {
19829
+ if (this.waitForIframeResponseHook) {
19830
+ return this.waitForIframeResponseHook(iframe, request);
19831
+ }
19832
+ return waitForBridgeResponse(this.config.system.iframeBridgeTimeout, this.logger, request, this.performanceClient, this.config.experimental);
19833
+ }
19635
19834
  }
19636
19835
 
19637
19836
  /*
@@ -19653,7 +19852,7 @@ class SilentRefreshClient extends StandardInteractionClient {
19653
19852
  // Make sure any passed redirectUri is converted to an absolute URL - redirectUri is not a required parameter for refresh token redemption so only include if explicitly provided
19654
19853
  silentRequest.redirectUri = getRedirectUri(request.redirectUri, this.config.auth.redirectUri, this.logger, this.correlationId);
19655
19854
  }
19656
- const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenSilent_silentFlow, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
19855
+ const serverTelemetryManager = initializeServerTelemetryManager(ApiId.acquireTokenSilent_silentFlow, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
19657
19856
  const refreshTokenClient = await this.createRefreshTokenClient({
19658
19857
  serverTelemetryManager,
19659
19858
  authorityUrl: silentRequest.authority,
@@ -19733,7 +19932,7 @@ class SilentAuthCodeClient extends StandardInteractionClient {
19733
19932
  * Each auth request creates a new instance of *Client so we can safely use this.correlationId.
19734
19933
  */
19735
19934
  this.correlationId);
19736
- const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
19935
+ const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger, undefined, this.config.system.serverTelemetryEnabled);
19737
19936
  try {
19738
19937
  // Create auth code request (PKCE not needed)
19739
19938
  const authCodeRequest = {
@@ -20086,6 +20285,8 @@ class StandardController {
20086
20285
  // Preflight request
20087
20286
  const correlationId = this.getRequestCorrelationId(request);
20088
20287
  this.logger.verbose("0os66p", correlationId);
20288
+ redirectPreflightCheck(this.initialized, this.config);
20289
+ this.browserStorage.setInteractionInProgress(true, INTERACTION_TYPE.SIGNIN);
20089
20290
  const atrMeasurement = this.performanceClient.startMeasurement(AcquireTokenPreRedirect, correlationId);
20090
20291
  atrMeasurement.add({
20091
20292
  scenarioId: request.scenarioId,
@@ -20103,9 +20304,7 @@ class StandardController {
20103
20304
  return navigate;
20104
20305
  };
20105
20306
  try {
20106
- redirectPreflightCheck(this.initialized, this.config);
20107
20307
  enforceResourceParameter(this.config.auth.isMcp, request);
20108
- this.browserStorage.setInteractionInProgress(true, INTERACTION_TYPE.SIGNIN);
20109
20308
  this.eventHandler.emitEvent(EventType.ACQUIRE_TOKEN_START, correlationId, InteractionType.Redirect, request);
20110
20309
  let result;
20111
20310
  if (this.platformAuthProvider &&
@@ -20833,7 +21032,7 @@ class StandardController {
20833
21032
  * @param correlationId
20834
21033
  */
20835
21034
  createPopupClient(correlationId) {
20836
- return new PopupClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider);
21035
+ return new PopupClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider, this.operatingContext.getResponseHandlers()?.waitForPopupResponse);
20837
21036
  }
20838
21037
  /**
20839
21038
  * Returns new instance of the Redirect Interaction Client
@@ -20847,7 +21046,7 @@ class StandardController {
20847
21046
  * @param correlationId
20848
21047
  */
20849
21048
  createSilentIframeClient(correlationId) {
20850
- return new SilentIframeClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.ssoSilent, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider);
21049
+ return new SilentIframeClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.ssoSilent, this.performanceClient, this.nativeInternalStorage, correlationId, this.platformAuthProvider, this.operatingContext.getResponseHandlers()?.waitForIframeResponse);
20851
21050
  }
20852
21051
  /**
20853
21052
  * Returns new instance of the Silent Cache Interaction Client
@@ -21616,7 +21815,7 @@ class BaseOperatingContext {
21616
21815
  return;
21617
21816
  }
21618
21817
  }
21619
- constructor(config) {
21818
+ constructor(config, responseHandlers) {
21620
21819
  /*
21621
21820
  * If loaded in an environment where window is not available,
21622
21821
  * set internal flag to false so that further requests fail.
@@ -21624,6 +21823,7 @@ class BaseOperatingContext {
21624
21823
  */
21625
21824
  this.browserEnvironment = typeof window !== "undefined";
21626
21825
  this.config = buildConfiguration(config, this.browserEnvironment);
21826
+ this.responseHandlers = responseHandlers;
21627
21827
  let sessionStorage;
21628
21828
  try {
21629
21829
  sessionStorage = window[BrowserCacheLocation.SessionStorage];
@@ -21660,6 +21860,13 @@ class BaseOperatingContext {
21660
21860
  getConfig() {
21661
21861
  return this.config;
21662
21862
  }
21863
+ /**
21864
+ * Returns the internal response handlers supplied by PublicClientApplication, if any.
21865
+ * @returns AuthResponseHandlers | undefined
21866
+ */
21867
+ getResponseHandlers() {
21868
+ return this.responseHandlers;
21869
+ }
21663
21870
  /**
21664
21871
  * Returns the MSAL Logger
21665
21872
  * @returns Logger
@@ -22024,7 +22231,48 @@ class PublicClientApplication {
22024
22231
  constructor(configuration, controller) {
22025
22232
  this.controller =
22026
22233
  controller ||
22027
- new StandardController(new StandardOperatingContext(configuration));
22234
+ new StandardController(new StandardOperatingContext(configuration, {
22235
+ waitForPopupResponse: this.waitForPopupResponse.bind(this),
22236
+ waitForIframeResponse: this.waitForIframeResponse.bind(this),
22237
+ }));
22238
+ }
22239
+ /**
22240
+ * Waits for the auth response from a popup window opened by MSAL.
22241
+ *
22242
+ * The default implementation delegates to MSAL's `BroadcastChannel`-based bridge.
22243
+ * Subclasses must return the raw response string (hash/query/fragment), or reject
22244
+ * with an `AuthError` on failure.
22245
+ *
22246
+ * @internal
22247
+ * @param request The in-flight authorization or end-session request.
22248
+ * @param popupWindow The popup window opened by MSAL.
22249
+ * @param popupWindowParent The parent window that opened the popup.
22250
+ */
22251
+ async waitForPopupResponse(request,
22252
+ // eslint-disable-next-line @typescript-eslint/no-unused-vars
22253
+ popupWindow,
22254
+ // eslint-disable-next-line @typescript-eslint/no-unused-vars
22255
+ popupWindowParent) {
22256
+ const controller = this.controller;
22257
+ return waitForBridgeResponse(controller.getConfiguration().system.popupBridgeTimeout, controller.getLogger(), request, controller.getPerformanceClient());
22258
+ }
22259
+ /**
22260
+ * Waits for the auth response from a hidden iframe used by MSAL silent flows.
22261
+ *
22262
+ * The default implementation delegates to MSAL's `BroadcastChannel`-based bridge.
22263
+ * Subclasses must return the raw response string (hash/query/fragment), or reject
22264
+ * with an `AuthError` on failure.
22265
+ *
22266
+ * @internal
22267
+ * @param iframe The hidden iframe MSAL attached to the document.
22268
+ * @param request The in-flight authorization request.
22269
+ */
22270
+ async waitForIframeResponse(
22271
+ // eslint-disable-next-line @typescript-eslint/no-unused-vars
22272
+ iframe, request) {
22273
+ const controller = this.controller;
22274
+ const config = controller.getConfiguration();
22275
+ return waitForBridgeResponse(config.system.iframeBridgeTimeout, controller.getLogger(), request, controller.getPerformanceClient(), config.experimental);
22028
22276
  }
22029
22277
  /**
22030
22278
  * Initializer function to perform async startup tasks such as connecting to WAM extension