@azure/msal-browser 5.13.0 → 5.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (357) hide show
  1. package/dist/app/IPublicClientApplication.mjs +16 -16
  2. package/dist/app/IPublicClientApplication.mjs.map +1 -1
  3. package/dist/app/PublicClientApplication.mjs +1 -1
  4. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
  5. package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +11 -11
  6. package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs.map +1 -1
  7. package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +21 -21
  8. package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs.map +1 -1
  9. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +3 -3
  10. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs.map +1 -1
  11. package/dist/cache/AccountManager.mjs +1 -1
  12. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  13. package/dist/cache/BrowserCacheManager.mjs +18 -18
  14. package/dist/cache/BrowserCacheManager.mjs.map +1 -1
  15. package/dist/cache/CacheHelpers.mjs +1 -1
  16. package/dist/cache/CacheKeys.mjs +1 -1
  17. package/dist/cache/CookieStorage.mjs +4 -4
  18. package/dist/cache/CookieStorage.mjs.map +1 -1
  19. package/dist/cache/DatabaseStorage.mjs +7 -7
  20. package/dist/cache/DatabaseStorage.mjs.map +1 -1
  21. package/dist/cache/EncryptedData.mjs +1 -1
  22. package/dist/cache/LocalStorage.mjs +6 -6
  23. package/dist/cache/LocalStorage.mjs.map +1 -1
  24. package/dist/cache/MemoryStorage.mjs +1 -1
  25. package/dist/cache/SessionStorage.mjs +2 -2
  26. package/dist/cache/SessionStorage.mjs.map +1 -1
  27. package/dist/cache/TokenCache.mjs +10 -8
  28. package/dist/cache/TokenCache.mjs.map +1 -1
  29. package/dist/config/Configuration.mjs +5 -4
  30. package/dist/config/Configuration.mjs.map +1 -1
  31. package/dist/controllers/NestedAppAuthController.mjs +16 -17
  32. package/dist/controllers/NestedAppAuthController.mjs.map +1 -1
  33. package/dist/controllers/StandardController.mjs +24 -24
  34. package/dist/controllers/StandardController.mjs.map +1 -1
  35. package/dist/crypto/BrowserCrypto.mjs +7 -7
  36. package/dist/crypto/BrowserCrypto.mjs.map +1 -1
  37. package/dist/crypto/CryptoOps.mjs +4 -4
  38. package/dist/crypto/CryptoOps.mjs.map +1 -1
  39. package/dist/crypto/PkceGenerator.mjs +3 -3
  40. package/dist/crypto/PkceGenerator.mjs.map +1 -1
  41. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  42. package/dist/custom_auth/CustomAuthConstants.mjs +1 -1
  43. package/dist/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
  44. package/dist/custom_auth/controller/CustomAuthStandardController.mjs +13 -8
  45. package/dist/custom_auth/controller/CustomAuthStandardController.mjs.map +1 -1
  46. package/dist/custom_auth/core/CustomAuthAuthority.mjs +2 -2
  47. package/dist/custom_auth/core/CustomAuthAuthority.mjs.map +1 -1
  48. package/dist/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
  49. package/dist/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
  50. package/dist/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
  51. package/dist/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
  52. package/dist/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
  53. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
  54. package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
  55. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
  56. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
  57. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +4 -4
  58. package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs.map +1 -1
  59. package/dist/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
  60. package/dist/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
  61. package/dist/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
  62. package/dist/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
  63. package/dist/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
  64. package/dist/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +4 -4
  65. package/dist/custom_auth/core/auth_flow/mfa/state/MfaState.mjs.map +1 -1
  66. package/dist/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
  67. package/dist/custom_auth/core/error/CustomAuthError.mjs +1 -1
  68. package/dist/custom_auth/core/error/HttpError.mjs +1 -1
  69. package/dist/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
  70. package/dist/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
  71. package/dist/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
  72. package/dist/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
  73. package/dist/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
  74. package/dist/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
  75. package/dist/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
  76. package/dist/custom_auth/core/error/ParsedUrlError.mjs +1 -1
  77. package/dist/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
  78. package/dist/custom_auth/core/error/UnexpectedError.mjs +1 -1
  79. package/dist/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
  80. package/dist/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
  81. package/dist/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
  82. package/dist/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
  83. package/dist/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
  84. package/dist/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
  85. package/dist/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
  86. package/dist/custom_auth/core/interaction_client/mfa/MfaClient.mjs +2 -2
  87. package/dist/custom_auth/core/interaction_client/mfa/MfaClient.mjs.map +1 -1
  88. package/dist/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
  89. package/dist/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +2 -2
  90. package/dist/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs.map +1 -1
  91. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +1 -1
  92. package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
  93. package/dist/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
  94. package/dist/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +1 -1
  95. package/dist/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +1 -1
  96. package/dist/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +1 -1
  97. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
  98. package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
  99. package/dist/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +4 -4
  100. package/dist/custom_auth/core/network_client/http_client/FetchHttpClient.mjs.map +1 -1
  101. package/dist/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
  102. package/dist/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
  103. package/dist/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
  104. package/dist/custom_auth/core/utils/CustomHeaderUtils.mjs +3 -3
  105. package/dist/custom_auth/core/utils/CustomHeaderUtils.mjs.map +1 -1
  106. package/dist/custom_auth/core/utils/UrlUtils.mjs +1 -1
  107. package/dist/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +2 -2
  108. package/dist/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs.map +1 -1
  109. package/dist/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
  110. package/dist/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
  111. package/dist/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
  112. package/dist/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
  113. package/dist/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
  114. package/dist/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
  115. package/dist/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
  116. package/dist/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +2 -2
  117. package/dist/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs.map +1 -1
  118. package/dist/custom_auth/index.mjs +1 -1
  119. package/dist/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
  120. package/dist/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
  121. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
  122. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
  123. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
  124. package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
  125. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +3 -3
  126. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs.map +1 -1
  127. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
  128. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
  129. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +2 -2
  130. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs.map +1 -1
  131. package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
  132. package/dist/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +3 -3
  133. package/dist/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs.map +1 -1
  134. package/dist/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
  135. package/dist/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
  136. package/dist/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
  137. package/dist/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
  138. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
  139. package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
  140. package/dist/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +2 -2
  141. package/dist/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs.map +1 -1
  142. package/dist/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
  143. package/dist/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +2 -2
  144. package/dist/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs.map +1 -1
  145. package/dist/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
  146. package/dist/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +2 -2
  147. package/dist/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs.map +1 -1
  148. package/dist/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
  149. package/dist/custom_auth/sign_in/interaction_client/SignInClient.mjs +2 -2
  150. package/dist/custom_auth/sign_in/interaction_client/SignInClient.mjs.map +1 -1
  151. package/dist/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
  152. package/dist/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
  153. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
  154. package/dist/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
  155. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
  156. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
  157. package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
  158. package/dist/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +2 -2
  159. package/dist/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs.map +1 -1
  160. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +3 -3
  161. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs.map +1 -1
  162. package/dist/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
  163. package/dist/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
  164. package/dist/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +2 -2
  165. package/dist/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs.map +1 -1
  166. package/dist/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
  167. package/dist/custom_auth/sign_up/interaction_client/SignUpClient.mjs +5 -5
  168. package/dist/custom_auth/sign_up/interaction_client/SignUpClient.mjs.map +1 -1
  169. package/dist/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
  170. package/dist/encode/Base64Decode.mjs +2 -2
  171. package/dist/encode/Base64Decode.mjs.map +1 -1
  172. package/dist/encode/Base64Encode.mjs +1 -1
  173. package/dist/error/BrowserAuthError.mjs +5 -5
  174. package/dist/error/BrowserAuthError.mjs.map +1 -1
  175. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  176. package/dist/error/BrowserConfigurationAuthError.mjs +5 -5
  177. package/dist/error/BrowserConfigurationAuthError.mjs.map +1 -1
  178. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  179. package/dist/error/NativeAuthError.mjs +20 -10
  180. package/dist/error/NativeAuthError.mjs.map +1 -1
  181. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  182. package/dist/error/NestedAppAuthError.mjs +9 -5
  183. package/dist/error/NestedAppAuthError.mjs.map +1 -1
  184. package/dist/event/EventHandler.mjs +7 -6
  185. package/dist/event/EventHandler.mjs.map +1 -1
  186. package/dist/event/EventMessage.mjs +1 -1
  187. package/dist/event/EventType.mjs +1 -1
  188. package/dist/index.mjs +1 -1
  189. package/dist/interaction_client/BaseInteractionClient.mjs +6 -7
  190. package/dist/interaction_client/BaseInteractionClient.mjs.map +1 -1
  191. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  192. package/dist/interaction_client/PlatformAuthInteractionClient.mjs +24 -20
  193. package/dist/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
  194. package/dist/interaction_client/PopupClient.mjs +14 -14
  195. package/dist/interaction_client/PopupClient.mjs.map +1 -1
  196. package/dist/interaction_client/RedirectClient.mjs +17 -17
  197. package/dist/interaction_client/RedirectClient.mjs.map +1 -1
  198. package/dist/interaction_client/SilentAuthCodeClient.mjs +4 -4
  199. package/dist/interaction_client/SilentAuthCodeClient.mjs.map +1 -1
  200. package/dist/interaction_client/SilentCacheClient.mjs +1 -1
  201. package/dist/interaction_client/SilentIframeClient.mjs +5 -5
  202. package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
  203. package/dist/interaction_client/SilentRefreshClient.mjs +3 -3
  204. package/dist/interaction_client/SilentRefreshClient.mjs.map +1 -1
  205. package/dist/interaction_client/StandardInteractionClient.mjs +6 -6
  206. package/dist/interaction_client/StandardInteractionClient.mjs.map +1 -1
  207. package/dist/interaction_handler/InteractionHandler.mjs +3 -3
  208. package/dist/interaction_handler/InteractionHandler.mjs.map +1 -1
  209. package/dist/interaction_handler/SilentHandler.mjs +2 -2
  210. package/dist/interaction_handler/SilentHandler.mjs.map +1 -1
  211. package/dist/log-strings-mapping.json +1200 -1200
  212. package/dist/naa/BridgeError.mjs +1 -1
  213. package/dist/naa/BridgeProxy.mjs +1 -1
  214. package/dist/naa/BridgeStatusCode.mjs +1 -1
  215. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +18 -17
  216. package/dist/naa/mapping/NestedAppAuthAdapter.mjs.map +1 -1
  217. package/dist/navigation/NavigationClient.mjs +2 -2
  218. package/dist/navigation/NavigationClient.mjs.map +1 -1
  219. package/dist/network/FetchClient.mjs +7 -7
  220. package/dist/network/FetchClient.mjs.map +1 -1
  221. package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
  222. package/dist/operatingcontext/NestedAppOperatingContext.mjs +3 -3
  223. package/dist/operatingcontext/NestedAppOperatingContext.mjs.map +1 -1
  224. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  225. package/dist/packageMetadata.mjs +2 -2
  226. package/dist/protocol/Authorize.mjs +8 -8
  227. package/dist/protocol/Authorize.mjs.map +1 -1
  228. package/dist/redirect_bridge/index.mjs +1 -1
  229. package/dist/request/RequestHelpers.mjs +5 -5
  230. package/dist/request/RequestHelpers.mjs.map +1 -1
  231. package/dist/response/ResponseHandler.mjs +11 -11
  232. package/dist/response/ResponseHandler.mjs.map +1 -1
  233. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  234. package/dist/telemetry/BrowserPerformanceEvents.mjs +1 -1
  235. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  236. package/dist/telemetry/BrowserRootPerformanceEvents.mjs +1 -1
  237. package/dist/utils/BrowserConstants.mjs +1 -1
  238. package/dist/utils/BrowserProtocolUtils.mjs +4 -4
  239. package/dist/utils/BrowserProtocolUtils.mjs.map +1 -1
  240. package/dist/utils/BrowserUtils.mjs +26 -20
  241. package/dist/utils/BrowserUtils.mjs.map +1 -1
  242. package/dist/utils/Helpers.mjs +1 -1
  243. package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
  244. package/lib/custom-auth-path/log-strings-mapping.json +2 -2
  245. package/lib/custom-auth-path/msal-custom-auth.cjs +969 -866
  246. package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
  247. package/lib/custom-auth-path/msal-custom-auth.js +860 -761
  248. package/lib/custom-auth-path/msal-custom-auth.js.map +1 -1
  249. package/lib/log-strings-mapping.json +2 -2
  250. package/lib/msal-browser.cjs +898 -796
  251. package/lib/msal-browser.cjs.map +1 -1
  252. package/lib/msal-browser.js +898 -796
  253. package/lib/msal-browser.js.map +1 -1
  254. package/lib/msal-browser.min.js +2 -2
  255. package/lib/redirect-bridge/msal-redirect-bridge.cjs +55 -51
  256. package/lib/redirect-bridge/msal-redirect-bridge.cjs.map +1 -1
  257. package/lib/redirect-bridge/msal-redirect-bridge.js +55 -51
  258. package/lib/redirect-bridge/msal-redirect-bridge.js.map +1 -1
  259. package/lib/redirect-bridge/msal-redirect-bridge.min.js +2 -2
  260. package/package.json +5 -6
  261. package/src/app/IPublicClientApplication.ts +30 -15
  262. package/src/broker/nativeBroker/PlatformAuthDOMHandler.ts +2 -0
  263. package/src/broker/nativeBroker/PlatformAuthExtensionHandler.ts +8 -2
  264. package/src/broker/nativeBroker/PlatformAuthProvider.ts +2 -1
  265. package/src/cache/BrowserCacheManager.ts +19 -7
  266. package/src/cache/CookieStorage.ts +13 -3
  267. package/src/cache/DatabaseStorage.ts +12 -6
  268. package/src/cache/LocalStorage.ts +8 -4
  269. package/src/cache/SessionStorage.ts +2 -1
  270. package/src/cache/TokenCache.ts +22 -7
  271. package/src/config/Configuration.ts +15 -4
  272. package/src/controllers/NestedAppAuthController.ts +19 -11
  273. package/src/controllers/StandardController.ts +20 -9
  274. package/src/crypto/BrowserCrypto.ts +10 -2
  275. package/src/crypto/CryptoOps.ts +4 -2
  276. package/src/crypto/PkceGenerator.ts +8 -2
  277. package/src/custom_auth/controller/CustomAuthStandardController.ts +2 -4
  278. package/src/custom_auth/core/CustomAuthAuthority.ts +4 -2
  279. package/src/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.ts +2 -1
  280. package/src/encode/Base64Decode.ts +2 -1
  281. package/src/error/BrowserAuthError.ts +9 -3
  282. package/src/error/BrowserConfigurationAuthError.ts +9 -3
  283. package/src/error/NativeAuthError.ts +44 -11
  284. package/src/error/NestedAppAuthError.ts +14 -4
  285. package/src/event/EventHandler.ts +2 -1
  286. package/src/interaction_client/BaseInteractionClient.ts +10 -6
  287. package/src/interaction_client/PlatformAuthInteractionClient.ts +49 -21
  288. package/src/interaction_client/PopupClient.ts +14 -8
  289. package/src/interaction_client/RedirectClient.ts +21 -10
  290. package/src/interaction_client/SilentAuthCodeClient.ts +5 -3
  291. package/src/interaction_client/SilentIframeClient.ts +5 -3
  292. package/src/interaction_client/SilentRefreshClient.ts +3 -2
  293. package/src/interaction_client/StandardInteractionClient.ts +8 -4
  294. package/src/interaction_handler/InteractionHandler.ts +4 -2
  295. package/src/interaction_handler/SilentHandler.ts +4 -1
  296. package/src/naa/mapping/NestedAppAuthAdapter.ts +43 -14
  297. package/src/navigation/NavigationClient.ts +1 -0
  298. package/src/network/FetchClient.ts +14 -6
  299. package/src/packageMetadata.ts +1 -1
  300. package/src/protocol/Authorize.ts +23 -7
  301. package/src/request/RequestHelpers.ts +6 -3
  302. package/src/response/ResponseHandler.ts +20 -7
  303. package/src/utils/BrowserProtocolUtils.ts +11 -3
  304. package/src/utils/BrowserUtils.ts +44 -17
  305. package/types/app/IPublicClientApplication.d.ts.map +1 -1
  306. package/types/broker/nativeBroker/PlatformAuthDOMHandler.d.ts.map +1 -1
  307. package/types/broker/nativeBroker/PlatformAuthExtensionHandler.d.ts.map +1 -1
  308. package/types/broker/nativeBroker/PlatformAuthProvider.d.ts.map +1 -1
  309. package/types/cache/BrowserCacheManager.d.ts.map +1 -1
  310. package/types/cache/CookieStorage.d.ts +1 -1
  311. package/types/cache/CookieStorage.d.ts.map +1 -1
  312. package/types/cache/DatabaseStorage.d.ts.map +1 -1
  313. package/types/cache/LocalStorage.d.ts.map +1 -1
  314. package/types/cache/SessionStorage.d.ts.map +1 -1
  315. package/types/cache/TokenCache.d.ts.map +1 -1
  316. package/types/config/Configuration.d.ts +5 -1
  317. package/types/config/Configuration.d.ts.map +1 -1
  318. package/types/controllers/NestedAppAuthController.d.ts.map +1 -1
  319. package/types/controllers/StandardController.d.ts.map +1 -1
  320. package/types/crypto/BrowserCrypto.d.ts.map +1 -1
  321. package/types/crypto/CryptoOps.d.ts.map +1 -1
  322. package/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  323. package/types/custom_auth/controller/CustomAuthStandardController.d.ts.map +1 -1
  324. package/types/custom_auth/core/CustomAuthAuthority.d.ts.map +1 -1
  325. package/types/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.d.ts.map +1 -1
  326. package/types/encode/Base64Decode.d.ts.map +1 -1
  327. package/types/error/BrowserAuthError.d.ts +2 -2
  328. package/types/error/BrowserAuthError.d.ts.map +1 -1
  329. package/types/error/BrowserConfigurationAuthError.d.ts +2 -2
  330. package/types/error/BrowserConfigurationAuthError.d.ts.map +1 -1
  331. package/types/error/NativeAuthError.d.ts +2 -2
  332. package/types/error/NativeAuthError.d.ts.map +1 -1
  333. package/types/error/NestedAppAuthError.d.ts +2 -2
  334. package/types/error/NestedAppAuthError.d.ts.map +1 -1
  335. package/types/event/EventHandler.d.ts.map +1 -1
  336. package/types/interaction_client/BaseInteractionClient.d.ts.map +1 -1
  337. package/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  338. package/types/interaction_client/PopupClient.d.ts.map +1 -1
  339. package/types/interaction_client/RedirectClient.d.ts.map +1 -1
  340. package/types/interaction_client/SilentAuthCodeClient.d.ts.map +1 -1
  341. package/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
  342. package/types/interaction_client/SilentRefreshClient.d.ts.map +1 -1
  343. package/types/interaction_client/StandardInteractionClient.d.ts.map +1 -1
  344. package/types/interaction_handler/InteractionHandler.d.ts.map +1 -1
  345. package/types/interaction_handler/SilentHandler.d.ts.map +1 -1
  346. package/types/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
  347. package/types/navigation/NavigationClient.d.ts.map +1 -1
  348. package/types/network/FetchClient.d.ts.map +1 -1
  349. package/types/packageMetadata.d.ts +1 -1
  350. package/types/protocol/Authorize.d.ts.map +1 -1
  351. package/types/request/RequestHelpers.d.ts.map +1 -1
  352. package/types/response/ResponseHandler.d.ts +1 -1
  353. package/types/response/ResponseHandler.d.ts.map +1 -1
  354. package/types/utils/BrowserProtocolUtils.d.ts +1 -1
  355. package/types/utils/BrowserProtocolUtils.d.ts.map +1 -1
  356. package/types/utils/BrowserUtils.d.ts +5 -3
  357. package/types/utils/BrowserUtils.d.ts.map +1 -1
@@ -1,4 +1,4 @@
1
- /*! @azure/msal-browser v5.13.0 2026-06-10 */
1
+ /*! @azure/msal-browser v5.15.0 2026-06-23 */
2
2
  'use strict';
3
3
  (function (global, factory) {
4
4
  typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
@@ -6,7 +6,7 @@
6
6
  (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.msalCustomAuth = {}));
7
7
  })(this, (function (exports) { 'use strict';
8
8
 
9
- /*! @azure/msal-common v16.8.0 2026-06-10 */
9
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
10
10
  /*
11
11
  * Copyright (c) Microsoft Corporation. All rights reserved.
12
12
  * Licensed under the MIT License.
@@ -33,10 +33,11 @@
33
33
  const EMAIL_SCOPE = "email";
34
34
  const S256_CODE_CHALLENGE_METHOD = "S256";
35
35
  const URL_FORM_CONTENT_TYPE = "application/x-www-form-urlencoded;charset=utf-8";
36
+ const NOT_APPLICABLE = "N/A";
36
37
  const NOT_AVAILABLE = "Not Available";
37
38
  const FORWARD_SLASH = "/";
38
- const IMDS_ENDPOINT = "http://169.254.169.254/metadata/instance/compute/location";
39
- const IMDS_VERSION = "2020-06-01";
39
+ const IMDS_ENDPOINT = "http://169.254.169.254/metadata/instance/compute";
40
+ const IMDS_VERSION = "2021-02-01";
40
41
  const IMDS_TIMEOUT = 2000;
41
42
  const AZURE_REGION_AUTO_DISCOVER_FLAG = "TryAutoDetect";
42
43
  const REGIONAL_AUTH_PUBLIC_CLOUD_SUFFIX = "login.microsoft.com";
@@ -97,6 +98,9 @@
97
98
  const ClaimsRequestKeys = {
98
99
  ACCESS_TOKEN: "access_token",
99
100
  XMS_CC: "xms_cc",
101
+ ID_TOKEN: "id_token",
102
+ SIGNIN_STATE: "signin_state",
103
+ LOGIN_HINT: "login_hint",
100
104
  };
101
105
  /**
102
106
  * we considered making this "enum" in the request instead of string, however it looks like the allowed list of
@@ -233,7 +237,7 @@
233
237
  // Token renewal offset default in seconds
234
238
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
235
239
 
236
- /*! @azure/msal-common v16.8.0 2026-06-10 */
240
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
237
241
  /*
238
242
  * Copyright (c) Microsoft Corporation. All rights reserved.
239
243
  * Licensed under the MIT License.
@@ -285,7 +289,7 @@
285
289
  const RESOURCE = "resource";
286
290
  const CLI_DATA = "clidata";
287
291
 
288
- /*! @azure/msal-common v16.8.0 2026-06-10 */
292
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
289
293
  /*
290
294
  * Copyright (c) Microsoft Corporation. All rights reserved.
291
295
  * Licensed under the MIT License.
@@ -297,7 +301,7 @@
297
301
  * General error class thrown by the MSAL.js library.
298
302
  */
299
303
  class AuthError extends Error {
300
- constructor(errorCode, errorMessage, suberror) {
304
+ constructor(errorCode, correlationId, errorMessage, suberror) {
301
305
  const message = errorMessage ||
302
306
  (errorCode ? getDefaultErrorMessage$1(errorCode) : "");
303
307
  const errorString = message ? `${errorCode}: ${message}` : errorCode;
@@ -306,17 +310,15 @@
306
310
  this.errorCode = errorCode || "";
307
311
  this.errorMessage = message || "";
308
312
  this.subError = suberror || "";
309
- this.name = "AuthError";
310
- }
311
- setCorrelationId(correlationId) {
312
313
  this.correlationId = correlationId;
314
+ this.name = "AuthError";
313
315
  }
314
316
  }
315
- function createAuthError(code, additionalMessage) {
316
- return new AuthError(code, additionalMessage || getDefaultErrorMessage$1(code));
317
+ function createAuthError(code, correlationId, additionalMessage) {
318
+ return new AuthError(code, correlationId, additionalMessage || getDefaultErrorMessage$1(code));
317
319
  }
318
320
 
319
- /*! @azure/msal-common v16.8.0 2026-06-10 */
321
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
320
322
 
321
323
  /*
322
324
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -326,17 +328,17 @@
326
328
  * Error thrown when there is an error in configuration of the MSAL.js library.
327
329
  */
328
330
  class ClientConfigurationError extends AuthError {
329
- constructor(errorCode) {
330
- super(errorCode);
331
+ constructor(errorCode, correlationId) {
332
+ super(errorCode, correlationId);
331
333
  this.name = "ClientConfigurationError";
332
334
  Object.setPrototypeOf(this, ClientConfigurationError.prototype);
333
335
  }
334
336
  }
335
- function createClientConfigurationError(errorCode) {
336
- return new ClientConfigurationError(errorCode);
337
+ function createClientConfigurationError(errorCode, correlationId) {
338
+ return new ClientConfigurationError(errorCode, correlationId);
337
339
  }
338
340
 
339
- /*! @azure/msal-common v16.8.0 2026-06-10 */
341
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
340
342
  /*
341
343
  * Copyright (c) Microsoft Corporation. All rights reserved.
342
344
  * Licensed under the MIT License.
@@ -416,7 +418,7 @@
416
418
  }
417
419
  }
418
420
 
419
- /*! @azure/msal-common v16.8.0 2026-06-10 */
421
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
420
422
 
421
423
  /*
422
424
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -429,17 +431,17 @@
429
431
  * Error thrown when there is an error in the client code running on the browser.
430
432
  */
431
433
  class ClientAuthError extends AuthError {
432
- constructor(errorCode, additionalMessage) {
433
- super(errorCode, additionalMessage);
434
+ constructor(errorCode, correlationId, additionalMessage) {
435
+ super(errorCode, correlationId, additionalMessage);
434
436
  this.name = "ClientAuthError";
435
437
  Object.setPrototypeOf(this, ClientAuthError.prototype);
436
438
  }
437
439
  }
438
- function createClientAuthError(errorCode, additionalMessage) {
439
- return new ClientAuthError(errorCode, additionalMessage);
440
+ function createClientAuthError(errorCode, correlationId, additionalMessage) {
441
+ return new ClientAuthError(errorCode, correlationId, additionalMessage);
440
442
  }
441
443
 
442
- /*! @azure/msal-common v16.8.0 2026-06-10 */
444
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
443
445
  /*
444
446
  * Copyright (c) Microsoft Corporation. All rights reserved.
445
447
  * Licensed under the MIT License.
@@ -465,7 +467,7 @@
465
467
  const invalidPlatformBrokerConfiguration = "invalid_platform_broker_configuration";
466
468
  const issuerValidationFailed = "issuer_validation_failed";
467
469
 
468
- /*! @azure/msal-common v16.8.0 2026-06-10 */
470
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
469
471
  /*
470
472
  * Copyright (c) Microsoft Corporation. All rights reserved.
471
473
  * Licensed under the MIT License.
@@ -482,8 +484,6 @@
482
484
  const stateMismatch = "state_mismatch";
483
485
  const stateNotFound = "state_not_found";
484
486
  const nonceMismatch = "nonce_mismatch";
485
- const authTimeNotFound = "auth_time_not_found";
486
- const maxAgeTranspired = "max_age_transpired";
487
487
  const multipleMatchingAppMetadata = "multiple_matching_appMetadata";
488
488
  const requestCannotBeMade = "request_cannot_be_made";
489
489
  const cannotRemoveEmptyScope = "cannot_remove_empty_scope";
@@ -504,7 +504,7 @@
504
504
  const resourceParameterRequired = "resource_parameter_required";
505
505
  const misplacedResourceParam = "misplaced_resource_parameter";
506
506
 
507
- /*! @azure/msal-common v16.8.0 2026-06-10 */
507
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
508
508
 
509
509
  /*
510
510
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -516,7 +516,8 @@
516
516
  * to ensure uniqueness of strings.
517
517
  */
518
518
  class ScopeSet {
519
- constructor(inputScopes) {
519
+ constructor(inputScopes, correlationId) {
520
+ this.correlationId = correlationId;
520
521
  // Filter empty string and null/undefined array items
521
522
  const scopeArr = inputScopes
522
523
  ? StringUtils.trimArrayEntries([...inputScopes])
@@ -526,7 +527,7 @@
526
527
  : [];
527
528
  // Check if scopes array has at least one member
528
529
  if (!filteredInput || !filteredInput.length) {
529
- throw createClientConfigurationError(emptyInputScopesError);
530
+ throw createClientConfigurationError(emptyInputScopesError, correlationId);
530
531
  }
531
532
  this.scopes = new Set(); // Iterator in constructor not supported by IE11
532
533
  filteredInput.forEach((scope) => this.scopes.add(scope));
@@ -537,22 +538,22 @@
537
538
  * @param appClientId
538
539
  * @param scopesRequired
539
540
  */
540
- static fromString(inputScopeString) {
541
+ static fromString(inputScopeString, correlationId) {
541
542
  const scopeString = inputScopeString || "";
542
543
  const inputScopes = scopeString.split(" ");
543
- return new ScopeSet(inputScopes);
544
+ return new ScopeSet(inputScopes, correlationId);
544
545
  }
545
546
  /**
546
547
  * Creates the set of scopes to search for in cache lookups
547
548
  * @param inputScopeString
548
549
  * @returns
549
550
  */
550
- static createSearchScopes(inputScopeString) {
551
+ static createSearchScopes(inputScopeString, correlationId) {
551
552
  // Handle empty scopes by using default OIDC scopes for cache lookup
552
553
  const scopesToUse = inputScopeString && inputScopeString.length > 0
553
554
  ? inputScopeString
554
555
  : [...OIDC_DEFAULT_SCOPES];
555
- const scopeSet = new ScopeSet(scopesToUse);
556
+ const scopeSet = new ScopeSet(scopesToUse, correlationId);
556
557
  if (!scopeSet.containsOnlyOIDCScopes()) {
557
558
  scopeSet.removeOIDCScopes();
558
559
  }
@@ -567,7 +568,7 @@
567
568
  */
568
569
  containsScope(scope) {
569
570
  const lowerCaseScopes = this.printScopesLowerCase().split(" ");
570
- const lowerCaseScopesSet = new ScopeSet(lowerCaseScopes);
571
+ const lowerCaseScopesSet = new ScopeSet(lowerCaseScopes, this.correlationId);
571
572
  // compare lowercase scopes
572
573
  return scope
573
574
  ? lowerCaseScopesSet.scopes.has(scope.toLowerCase())
@@ -614,7 +615,7 @@
614
615
  newScopes.forEach((newScope) => this.appendScope(newScope));
615
616
  }
616
617
  catch (e) {
617
- throw createClientAuthError(cannotAppendScopeSet);
618
+ throw createClientAuthError(cannotAppendScopeSet, this.correlationId);
618
619
  }
619
620
  }
620
621
  /**
@@ -623,7 +624,7 @@
623
624
  */
624
625
  removeScope(scope) {
625
626
  if (!scope) {
626
- throw createClientAuthError(cannotRemoveEmptyScope);
627
+ throw createClientAuthError(cannotRemoveEmptyScope, this.correlationId);
627
628
  }
628
629
  this.scopes.delete(scope.trim());
629
630
  }
@@ -642,7 +643,7 @@
642
643
  */
643
644
  unionScopeSets(otherScopes) {
644
645
  if (!otherScopes) {
645
- throw createClientAuthError(emptyInputScopeSet);
646
+ throw createClientAuthError(emptyInputScopeSet, this.correlationId);
646
647
  }
647
648
  const unionScopes = new Set(); // Iterator in constructor not supported in IE11
648
649
  otherScopes.scopes.forEach((scope) => unionScopes.add(scope.toLowerCase()));
@@ -655,7 +656,7 @@
655
656
  */
656
657
  intersectingScopeSets(otherScopes) {
657
658
  if (!otherScopes) {
658
- throw createClientAuthError(emptyInputScopeSet);
659
+ throw createClientAuthError(emptyInputScopeSet, this.correlationId);
659
660
  }
660
661
  // Do not allow OIDC scopes to be the only intersecting scopes
661
662
  if (!otherScopes.containsOnlyOIDCScopes()) {
@@ -699,7 +700,7 @@
699
700
  }
700
701
  }
701
702
 
702
- /*! @azure/msal-common v16.8.0 2026-06-10 */
703
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
703
704
 
704
705
  /*
705
706
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -743,7 +744,7 @@
743
744
  * @param scopeSet
744
745
  * @param addOidcScopes
745
746
  */
746
- function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
747
+ function addScopes(parameters, scopes, correlationId, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
747
748
  // Always add openid to the scopes when adding OIDC scopes
748
749
  if (addOidcScopes &&
749
750
  !defaultScopes.includes("openid") &&
@@ -753,7 +754,7 @@
753
754
  const requestScopes = addOidcScopes
754
755
  ? [...(scopes || []), ...defaultScopes]
755
756
  : scopes || [];
756
- const scopeSet = new ScopeSet(requestScopes);
757
+ const scopeSet = new ScopeSet(requestScopes, correlationId);
757
758
  parameters.set(SCOPE, scopeSet.printScopes());
758
759
  }
759
760
  /**
@@ -823,26 +824,18 @@
823
824
  * Adds claims to request parameters, conditionally excluding clientCapabilities
824
825
  * when skipBrokerClaims is true and a brokered flow is in effect.
825
826
  * @param parameters - The request parameters map
827
+ * @param correlationId - The request correlation id
826
828
  * @param claims - The claims string from the request
827
829
  * @param clientCapabilities - The client capabilities from configuration
828
830
  * @param skipBrokerClaims - When true and BROKER_CLIENT_ID is present, excludes clientCapabilities from claims
829
831
  */
830
- function addClaims(parameters, claims, clientCapabilities, skipBrokerClaims) {
832
+ function addClaims(parameters, correlationId, claims, clientCapabilities, skipBrokerClaims) {
831
833
  // Skip clientCapabilities if skipBrokerClaims is set to true and this is a brokered authentication flow
832
834
  const configClaims = skipBrokerClaims && parameters.has(BROKER_CLIENT_ID)
833
835
  ? undefined
834
836
  : clientCapabilities;
835
- if (!StringUtils.isEmptyObj(claims) ||
836
- (configClaims && configClaims.length > 0)) {
837
- const mergedClaims = addClientCapabilitiesToClaims(claims, configClaims);
838
- try {
839
- JSON.parse(mergedClaims);
840
- }
841
- catch (e) {
842
- throw createClientConfigurationError(invalidClaims);
843
- }
844
- parameters.set(CLAIMS, mergedClaims);
845
- }
837
+ const mergedClaims = buildMergedClaims(claims, configClaims, correlationId);
838
+ parameters.set(CLAIMS, mergedClaims);
846
839
  }
847
840
  /**
848
841
  * add correlationId
@@ -913,7 +906,7 @@
913
906
  parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
914
907
  }
915
908
  else {
916
- throw createClientConfigurationError(pkceParamsMissing);
909
+ throw createClientConfigurationError(pkceParamsMissing, "");
917
910
  }
918
911
  }
919
912
  /**
@@ -998,7 +991,23 @@
998
991
  }
999
992
  });
1000
993
  }
1001
- function addClientCapabilitiesToClaims(claims, clientCapabilities) {
994
+ /**
995
+ * Default optional idToken claims requested on all auth requests.
996
+ * signin_state enables KMSI detection; login_hint enables login hint propagation.
997
+ */
998
+ const DEFAULT_ID_TOKEN_CLAIMS = {
999
+ [ClaimsRequestKeys.SIGNIN_STATE]: { essential: false },
1000
+ [ClaimsRequestKeys.LOGIN_HINT]: { essential: false },
1001
+ };
1002
+ /**
1003
+ * Parses claims JSON, merges default optional idToken claims (signin_state, login_hint),
1004
+ * and appends client capabilities (xms_cc) to the access_token section.
1005
+ * Does not overwrite idToken claims already specified by the caller.
1006
+ * @param claims - Existing claims JSON string from the request (may be undefined)
1007
+ * @param clientCapabilities - Client capabilities array from configuration
1008
+ * @returns Merged claims JSON string
1009
+ */
1010
+ function buildMergedClaims(claims, clientCapabilities, correlationId = "") {
1002
1011
  let mergedClaims;
1003
1012
  // Parse provided claims into JSON object or initialize empty object
1004
1013
  if (!claims) {
@@ -1006,14 +1015,31 @@
1006
1015
  }
1007
1016
  else {
1008
1017
  try {
1009
- mergedClaims = JSON.parse(claims);
1018
+ const parsed = JSON.parse(claims);
1019
+ if (typeof parsed !== "object" ||
1020
+ parsed === null ||
1021
+ Array.isArray(parsed)) {
1022
+ throw new Error("Claims must be a JSON object");
1023
+ }
1024
+ mergedClaims = parsed;
1010
1025
  }
1011
1026
  catch (e) {
1012
- throw createClientConfigurationError(invalidClaims);
1027
+ throw createClientConfigurationError(invalidClaims, correlationId);
1028
+ }
1029
+ }
1030
+ // Add default optional idToken claims
1031
+ if (!Object.prototype.hasOwnProperty.call(mergedClaims, ClaimsRequestKeys.ID_TOKEN)) {
1032
+ mergedClaims[ClaimsRequestKeys.ID_TOKEN] = {};
1033
+ }
1034
+ const idTokenClaims = mergedClaims[ClaimsRequestKeys.ID_TOKEN];
1035
+ for (const [key, value] of Object.entries(DEFAULT_ID_TOKEN_CLAIMS)) {
1036
+ if (!(key in idTokenClaims)) {
1037
+ idTokenClaims[key] = value;
1013
1038
  }
1014
1039
  }
1040
+ // Add client capabilities
1015
1041
  if (clientCapabilities && clientCapabilities.length > 0) {
1016
- if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
1042
+ if (!Object.prototype.hasOwnProperty.call(mergedClaims, ClaimsRequestKeys.ACCESS_TOKEN)) {
1017
1043
  // Add access_token key to claims object
1018
1044
  mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
1019
1045
  }
@@ -1046,16 +1072,11 @@
1046
1072
  /**
1047
1073
  * add server telemetry fields
1048
1074
  * @param serverTelemetryManager
1075
+ * @internal
1049
1076
  */
1050
1077
  function addServerTelemetry(parameters, serverTelemetryManager) {
1051
- const currentTelemetryHeader = serverTelemetryManager.generateCurrentRequestHeaderValue();
1052
- const lastTelemetryHeader = serverTelemetryManager.generateLastRequestHeaderValue();
1053
- if (currentTelemetryHeader) {
1054
- parameters.set(X_CLIENT_CURR_TELEM, currentTelemetryHeader);
1055
- }
1056
- if (lastTelemetryHeader) {
1057
- parameters.set(X_CLIENT_LAST_TELEM, lastTelemetryHeader);
1058
- }
1078
+ parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
1079
+ parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
1059
1080
  }
1060
1081
  /**
1061
1082
  * Adds parameter that indicates to the server that throttling is supported
@@ -1094,7 +1115,7 @@
1094
1115
  }
1095
1116
  }
1096
1117
 
1097
- /*! @azure/msal-common v16.8.0 2026-06-10 */
1118
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
1098
1119
 
1099
1120
  /*
1100
1121
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1137,7 +1158,7 @@
1137
1158
  }
1138
1159
  }
1139
1160
  catch (e) {
1140
- throw createClientAuthError(hashNotDeserialized);
1161
+ throw createClientAuthError(hashNotDeserialized, "");
1141
1162
  }
1142
1163
  return null;
1143
1164
  }
@@ -1193,8 +1214,8 @@
1193
1214
  return urlObj.href;
1194
1215
  }
1195
1216
  catch (e) {
1196
- logger?.error("15apdm", correlationId || "");
1197
- throw createClientConfigurationError(urlParseError);
1217
+ logger?.error(`15apdm ${e}`, correlationId || "");
1218
+ throw createClientConfigurationError(urlParseError, correlationId || "");
1198
1219
  }
1199
1220
  }
1200
1221
  /**
@@ -1211,12 +1232,12 @@
1211
1232
  new URL(url);
1212
1233
  }
1213
1234
  catch (e) {
1214
- logger?.error("1lrjz7", correlationId || "");
1215
- throw createClientConfigurationError(urlParseError);
1235
+ logger?.error(`1lrjz7 ${e}`, correlationId || "");
1236
+ throw createClientConfigurationError(urlParseError, correlationId || "");
1216
1237
  }
1217
1238
  }
1218
1239
 
1219
- /*! @azure/msal-common v16.8.0 2026-06-10 */
1240
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
1220
1241
 
1221
1242
  /*
1222
1243
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1224,38 +1245,38 @@
1224
1245
  */
1225
1246
  const DEFAULT_CRYPTO_IMPLEMENTATION = {
1226
1247
  createNewGuid: () => {
1227
- throw createClientAuthError(methodNotImplemented);
1248
+ throw createClientAuthError(methodNotImplemented, "");
1228
1249
  },
1229
1250
  base64Decode: () => {
1230
- throw createClientAuthError(methodNotImplemented);
1251
+ throw createClientAuthError(methodNotImplemented, "");
1231
1252
  },
1232
1253
  base64Encode: () => {
1233
- throw createClientAuthError(methodNotImplemented);
1254
+ throw createClientAuthError(methodNotImplemented, "");
1234
1255
  },
1235
1256
  base64UrlEncode: () => {
1236
- throw createClientAuthError(methodNotImplemented);
1257
+ throw createClientAuthError(methodNotImplemented, "");
1237
1258
  },
1238
1259
  encodeKid: () => {
1239
- throw createClientAuthError(methodNotImplemented);
1260
+ throw createClientAuthError(methodNotImplemented, "");
1240
1261
  },
1241
1262
  async getPublicKeyThumbprint() {
1242
- throw createClientAuthError(methodNotImplemented);
1263
+ throw createClientAuthError(methodNotImplemented, "");
1243
1264
  },
1244
1265
  async removeTokenBindingKey() {
1245
- throw createClientAuthError(methodNotImplemented);
1266
+ throw createClientAuthError(methodNotImplemented, "");
1246
1267
  },
1247
1268
  async clearKeystore() {
1248
- throw createClientAuthError(methodNotImplemented);
1269
+ throw createClientAuthError(methodNotImplemented, "");
1249
1270
  },
1250
1271
  async signJwt() {
1251
- throw createClientAuthError(methodNotImplemented);
1272
+ throw createClientAuthError(methodNotImplemented, "");
1252
1273
  },
1253
1274
  async hashString() {
1254
- throw createClientAuthError(methodNotImplemented);
1275
+ throw createClientAuthError(methodNotImplemented, "");
1255
1276
  },
1256
1277
  };
1257
1278
 
1258
- /*! @azure/msal-common v16.8.0 2026-06-10 */
1279
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
1259
1280
  /*
1260
1281
  * Copyright (c) Microsoft Corporation. All rights reserved.
1261
1282
  * Licensed under the MIT License.
@@ -1318,22 +1339,36 @@
1318
1339
  }
1319
1340
  }
1320
1341
  /**
1321
- * Checks if a string is already a hashed logging string (6 alphanumeric characters)
1322
- */
1323
- function isHashedString(str) {
1324
- if (str.length !== 6) {
1325
- return false;
1342
+ * Extracts the leading minification hash from a log message, if present.
1343
+ *
1344
+ * Minified messages are produced by the logger-minify rollup plugin and are
1345
+ * either a bare 6-character alphanumeric hash, or that hash followed by a space
1346
+ * and runtime variables appended for local (console) logging, e.g.
1347
+ * "abc123 user-1 popup". Only the leading hash is returned so that telemetry
1348
+ * never captures the appended variables. Returns null when the message is not
1349
+ * a minified message.
1350
+ */
1351
+ function getMessageHash(str) {
1352
+ if (str.length < 6) {
1353
+ return null;
1326
1354
  }
1327
- for (let i = 0; i < str.length; i++) {
1355
+ /*
1356
+ * If the message is longer than the hash, the hash must be delimited by a
1357
+ * space (the separator the plugin inserts before appended variables).
1358
+ */
1359
+ if (str.length > 6 && str[6] !== " ") {
1360
+ return null;
1361
+ }
1362
+ for (let i = 0; i < 6; i++) {
1328
1363
  const char = str[i];
1329
1364
  const isAlphaNumeric = (char >= "a" && char <= "z") ||
1330
1365
  (char >= "A" && char <= "Z") ||
1331
1366
  (char >= "0" && char <= "9");
1332
1367
  if (!isAlphaNumeric) {
1333
- return false;
1368
+ return null;
1334
1369
  }
1335
1370
  }
1336
- return true;
1371
+ return str.substring(0, 6);
1337
1372
  }
1338
1373
  /**
1339
1374
  * Class which facilitates logging of messages to a specific place.
@@ -1380,10 +1415,10 @@
1380
1415
  */
1381
1416
  logMessage(logMessage, options) {
1382
1417
  const correlationId = options.correlationId;
1383
- const isHashedInput = isHashedString(logMessage);
1384
- if (isHashedInput) {
1418
+ const messageHash = getMessageHash(logMessage);
1419
+ if (messageHash) {
1385
1420
  const loggedMessage = {
1386
- hash: logMessage,
1421
+ hash: messageHash,
1387
1422
  level: options.logLevel,
1388
1423
  containsPii: options.containsPii || false,
1389
1424
  milliseconds: 0, // Will be calculated in addLogToCache
@@ -1516,12 +1551,12 @@
1516
1551
  }
1517
1552
  }
1518
1553
 
1519
- /*! @azure/msal-common v16.8.0 2026-06-10 */
1554
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
1520
1555
  /* eslint-disable header/header */
1521
1556
  const name$1 = "@azure/msal-common";
1522
- const version$1 = "16.8.0";
1557
+ const version$1 = "16.10.0";
1523
1558
 
1524
- /*! @azure/msal-common v16.8.0 2026-06-10 */
1559
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
1525
1560
  /*
1526
1561
  * Copyright (c) Microsoft Corporation. All rights reserved.
1527
1562
  * Licensed under the MIT License.
@@ -1530,7 +1565,74 @@
1530
1565
  // AzureCloudInstance is not specified.
1531
1566
  None: "none"};
1532
1567
 
1533
- /*! @azure/msal-common v16.8.0 2026-06-10 */
1568
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
1569
+
1570
+ /*
1571
+ * Copyright (c) Microsoft Corporation. All rights reserved.
1572
+ * Licensed under the MIT License.
1573
+ */
1574
+ /**
1575
+ * Extract token by decoding the rawToken
1576
+ *
1577
+ * @param encodedToken
1578
+ */
1579
+ function extractTokenClaims(encodedToken, base64Decode, correlationId) {
1580
+ const jswPayload = getJWSPayload(encodedToken, correlationId);
1581
+ // token will be decoded to get the username
1582
+ try {
1583
+ // base64Decode() should throw an error if there is an issue
1584
+ const base64Decoded = base64Decode(jswPayload);
1585
+ return JSON.parse(base64Decoded);
1586
+ }
1587
+ catch (err) {
1588
+ throw createClientAuthError(tokenParsingError, correlationId);
1589
+ }
1590
+ }
1591
+ /**
1592
+ * Check if the signin_state claim contains "kmsi"
1593
+ * @param idTokenClaims
1594
+ * @returns
1595
+ */
1596
+ function isKmsi(idTokenClaims) {
1597
+ if (!idTokenClaims.signin_state) {
1598
+ return false;
1599
+ }
1600
+ /**
1601
+ * Signin_state claim known values:
1602
+ * dvc_mngd - device is managed
1603
+ * dvc_dmjd - device is domain joined
1604
+ * kmsi - user opted to "keep me signed in"
1605
+ * inknownntwk - Request made inside a known network. Don't use this, use CAE instead.
1606
+ */
1607
+ const kmsiClaims = ["kmsi", "dvc_dmjd"]; // There are some cases where kmsi may not be returned but persistent storage is still OK - allow dvc_dmjd as well
1608
+ return idTokenClaims.signin_state.some((value) => kmsiClaims.includes(value.trim().toLowerCase()));
1609
+ }
1610
+ /**
1611
+ * decode a JWT
1612
+ *
1613
+ * @param authToken
1614
+ */
1615
+ function getJWSPayload(authToken, correlationId) {
1616
+ if (!authToken) {
1617
+ throw createClientAuthError(nullOrEmptyToken, correlationId);
1618
+ }
1619
+ const tokenPartsRegex = /^([^\.\s]*)\.([^\.\s]+)\.([^\.\s]*)$/;
1620
+ const matches = tokenPartsRegex.exec(authToken);
1621
+ if (!matches || matches.length < 4) {
1622
+ throw createClientAuthError(tokenParsingError, correlationId);
1623
+ }
1624
+ /**
1625
+ * const crackedToken = {
1626
+ * header: matches[1],
1627
+ * JWSPayload: matches[2],
1628
+ * JWSSig: matches[3],
1629
+ * };
1630
+ */
1631
+ return matches[2];
1632
+ }
1633
+
1634
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
1635
+
1534
1636
  /*
1535
1637
  * Copyright (c) Microsoft Corporation. All rights reserved.
1536
1638
  * Licensed under the MIT License.
@@ -1551,10 +1653,11 @@
1551
1653
  * @param homeAccountId - Home account identifier for this account object
1552
1654
  * @param localAccountId - Local account identifer for this account object
1553
1655
  * @param tenantId - Full tenant or organizational id that this account belongs to
1656
+ * @param nativeAccountId - Native account identifier for this tenant
1554
1657
  * @param idTokenClaims - Claims from the ID token
1555
1658
  * @returns
1556
1659
  */
1557
- function buildTenantProfile(homeAccountId, localAccountId, tenantId, idTokenClaims) {
1660
+ function buildTenantProfile(homeAccountId, localAccountId, tenantId, nativeAccountId, idTokenClaims) {
1558
1661
  if (idTokenClaims) {
1559
1662
  const { oid, sub, tid, name, tfp, acr, preferred_username, upn, login_hint, } = idTokenClaims;
1560
1663
  /**
@@ -1572,6 +1675,7 @@
1572
1675
  loginHint: login_hint,
1573
1676
  isHomeTenant: tenantIdMatchesHomeTenant(tenantId, homeAccountId),
1574
1677
  upn: upn,
1678
+ ...(nativeAccountId && { nativeAccountId }),
1575
1679
  };
1576
1680
  }
1577
1681
  else {
@@ -1580,6 +1684,7 @@
1580
1684
  localAccountId,
1581
1685
  username: "",
1582
1686
  isHomeTenant: tenantIdMatchesHomeTenant(tenantId, homeAccountId),
1687
+ ...(nativeAccountId && { nativeAccountId }),
1583
1688
  };
1584
1689
  }
1585
1690
  }
@@ -1601,99 +1706,20 @@
1601
1706
  if (idTokenClaims) {
1602
1707
  // Ignore isHomeTenant which is a utility property of tenant profile but not required in base account info
1603
1708
  // eslint-disable-next-line @typescript-eslint/no-unused-vars
1604
- const { isHomeTenant, ...claimsSourcedTenantProfile } = buildTenantProfile(baseAccountInfo.homeAccountId, baseAccountInfo.localAccountId, baseAccountInfo.tenantId, idTokenClaims);
1709
+ const { isHomeTenant, ...claimsSourcedTenantProfile } = buildTenantProfile(baseAccountInfo.homeAccountId, baseAccountInfo.localAccountId, baseAccountInfo.tenantId, updatedAccountInfo.nativeAccountId, idTokenClaims);
1605
1710
  updatedAccountInfo = {
1606
1711
  ...updatedAccountInfo,
1607
1712
  ...claimsSourcedTenantProfile,
1608
1713
  idTokenClaims: idTokenClaims,
1609
1714
  idToken: idTokenSecret,
1715
+ kmsi: isKmsi(idTokenClaims),
1610
1716
  };
1611
1717
  return updatedAccountInfo;
1612
1718
  }
1613
1719
  return updatedAccountInfo;
1614
1720
  }
1615
1721
 
1616
- /*! @azure/msal-common v16.8.0 2026-06-10 */
1617
-
1618
- /*
1619
- * Copyright (c) Microsoft Corporation. All rights reserved.
1620
- * Licensed under the MIT License.
1621
- */
1622
- /**
1623
- * Extract token by decoding the rawToken
1624
- *
1625
- * @param encodedToken
1626
- */
1627
- function extractTokenClaims(encodedToken, base64Decode) {
1628
- const jswPayload = getJWSPayload(encodedToken);
1629
- // token will be decoded to get the username
1630
- try {
1631
- // base64Decode() should throw an error if there is an issue
1632
- const base64Decoded = base64Decode(jswPayload);
1633
- return JSON.parse(base64Decoded);
1634
- }
1635
- catch (err) {
1636
- throw createClientAuthError(tokenParsingError);
1637
- }
1638
- }
1639
- /**
1640
- * Check if the signin_state claim contains "kmsi"
1641
- * @param idTokenClaims
1642
- * @returns
1643
- */
1644
- function isKmsi(idTokenClaims) {
1645
- if (!idTokenClaims.signin_state) {
1646
- return false;
1647
- }
1648
- /**
1649
- * Signin_state claim known values:
1650
- * dvc_mngd - device is managed
1651
- * dvc_dmjd - device is domain joined
1652
- * kmsi - user opted to "keep me signed in"
1653
- * inknownntwk - Request made inside a known network. Don't use this, use CAE instead.
1654
- */
1655
- const kmsiClaims = ["kmsi", "dvc_dmjd"]; // There are some cases where kmsi may not be returned but persistent storage is still OK - allow dvc_dmjd as well
1656
- return idTokenClaims.signin_state.some((value) => kmsiClaims.includes(value.trim().toLowerCase()));
1657
- }
1658
- /**
1659
- * decode a JWT
1660
- *
1661
- * @param authToken
1662
- */
1663
- function getJWSPayload(authToken) {
1664
- if (!authToken) {
1665
- throw createClientAuthError(nullOrEmptyToken);
1666
- }
1667
- const tokenPartsRegex = /^([^\.\s]*)\.([^\.\s]+)\.([^\.\s]*)$/;
1668
- const matches = tokenPartsRegex.exec(authToken);
1669
- if (!matches || matches.length < 4) {
1670
- throw createClientAuthError(tokenParsingError);
1671
- }
1672
- /**
1673
- * const crackedToken = {
1674
- * header: matches[1],
1675
- * JWSPayload: matches[2],
1676
- * JWSSig: matches[3],
1677
- * };
1678
- */
1679
- return matches[2];
1680
- }
1681
- /**
1682
- * Determine if the token's max_age has transpired
1683
- */
1684
- function checkMaxAge(authTime, maxAge) {
1685
- /*
1686
- * per https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
1687
- * To force an immediate re-authentication: If an app requires that a user re-authenticate prior to access,
1688
- * provide a value of 0 for the max_age parameter and the AS will force a fresh login.
1689
- */
1690
- const fiveMinuteSkew = 300000; // five minutes in milliseconds
1691
- if (maxAge === 0 || Date.now() - fiveMinuteSkew > authTime + maxAge) {
1692
- throw createClientAuthError(maxAgeTranspired);
1693
- }
1694
- }
1695
-
1696
- /*! @azure/msal-common v16.8.0 2026-06-10 */
1722
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
1697
1723
 
1698
1724
  /*
1699
1725
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1706,11 +1732,12 @@
1706
1732
  get urlString() {
1707
1733
  return this._urlString;
1708
1734
  }
1709
- constructor(url) {
1735
+ constructor(url, correlationId) {
1710
1736
  this._urlString = url;
1737
+ this.correlationId = correlationId;
1711
1738
  if (!this._urlString) {
1712
1739
  // Throws error if url is empty
1713
- throw createClientConfigurationError(urlEmptyError);
1740
+ throw createClientConfigurationError(urlEmptyError, correlationId);
1714
1741
  }
1715
1742
  if (!url.includes("#")) {
1716
1743
  this._urlString = UrlString.canonicalizeUri(url);
@@ -1746,16 +1773,16 @@
1746
1773
  components = this.getUrlComponents();
1747
1774
  }
1748
1775
  catch (e) {
1749
- throw createClientConfigurationError(urlParseError);
1776
+ throw createClientConfigurationError(urlParseError, this.correlationId);
1750
1777
  }
1751
1778
  // Throw error if URI or path segments are not parseable.
1752
1779
  if (!components.HostNameAndPort || !components.PathSegments) {
1753
- throw createClientConfigurationError(urlParseError);
1780
+ throw createClientConfigurationError(urlParseError, this.correlationId);
1754
1781
  }
1755
1782
  // Throw error if uri is insecure.
1756
1783
  if (!components.Protocol ||
1757
1784
  components.Protocol.toLowerCase() !== "https:") {
1758
- throw createClientConfigurationError(authorityUriInsecure);
1785
+ throw createClientConfigurationError(authorityUriInsecure, this.correlationId);
1759
1786
  }
1760
1787
  }
1761
1788
  /**
@@ -1792,7 +1819,7 @@
1792
1819
  pathArray[0] === AADAuthority.ORGANIZATIONS)) {
1793
1820
  pathArray[0] = tenantId;
1794
1821
  }
1795
- return UrlString.constructAuthorityUriFromObject(urlObject);
1822
+ return UrlString.constructAuthorityUriFromObject(urlObject, this.correlationId);
1796
1823
  }
1797
1824
  /**
1798
1825
  * Parses out the components from a url string.
@@ -1804,7 +1831,7 @@
1804
1831
  // If url string does not match regEx, we throw an error
1805
1832
  const match = this.urlString.match(regEx);
1806
1833
  if (!match) {
1807
- throw createClientConfigurationError(urlParseError);
1834
+ throw createClientConfigurationError(urlParseError, this.correlationId);
1808
1835
  }
1809
1836
  // Url component object
1810
1837
  const urlComponents = {
@@ -1822,17 +1849,17 @@
1822
1849
  }
1823
1850
  return urlComponents;
1824
1851
  }
1825
- static getDomainFromUrl(url) {
1852
+ static getDomainFromUrl(url, correlationId) {
1826
1853
  const regEx = RegExp("^([^:/?#]+://)?([^/?#]*)");
1827
1854
  const match = url.match(regEx);
1828
1855
  if (!match) {
1829
- throw createClientConfigurationError(urlParseError);
1856
+ throw createClientConfigurationError(urlParseError, correlationId);
1830
1857
  }
1831
1858
  return match[2];
1832
1859
  }
1833
- static getAbsoluteUrl(relativeUrl, baseUrl) {
1860
+ static getAbsoluteUrl(relativeUrl, baseUrl, correlationId) {
1834
1861
  if (relativeUrl[0] === FORWARD_SLASH) {
1835
- const url = new UrlString(baseUrl);
1862
+ const url = new UrlString(baseUrl, correlationId);
1836
1863
  const baseComponents = url.getUrlComponents();
1837
1864
  return (baseComponents.Protocol +
1838
1865
  "//" +
@@ -1841,16 +1868,16 @@
1841
1868
  }
1842
1869
  return relativeUrl;
1843
1870
  }
1844
- static constructAuthorityUriFromObject(urlObject) {
1871
+ static constructAuthorityUriFromObject(urlObject, correlationId) {
1845
1872
  return new UrlString(urlObject.Protocol +
1846
1873
  "//" +
1847
1874
  urlObject.HostNameAndPort +
1848
1875
  "/" +
1849
- urlObject.PathSegments.join("/"));
1876
+ urlObject.PathSegments.join("/"), correlationId);
1850
1877
  }
1851
1878
  }
1852
1879
 
1853
- /*! @azure/msal-common v16.8.0 2026-06-10 */
1880
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
1854
1881
 
1855
1882
  /*
1856
1883
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1966,10 +1993,10 @@
1966
1993
  let staticAliases;
1967
1994
  const canonicalAuthority = staticAuthorityOptions.canonicalAuthority;
1968
1995
  if (canonicalAuthority) {
1969
- const authorityHost = new UrlString(canonicalAuthority).getUrlComponents().HostNameAndPort;
1996
+ const authorityHost = new UrlString(canonicalAuthority, correlationId).getUrlComponents().HostNameAndPort;
1970
1997
  staticAliases =
1971
- getAliasesFromMetadata(logger, correlationId, authorityHost, staticAuthorityOptions.cloudDiscoveryMetadata?.metadata) ||
1972
- getAliasesFromMetadata(logger, correlationId, authorityHost, InstanceDiscoveryMetadata.metadata) ||
1998
+ getAliasesFromMetadata(logger, correlationId, authorityHost, staticAuthorityOptions.cloudDiscoveryMetadata?.metadata, AuthorityMetadataSource.CONFIG) ||
1999
+ getAliasesFromMetadata(logger, correlationId, authorityHost, InstanceDiscoveryMetadata.metadata, AuthorityMetadataSource.HARDCODED_VALUES) ||
1973
2000
  staticAuthorityOptions.knownAuthorities;
1974
2001
  }
1975
2002
  return staticAliases || [];
@@ -1981,15 +2008,15 @@
1981
2008
  * @returns
1982
2009
  */
1983
2010
  function getAliasesFromMetadata(logger, correlationId, authorityHost, cloudDiscoveryMetadata, source) {
1984
- logger.trace("1bmquz", correlationId);
2011
+ logger.trace(`1bmquz ${source}`, correlationId);
1985
2012
  if (authorityHost && cloudDiscoveryMetadata) {
1986
2013
  const metadata = getCloudDiscoveryMetadataFromNetworkResponse(cloudDiscoveryMetadata, authorityHost);
1987
2014
  if (metadata) {
1988
- logger.trace("1fotbt", correlationId);
2015
+ logger.trace(`1fotbt ${source}`, correlationId);
1989
2016
  return metadata.aliases;
1990
2017
  }
1991
2018
  else {
1992
- logger.trace("14avvj", correlationId);
2019
+ logger.trace(`14avvj ${source}`, correlationId);
1993
2020
  }
1994
2021
  }
1995
2022
  return null;
@@ -2016,7 +2043,7 @@
2016
2043
  return null;
2017
2044
  }
2018
2045
 
2019
- /*! @azure/msal-common v16.8.0 2026-06-10 */
2046
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
2020
2047
  /*
2021
2048
  * Copyright (c) Microsoft Corporation. All rights reserved.
2022
2049
  * Licensed under the MIT License.
@@ -2024,7 +2051,7 @@
2024
2051
  const cacheQuotaExceeded = "cache_quota_exceeded";
2025
2052
  const cacheErrorUnknown = "cache_error_unknown";
2026
2053
 
2027
- /*! @azure/msal-common v16.8.0 2026-06-10 */
2054
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
2028
2055
 
2029
2056
  /*
2030
2057
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2062,7 +2089,7 @@
2062
2089
  }
2063
2090
  }
2064
2091
 
2065
- /*! @azure/msal-common v16.8.0 2026-06-10 */
2092
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
2066
2093
 
2067
2094
  /*
2068
2095
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2075,14 +2102,14 @@
2075
2102
  */
2076
2103
  function buildClientInfo(rawClientInfo, base64Decode) {
2077
2104
  if (!rawClientInfo) {
2078
- throw createClientAuthError(clientInfoEmptyError);
2105
+ throw createClientAuthError(clientInfoEmptyError, "");
2079
2106
  }
2080
2107
  try {
2081
2108
  const decodedClientInfo = base64Decode(rawClientInfo);
2082
2109
  return JSON.parse(decodedClientInfo);
2083
2110
  }
2084
2111
  catch (e) {
2085
- throw createClientAuthError(clientInfoDecodingError);
2112
+ throw createClientAuthError(clientInfoDecodingError, "");
2086
2113
  }
2087
2114
  }
2088
2115
  /**
@@ -2091,7 +2118,7 @@
2091
2118
  */
2092
2119
  function buildClientInfoFromHomeAccountId(homeAccountId) {
2093
2120
  if (!homeAccountId) {
2094
- throw createClientAuthError(clientInfoDecodingError);
2121
+ throw createClientAuthError(clientInfoDecodingError, "");
2095
2122
  }
2096
2123
  const clientInfoParts = homeAccountId.split(CLIENT_INFO_SEPARATOR, 2);
2097
2124
  return {
@@ -2100,7 +2127,7 @@
2100
2127
  };
2101
2128
  }
2102
2129
 
2103
- /*! @azure/msal-common v16.8.0 2026-06-10 */
2130
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
2104
2131
  /*
2105
2132
  * Copyright (c) Microsoft Corporation. All rights reserved.
2106
2133
  * Licensed under the MIT License.
@@ -2115,7 +2142,7 @@
2115
2142
  Ciam: 3,
2116
2143
  };
2117
2144
 
2118
- /*! @azure/msal-common v16.8.0 2026-06-10 */
2145
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
2119
2146
  /*
2120
2147
  * Copyright (c) Microsoft Corporation. All rights reserved.
2121
2148
  * Licensed under the MIT License.
@@ -2137,7 +2164,7 @@
2137
2164
  return null;
2138
2165
  }
2139
2166
 
2140
- /*! @azure/msal-common v16.8.0 2026-06-10 */
2167
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
2141
2168
  /*
2142
2169
  * Copyright (c) Microsoft Corporation. All rights reserved.
2143
2170
  * Licensed under the MIT License.
@@ -2161,9 +2188,10 @@
2161
2188
  EAR: "EAR",
2162
2189
  };
2163
2190
 
2164
- /*! @azure/msal-common v16.8.0 2026-06-10 */
2191
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
2165
2192
  /**
2166
2193
  * Returns the AccountInfo interface for this account.
2194
+ * @internal
2167
2195
  */
2168
2196
  function getAccountInfo(accountEntity) {
2169
2197
  const tenantProfiles = accountEntity.tenantProfiles || [];
@@ -2171,8 +2199,11 @@
2171
2199
  if (tenantProfiles.length === 0 &&
2172
2200
  accountEntity.realm &&
2173
2201
  accountEntity.localAccountId) {
2174
- tenantProfiles.push(buildTenantProfile(accountEntity.homeAccountId, accountEntity.localAccountId, accountEntity.realm));
2202
+ tenantProfiles.push(buildTenantProfile(accountEntity.homeAccountId, accountEntity.localAccountId, accountEntity.realm, accountEntity.nativeAccountId));
2175
2203
  }
2204
+ // Resolve nativeAccountId from the home tenant profile first, fall back to top-level (deprecated) for old cache entries
2205
+ const homeTenantProfile = tenantProfiles.find((tp) => tp.tenantId === accountEntity.realm);
2206
+ const nativeAccountId = homeTenantProfile?.nativeAccountId || accountEntity.nativeAccountId;
2176
2207
  return {
2177
2208
  homeAccountId: accountEntity.homeAccountId,
2178
2209
  environment: accountEntity.environment,
@@ -2181,7 +2212,7 @@
2181
2212
  localAccountId: accountEntity.localAccountId,
2182
2213
  loginHint: accountEntity.loginHint,
2183
2214
  name: accountEntity.name,
2184
- nativeAccountId: accountEntity.nativeAccountId,
2215
+ nativeAccountId: nativeAccountId,
2185
2216
  authorityType: accountEntity.authorityType,
2186
2217
  // Deserialize tenant profiles array into a Map
2187
2218
  tenantProfiles: new Map(tenantProfiles.map((tenantProfile) => {
@@ -2193,8 +2224,9 @@
2193
2224
  /**
2194
2225
  * Build Account cache from IdToken, clientInfo and authority/policy. Associated with AAD.
2195
2226
  * @param accountDetails
2227
+ * @internal
2196
2228
  */
2197
- function createAccountEntity(accountDetails, authority, base64Decode) {
2229
+ function createAccountEntity(accountDetails, authority, correlationId, base64Decode) {
2198
2230
  let authorityType;
2199
2231
  if (authority.authorityType === AuthorityType.Adfs) {
2200
2232
  authorityType = CACHE_ACCOUNT_TYPE_ADFS;
@@ -2216,7 +2248,7 @@
2216
2248
  const env = accountDetails.environment ||
2217
2249
  (authority && authority.getPreferredCache());
2218
2250
  if (!env) {
2219
- throw createClientAuthError(invalidCacheEnvironment);
2251
+ throw createClientAuthError(invalidCacheEnvironment, correlationId);
2220
2252
  }
2221
2253
  /*
2222
2254
  * In B2C scenarios the emails claim is used instead of preferred_username and it is an array.
@@ -2243,7 +2275,7 @@
2243
2275
  tenantProfiles = accountDetails.tenantProfiles;
2244
2276
  }
2245
2277
  else {
2246
- const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, localAccountId, realm, accountDetails.idTokenClaims);
2278
+ const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, localAccountId, realm, accountDetails.nativeAccountId, accountDetails.idTokenClaims);
2247
2279
  tenantProfiles = [tenantProfile];
2248
2280
  }
2249
2281
  return {
@@ -2271,6 +2303,7 @@
2271
2303
  * @param cloudGraphHostName
2272
2304
  * @param msGraphHost
2273
2305
  * @returns
2306
+ * @internal
2274
2307
  */
2275
2308
  function createAccountEntityFromAccountInfo(accountInfo, cloudGraphHostName, msGraphHost) {
2276
2309
  // Serialize tenant profiles map into an array
@@ -2279,7 +2312,14 @@
2279
2312
  if (tenantProfiles.length === 0 &&
2280
2313
  accountInfo.tenantId &&
2281
2314
  accountInfo.localAccountId) {
2282
- tenantProfiles.push(buildTenantProfile(accountInfo.homeAccountId, accountInfo.localAccountId, accountInfo.tenantId, accountInfo.idTokenClaims));
2315
+ tenantProfiles.push(buildTenantProfile(accountInfo.homeAccountId, accountInfo.localAccountId, accountInfo.tenantId, accountInfo.nativeAccountId, accountInfo.idTokenClaims));
2316
+ }
2317
+ else if (accountInfo.nativeAccountId) {
2318
+ // Ensure nativeAccountId is set on the matching tenant profile
2319
+ const matchingProfile = tenantProfiles.find((tp) => tp.tenantId === accountInfo.tenantId);
2320
+ if (matchingProfile && !matchingProfile.nativeAccountId) {
2321
+ matchingProfile.nativeAccountId = accountInfo.nativeAccountId;
2322
+ }
2283
2323
  }
2284
2324
  return {
2285
2325
  authorityType: accountInfo.authorityType || CACHE_ACCOUNT_TYPE_GENERIC,
@@ -2323,6 +2363,7 @@
2323
2363
  /**
2324
2364
  * Validates an entity: checks for all expected params
2325
2365
  * @param entity
2366
+ * @internal
2326
2367
  */
2327
2368
  function isAccountEntity(entity) {
2328
2369
  if (!entity) {
@@ -2336,7 +2377,7 @@
2336
2377
  entity.hasOwnProperty("authorityType"));
2337
2378
  }
2338
2379
 
2339
- /*! @azure/msal-common v16.8.0 2026-06-10 */
2380
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
2340
2381
 
2341
2382
  /*
2342
2383
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2425,7 +2466,7 @@
2425
2466
  }
2426
2467
  const idToken = this.getIdToken(accountInfo, correlationId, tokenKeys, tenantProfile.tenantId);
2427
2468
  if (idToken) {
2428
- idTokenClaims = extractTokenClaims(idToken.secret, this.cryptoImpl.base64Decode);
2469
+ idTokenClaims = extractTokenClaims(idToken.secret, this.cryptoImpl.base64Decode, correlationId);
2429
2470
  if (!this.idTokenClaimsMatchTenantProfileFilter(idTokenClaims, tenantProfileFilter)) {
2430
2471
  // ID token sourced claims don't match so this tenant profile is not a match
2431
2472
  return null;
@@ -2488,6 +2529,11 @@
2488
2529
  !(tenantProfile.upn === tenantProfileFilter.upn)) {
2489
2530
  return false;
2490
2531
  }
2532
+ if (!!tenantProfileFilter.nativeAccountId &&
2533
+ tenantProfile.nativeAccountId !==
2534
+ tenantProfileFilter.nativeAccountId) {
2535
+ return false;
2536
+ }
2491
2537
  return true;
2492
2538
  }
2493
2539
  idTokenClaimsMatchTenantProfileFilter(idTokenClaims, tenantProfileFilter) {
@@ -2525,7 +2571,7 @@
2525
2571
  */
2526
2572
  async saveCacheRecord(cacheRecord, correlationId, kmsi, apiId, storeInCache) {
2527
2573
  if (!cacheRecord) {
2528
- throw createClientAuthError(invalidCacheRecord);
2574
+ throw createClientAuthError(invalidCacheRecord, correlationId);
2529
2575
  }
2530
2576
  try {
2531
2577
  if (!!cacheRecord.account) {
@@ -2570,7 +2616,7 @@
2570
2616
  tokenType: credential.tokenType,
2571
2617
  };
2572
2618
  const tokenKeys = this.getTokenKeys();
2573
- const currentScopes = ScopeSet.fromString(credential.target);
2619
+ const currentScopes = ScopeSet.fromString(credential.target, correlationId);
2574
2620
  tokenKeys.accessToken.forEach((key) => {
2575
2621
  if (!this.accessTokenKeyMatchesFilter(key, accessTokenFilter, false)) {
2576
2622
  return;
@@ -2578,7 +2624,7 @@
2578
2624
  const tokenEntity = this.getAccessTokenCredential(key, correlationId);
2579
2625
  if (tokenEntity &&
2580
2626
  this.credentialMatchesFilter(tokenEntity, accessTokenFilter, correlationId)) {
2581
- const tokenScopeSet = ScopeSet.fromString(tokenEntity.target);
2627
+ const tokenScopeSet = ScopeSet.fromString(tokenEntity.target, correlationId);
2582
2628
  if (tokenScopeSet.intersectingScopeSets(currentScopes)) {
2583
2629
  this.removeAccessToken(key, correlationId);
2584
2630
  }
@@ -2612,10 +2658,6 @@
2612
2658
  !this.matchRealm(entity, accountFilter.realm)) {
2613
2659
  return;
2614
2660
  }
2615
- if (!!accountFilter.nativeAccountId &&
2616
- !this.matchNativeAccountId(entity, accountFilter.nativeAccountId)) {
2617
- return;
2618
- }
2619
2661
  if (!!accountFilter.authorityType &&
2620
2662
  !this.matchAuthorityType(entity, accountFilter.authorityType)) {
2621
2663
  return;
@@ -2627,6 +2669,7 @@
2627
2669
  username: accountFilter?.username,
2628
2670
  loginHint: accountFilter?.loginHint,
2629
2671
  upn: accountFilter?.upn,
2672
+ nativeAccountId: accountFilter?.nativeAccountId,
2630
2673
  };
2631
2674
  const matchingTenantProfiles = entity.tenantProfiles?.filter((tenantProfile) => {
2632
2675
  return this.tenantProfileMatchesFilter(tenantProfile, tenantProfileFilter);
@@ -2680,7 +2723,8 @@
2680
2723
  * idTokens do not have "target", target specific refreshTokens do exist for some types of authentication
2681
2724
  * Resource specific refresh tokens case will be added when the support is deemed necessary
2682
2725
  */
2683
- if (!!filter.target && !this.matchTarget(entity, filter.target)) {
2726
+ if (!!filter.target &&
2727
+ !this.matchTarget(entity, filter.target, correlationId)) {
2684
2728
  return false;
2685
2729
  }
2686
2730
  // Access Token with Auth Scheme specific matching
@@ -2697,6 +2741,28 @@
2697
2741
  }
2698
2742
  }
2699
2743
  }
2744
+ // Additional cache key components matching (bidirectional isolation)
2745
+ const entityComponents = entity.additionalCacheKeyComponents;
2746
+ const filterComponents = filter.additionalCacheKeyComponents;
2747
+ const entityHasComponents = !!entityComponents && Object.keys(entityComponents).length > 0;
2748
+ const filterHasComponents = !!filterComponents && Object.keys(filterComponents).length > 0;
2749
+ if (entityHasComponents !== filterHasComponents) {
2750
+ return false;
2751
+ }
2752
+ if (entityHasComponents && filterHasComponents) {
2753
+ const entityKeys = Object.keys(entityComponents).sort();
2754
+ const filterKeys = Object.keys(filterComponents).sort();
2755
+ if (entityKeys.length !== filterKeys.length) {
2756
+ return false;
2757
+ }
2758
+ for (let i = 0; i < entityKeys.length; i++) {
2759
+ if (entityKeys[i] !== filterKeys[i] ||
2760
+ entityComponents[entityKeys[i]] !==
2761
+ filterComponents[filterKeys[i]]) {
2762
+ return false;
2763
+ }
2764
+ }
2765
+ }
2700
2766
  return true;
2701
2767
  }
2702
2768
  /**
@@ -2822,7 +2888,7 @@
2822
2888
  void this.cryptoImpl
2823
2889
  .removeTokenBindingKey(kid, correlationId)
2824
2890
  .catch(() => {
2825
- this.commonLogger.error("0cx291", correlationId);
2891
+ this.commonLogger.error(`0cx291 ${kid}`, correlationId);
2826
2892
  this.performanceClient?.incrementFields({ removeTokenBindingKeyFailure: 1 }, correlationId);
2827
2893
  });
2828
2894
  }
@@ -2964,7 +3030,7 @@
2964
3030
  getAccessToken(account, request, tokenKeys, targetRealm) {
2965
3031
  const correlationId = request.correlationId;
2966
3032
  this.commonLogger.trace("1t7hz1", correlationId);
2967
- const scopes = ScopeSet.createSearchScopes(request.scopes);
3033
+ const scopes = ScopeSet.createSearchScopes(request.scopes, correlationId);
2968
3034
  const authScheme = request.authenticationScheme ||
2969
3035
  AuthenticationScheme.BEARER;
2970
3036
  /*
@@ -3154,7 +3220,7 @@
3154
3220
  return null;
3155
3221
  }
3156
3222
  else if (numAppMetadata > 1) {
3157
- throw createClientAuthError(multipleMatchingAppMetadata);
3223
+ throw createClientAuthError(multipleMatchingAppMetadata, correlationId);
3158
3224
  }
3159
3225
  return appMetadataEntries[0];
3160
3226
  }
@@ -3284,15 +3350,6 @@
3284
3350
  matchRealm(entity, realm) {
3285
3351
  return !!(entity.realm?.toLowerCase() === realm.toLowerCase());
3286
3352
  }
3287
- /**
3288
- * helper to match nativeAccountId
3289
- * @param entity
3290
- * @param nativeAccountId
3291
- * @returns boolean indicating the match result
3292
- */
3293
- matchNativeAccountId(entity, nativeAccountId) {
3294
- return !!(entity.nativeAccountId && nativeAccountId === entity.nativeAccountId);
3295
- }
3296
3353
  /**
3297
3354
  * helper to match loginHint which can be either:
3298
3355
  * 1. login_hint ID token claim
@@ -3336,14 +3393,14 @@
3336
3393
  * @param entity
3337
3394
  * @param target
3338
3395
  */
3339
- matchTarget(entity, target) {
3396
+ matchTarget(entity, target, correlationId) {
3340
3397
  const isNotAccessTokenCredential = entity.credentialType !== CredentialType.ACCESS_TOKEN &&
3341
3398
  entity.credentialType !==
3342
3399
  CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME;
3343
3400
  if (isNotAccessTokenCredential || !entity.target) {
3344
3401
  return false;
3345
3402
  }
3346
- const entityScopeSet = ScopeSet.fromString(entity.target);
3403
+ const entityScopeSet = ScopeSet.fromString(entity.target, correlationId);
3347
3404
  return entityScopeSet.containsScopeSet(target);
3348
3405
  }
3349
3406
  /**
@@ -3397,77 +3454,77 @@
3397
3454
  /** @internal */
3398
3455
  class DefaultStorageClass extends CacheManager {
3399
3456
  async setAccount() {
3400
- throw createClientAuthError(methodNotImplemented);
3457
+ throw createClientAuthError(methodNotImplemented, "");
3401
3458
  }
3402
3459
  getAccount() {
3403
- throw createClientAuthError(methodNotImplemented);
3460
+ throw createClientAuthError(methodNotImplemented, "");
3404
3461
  }
3405
3462
  async setIdTokenCredential() {
3406
- throw createClientAuthError(methodNotImplemented);
3463
+ throw createClientAuthError(methodNotImplemented, "");
3407
3464
  }
3408
3465
  getIdTokenCredential() {
3409
- throw createClientAuthError(methodNotImplemented);
3466
+ throw createClientAuthError(methodNotImplemented, "");
3410
3467
  }
3411
3468
  async setAccessTokenCredential() {
3412
- throw createClientAuthError(methodNotImplemented);
3469
+ throw createClientAuthError(methodNotImplemented, "");
3413
3470
  }
3414
3471
  getAccessTokenCredential() {
3415
- throw createClientAuthError(methodNotImplemented);
3472
+ throw createClientAuthError(methodNotImplemented, "");
3416
3473
  }
3417
3474
  async setRefreshTokenCredential() {
3418
- throw createClientAuthError(methodNotImplemented);
3475
+ throw createClientAuthError(methodNotImplemented, "");
3419
3476
  }
3420
3477
  getRefreshTokenCredential() {
3421
- throw createClientAuthError(methodNotImplemented);
3478
+ throw createClientAuthError(methodNotImplemented, "");
3422
3479
  }
3423
3480
  setAppMetadata() {
3424
- throw createClientAuthError(methodNotImplemented);
3481
+ throw createClientAuthError(methodNotImplemented, "");
3425
3482
  }
3426
3483
  getAppMetadata() {
3427
- throw createClientAuthError(methodNotImplemented);
3484
+ throw createClientAuthError(methodNotImplemented, "");
3428
3485
  }
3429
3486
  setServerTelemetry() {
3430
- throw createClientAuthError(methodNotImplemented);
3487
+ throw createClientAuthError(methodNotImplemented, "");
3431
3488
  }
3432
3489
  getServerTelemetry() {
3433
- throw createClientAuthError(methodNotImplemented);
3490
+ throw createClientAuthError(methodNotImplemented, "");
3434
3491
  }
3435
3492
  setAuthorityMetadata() {
3436
- throw createClientAuthError(methodNotImplemented);
3493
+ throw createClientAuthError(methodNotImplemented, "");
3437
3494
  }
3438
3495
  getAuthorityMetadata() {
3439
- throw createClientAuthError(methodNotImplemented);
3496
+ throw createClientAuthError(methodNotImplemented, "");
3440
3497
  }
3441
3498
  getAuthorityMetadataKeys() {
3442
- throw createClientAuthError(methodNotImplemented);
3499
+ throw createClientAuthError(methodNotImplemented, "");
3443
3500
  }
3444
3501
  setThrottlingCache() {
3445
- throw createClientAuthError(methodNotImplemented);
3502
+ throw createClientAuthError(methodNotImplemented, "");
3446
3503
  }
3447
3504
  getThrottlingCache() {
3448
- throw createClientAuthError(methodNotImplemented);
3505
+ throw createClientAuthError(methodNotImplemented, "");
3449
3506
  }
3450
3507
  removeItem() {
3451
- throw createClientAuthError(methodNotImplemented);
3508
+ throw createClientAuthError(methodNotImplemented, "");
3452
3509
  }
3453
3510
  getKeys() {
3454
- throw createClientAuthError(methodNotImplemented);
3511
+ throw createClientAuthError(methodNotImplemented, "");
3455
3512
  }
3456
3513
  getAccountKeys() {
3457
- throw createClientAuthError(methodNotImplemented);
3514
+ throw createClientAuthError(methodNotImplemented, "");
3458
3515
  }
3459
3516
  getTokenKeys() {
3460
- throw createClientAuthError(methodNotImplemented);
3517
+ throw createClientAuthError(methodNotImplemented, "");
3461
3518
  }
3462
3519
  generateCredentialKey() {
3463
- throw createClientAuthError(methodNotImplemented);
3520
+ throw createClientAuthError(methodNotImplemented, "");
3464
3521
  }
3465
3522
  generateAccountKey() {
3466
- throw createClientAuthError(methodNotImplemented);
3523
+ throw createClientAuthError(methodNotImplemented, "");
3467
3524
  }
3468
3525
  }
3469
3526
 
3470
- /*! @azure/msal-common v16.8.0 2026-06-10 */
3527
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
3471
3528
  /*
3472
3529
  * Copyright (c) Microsoft Corporation. All rights reserved.
3473
3530
  * Licensed under the MIT License.
@@ -3481,7 +3538,7 @@
3481
3538
  const PerformanceEventStatus = {
3482
3539
  InProgress: 1};
3483
3540
 
3484
- /*! @azure/msal-common v16.8.0 2026-06-10 */
3541
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
3485
3542
 
3486
3543
  /*
3487
3544
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3536,7 +3593,7 @@
3536
3593
  }
3537
3594
  }
3538
3595
 
3539
- /*! @azure/msal-common v16.8.0 2026-06-10 */
3596
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
3540
3597
 
3541
3598
  /*
3542
3599
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3556,10 +3613,10 @@
3556
3613
  };
3557
3614
  const DEFAULT_NETWORK_IMPLEMENTATION = {
3558
3615
  async sendGetRequestAsync() {
3559
- throw createClientAuthError(methodNotImplemented);
3616
+ throw createClientAuthError(methodNotImplemented, "");
3560
3617
  },
3561
3618
  async sendPostRequestAsync() {
3562
- throw createClientAuthError(methodNotImplemented);
3619
+ throw createClientAuthError(methodNotImplemented, "");
3563
3620
  },
3564
3621
  };
3565
3622
  const DEFAULT_LIBRARY_INFO = {
@@ -3588,6 +3645,7 @@
3588
3645
  * @param Configuration
3589
3646
  *
3590
3647
  * @returns Configuration
3648
+ * @internal
3591
3649
  */
3592
3650
  function buildClientConfiguration({ authOptions: userAuthOptions, systemOptions: userSystemOptions, loggerOptions: userLoggerOption, storageInterface: storageImplementation, networkInterface: networkImplementation, cryptoInterface: cryptoImplementation, clientCredentials: clientCredentials, libraryInfo: libraryInfo, telemetry: telemetry, serverTelemetryManager: serverTelemetryManager, persistencePlugin: persistencePlugin, serializableCache: serializableCache, }) {
3593
3651
  const loggerOptions = {
@@ -3599,7 +3657,7 @@
3599
3657
  systemOptions: { ...DEFAULT_SYSTEM_OPTIONS, ...userSystemOptions },
3600
3658
  loggerOptions: loggerOptions,
3601
3659
  storageInterface: storageImplementation ||
3602
- new DefaultStorageClass(userAuthOptions.clientId, DEFAULT_CRYPTO_IMPLEMENTATION, new Logger(loggerOptions), new StubPerformanceClient()),
3660
+ new DefaultStorageClass(userAuthOptions.clientId, DEFAULT_CRYPTO_IMPLEMENTATION, new Logger(loggerOptions, name$1, version$1), new StubPerformanceClient()),
3603
3661
  networkInterface: networkImplementation || DEFAULT_NETWORK_IMPLEMENTATION,
3604
3662
  cryptoInterface: cryptoImplementation || DEFAULT_CRYPTO_IMPLEMENTATION,
3605
3663
  clientCredentials: clientCredentials || DEFAULT_CLIENT_CREDENTIALS,
@@ -3631,7 +3689,7 @@
3631
3689
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3632
3690
  }
3633
3691
 
3634
- /*! @azure/msal-common v16.8.0 2026-06-10 */
3692
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
3635
3693
  /*
3636
3694
  * Copyright (c) Microsoft Corporation. All rights reserved.
3637
3695
  * Licensed under the MIT License.
@@ -3658,7 +3716,7 @@
3658
3716
  }
3659
3717
  }
3660
3718
 
3661
- /*! @azure/msal-common v16.8.0 2026-06-10 */
3719
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
3662
3720
  /*
3663
3721
  * Copyright (c) Microsoft Corporation. All rights reserved.
3664
3722
  * Licensed under the MIT License.
@@ -3723,7 +3781,7 @@
3723
3781
  return cachedAtSec > nowSeconds();
3724
3782
  }
3725
3783
 
3726
- /*! @azure/msal-common v16.8.0 2026-06-10 */
3784
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
3727
3785
 
3728
3786
  /*
3729
3787
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3759,7 +3817,7 @@
3759
3817
  * @param expiresOn
3760
3818
  * @param extExpiresOn
3761
3819
  */
3762
- function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, refreshOn, tokenType, userAssertionHash, keyId) {
3820
+ function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, correlationId, refreshOn, tokenType, userAssertionHash, keyId, additionalCacheKeyComponents) {
3763
3821
  const atEntity = {
3764
3822
  homeAccountId: homeAccountId,
3765
3823
  credentialType: CredentialType.ACCESS_TOKEN,
@@ -3791,9 +3849,9 @@
3791
3849
  switch (atEntity.tokenType) {
3792
3850
  case AuthenticationScheme.POP:
3793
3851
  // Make sure keyId is present and add it to credential
3794
- const tokenClaims = extractTokenClaims(accessToken, base64Decode);
3852
+ const tokenClaims = extractTokenClaims(accessToken, base64Decode, correlationId);
3795
3853
  if (!tokenClaims?.cnf?.kid) {
3796
- throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt);
3854
+ throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt, correlationId);
3797
3855
  }
3798
3856
  atEntity.keyId = tokenClaims.cnf.kid;
3799
3857
  break;
@@ -3801,6 +3859,11 @@
3801
3859
  atEntity.keyId = keyId;
3802
3860
  }
3803
3861
  }
3862
+ /* Additional cache key components for cache isolation (e.g., FMI path) */
3863
+ if (additionalCacheKeyComponents &&
3864
+ Object.keys(additionalCacheKeyComponents).length > 0) {
3865
+ atEntity.additionalCacheKeyComponents = additionalCacheKeyComponents;
3866
+ }
3804
3867
  return atEntity;
3805
3868
  }
3806
3869
  /**
@@ -3960,6 +4023,7 @@
3960
4023
  return (nowSeconds() +
3961
4024
  AUTHORITY_METADATA_REFRESH_TIME_SECONDS);
3962
4025
  }
4026
+ /** @internal */
3963
4027
  function updateAuthorityEndpointMetadata(authorityMetadata, updatedValues, fromNetwork) {
3964
4028
  authorityMetadata.authorization_endpoint =
3965
4029
  updatedValues.authorization_endpoint;
@@ -3969,6 +4033,7 @@
3969
4033
  authorityMetadata.endpointsFromNetwork = fromNetwork;
3970
4034
  authorityMetadata.jwks_uri = updatedValues.jwks_uri;
3971
4035
  }
4036
+ /** @internal */
3972
4037
  function updateCloudDiscoveryMetadata(authorityMetadata, updatedValues, fromNetwork) {
3973
4038
  authorityMetadata.aliases = updatedValues.aliases;
3974
4039
  authorityMetadata.preferred_cache = updatedValues.preferred_cache;
@@ -3977,12 +4042,13 @@
3977
4042
  }
3978
4043
  /**
3979
4044
  * Returns whether or not the data needs to be refreshed
4045
+ * @internal
3980
4046
  */
3981
4047
  function isAuthorityMetadataExpired(metadata) {
3982
4048
  return metadata.expiresAt <= nowSeconds();
3983
4049
  }
3984
4050
 
3985
- /*! @azure/msal-common v16.8.0 2026-06-10 */
4051
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
3986
4052
  /*
3987
4053
  * Copyright (c) Microsoft Corporation. All rights reserved.
3988
4054
  * Licensed under the MIT License.
@@ -4053,7 +4119,7 @@
4053
4119
  const CacheManagerGetRefreshToken = "cacheManagerGetRefreshToken";
4054
4120
  const SetUserData = "setUserData";
4055
4121
 
4056
- /*! @azure/msal-common v16.8.0 2026-06-10 */
4122
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
4057
4123
  /*
4058
4124
  * Copyright (c) Microsoft Corporation. All rights reserved.
4059
4125
  * Licensed under the MIT License.
@@ -4072,7 +4138,7 @@
4072
4138
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
4073
4139
  const invoke = (callback, eventName, logger, telemetryClient, correlationId) => {
4074
4140
  return (...args) => {
4075
- logger.trace("1plfzx", correlationId);
4141
+ logger.trace(`1plfzx ${eventName}`, correlationId);
4076
4142
  const inProgressEvent = telemetryClient.startMeasurement(eventName, correlationId);
4077
4143
  if (correlationId) {
4078
4144
  // Track number of times this API is called in a single request
@@ -4083,11 +4149,11 @@
4083
4149
  inProgressEvent.end({
4084
4150
  success: true,
4085
4151
  });
4086
- logger.trace("1g8n6a", correlationId);
4152
+ logger.trace(`1g8n6a ${eventName}`, correlationId);
4087
4153
  return result;
4088
4154
  }
4089
4155
  catch (e) {
4090
- logger.trace("0cfd8i", correlationId);
4156
+ logger.trace(`0cfd8i ${eventName}`, correlationId);
4091
4157
  try {
4092
4158
  logger.trace(JSON.stringify(e), correlationId);
4093
4159
  }
@@ -4116,7 +4182,7 @@
4116
4182
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
4117
4183
  const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId) => {
4118
4184
  return (...args) => {
4119
- logger.trace("1plfzx", correlationId);
4185
+ logger.trace(`1plfzx ${eventName}`, correlationId);
4120
4186
  const inProgressEvent = telemetryClient.startMeasurement(eventName, correlationId);
4121
4187
  if (correlationId) {
4122
4188
  // Track number of times this API is called in a single request
@@ -4124,14 +4190,14 @@
4124
4190
  }
4125
4191
  return callback(...args)
4126
4192
  .then((response) => {
4127
- logger.trace("1g8n6a", correlationId);
4193
+ logger.trace(`1g8n6a ${eventName}`, correlationId);
4128
4194
  inProgressEvent.end({
4129
4195
  success: true,
4130
4196
  });
4131
4197
  return response;
4132
4198
  })
4133
4199
  .catch((e) => {
4134
- logger.trace("0cfd8i", correlationId);
4200
+ logger.trace(`0cfd8i ${eventName}`, correlationId);
4135
4201
  try {
4136
4202
  logger.trace(JSON.stringify(e), correlationId);
4137
4203
  }
@@ -4146,7 +4212,7 @@
4146
4212
  };
4147
4213
  };
4148
4214
 
4149
- /*! @azure/msal-common v16.8.0 2026-06-10 */
4215
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
4150
4216
 
4151
4217
  /*
4152
4218
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4207,7 +4273,7 @@
4207
4273
  // Deconstruct request to extract SHR parameters
4208
4274
  const { resourceRequestMethod, resourceRequestUri, shrClaims, shrNonce, shrOptions, } = request;
4209
4275
  const resourceUrlString = resourceRequestUri
4210
- ? new UrlString(resourceRequestUri)
4276
+ ? new UrlString(resourceRequestUri, request.correlationId)
4211
4277
  : undefined;
4212
4278
  const resourceUrlComponents = resourceUrlString?.getUrlComponents();
4213
4279
  return this.cryptoUtils.signJwt({
@@ -4226,7 +4292,7 @@
4226
4292
  }
4227
4293
  }
4228
4294
 
4229
- /*! @azure/msal-common v16.8.0 2026-06-10 */
4295
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
4230
4296
  /*
4231
4297
  * Copyright (c) Microsoft Corporation. All rights reserved.
4232
4298
  * Licensed under the MIT License.
@@ -4277,7 +4343,7 @@
4277
4343
  */
4278
4344
  const interruptedUser = "interrupted_user";
4279
4345
 
4280
- /*! @azure/msal-common v16.8.0 2026-06-10 */
4346
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
4281
4347
 
4282
4348
  /*
4283
4349
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4308,12 +4374,11 @@
4308
4374
  * Error thrown when user interaction is required.
4309
4375
  */
4310
4376
  class InteractionRequiredAuthError extends AuthError {
4311
- constructor(errorCode, errorMessage, subError, timestamp, traceId, correlationId, claims, errorNo) {
4312
- super(errorCode, errorMessage, subError);
4377
+ constructor(errorCode, correlationId, errorMessage, subError, timestamp, traceId, claims, errorNo) {
4378
+ super(errorCode, correlationId, errorMessage, subError);
4313
4379
  Object.setPrototypeOf(this, InteractionRequiredAuthError.prototype);
4314
4380
  this.timestamp = timestamp || "";
4315
4381
  this.traceId = traceId || "";
4316
- this.correlationId = correlationId || "";
4317
4382
  this.claims = claims || "";
4318
4383
  this.name = "InteractionRequiredAuthError";
4319
4384
  this.errorNo = errorNo;
@@ -4341,11 +4406,11 @@
4341
4406
  /**
4342
4407
  * Creates an InteractionRequiredAuthError
4343
4408
  */
4344
- function createInteractionRequiredAuthError(errorCode, errorMessage) {
4345
- return new InteractionRequiredAuthError(errorCode, errorMessage);
4409
+ function createInteractionRequiredAuthError(errorCode, correlationId, errorMessage) {
4410
+ return new InteractionRequiredAuthError(errorCode, correlationId, errorMessage);
4346
4411
  }
4347
4412
 
4348
- /*! @azure/msal-common v16.8.0 2026-06-10 */
4413
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
4349
4414
 
4350
4415
  /*
4351
4416
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4355,8 +4420,8 @@
4355
4420
  * Error thrown when there is an error with the server code, for example, unavailability.
4356
4421
  */
4357
4422
  class ServerError extends AuthError {
4358
- constructor(errorCode, errorMessage, subError, errorNo, status) {
4359
- super(errorCode, errorMessage, subError);
4423
+ constructor(errorCode, correlationId, errorMessage, subError, errorNo, status) {
4424
+ super(errorCode, correlationId, errorMessage, subError);
4360
4425
  this.name = "ServerError";
4361
4426
  this.errorNo = errorNo;
4362
4427
  this.status = status;
@@ -4364,7 +4429,7 @@
4364
4429
  }
4365
4430
  }
4366
4431
 
4367
- /*! @azure/msal-common v16.8.0 2026-06-10 */
4432
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
4368
4433
 
4369
4434
  /*
4370
4435
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4375,9 +4440,10 @@
4375
4440
  * @param cryptoObj
4376
4441
  * @param userState
4377
4442
  * @param meta
4443
+ * @param correlationId
4378
4444
  */
4379
- function setRequestState(cryptoObj, userState, meta) {
4380
- const libraryState = generateLibraryState(cryptoObj, meta);
4445
+ function setRequestState(cryptoObj, userState, meta, correlationId) {
4446
+ const libraryState = generateLibraryState(cryptoObj, correlationId, meta);
4381
4447
  return userState
4382
4448
  ? `${libraryState}${RESOURCE_DELIM}${userState}`
4383
4449
  : libraryState;
@@ -4385,11 +4451,12 @@
4385
4451
  /**
4386
4452
  * Generates the state value used by the common library.
4387
4453
  * @param cryptoObj
4454
+ * @param correlationId
4388
4455
  * @param meta
4389
4456
  */
4390
- function generateLibraryState(cryptoObj, meta) {
4457
+ function generateLibraryState(cryptoObj, correlationId, meta) {
4391
4458
  if (!cryptoObj) {
4392
- throw createClientAuthError(noCryptoObject);
4459
+ throw createClientAuthError(noCryptoObject, correlationId);
4393
4460
  }
4394
4461
  // Create a state object containing a unique id and the timestamp of the request creation
4395
4462
  const stateObj = {
@@ -4405,13 +4472,14 @@
4405
4472
  * Parses the state into the RequestStateObject, which contains the LibraryState info and the state passed by the user.
4406
4473
  * @param base64Decode
4407
4474
  * @param state
4475
+ * @param correlationId
4408
4476
  */
4409
- function parseRequestState(base64Decode, state) {
4477
+ function parseRequestState(base64Decode, state, correlationId) {
4410
4478
  if (!base64Decode) {
4411
- throw createClientAuthError(noCryptoObject);
4479
+ throw createClientAuthError(noCryptoObject, correlationId);
4412
4480
  }
4413
4481
  if (!state) {
4414
- throw createClientAuthError(invalidState);
4482
+ throw createClientAuthError(invalidState, correlationId);
4415
4483
  }
4416
4484
  try {
4417
4485
  // Split the state between library state and user passed state and decode them separately
@@ -4428,11 +4496,11 @@
4428
4496
  };
4429
4497
  }
4430
4498
  catch (e) {
4431
- throw createClientAuthError(invalidState);
4499
+ throw createClientAuthError(invalidState, correlationId);
4432
4500
  }
4433
4501
  }
4434
4502
 
4435
- /*! @azure/msal-common v16.8.0 2026-06-10 */
4503
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
4436
4504
 
4437
4505
  /*
4438
4506
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4467,14 +4535,14 @@
4467
4535
  const serverErrorNo = serverResponse.error_codes?.length
4468
4536
  ? serverResponse.error_codes[0]
4469
4537
  : undefined;
4470
- const serverError = new ServerError(serverResponse.error, errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
4538
+ const serverError = new ServerError(serverResponse.error || "", serverResponse.correlation_id || "", errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
4471
4539
  // check if 500 error
4472
4540
  if (refreshAccessToken &&
4473
4541
  serverResponse.status &&
4474
4542
  serverResponse.status >=
4475
4543
  HTTP_SERVER_ERROR_RANGE_START &&
4476
4544
  serverResponse.status <= HTTP_SERVER_ERROR_RANGE_END) {
4477
- this.logger.warning("16ks7j", correlationId);
4545
+ this.logger.warning(`16ks7j ${serverError}`, correlationId);
4478
4546
  // don't throw an exception, but alert the user via a log that the token was unable to be refreshed
4479
4547
  return;
4480
4548
  // check if 400 error
@@ -4484,12 +4552,12 @@
4484
4552
  serverResponse.status >=
4485
4553
  HTTP_CLIENT_ERROR_RANGE_START &&
4486
4554
  serverResponse.status <= HTTP_CLIENT_ERROR_RANGE_END) {
4487
- this.logger.warning("0g61x3", correlationId);
4555
+ this.logger.warning(`0g61x3 ${serverError}`, correlationId);
4488
4556
  // don't throw an exception, but alert the user via a log that the token was unable to be refreshed
4489
4557
  return;
4490
4558
  }
4491
4559
  if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
4492
- throw new InteractionRequiredAuthError(serverResponse.error, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
4560
+ throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.correlation_id || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.claims || "", serverErrorNo);
4493
4561
  }
4494
4562
  throw serverError;
4495
4563
  }
@@ -4499,24 +4567,16 @@
4499
4567
  * @param serverTokenResponse
4500
4568
  * @param authority
4501
4569
  */
4502
- async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, apiId, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId) {
4570
+ async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, apiId, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId, additionalCacheKeyComponents) {
4503
4571
  // create an idToken object (not entity)
4504
4572
  let idTokenClaims;
4505
4573
  if (serverTokenResponse.id_token) {
4506
- idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || "", this.cryptoObj.base64Decode);
4574
+ idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || "", this.cryptoObj.base64Decode, request.correlationId);
4507
4575
  // token nonce check (TODO: Add a warning if no nonce is given?)
4508
4576
  if (authCodePayload && authCodePayload.nonce) {
4509
4577
  if (idTokenClaims.nonce !== authCodePayload.nonce) {
4510
- throw createClientAuthError(nonceMismatch);
4511
- }
4512
- }
4513
- // token max_age check
4514
- if (request.maxAge || request.maxAge === 0) {
4515
- const authTime = idTokenClaims.auth_time;
4516
- if (!authTime) {
4517
- throw createClientAuthError(authTimeNotFound);
4578
+ throw createClientAuthError(nonceMismatch, request.correlationId);
4518
4579
  }
4519
- checkMaxAge(authTime, request.maxAge);
4520
4580
  }
4521
4581
  }
4522
4582
  // generate homeAccountId
@@ -4524,12 +4584,12 @@
4524
4584
  // save the response tokens
4525
4585
  let requestStateObj;
4526
4586
  if (!!authCodePayload && !!authCodePayload.state) {
4527
- requestStateObj = parseRequestState(this.cryptoObj.base64Decode, authCodePayload.state);
4587
+ requestStateObj = parseRequestState(this.cryptoObj.base64Decode, authCodePayload.state, request.correlationId);
4528
4588
  }
4529
4589
  // Add keyId from request to serverTokenResponse if defined
4530
4590
  serverTokenResponse.key_id =
4531
4591
  serverTokenResponse.key_id || request.sshKid || undefined;
4532
- const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload);
4592
+ const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload, additionalCacheKeyComponents);
4533
4593
  let cacheContext;
4534
4594
  try {
4535
4595
  if (this.persistencePlugin && this.serializableCache) {
@@ -4576,10 +4636,10 @@
4576
4636
  * @param idTokenObj
4577
4637
  * @param authority
4578
4638
  */
4579
- generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload) {
4639
+ generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload, additionalCacheKeyComponents) {
4580
4640
  const env = authority.getPreferredCache();
4581
4641
  if (!env) {
4582
- throw createClientAuthError(invalidCacheEnvironment);
4642
+ throw createClientAuthError(invalidCacheEnvironment, request.correlationId);
4583
4643
  }
4584
4644
  const claimsTenantId = getTenantIdFromIdTokenClaims(idTokenClaims);
4585
4645
  // IdToken: non AAD scenarios can have empty realm
@@ -4595,8 +4655,8 @@
4595
4655
  if (serverTokenResponse.access_token) {
4596
4656
  // If scopes not returned in server response, use request scopes
4597
4657
  const responseScopes = serverTokenResponse.scope
4598
- ? ScopeSet.fromString(serverTokenResponse.scope)
4599
- : new ScopeSet(request.scopes || []);
4658
+ ? ScopeSet.fromString(serverTokenResponse.scope, request.correlationId)
4659
+ : new ScopeSet(request.scopes || [], request.correlationId);
4600
4660
  /*
4601
4661
  * Use timestamp calculated before request
4602
4662
  * Server may return timestamps as strings, parse to numbers if so.
@@ -4616,7 +4676,7 @@
4616
4676
  ? reqTimestamp + refreshIn
4617
4677
  : undefined;
4618
4678
  // non AAD scenarios can have empty realm
4619
- cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id);
4679
+ cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, request.correlationId, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id, additionalCacheKeyComponents);
4620
4680
  // Set resource (to be used for MCP scenarios)
4621
4681
  const resource = request.resource || null;
4622
4682
  if (resource) {
@@ -4682,14 +4742,14 @@
4682
4742
  const popTokenGenerator = new PopTokenGenerator(cryptoObj, performanceClient);
4683
4743
  const { secret, keyId } = cacheRecord.accessToken;
4684
4744
  if (!keyId) {
4685
- throw createClientAuthError(keyIdMissing);
4745
+ throw createClientAuthError(keyIdMissing, request.correlationId);
4686
4746
  }
4687
4747
  accessToken = await popTokenGenerator.signPopToken(secret, keyId, request);
4688
4748
  }
4689
4749
  else {
4690
4750
  accessToken = cacheRecord.accessToken.secret;
4691
4751
  }
4692
- responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
4752
+ responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target, request.correlationId).asArray();
4693
4753
  // Access token expiresOn cached in seconds, converting to Date for AuthenticationResult
4694
4754
  expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
4695
4755
  extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
@@ -4707,8 +4767,18 @@
4707
4767
  const tid = idTokenClaims?.tid || "";
4708
4768
  // for hybrid + native bridge enablement, send back the native account Id
4709
4769
  if (serverTokenResponse?.spa_accountid && !!cacheRecord.account) {
4770
+ // Set on deprecated top-level for downgrade compat
4710
4771
  cacheRecord.account.nativeAccountId =
4711
4772
  serverTokenResponse?.spa_accountid;
4773
+ // Set on the matching tenant profile (source of truth)
4774
+ const targetTenantId = tid || cacheRecord.account.realm;
4775
+ if (cacheRecord.account.tenantProfiles) {
4776
+ const matchingProfile = cacheRecord.account.tenantProfiles.find((tp) => tp.tenantId === targetTenantId);
4777
+ if (matchingProfile) {
4778
+ matchingProfile.nativeAccountId =
4779
+ serverTokenResponse.spa_accountid;
4780
+ }
4781
+ }
4712
4782
  }
4713
4783
  const accountInfo = cacheRecord.account
4714
4784
  ? updateAccountTenantProfileData(getAccountInfo(cacheRecord.account), undefined, // tenantProfile optional
@@ -4739,6 +4809,7 @@
4739
4809
  };
4740
4810
  }
4741
4811
  }
4812
+ /** @internal */
4742
4813
  function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, environment, claimsTenantId, authCodePayload, nativeAccountId, logger, performanceClient) {
4743
4814
  logger?.verbose("09jz0t", correlationId);
4744
4815
  /*
@@ -4766,21 +4837,21 @@
4766
4837
  cloudGraphHostName: authCodePayload?.cloud_graph_host_name,
4767
4838
  msGraphHost: authCodePayload?.msgraph_host,
4768
4839
  nativeAccountId: nativeAccountId,
4769
- }, authority, base64Decode);
4840
+ }, authority, correlationId, base64Decode);
4770
4841
  const tenantProfiles = baseAccount.tenantProfiles || [];
4771
4842
  const tenantId = claimsTenantId || baseAccount.realm;
4772
4843
  if (tenantId &&
4773
4844
  !tenantProfiles.find((tenantProfile) => {
4774
4845
  return tenantProfile.tenantId === tenantId;
4775
4846
  })) {
4776
- const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, idTokenClaims);
4847
+ const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, nativeAccountId, idTokenClaims);
4777
4848
  tenantProfiles.push(newTenantProfile);
4778
4849
  }
4779
4850
  baseAccount.tenantProfiles = tenantProfiles;
4780
4851
  return baseAccount;
4781
4852
  }
4782
4853
 
4783
- /*! @azure/msal-common v16.8.0 2026-06-10 */
4854
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
4784
4855
  /*
4785
4856
  * Copyright (c) Microsoft Corporation. All rights reserved.
4786
4857
  * Licensed under the MIT License.
@@ -4790,12 +4861,12 @@
4790
4861
  UPN: "UPN",
4791
4862
  };
4792
4863
 
4793
- /*! @azure/msal-common v16.8.0 2026-06-10 */
4864
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
4794
4865
  /*
4795
4866
  * Copyright (c) Microsoft Corporation. All rights reserved.
4796
4867
  * Licensed under the MIT License.
4797
4868
  */
4798
- async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
4869
+ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint, fmiPath) {
4799
4870
  if (typeof clientAssertion === "string") {
4800
4871
  return clientAssertion;
4801
4872
  }
@@ -4803,12 +4874,13 @@
4803
4874
  const config = {
4804
4875
  clientId: clientId,
4805
4876
  tokenEndpoint: tokenEndpoint,
4877
+ fmiPath: fmiPath,
4806
4878
  };
4807
4879
  return clientAssertion(config);
4808
4880
  }
4809
4881
  }
4810
4882
 
4811
- /*! @azure/msal-common v16.8.0 2026-06-10 */
4883
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
4812
4884
  /*
4813
4885
  * Copyright (c) Microsoft Corporation. All rights reserved.
4814
4886
  * Licensed under the MIT License.
@@ -4829,7 +4901,7 @@
4829
4901
  };
4830
4902
  }
4831
4903
 
4832
- /*! @azure/msal-common v16.8.0 2026-06-10 */
4904
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
4833
4905
 
4834
4906
  /*
4835
4907
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4857,7 +4929,7 @@
4857
4929
  cacheManager.removeItem(key, correlationId);
4858
4930
  return;
4859
4931
  }
4860
- throw new ServerError(value.errorCodes?.join(" ") || "", value.errorMessage, value.subError);
4932
+ throw new ServerError(value.errorCodes?.join(" ") || "", correlationId, value.errorMessage, value.subError);
4861
4933
  }
4862
4934
  }
4863
4935
  /**
@@ -4915,7 +4987,7 @@
4915
4987
  }
4916
4988
  }
4917
4989
 
4918
- /*! @azure/msal-common v16.8.0 2026-06-10 */
4990
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
4919
4991
 
4920
4992
  /*
4921
4993
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4926,7 +4998,7 @@
4926
4998
  */
4927
4999
  class NetworkError extends AuthError {
4928
5000
  constructor(error, httpStatus, responseHeaders) {
4929
- super(error.errorCode, error.errorMessage, error.subError);
5001
+ super(error.errorCode, error.correlationId, error.errorMessage, error.subError);
4930
5002
  Object.setPrototypeOf(this, NetworkError.prototype);
4931
5003
  this.name = "NetworkError";
4932
5004
  this.error = error;
@@ -4946,7 +5018,7 @@
4946
5018
  return new NetworkError(error, httpStatus, responseHeaders);
4947
5019
  }
4948
5020
 
4949
- /*! @azure/msal-common v16.8.0 2026-06-10 */
5021
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
4950
5022
 
4951
5023
  /*
4952
5024
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4966,7 +5038,7 @@
4966
5038
  headers[HeaderNames.CCS_HEADER] = `Oid:${clientInfo.uid}@${clientInfo.utid}`;
4967
5039
  }
4968
5040
  catch (e) {
4969
- logger.verbose("1qhtee", "");
5041
+ logger.verbose(`1qhtee ${e}`, "");
4970
5042
  }
4971
5043
  break;
4972
5044
  case CcsCredentialType.UPN:
@@ -4998,6 +5070,7 @@
4998
5070
  * @param queryString
4999
5071
  * @param headers
5000
5072
  * @param thumbprint
5073
+ * @internal
5001
5074
  */
5002
5075
  async function executePostToTokenEndpoint(tokenEndpoint, queryString, headers, thumbprint, correlationId, cacheManager, networkClient, logger, performanceClient, serverTelemetryManager) {
5003
5076
  const response = await sendPostRequest(thumbprint, tokenEndpoint, { body: queryString, headers: headers }, correlationId, cacheManager, networkClient, logger, performanceClient);
@@ -5019,6 +5092,7 @@
5019
5092
  * @param networkClient - Network module instance
5020
5093
  * @param logger - Logger instance
5021
5094
  * @param performanceClient - Performance client instance
5095
+ * @internal
5022
5096
  */
5023
5097
  async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId, cacheManager, networkClient, logger, performanceClient) {
5024
5098
  ThrottlingUtils.preProcess(cacheManager, thumbprint, correlationId);
@@ -5053,14 +5127,14 @@
5053
5127
  throw e;
5054
5128
  }
5055
5129
  else {
5056
- throw createClientAuthError(networkError);
5130
+ throw createClientAuthError(networkError, correlationId);
5057
5131
  }
5058
5132
  }
5059
5133
  ThrottlingUtils.postProcess(cacheManager, thumbprint, response, correlationId);
5060
5134
  return response;
5061
5135
  }
5062
5136
 
5063
- /*! @azure/msal-common v16.8.0 2026-06-10 */
5137
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
5064
5138
  /*
5065
5139
  * Copyright (c) Microsoft Corporation. All rights reserved.
5066
5140
  * Licensed under the MIT License.
@@ -5072,7 +5146,7 @@
5072
5146
  response.hasOwnProperty("jwks_uri"));
5073
5147
  }
5074
5148
 
5075
- /*! @azure/msal-common v16.8.0 2026-06-10 */
5149
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
5076
5150
  /*
5077
5151
  * Copyright (c) Microsoft Corporation. All rights reserved.
5078
5152
  * Licensed under the MIT License.
@@ -5082,7 +5156,7 @@
5082
5156
  response.hasOwnProperty("metadata"));
5083
5157
  }
5084
5158
 
5085
- /*! @azure/msal-common v16.8.0 2026-06-10 */
5159
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
5086
5160
  /*
5087
5161
  * Copyright (c) Microsoft Corporation. All rights reserved.
5088
5162
  * Licensed under the MIT License.
@@ -5092,7 +5166,7 @@
5092
5166
  response.hasOwnProperty("error_description"));
5093
5167
  }
5094
5168
 
5095
- /*! @azure/msal-common v16.8.0 2026-06-10 */
5169
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
5096
5170
 
5097
5171
  /*
5098
5172
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5119,9 +5193,12 @@
5119
5193
  try {
5120
5194
  const localIMDSVersionResponse = await invokeAsync(this.getRegionFromIMDS.bind(this), RegionDiscoveryGetRegionFromIMDS, this.logger, this.performanceClient, this.correlationId)(IMDS_VERSION, options);
5121
5195
  if (localIMDSVersionResponse.status === HTTP_SUCCESS) {
5122
- autodetectedRegionName = localIMDSVersionResponse.body;
5123
- regionDiscoveryMetadata.region_source =
5124
- RegionDiscoverySources.IMDS;
5196
+ autodetectedRegionName =
5197
+ localIMDSVersionResponse.body?.location;
5198
+ if (autodetectedRegionName) {
5199
+ regionDiscoveryMetadata.region_source =
5200
+ RegionDiscoverySources.IMDS;
5201
+ }
5125
5202
  }
5126
5203
  // If the response using the local IMDS version failed, try to fetch the current version of IMDS and retry.
5127
5204
  if (localIMDSVersionResponse.status ===
@@ -5136,9 +5213,11 @@
5136
5213
  if (currentIMDSVersionResponse.status ===
5137
5214
  HTTP_SUCCESS) {
5138
5215
  autodetectedRegionName =
5139
- currentIMDSVersionResponse.body;
5140
- regionDiscoveryMetadata.region_source =
5141
- RegionDiscoverySources.IMDS;
5216
+ currentIMDSVersionResponse.body?.location;
5217
+ if (autodetectedRegionName) {
5218
+ regionDiscoveryMetadata.region_source =
5219
+ RegionDiscoverySources.IMDS;
5220
+ }
5142
5221
  }
5143
5222
  }
5144
5223
  }
@@ -5162,11 +5241,12 @@
5162
5241
  /**
5163
5242
  * Make the call to the IMDS endpoint
5164
5243
  *
5165
- * @param imdsEndpointUrl
5166
- * @returns Promise<NetworkResponse<string>>
5244
+ * @param version
5245
+ * @param options
5246
+ * @returns Promise<NetworkResponse<ImdsComputeResponse>>
5167
5247
  */
5168
5248
  async getRegionFromIMDS(version, options) {
5169
- return this.networkInterface.sendGetRequestAsync(`${IMDS_ENDPOINT}?api-version=${version}&format=text`, options, IMDS_TIMEOUT);
5249
+ return this.networkInterface.sendGetRequestAsync(`${IMDS_ENDPOINT}?api-version=${version}`, options, IMDS_TIMEOUT);
5170
5250
  }
5171
5251
  /**
5172
5252
  * Get the most recent version of the IMDS endpoint available
@@ -5197,7 +5277,7 @@
5197
5277
  },
5198
5278
  };
5199
5279
 
5200
- /*! @azure/msal-common v16.8.0 2026-06-10 */
5280
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
5201
5281
 
5202
5282
  /*
5203
5283
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5227,7 +5307,7 @@
5227
5307
  this.regionDiscovery = new RegionDiscovery(networkInterface, this.logger, this.performanceClient, this.correlationId);
5228
5308
  }
5229
5309
  /**
5230
- * Get {@link AuthorityType}
5310
+ * Get {@link AuthorityType:type}
5231
5311
  * @param authorityUri {@link IUri}
5232
5312
  * @private
5233
5313
  */
@@ -5273,7 +5353,7 @@
5273
5353
  * Sets canonical authority.
5274
5354
  */
5275
5355
  set canonicalAuthority(url) {
5276
- this._canonicalAuthority = new UrlString(url);
5356
+ this._canonicalAuthority = new UrlString(url, this.correlationId);
5277
5357
  this._canonicalAuthority.validateAsUri();
5278
5358
  this._canonicalAuthorityUrlComponents = null;
5279
5359
  }
@@ -5307,7 +5387,7 @@
5307
5387
  return this.replacePath(this.metadata.authorization_endpoint);
5308
5388
  }
5309
5389
  else {
5310
- throw createClientAuthError(endpointResolutionError);
5390
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
5311
5391
  }
5312
5392
  }
5313
5393
  /**
@@ -5318,7 +5398,7 @@
5318
5398
  return this.replacePath(this.metadata.token_endpoint);
5319
5399
  }
5320
5400
  else {
5321
- throw createClientAuthError(endpointResolutionError);
5401
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
5322
5402
  }
5323
5403
  }
5324
5404
  get deviceCodeEndpoint() {
@@ -5326,7 +5406,7 @@
5326
5406
  return this.replacePath(this.metadata.token_endpoint.replace("/token", "/devicecode"));
5327
5407
  }
5328
5408
  else {
5329
- throw createClientAuthError(endpointResolutionError);
5409
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
5330
5410
  }
5331
5411
  }
5332
5412
  /**
@@ -5336,12 +5416,12 @@
5336
5416
  if (this.discoveryComplete()) {
5337
5417
  // ROPC policies may not have end_session_endpoint set
5338
5418
  if (!this.metadata.end_session_endpoint) {
5339
- throw createClientAuthError(endSessionEndpointNotSupported);
5419
+ throw createClientAuthError(endSessionEndpointNotSupported, this.correlationId);
5340
5420
  }
5341
5421
  return this.replacePath(this.metadata.end_session_endpoint);
5342
5422
  }
5343
5423
  else {
5344
- throw createClientAuthError(endpointResolutionError);
5424
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
5345
5425
  }
5346
5426
  }
5347
5427
  /**
@@ -5352,7 +5432,7 @@
5352
5432
  return this.replacePath(this.metadata.issuer);
5353
5433
  }
5354
5434
  else {
5355
- throw createClientAuthError(endpointResolutionError);
5435
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
5356
5436
  }
5357
5437
  }
5358
5438
  /**
@@ -5363,7 +5443,7 @@
5363
5443
  return this.replacePath(this.metadata.jwks_uri);
5364
5444
  }
5365
5445
  else {
5366
- throw createClientAuthError(endpointResolutionError);
5446
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
5367
5447
  }
5368
5448
  }
5369
5449
  /**
@@ -5390,7 +5470,7 @@
5390
5470
  */
5391
5471
  replacePath(urlString) {
5392
5472
  let endpoint = urlString;
5393
- const cachedAuthorityUrl = new UrlString(this.metadata.canonical_authority);
5473
+ const cachedAuthorityUrl = new UrlString(this.metadata.canonical_authority, this.correlationId);
5394
5474
  const cachedAuthorityUrlComponents = cachedAuthorityUrl.getUrlComponents();
5395
5475
  const cachedAuthorityParts = cachedAuthorityUrlComponents.PathSegments;
5396
5476
  const currentAuthorityParts = this.canonicalAuthorityUrlComponents.PathSegments;
@@ -5398,14 +5478,14 @@
5398
5478
  let cachedPart = cachedAuthorityParts[index];
5399
5479
  if (index === 0 &&
5400
5480
  this.canReplaceTenant(cachedAuthorityUrlComponents)) {
5401
- const tenantId = new UrlString(this.metadata.authorization_endpoint).getUrlComponents().PathSegments[0];
5481
+ const tenantId = new UrlString(this.metadata.authorization_endpoint, this.correlationId).getUrlComponents().PathSegments[0];
5402
5482
  /**
5403
5483
  * Check if AAD canonical authority contains tenant domain name, for example "testdomain.onmicrosoft.com",
5404
5484
  * by comparing its first path segment to the corresponding authorization endpoint path segment, which is
5405
5485
  * always resolved with tenant id by OIDC.
5406
5486
  */
5407
5487
  if (cachedPart !== tenantId) {
5408
- this.logger.verbose("1q3g2x", this.correlationId);
5488
+ this.logger.verbose(`1q3g2x ${cachedPart} ${tenantId}`, this.correlationId);
5409
5489
  cachedPart = tenantId;
5410
5490
  }
5411
5491
  }
@@ -5532,7 +5612,7 @@
5532
5612
  }
5533
5613
  else {
5534
5614
  // Metadata could not be obtained from the config, cache, network or hardcoded values
5535
- throw createClientAuthError(openIdConfigError, this.defaultOpenIdConfigurationEndpoint);
5615
+ throw createClientAuthError(openIdConfigError, this.defaultOpenIdConfigurationEndpoint, this.correlationId);
5536
5616
  }
5537
5617
  }
5538
5618
  /**
@@ -5584,7 +5664,7 @@
5584
5664
  * @param metadataEntity
5585
5665
  */
5586
5666
  isAuthoritySameType(metadataEntity) {
5587
- const cachedAuthorityUrl = new UrlString(metadataEntity.canonical_authority);
5667
+ const cachedAuthorityUrl = new UrlString(metadataEntity.canonical_authority, this.correlationId);
5588
5668
  const cachedParts = cachedAuthorityUrl.getUrlComponents().PathSegments;
5589
5669
  return (cachedParts.length ===
5590
5670
  this.canonicalAuthorityUrlComponents.PathSegments.length);
@@ -5598,7 +5678,7 @@
5598
5678
  return JSON.parse(this.authorityOptions.authorityMetadata);
5599
5679
  }
5600
5680
  catch (e) {
5601
- throw createClientConfigurationError(invalidAuthorityMetadata);
5681
+ throw createClientConfigurationError(invalidAuthorityMetadata, this.correlationId);
5602
5682
  }
5603
5683
  }
5604
5684
  return null;
@@ -5615,7 +5695,7 @@
5615
5695
  * hardcoded list of metadata
5616
5696
  */
5617
5697
  const openIdConfigurationEndpoint = this.defaultOpenIdConfigurationEndpoint;
5618
- this.logger.verbose("1y65x6", this.correlationId);
5698
+ this.logger.verbose(`1y65x6 ${openIdConfigurationEndpoint}`, this.correlationId);
5619
5699
  try {
5620
5700
  const response = await this.networkInterface.sendGetRequestAsync(openIdConfigurationEndpoint, options);
5621
5701
  const isValidResponse = isOpenIdConfigResponse(response.body);
@@ -5628,7 +5708,7 @@
5628
5708
  }
5629
5709
  }
5630
5710
  catch (e) {
5631
- this.logger.verbose("0a9wik", this.correlationId);
5711
+ this.logger.verbose(`0a9wik ${e}`, this.correlationId);
5632
5712
  return null;
5633
5713
  }
5634
5714
  }
@@ -5654,7 +5734,7 @@
5654
5734
  RegionDiscoveryOutcomes.CONFIGURED_NO_AUTO_DETECTION;
5655
5735
  this.regionDiscoveryMetadata.region_used =
5656
5736
  userConfiguredAzureRegion;
5657
- return Authority.replaceWithRegionalInformation(metadata, userConfiguredAzureRegion);
5737
+ return Authority.replaceWithRegionalInformation(metadata, userConfiguredAzureRegion, this.correlationId);
5658
5738
  }
5659
5739
  const autodetectedRegionName = await invokeAsync(this.regionDiscovery.detectRegion.bind(this.regionDiscovery), RegionDiscoveryDetectRegion, this.logger, this.performanceClient, this.correlationId)(this.authorityOptions.azureRegionConfiguration
5660
5740
  ?.environmentRegion, this.regionDiscoveryMetadata);
@@ -5663,7 +5743,7 @@
5663
5743
  RegionDiscoveryOutcomes.AUTO_DETECTION_REQUESTED_SUCCESSFUL;
5664
5744
  this.regionDiscoveryMetadata.region_used =
5665
5745
  autodetectedRegionName;
5666
- return Authority.replaceWithRegionalInformation(metadata, autodetectedRegionName);
5746
+ return Authority.replaceWithRegionalInformation(metadata, autodetectedRegionName, this.correlationId);
5667
5747
  }
5668
5748
  this.regionDiscoveryMetadata.region_outcome =
5669
5749
  RegionDiscoveryOutcomes.AUTO_DETECTION_REQUESTED_FAILED;
@@ -5688,13 +5768,15 @@
5688
5768
  return AuthorityMetadataSource.NETWORK;
5689
5769
  }
5690
5770
  // Metadata could not be obtained from the config, cache, network or hardcoded values
5691
- throw createClientConfigurationError(untrustedAuthority);
5771
+ throw createClientConfigurationError(untrustedAuthority, this.correlationId);
5692
5772
  }
5693
5773
  updateCloudDiscoveryMetadataFromLocalSources(metadataEntity) {
5694
5774
  this.logger.verbose("1tpqlr", this.correlationId);
5695
- this.logger.verbosePii("1fy7uz", this.correlationId);
5696
- this.logger.verbosePii("08zabj", this.correlationId);
5697
- this.logger.verbosePii("1o1kv3", this.correlationId);
5775
+ this.logger.verbosePii(`1fy7uz ${this.authorityOptions.knownAuthorities ||
5776
+ NOT_APPLICABLE}`, this.correlationId);
5777
+ this.logger.verbosePii(`08zabj ${this.authorityOptions.authorityMetadata ||
5778
+ NOT_APPLICABLE}`, this.correlationId);
5779
+ this.logger.verbosePii(`1o1kv3 ${metadataEntity.canonical_authority || NOT_APPLICABLE}`, this.correlationId);
5698
5780
  const metadata = this.getCloudDiscoveryMetadataFromConfig();
5699
5781
  if (metadata) {
5700
5782
  this.logger.verbose("1nakio", this.correlationId);
@@ -5750,7 +5832,7 @@
5750
5832
  }
5751
5833
  catch (e) {
5752
5834
  this.logger.verbose("1wq5tu", this.correlationId);
5753
- throw createClientConfigurationError(invalidCloudDiscoveryMetadata);
5835
+ throw createClientConfigurationError(invalidCloudDiscoveryMetadata, this.correlationId);
5754
5836
  }
5755
5837
  }
5756
5838
  // If cloudDiscoveryMetadata is empty or does not contain the host, check knownAuthorities
@@ -5781,18 +5863,18 @@
5781
5863
  typedResponseBody =
5782
5864
  response.body;
5783
5865
  metadata = typedResponseBody.metadata;
5784
- this.logger.verbosePii("1vglyt", this.correlationId);
5866
+ this.logger.verbosePii(`1vglyt ${typedResponseBody.tenant_discovery_endpoint}`, this.correlationId);
5785
5867
  }
5786
5868
  else if (isCloudInstanceDiscoveryErrorResponse(response.body)) {
5787
- this.logger.warning("062uto", this.correlationId);
5869
+ this.logger.warning(`062uto ${response.status}`, this.correlationId);
5788
5870
  typedResponseBody =
5789
5871
  response.body;
5790
5872
  if (typedResponseBody.error === INVALID_INSTANCE) {
5791
5873
  this.logger.error("1x90tm", this.correlationId);
5792
5874
  return null;
5793
5875
  }
5794
- this.logger.warning("0wchdm", this.correlationId);
5795
- this.logger.warning("1s5mpv", this.correlationId);
5876
+ this.logger.warning(`0wchdm ${typedResponseBody.error}`, this.correlationId);
5877
+ this.logger.warning(`1s5mpv ${typedResponseBody.error_description}`, this.correlationId);
5796
5878
  this.logger.warning("1yhqpw", this.correlationId);
5797
5879
  metadata = [];
5798
5880
  }
@@ -5805,10 +5887,11 @@
5805
5887
  }
5806
5888
  catch (error) {
5807
5889
  if (error instanceof AuthError) {
5808
- this.logger.error("0vwhc7", this.correlationId);
5890
+ this.logger.error(`0vwhc7 ${error.errorCode} ${error.errorMessage}`, this.correlationId);
5809
5891
  }
5810
5892
  else {
5811
- this.logger.error("0s2z41", this.correlationId);
5893
+ const typedError = error;
5894
+ this.logger.error(`0s2z41 ${typedError.name} ${typedError.message}`, this.correlationId);
5812
5895
  }
5813
5896
  return null;
5814
5897
  }
@@ -5827,8 +5910,7 @@
5827
5910
  const normalizedHost = host.toLowerCase();
5828
5911
  const matches = this.authorityOptions.knownAuthorities.filter((authority) => {
5829
5912
  return (authority &&
5830
- UrlString.getDomainFromUrl(authority).toLowerCase() ===
5831
- normalizedHost);
5913
+ UrlString.getDomainFromUrl(authority, this.correlationId).toLowerCase() === normalizedHost);
5832
5914
  });
5833
5915
  return matches.length > 0;
5834
5916
  }
@@ -5872,7 +5954,7 @@
5872
5954
  return this.metadata.preferred_cache;
5873
5955
  }
5874
5956
  else {
5875
- throw createClientAuthError(endpointResolutionError);
5957
+ throw createClientAuthError(endpointResolutionError, this.correlationId);
5876
5958
  }
5877
5959
  }
5878
5960
  /**
@@ -5915,7 +5997,7 @@
5915
5997
  */
5916
5998
  validateIssuer(issuer) {
5917
5999
  if (!issuer) {
5918
- throw createClientConfigurationError(issuerValidationFailed);
6000
+ throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
5919
6001
  }
5920
6002
  // Parse with the WHATWG URL API. URL normalizes scheme + host to lowercase per RFC 3986.
5921
6003
  let issuerUrl;
@@ -5923,7 +6005,7 @@
5923
6005
  issuerUrl = new URL(issuer);
5924
6006
  }
5925
6007
  catch {
5926
- throw createClientConfigurationError(issuerValidationFailed);
6008
+ throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
5927
6009
  }
5928
6010
  const issuerScheme = issuerUrl.protocol;
5929
6011
  const issuerHost = issuerUrl.host;
@@ -5961,7 +6043,7 @@
5961
6043
  return;
5962
6044
  }
5963
6045
  // issuer validation fails if none of the above rules are satisfied
5964
- throw createClientConfigurationError(issuerValidationFailed);
6046
+ throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
5965
6047
  }
5966
6048
  /**
5967
6049
  * Rule 1: The issuer scheme + host (and port) match the authority's. Path
@@ -6049,9 +6131,9 @@
6049
6131
  * @param host string
6050
6132
  * @param region string
6051
6133
  */
6052
- static buildRegionalAuthorityString(host, region, queryString) {
6134
+ static buildRegionalAuthorityString(host, region, correlationId, queryString) {
6053
6135
  // Create and validate a Url string object with the initial authority string
6054
- const authorityUrlInstance = new UrlString(host);
6136
+ const authorityUrlInstance = new UrlString(host, correlationId);
6055
6137
  authorityUrlInstance.validateAsUri();
6056
6138
  const authorityUrlParts = authorityUrlInstance.getUrlComponents();
6057
6139
  let hostNameAndPort = `${region}.${authorityUrlParts.HostNameAndPort}`;
@@ -6062,7 +6144,7 @@
6062
6144
  const url = UrlString.constructAuthorityUriFromObject({
6063
6145
  ...authorityUrlInstance.getUrlComponents(),
6064
6146
  HostNameAndPort: hostNameAndPort,
6065
- }).urlString;
6147
+ }, correlationId).urlString;
6066
6148
  // Add the query string if a query string was provided
6067
6149
  if (queryString)
6068
6150
  return `${url}?${queryString}`;
@@ -6074,15 +6156,15 @@
6074
6156
  * @param metadata OpenIdConfigResponse
6075
6157
  * @param azureRegion string
6076
6158
  */
6077
- static replaceWithRegionalInformation(metadata, azureRegion) {
6159
+ static replaceWithRegionalInformation(metadata, azureRegion, correlationId) {
6078
6160
  const regionalMetadata = { ...metadata };
6079
6161
  regionalMetadata.authorization_endpoint =
6080
- Authority.buildRegionalAuthorityString(regionalMetadata.authorization_endpoint, azureRegion);
6162
+ Authority.buildRegionalAuthorityString(regionalMetadata.authorization_endpoint, azureRegion, correlationId);
6081
6163
  regionalMetadata.token_endpoint =
6082
- Authority.buildRegionalAuthorityString(regionalMetadata.token_endpoint, azureRegion);
6164
+ Authority.buildRegionalAuthorityString(regionalMetadata.token_endpoint, azureRegion, correlationId);
6083
6165
  if (regionalMetadata.end_session_endpoint) {
6084
6166
  regionalMetadata.end_session_endpoint =
6085
- Authority.buildRegionalAuthorityString(regionalMetadata.end_session_endpoint, azureRegion);
6167
+ Authority.buildRegionalAuthorityString(regionalMetadata.end_session_endpoint, azureRegion, correlationId);
6086
6168
  }
6087
6169
  return regionalMetadata;
6088
6170
  }
@@ -6095,9 +6177,9 @@
6095
6177
  *
6096
6178
  * @param authority
6097
6179
  */
6098
- static transformCIAMAuthority(authority) {
6180
+ static transformCIAMAuthority(authority, correlationId) {
6099
6181
  let ciamAuthority = authority;
6100
- const authorityUrl = new UrlString(authority);
6182
+ const authorityUrl = new UrlString(authority, correlationId);
6101
6183
  const authorityUrlComponents = authorityUrl.getUrlComponents();
6102
6184
  // check if transformation is needed
6103
6185
  if (authorityUrlComponents.PathSegments.length === 0 &&
@@ -6119,8 +6201,8 @@
6119
6201
  /**
6120
6202
  * Extract tenantId from authority
6121
6203
  */
6122
- function getTenantFromAuthorityString(authority) {
6123
- const authorityUrl = new UrlString(authority);
6204
+ function getTenantFromAuthorityString(authority, correlationId) {
6205
+ const authorityUrl = new UrlString(authority, correlationId);
6124
6206
  const authorityUrlComponents = authorityUrl.getUrlComponents();
6125
6207
  /**
6126
6208
  * For credential matching purposes, tenantId is the last path segment of the authority URL:
@@ -6153,7 +6235,7 @@
6153
6235
  cloudDiscoveryMetadata = JSON.parse(rawCloudDiscoveryMetadata);
6154
6236
  }
6155
6237
  catch (e) {
6156
- throw createClientConfigurationError(invalidCloudDiscoveryMetadata);
6238
+ throw createClientConfigurationError(invalidCloudDiscoveryMetadata, "");
6157
6239
  }
6158
6240
  }
6159
6241
  return {
@@ -6165,7 +6247,7 @@
6165
6247
  };
6166
6248
  }
6167
6249
 
6168
- /*! @azure/msal-common v16.8.0 2026-06-10 */
6250
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
6169
6251
 
6170
6252
  /*
6171
6253
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6187,7 +6269,7 @@
6187
6269
  * @internal
6188
6270
  */
6189
6271
  async function createDiscoveredInstance(authorityUri, networkClient, cacheManager, authorityOptions, logger, correlationId, performanceClient) {
6190
- const authorityUriFinal = Authority.transformCIAMAuthority(formatAuthorityUri(authorityUri));
6272
+ const authorityUriFinal = Authority.transformCIAMAuthority(formatAuthorityUri(authorityUri), correlationId);
6191
6273
  // Initialize authority and perform discovery endpoint check.
6192
6274
  const acquireTokenAuthority = new Authority(authorityUriFinal, networkClient, cacheManager, authorityOptions, logger, correlationId, performanceClient);
6193
6275
  try {
@@ -6195,11 +6277,11 @@
6195
6277
  return acquireTokenAuthority;
6196
6278
  }
6197
6279
  catch (e) {
6198
- throw createClientAuthError(endpointResolutionError);
6280
+ throw createClientAuthError(endpointResolutionError, correlationId);
6199
6281
  }
6200
6282
  }
6201
6283
 
6202
- /*! @azure/msal-common v16.8.0 2026-06-10 */
6284
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
6203
6285
 
6204
6286
  /*
6205
6287
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6239,7 +6321,7 @@
6239
6321
  */
6240
6322
  async acquireToken(request, apiId, authCodePayload) {
6241
6323
  if (!request.code) {
6242
- throw createClientAuthError(requestCannotBeMade);
6324
+ throw createClientAuthError(requestCannotBeMade, request.correlationId);
6243
6325
  }
6244
6326
  // Check for new cloud instance
6245
6327
  if (authCodePayload && authCodePayload.cloud_instance_host_name) {
@@ -6262,7 +6344,7 @@
6262
6344
  getLogoutUri(logoutRequest) {
6263
6345
  // Throw error if logoutRequest is null/undefined
6264
6346
  if (!logoutRequest) {
6265
- throw createClientConfigurationError(logoutRequestEmpty);
6347
+ throw createClientConfigurationError(logoutRequestEmpty, "");
6266
6348
  }
6267
6349
  const queryString = this.createLogoutUrlQueryString(logoutRequest);
6268
6350
  // Construct logout URI
@@ -6287,7 +6369,7 @@
6287
6369
  };
6288
6370
  }
6289
6371
  catch (e) {
6290
- this.logger.verbose("0wznt3", request.correlationId);
6372
+ this.logger.verbose(`0wznt3 ${e}`, request.correlationId);
6291
6373
  }
6292
6374
  }
6293
6375
  const headers = createTokenRequestHeaders(this.logger, this.config.systemOptions.preventCorsPreflight, ccsCredential || request.ccsCredential);
@@ -6310,7 +6392,7 @@
6310
6392
  if (!this.includeRedirectUri) {
6311
6393
  // Just validate
6312
6394
  if (!request.redirectUri) {
6313
- throw createClientConfigurationError(redirectUriEmpty);
6395
+ throw createClientConfigurationError(redirectUriEmpty, request.correlationId);
6314
6396
  }
6315
6397
  }
6316
6398
  else {
@@ -6318,7 +6400,7 @@
6318
6400
  addRedirectUri(parameters, request.redirectUri);
6319
6401
  }
6320
6402
  // Add scope array, parameter builder will add default scopes and dedupe
6321
- addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
6403
+ addScopes(parameters, request.scopes, request.correlationId, true, this.oidcDefaultScopes);
6322
6404
  addResource(parameters, request.resource);
6323
6405
  // add code: user set, not validated
6324
6406
  addAuthorizationCode(parameters, request.code);
@@ -6361,7 +6443,7 @@
6361
6443
  addSshJwk(parameters, request.sshJwk);
6362
6444
  }
6363
6445
  else {
6364
- throw createClientConfigurationError(missingSshJwk);
6446
+ throw createClientConfigurationError(missingSshJwk, request.correlationId);
6365
6447
  }
6366
6448
  }
6367
6449
  let ccsCred = undefined;
@@ -6374,7 +6456,7 @@
6374
6456
  };
6375
6457
  }
6376
6458
  catch (e) {
6377
- this.logger.verbose("0wznt3", request.correlationId);
6459
+ this.logger.verbose(`0wznt3 ${e}`, request.correlationId);
6378
6460
  }
6379
6461
  }
6380
6462
  else {
@@ -6389,7 +6471,7 @@
6389
6471
  addCcsOid(parameters, clientInfo);
6390
6472
  }
6391
6473
  catch (e) {
6392
- this.logger.verbose("1qhtee", request.correlationId);
6474
+ this.logger.verbose(`1qhtee ${e}`, request.correlationId);
6393
6475
  }
6394
6476
  break;
6395
6477
  case CcsCredentialType.UPN:
@@ -6412,7 +6494,7 @@
6412
6494
  });
6413
6495
  }
6414
6496
  instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6415
- addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
6497
+ addClaims(parameters, request.correlationId, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
6416
6498
  return mapToQueryString(parameters);
6417
6499
  }
6418
6500
  /**
@@ -6456,7 +6538,7 @@
6456
6538
  }
6457
6539
  }
6458
6540
 
6459
- /*! @azure/msal-common v16.8.0 2026-06-10 */
6541
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
6460
6542
 
6461
6543
  /*
6462
6544
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6502,11 +6584,11 @@
6502
6584
  async acquireTokenByRefreshToken(request, apiId) {
6503
6585
  // Cannot renew token if no request object is given.
6504
6586
  if (!request) {
6505
- throw createClientConfigurationError(tokenRequestEmpty);
6587
+ throw createClientConfigurationError(tokenRequestEmpty, "");
6506
6588
  }
6507
6589
  // We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
6508
6590
  if (!request.account) {
6509
- throw createClientAuthError(noAccountInSilentRequest);
6591
+ throw createClientAuthError(noAccountInSilentRequest, request.correlationId);
6510
6592
  }
6511
6593
  // try checking if FOCI is enabled for the given application
6512
6594
  const isFOCI = this.cacheManager.isAppMetadataFOCI(request.account.environment, request.correlationId);
@@ -6543,7 +6625,7 @@
6543
6625
  // fetches family RT or application RT based on FOCI value
6544
6626
  const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, request.correlationId, undefined);
6545
6627
  if (!refreshToken) {
6546
- throw createInteractionRequiredAuthError(noTokensFound);
6628
+ throw createInteractionRequiredAuthError(noTokensFound, request.correlationId);
6547
6629
  }
6548
6630
  if (refreshToken.expiresOn) {
6549
6631
  const offset = request.refreshTokenExpirationOffsetSeconds ||
@@ -6553,7 +6635,7 @@
6553
6635
  rtOffsetSeconds: offset,
6554
6636
  }, request.correlationId);
6555
6637
  if (isTokenExpired(refreshToken.expiresOn, offset)) {
6556
- throw createInteractionRequiredAuthError(refreshTokenExpired);
6638
+ throw createInteractionRequiredAuthError(refreshTokenExpired, request.correlationId);
6557
6639
  }
6558
6640
  }
6559
6641
  // attach cached RT size to the current measurement
@@ -6607,7 +6689,7 @@
6607
6689
  if (request.redirectUri) {
6608
6690
  addRedirectUri(parameters, request.redirectUri);
6609
6691
  }
6610
- addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
6692
+ addScopes(parameters, request.scopes, request.correlationId, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
6611
6693
  addGrantType(parameters, GrantType$1.REFRESH_TOKEN_GRANT);
6612
6694
  addClientInfo(parameters);
6613
6695
  addLibraryInfo(parameters, this.config.libraryInfo);
@@ -6643,7 +6725,7 @@
6643
6725
  addSshJwk(parameters, request.sshJwk);
6644
6726
  }
6645
6727
  else {
6646
- throw createClientConfigurationError(missingSshJwk);
6728
+ throw createClientConfigurationError(missingSshJwk, request.correlationId);
6647
6729
  }
6648
6730
  }
6649
6731
  if (this.config.systemOptions.preventCorsPreflight &&
@@ -6655,7 +6737,7 @@
6655
6737
  addCcsOid(parameters, clientInfo);
6656
6738
  }
6657
6739
  catch (e) {
6658
- this.logger.verbose("1qhtee", request.correlationId);
6740
+ this.logger.verbose(`1qhtee ${e}`, request.correlationId);
6659
6741
  }
6660
6742
  break;
6661
6743
  case CcsCredentialType.UPN:
@@ -6672,12 +6754,12 @@
6672
6754
  });
6673
6755
  }
6674
6756
  instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6675
- addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
6757
+ addClaims(parameters, request.correlationId, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
6676
6758
  return mapToQueryString(parameters);
6677
6759
  }
6678
6760
  }
6679
6761
 
6680
- /*! @azure/msal-common v16.8.0 2026-06-10 */
6762
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
6681
6763
 
6682
6764
  /*
6683
6765
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6712,32 +6794,32 @@
6712
6794
  if (request.forceRefresh || !StringUtils.isEmptyObj(request.claims)) {
6713
6795
  // Must refresh due to present force_refresh flag.
6714
6796
  this.setCacheOutcome(CacheOutcome.FORCE_REFRESH_OR_CLAIMS, request.correlationId);
6715
- throw createClientAuthError(tokenRefreshRequired);
6797
+ throw createClientAuthError(tokenRefreshRequired, request.correlationId);
6716
6798
  }
6717
6799
  // We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
6718
6800
  if (!request.account) {
6719
- throw createClientAuthError(noAccountInSilentRequest);
6801
+ throw createClientAuthError(noAccountInSilentRequest, request.correlationId);
6720
6802
  }
6721
6803
  const requestTenantId = request.account.tenantId ||
6722
- getTenantFromAuthorityString(request.authority);
6804
+ getTenantFromAuthorityString(request.authority, request.correlationId);
6723
6805
  const tokenKeys = this.cacheManager.getTokenKeys();
6724
6806
  const cachedAccessToken = this.cacheManager.getAccessToken(request.account, request, tokenKeys, requestTenantId);
6725
6807
  if (!cachedAccessToken) {
6726
6808
  // must refresh due to non-existent access_token
6727
6809
  this.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN, request.correlationId);
6728
- throw createClientAuthError(tokenRefreshRequired);
6810
+ throw createClientAuthError(tokenRefreshRequired, request.correlationId);
6729
6811
  }
6730
6812
  else if (wasClockTurnedBack(cachedAccessToken.cachedAt) ||
6731
6813
  isTokenExpired(cachedAccessToken.expiresOn, this.config.systemOptions.tokenRenewalOffsetSeconds)) {
6732
6814
  // must refresh due to the expires_in value
6733
6815
  this.setCacheOutcome(CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED, request.correlationId);
6734
- throw createClientAuthError(tokenRefreshRequired);
6816
+ throw createClientAuthError(tokenRefreshRequired, request.correlationId);
6735
6817
  }
6736
6818
  else if (request.resource) {
6737
6819
  // cached access token must have a resource that matches the request resource for MCP scenarios
6738
6820
  if (cachedAccessToken.resource !== request.resource) {
6739
6821
  this.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN, request.correlationId);
6740
- throw createClientAuthError(tokenRefreshRequired);
6822
+ throw createClientAuthError(tokenRefreshRequired, request.correlationId);
6741
6823
  }
6742
6824
  }
6743
6825
  else if (cachedAccessToken.refreshOn &&
@@ -6769,7 +6851,7 @@
6769
6851
  cacheOutcome: cacheOutcome,
6770
6852
  }, correlationId);
6771
6853
  if (cacheOutcome !== CacheOutcome.NOT_APPLICABLE) {
6772
- this.logger.info("09ingz", correlationId);
6854
+ this.logger.info(`09ingz ${cacheOutcome}`, correlationId);
6773
6855
  }
6774
6856
  }
6775
6857
  /**
@@ -6779,36 +6861,29 @@
6779
6861
  async generateResultFromCacheRecord(cacheRecord, request) {
6780
6862
  let idTokenClaims;
6781
6863
  if (cacheRecord.idToken) {
6782
- idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
6783
- }
6784
- // token max_age check
6785
- if (request.maxAge || request.maxAge === 0) {
6786
- const authTime = idTokenClaims?.auth_time;
6787
- if (!authTime) {
6788
- throw createClientAuthError(authTimeNotFound);
6789
- }
6790
- checkMaxAge(authTime, request.maxAge);
6864
+ idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode, request.correlationId);
6791
6865
  }
6792
6866
  return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, this.performanceClient, idTokenClaims);
6793
6867
  }
6794
6868
  }
6795
6869
 
6796
- /*! @azure/msal-common v16.8.0 2026-06-10 */
6870
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
6797
6871
 
6798
6872
  /*
6799
6873
  * Copyright (c) Microsoft Corporation. All rights reserved.
6800
6874
  * Licensed under the MIT License.
6801
6875
  */
6802
6876
  const StubbedNetworkModule = {
6877
+ // Module-level singleton: no per-request correlationId available
6803
6878
  sendGetRequestAsync: () => {
6804
- return Promise.reject(createClientAuthError(methodNotImplemented));
6879
+ return Promise.reject(createClientAuthError(methodNotImplemented, ""));
6805
6880
  },
6806
6881
  sendPostRequestAsync: () => {
6807
- return Promise.reject(createClientAuthError(methodNotImplemented));
6882
+ return Promise.reject(createClientAuthError(methodNotImplemented, ""));
6808
6883
  },
6809
6884
  };
6810
6885
 
6811
- /*! @azure/msal-common v16.8.0 2026-06-10 */
6886
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
6812
6887
 
6813
6888
  /*
6814
6889
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6821,6 +6896,7 @@
6821
6896
  * @param logger
6822
6897
  * @param performanceClient
6823
6898
  * @returns
6899
+ * @internal
6824
6900
  */
6825
6901
  function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
6826
6902
  // generate the correlationId if not set by the user and add
@@ -6833,7 +6909,7 @@
6833
6909
  ...(request.scopes || []),
6834
6910
  ...(request.extraScopesToConsent || []),
6835
6911
  ];
6836
- addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
6912
+ addScopes(parameters, requestScopes, request.correlationId, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
6837
6913
  addResource(parameters, request.resource);
6838
6914
  addRedirectUri(parameters, request.redirectUri);
6839
6915
  addCorrelationId(parameters, correlationId);
@@ -6935,7 +7011,7 @@
6935
7011
  if (request.embeddedClientId) {
6936
7012
  addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
6937
7013
  }
6938
- addClaims(parameters, request.claims, authOptions.clientCapabilities, request.skipBrokerClaims);
7014
+ addClaims(parameters, request.correlationId, request.claims, authOptions.clientCapabilities, request.skipBrokerClaims);
6939
7015
  // If extraQueryParameters includes instance_aware its value will be added when extraQueryParameters are added
6940
7016
  if (authOptions.instanceAware &&
6941
7017
  (!request.extraQueryParameters ||
@@ -6949,6 +7025,7 @@
6949
7025
  * @param authority
6950
7026
  * @param requestParameters
6951
7027
  * @returns
7028
+ * @internal
6952
7029
  */
6953
7030
  function getAuthorizeUrl(authority, requestParameters) {
6954
7031
  const queryString = mapToQueryString(requestParameters);
@@ -6959,13 +7036,14 @@
6959
7036
  * the client to exchange for a token in acquireToken.
6960
7037
  * @param serverParams
6961
7038
  * @param cachedState
7039
+ * @param correlationId
6962
7040
  */
6963
- function getAuthorizationCodePayload(serverParams, cachedState) {
7041
+ function getAuthorizationCodePayload(serverParams, cachedState, correlationId) {
6964
7042
  // Get code response
6965
- validateAuthorizationResponse(serverParams, cachedState);
7043
+ validateAuthorizationResponse(serverParams, cachedState, correlationId);
6966
7044
  // throw when there is no auth code in the response
6967
7045
  if (!serverParams.code) {
6968
- throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7046
+ throw createClientAuthError(authorizationCodeMissingFromServerResponse, correlationId);
6969
7047
  }
6970
7048
  return serverParams;
6971
7049
  }
@@ -6973,12 +7051,13 @@
6973
7051
  * Function which validates server authorization code response.
6974
7052
  * @param serverResponseHash
6975
7053
  * @param requestState
7054
+ * @param correlationId
6976
7055
  */
6977
- function validateAuthorizationResponse(serverResponse, requestState) {
7056
+ function validateAuthorizationResponse(serverResponse, requestState, correlationId) {
6978
7057
  if (!serverResponse.state || !requestState) {
6979
7058
  throw serverResponse.state
6980
- ? createClientAuthError(stateNotFound, "Cached State")
6981
- : createClientAuthError(stateNotFound, "Server State");
7059
+ ? createClientAuthError(stateNotFound, correlationId, "Cached State")
7060
+ : createClientAuthError(stateNotFound, correlationId, "Server State");
6982
7061
  }
6983
7062
  let decodedServerResponseState;
6984
7063
  let decodedRequestState;
@@ -6986,16 +7065,16 @@
6986
7065
  decodedServerResponseState = decodeURIComponent(serverResponse.state);
6987
7066
  }
6988
7067
  catch (e) {
6989
- throw createClientAuthError(invalidState, serverResponse.state);
7068
+ throw createClientAuthError(invalidState, correlationId, serverResponse.state);
6990
7069
  }
6991
7070
  try {
6992
7071
  decodedRequestState = decodeURIComponent(requestState);
6993
7072
  }
6994
7073
  catch (e) {
6995
- throw createClientAuthError(invalidState, serverResponse.state);
7074
+ throw createClientAuthError(invalidState, correlationId, serverResponse.state);
6996
7075
  }
6997
7076
  if (decodedServerResponseState !== decodedRequestState) {
6998
- throw createClientAuthError(stateMismatch);
7077
+ throw createClientAuthError(stateMismatch, correlationId);
6999
7078
  }
7000
7079
  // Check for error
7001
7080
  if (serverResponse.error ||
@@ -7003,9 +7082,9 @@
7003
7082
  serverResponse.suberror) {
7004
7083
  const serverErrorNo = parseServerErrorNo(serverResponse);
7005
7084
  if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
7006
- throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
7085
+ throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.correlation_id || correlationId, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.claims || "", serverErrorNo);
7007
7086
  }
7008
- throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
7087
+ throw new ServerError(serverResponse.error || "", serverResponse.correlation_id || correlationId, serverResponse.error_description, serverResponse.suberror, serverErrorNo);
7009
7088
  }
7010
7089
  }
7011
7090
  /**
@@ -7031,7 +7110,7 @@
7031
7110
  return account.loginHint || account.idTokenClaims?.login_hint || null;
7032
7111
  }
7033
7112
 
7034
- /*! @azure/msal-common v16.8.0 2026-06-10 */
7113
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
7035
7114
 
7036
7115
  /*
7037
7116
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7051,10 +7130,10 @@
7051
7130
  if (request.resource &&
7052
7131
  (containsResourceParam(request.extraParameters) ||
7053
7132
  containsResourceParam(request.extraQueryParameters))) {
7054
- throw createClientAuthError(misplacedResourceParam);
7133
+ throw createClientAuthError(misplacedResourceParam, request.correlationId || "");
7055
7134
  }
7056
7135
  if (!request.resource) {
7057
- throw createClientAuthError(resourceParameterRequired);
7136
+ throw createClientAuthError(resourceParameterRequired, request.correlationId || "");
7058
7137
  }
7059
7138
  }
7060
7139
  function containsResourceParam(params) {
@@ -7064,7 +7143,7 @@
7064
7143
  return Object.prototype.hasOwnProperty.call(params, "resource");
7065
7144
  }
7066
7145
 
7067
- /*! @azure/msal-common v16.8.0 2026-06-10 */
7146
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
7068
7147
  /*
7069
7148
  * Copyright (c) Microsoft Corporation. All rights reserved.
7070
7149
  * Licensed under the MIT License.
@@ -7074,7 +7153,7 @@
7074
7153
  */
7075
7154
  const unexpectedError = "unexpected_error";
7076
7155
 
7077
- /*! @azure/msal-common v16.8.0 2026-06-10 */
7156
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
7078
7157
 
7079
7158
  /*
7080
7159
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7367,7 +7446,7 @@
7367
7446
  clearNativeBrokerErrorCode() { }
7368
7447
  }
7369
7448
 
7370
- /*! @azure/msal-common v16.8.0 2026-06-10 */
7449
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
7371
7450
 
7372
7451
  /*
7373
7452
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7377,18 +7456,18 @@
7377
7456
  * Error thrown when there is an error in the client code running on the browser.
7378
7457
  */
7379
7458
  class JoseHeaderError extends AuthError {
7380
- constructor(errorCode, errorMessage) {
7381
- super(errorCode, errorMessage);
7459
+ constructor(errorCode, correlationId, errorMessage) {
7460
+ super(errorCode, correlationId, errorMessage);
7382
7461
  this.name = "JoseHeaderError";
7383
7462
  Object.setPrototypeOf(this, JoseHeaderError.prototype);
7384
7463
  }
7385
7464
  }
7386
7465
  /** Returns JoseHeaderError object */
7387
- function createJoseHeaderError(code) {
7388
- return new JoseHeaderError(code);
7466
+ function createJoseHeaderError(code, correlationId) {
7467
+ return new JoseHeaderError(code, correlationId);
7389
7468
  }
7390
7469
 
7391
- /*! @azure/msal-common v16.8.0 2026-06-10 */
7470
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
7392
7471
  /*
7393
7472
  * Copyright (c) Microsoft Corporation. All rights reserved.
7394
7473
  * Licensed under the MIT License.
@@ -7396,7 +7475,7 @@
7396
7475
  const missingKidError = "missing_kid_error";
7397
7476
  const missingAlgError = "missing_alg_error";
7398
7477
 
7399
- /*! @azure/msal-common v16.8.0 2026-06-10 */
7478
+ /*! @azure/msal-common v16.10.0 2026-06-23 */
7400
7479
 
7401
7480
  /*
7402
7481
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7420,11 +7499,11 @@
7420
7499
  static getShrHeaderString(shrHeaderOptions) {
7421
7500
  // KeyID is required on the SHR header
7422
7501
  if (!shrHeaderOptions.kid) {
7423
- throw createJoseHeaderError(missingKidError);
7502
+ throw createJoseHeaderError(missingKidError, "");
7424
7503
  }
7425
7504
  // Alg is required on the SHR header
7426
7505
  if (!shrHeaderOptions.alg) {
7427
- throw createJoseHeaderError(missingAlgError);
7506
+ throw createJoseHeaderError(missingAlgError, "");
7428
7507
  }
7429
7508
  const shrHeader = new JoseHeader({
7430
7509
  // Access Token PoP headers must have type pop, but the type header can be overriden for special cases
@@ -7831,7 +7910,7 @@
7831
7910
 
7832
7911
  /* eslint-disable header/header */
7833
7912
  const name = "@azure/msal-browser";
7834
- const version = "5.13.0";
7913
+ const version = "5.15.0";
7835
7914
 
7836
7915
  /*
7837
7916
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8467,6 +8546,116 @@
8467
8546
  */
8468
8547
  const WaitForBridgeLateResponse = "waitForBridgeLateResponse";
8469
8548
 
8549
+ /*
8550
+ * Copyright (c) Microsoft Corporation. All rights reserved.
8551
+ * Licensed under the MIT License.
8552
+ */
8553
+ const pkceNotCreated = "pkce_not_created";
8554
+ const earJwkEmpty = "ear_jwk_empty";
8555
+ const earJweEmpty = "ear_jwe_empty";
8556
+ const cryptoNonExistent = "crypto_nonexistent";
8557
+ const emptyNavigateUri = "empty_navigate_uri";
8558
+ const hashEmptyError = "hash_empty_error";
8559
+ const noStateInHash = "no_state_in_hash";
8560
+ const hashDoesNotContainKnownProperties = "hash_does_not_contain_known_properties";
8561
+ const unableToParseState = "unable_to_parse_state";
8562
+ const stateInteractionTypeMismatch = "state_interaction_type_mismatch";
8563
+ const interactionInProgress = "interaction_in_progress";
8564
+ const interactionInProgressCancelled = "interaction_in_progress_cancelled";
8565
+ const popupWindowError = "popup_window_error";
8566
+ const emptyWindowError = "empty_window_error";
8567
+ const userCancelled = "user_cancelled";
8568
+ const redirectBridgeEmptyResponse = "redirect_bridge_empty_response";
8569
+ const redirectInIframe = "redirect_in_iframe";
8570
+ const blockIframeReload = "block_iframe_reload";
8571
+ const blockNestedPopups = "block_nested_popups";
8572
+ const silentLogoutUnsupported = "silent_logout_unsupported";
8573
+ const noAccountError = "no_account_error";
8574
+ const noTokenRequestCacheError = "no_token_request_cache_error";
8575
+ const unableToParseTokenRequestCacheError = "unable_to_parse_token_request_cache_error";
8576
+ const nonBrowserEnvironment = "non_browser_environment";
8577
+ const databaseNotOpen = "database_not_open";
8578
+ const noNetworkConnectivity = "no_network_connectivity";
8579
+ const postRequestFailed = "post_request_failed";
8580
+ const getRequestFailed = "get_request_failed";
8581
+ const failedToParseResponse = "failed_to_parse_response";
8582
+ const cryptoKeyNotFound = "crypto_key_not_found";
8583
+ const authCodeRequired = "auth_code_required";
8584
+ const authCodeOrNativeAccountIdRequired = "auth_code_or_nativeAccountId_required";
8585
+ const spaCodeAndNativeAccountIdPresent = "spa_code_and_nativeAccountId_present";
8586
+ const databaseUnavailable = "database_unavailable";
8587
+ const unableToAcquireTokenFromNativePlatform = "unable_to_acquire_token_from_native_platform";
8588
+ const nativeHandshakeTimeout = "native_handshake_timeout";
8589
+ const nativeExtensionNotInstalled = "native_extension_not_installed";
8590
+ const nativeConnectionNotEstablished = "native_connection_not_established";
8591
+ const uninitializedPublicClientApplication = "uninitialized_public_client_application";
8592
+ const nativePromptNotSupported = "native_prompt_not_supported";
8593
+ const invalidBase64String = "invalid_base64_string";
8594
+ const invalidPopTokenRequest = "invalid_pop_token_request";
8595
+ const failedToBuildHeaders = "failed_to_build_headers";
8596
+ const failedToParseHeaders = "failed_to_parse_headers";
8597
+ const failedToDecryptEarResponse = "failed_to_decrypt_ear_response";
8598
+ const timedOut = "timed_out";
8599
+ const emptyResponse = "empty_response";
8600
+
8601
+ /*
8602
+ * Copyright (c) Microsoft Corporation. All rights reserved.
8603
+ * Licensed under the MIT License.
8604
+ */
8605
+ function getDefaultErrorMessage(code) {
8606
+ return `See https://aka.ms/msal.js.errors#${code} for details`;
8607
+ }
8608
+ /**
8609
+ * Browser library error class thrown by the MSAL.js library for SPAs
8610
+ */
8611
+ class BrowserAuthError extends AuthError {
8612
+ constructor(errorCode, correlationId, subError) {
8613
+ super(errorCode, correlationId, getDefaultErrorMessage(errorCode), subError);
8614
+ Object.setPrototypeOf(this, BrowserAuthError.prototype);
8615
+ this.name = "BrowserAuthError";
8616
+ }
8617
+ }
8618
+ function createBrowserAuthError(errorCode, correlationId, subError) {
8619
+ return new BrowserAuthError(errorCode, correlationId, subError);
8620
+ }
8621
+
8622
+ /*
8623
+ * Copyright (c) Microsoft Corporation. All rights reserved.
8624
+ * Licensed under the MIT License.
8625
+ */
8626
+ /**
8627
+ * Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details:
8628
+ * https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
8629
+ */
8630
+ /**
8631
+ * Returns a URL-safe plaintext decoded string from b64 encoded input.
8632
+ * @param input
8633
+ */
8634
+ function base64Decode(input) {
8635
+ return new TextDecoder().decode(base64DecToArr(input));
8636
+ }
8637
+ /**
8638
+ * Decodes base64 into Uint8Array
8639
+ * @param base64String
8640
+ */
8641
+ function base64DecToArr(base64String) {
8642
+ let encodedString = base64String.replace(/-/g, "+").replace(/_/g, "/");
8643
+ switch (encodedString.length % 4) {
8644
+ case 0:
8645
+ break;
8646
+ case 2:
8647
+ encodedString += "==";
8648
+ break;
8649
+ case 3:
8650
+ encodedString += "=";
8651
+ break;
8652
+ default:
8653
+ throw createBrowserAuthError(invalidBase64String, "");
8654
+ }
8655
+ const binString = atob(encodedString);
8656
+ return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
8657
+ }
8658
+
8470
8659
  /*
8471
8660
  * Copyright (c) Microsoft Corporation. All rights reserved.
8472
8661
  * Licensed under the MIT License.
@@ -8651,116 +8840,6 @@
8651
8840
  CacheLookupPolicy.RefreshTokenAndNetwork,
8652
8841
  ];
8653
8842
 
8654
- /*
8655
- * Copyright (c) Microsoft Corporation. All rights reserved.
8656
- * Licensed under the MIT License.
8657
- */
8658
- const pkceNotCreated = "pkce_not_created";
8659
- const earJwkEmpty = "ear_jwk_empty";
8660
- const earJweEmpty = "ear_jwe_empty";
8661
- const cryptoNonExistent = "crypto_nonexistent";
8662
- const emptyNavigateUri = "empty_navigate_uri";
8663
- const hashEmptyError = "hash_empty_error";
8664
- const noStateInHash = "no_state_in_hash";
8665
- const hashDoesNotContainKnownProperties = "hash_does_not_contain_known_properties";
8666
- const unableToParseState = "unable_to_parse_state";
8667
- const stateInteractionTypeMismatch = "state_interaction_type_mismatch";
8668
- const interactionInProgress = "interaction_in_progress";
8669
- const interactionInProgressCancelled = "interaction_in_progress_cancelled";
8670
- const popupWindowError = "popup_window_error";
8671
- const emptyWindowError = "empty_window_error";
8672
- const userCancelled = "user_cancelled";
8673
- const redirectBridgeEmptyResponse = "redirect_bridge_empty_response";
8674
- const redirectInIframe = "redirect_in_iframe";
8675
- const blockIframeReload = "block_iframe_reload";
8676
- const blockNestedPopups = "block_nested_popups";
8677
- const silentLogoutUnsupported = "silent_logout_unsupported";
8678
- const noAccountError = "no_account_error";
8679
- const noTokenRequestCacheError = "no_token_request_cache_error";
8680
- const unableToParseTokenRequestCacheError = "unable_to_parse_token_request_cache_error";
8681
- const nonBrowserEnvironment = "non_browser_environment";
8682
- const databaseNotOpen = "database_not_open";
8683
- const noNetworkConnectivity = "no_network_connectivity";
8684
- const postRequestFailed = "post_request_failed";
8685
- const getRequestFailed = "get_request_failed";
8686
- const failedToParseResponse = "failed_to_parse_response";
8687
- const cryptoKeyNotFound = "crypto_key_not_found";
8688
- const authCodeRequired = "auth_code_required";
8689
- const authCodeOrNativeAccountIdRequired = "auth_code_or_nativeAccountId_required";
8690
- const spaCodeAndNativeAccountIdPresent = "spa_code_and_nativeAccountId_present";
8691
- const databaseUnavailable = "database_unavailable";
8692
- const unableToAcquireTokenFromNativePlatform = "unable_to_acquire_token_from_native_platform";
8693
- const nativeHandshakeTimeout = "native_handshake_timeout";
8694
- const nativeExtensionNotInstalled = "native_extension_not_installed";
8695
- const nativeConnectionNotEstablished = "native_connection_not_established";
8696
- const uninitializedPublicClientApplication = "uninitialized_public_client_application";
8697
- const nativePromptNotSupported = "native_prompt_not_supported";
8698
- const invalidBase64String = "invalid_base64_string";
8699
- const invalidPopTokenRequest = "invalid_pop_token_request";
8700
- const failedToBuildHeaders = "failed_to_build_headers";
8701
- const failedToParseHeaders = "failed_to_parse_headers";
8702
- const failedToDecryptEarResponse = "failed_to_decrypt_ear_response";
8703
- const timedOut = "timed_out";
8704
- const emptyResponse = "empty_response";
8705
-
8706
- /*
8707
- * Copyright (c) Microsoft Corporation. All rights reserved.
8708
- * Licensed under the MIT License.
8709
- */
8710
- function getDefaultErrorMessage(code) {
8711
- return `See https://aka.ms/msal.js.errors#${code} for details`;
8712
- }
8713
- /**
8714
- * Browser library error class thrown by the MSAL.js library for SPAs
8715
- */
8716
- class BrowserAuthError extends AuthError {
8717
- constructor(errorCode, subError) {
8718
- super(errorCode, getDefaultErrorMessage(errorCode), subError);
8719
- Object.setPrototypeOf(this, BrowserAuthError.prototype);
8720
- this.name = "BrowserAuthError";
8721
- }
8722
- }
8723
- function createBrowserAuthError(errorCode, subError) {
8724
- return new BrowserAuthError(errorCode, subError);
8725
- }
8726
-
8727
- /*
8728
- * Copyright (c) Microsoft Corporation. All rights reserved.
8729
- * Licensed under the MIT License.
8730
- */
8731
- /**
8732
- * Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details:
8733
- * https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
8734
- */
8735
- /**
8736
- * Returns a URL-safe plaintext decoded string from b64 encoded input.
8737
- * @param input
8738
- */
8739
- function base64Decode(input) {
8740
- return new TextDecoder().decode(base64DecToArr(input));
8741
- }
8742
- /**
8743
- * Decodes base64 into Uint8Array
8744
- * @param base64String
8745
- */
8746
- function base64DecToArr(base64String) {
8747
- let encodedString = base64String.replace(/-/g, "+").replace(/_/g, "/");
8748
- switch (encodedString.length % 4) {
8749
- case 0:
8750
- break;
8751
- case 2:
8752
- encodedString += "==";
8753
- break;
8754
- case 3:
8755
- encodedString += "=";
8756
- break;
8757
- default:
8758
- throw createBrowserAuthError(invalidBase64String);
8759
- }
8760
- const binString = atob(encodedString);
8761
- return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
8762
- }
8763
-
8764
8843
  /*
8765
8844
  * Copyright (c) Microsoft Corporation. All rights reserved.
8766
8845
  * Licensed under the MIT License.
@@ -8849,13 +8928,13 @@
8849
8928
  */
8850
8929
  function validateCryptoAvailable(skipValidateSubtleCrypto) {
8851
8930
  if (!window) {
8852
- throw createBrowserAuthError(nonBrowserEnvironment);
8931
+ throw createBrowserAuthError(nonBrowserEnvironment, "");
8853
8932
  }
8854
8933
  if (!window.crypto) {
8855
- throw createBrowserAuthError(cryptoNonExistent);
8934
+ throw createBrowserAuthError(cryptoNonExistent, "");
8856
8935
  }
8857
8936
  if (!skipValidateSubtleCrypto && !window.crypto.subtle) {
8858
- throw createBrowserAuthError(cryptoNonExistent, SUBTLE_SUBERROR);
8937
+ throw createBrowserAuthError(cryptoNonExistent, "", SUBTLE_SUBERROR);
8859
8938
  }
8860
8939
  }
8861
8940
  /**
@@ -8994,10 +9073,10 @@
8994
9073
  async function decryptEarResponse(earJwk, earJwe) {
8995
9074
  const earJweParts = earJwe.split(".");
8996
9075
  if (earJweParts.length !== 5) {
8997
- throw createBrowserAuthError(failedToDecryptEarResponse, "jwe_length");
9076
+ throw createBrowserAuthError(failedToDecryptEarResponse, "", "jwe_length");
8998
9077
  }
8999
9078
  const key = await importEarKey(earJwk).catch(() => {
9000
- throw createBrowserAuthError(failedToDecryptEarResponse, "import_key");
9079
+ throw createBrowserAuthError(failedToDecryptEarResponse, "", "import_key");
9001
9080
  });
9002
9081
  try {
9003
9082
  const header = new TextEncoder().encode(earJweParts[0]);
@@ -9018,7 +9097,7 @@
9018
9097
  return new TextDecoder().decode(decryptedData);
9019
9098
  }
9020
9099
  catch (e) {
9021
- throw createBrowserAuthError(failedToDecryptEarResponse, "decrypt");
9100
+ throw createBrowserAuthError(failedToDecryptEarResponse, "", "decrypt");
9022
9101
  }
9023
9102
  }
9024
9103
  /**
@@ -9116,14 +9195,14 @@
9116
9195
  * Browser library error class thrown by the MSAL.js library for SPAs
9117
9196
  */
9118
9197
  class BrowserConfigurationAuthError extends AuthError {
9119
- constructor(errorCode, errorMessage) {
9120
- super(errorCode, errorMessage);
9198
+ constructor(errorCode, correlationId, errorMessage) {
9199
+ super(errorCode, correlationId, errorMessage);
9121
9200
  this.name = "BrowserConfigurationAuthError";
9122
9201
  Object.setPrototypeOf(this, BrowserConfigurationAuthError.prototype);
9123
9202
  }
9124
9203
  }
9125
- function createBrowserConfigurationAuthError(errorCode) {
9126
- return new BrowserConfigurationAuthError(errorCode, getDefaultErrorMessage(errorCode));
9204
+ function createBrowserConfigurationAuthError(errorCode, correlationId) {
9205
+ return new BrowserConfigurationAuthError(errorCode, correlationId, getDefaultErrorMessage(errorCode));
9127
9206
  }
9128
9207
 
9129
9208
  /*
@@ -9179,17 +9258,21 @@
9179
9258
  payload = `${queryContent}${hashContent}`;
9180
9259
  params = new URLSearchParams(payload);
9181
9260
  }
9261
+ /*
9262
+ * Called by the redirect-bridge entry point before any request context exists,
9263
+ * so correlationId is intentionally empty for the throws below.
9264
+ */
9182
9265
  if (!payload || !params) {
9183
- throw createBrowserAuthError(emptyResponse);
9266
+ throw createBrowserAuthError(emptyResponse, "");
9184
9267
  }
9185
9268
  const state = params.get("state");
9186
9269
  if (!state) {
9187
- throw createBrowserAuthError(noStateInHash);
9270
+ throw createBrowserAuthError(noStateInHash, "");
9188
9271
  }
9189
- const { libraryState } = parseRequestState(base64Decode, state);
9272
+ const { libraryState } = parseRequestState(base64Decode, state, "");
9190
9273
  const { id, meta } = libraryState;
9191
9274
  if (!id || !meta) {
9192
- throw createBrowserAuthError(unableToParseState, "missing_library_state");
9275
+ throw createBrowserAuthError(unableToParseState, "", "missing_library_state");
9193
9276
  }
9194
9277
  return {
9195
9278
  params,
@@ -9269,10 +9352,11 @@
9269
9352
  logger.verbose("BrowserUtils.cancelPendingBridgeResponse - Cancelling pending bridge monitor", correlationId);
9270
9353
  clearTimeout(activeBridgeMonitor.timeoutId);
9271
9354
  activeBridgeMonitor.channel.close();
9272
- activeBridgeMonitor.reject(createBrowserAuthError(interactionInProgressCancelled));
9355
+ activeBridgeMonitor.reject(createBrowserAuthError(interactionInProgressCancelled, ""));
9273
9356
  activeBridgeMonitor = null;
9274
9357
  }
9275
9358
  }
9359
+ /** @internal */
9276
9360
  async function waitForBridgeResponse(timeoutMs, logger, request, performanceClient, experimentalConfig) {
9277
9361
  return new Promise((resolve, reject) => {
9278
9362
  logger.verbose("BrowserUtils.waitForBridgeResponse - started", request.correlationId);
@@ -9281,7 +9365,7 @@
9281
9365
  redirectBridgeTimeoutMs: timeoutMs,
9282
9366
  lateResponseExperimentEnabled: experimentalConfig?.iframeTimeoutTelemetry || false,
9283
9367
  }, correlationId);
9284
- const { libraryState } = parseRequestState(base64Decode, request.state || "");
9368
+ const { libraryState } = parseRequestState(base64Decode, request.state || "", request.correlationId);
9285
9369
  const channel = new BroadcastChannel(libraryState.id);
9286
9370
  let responseString = undefined;
9287
9371
  let timedOut$1 = false;
@@ -9302,7 +9386,7 @@
9302
9386
  else {
9303
9387
  channel.close();
9304
9388
  }
9305
- reject(createBrowserAuthError(timedOut, "redirect_bridge_timeout"));
9389
+ reject(createBrowserAuthError(timedOut, "", "redirect_bridge_timeout"));
9306
9390
  }, timeoutMs);
9307
9391
  // Track this monitor so it can be cancelled if needed
9308
9392
  activeBridgeMonitor = {
@@ -9334,7 +9418,7 @@
9334
9418
  resolve(responseString);
9335
9419
  }
9336
9420
  else {
9337
- reject(createBrowserAuthError(redirectBridgeEmptyResponse));
9421
+ reject(createBrowserAuthError(redirectBridgeEmptyResponse, correlationId));
9338
9422
  }
9339
9423
  };
9340
9424
  });
@@ -9351,8 +9435,8 @@
9351
9435
  /**
9352
9436
  * Gets the homepage url for the current window location.
9353
9437
  */
9354
- function getHomepage() {
9355
- const currentUrl = new UrlString(window.location.href);
9438
+ function getHomepage(correlationId) {
9439
+ const currentUrl = new UrlString(window.location.href, correlationId || "");
9356
9440
  const urlComponents = currentUrl.getUrlComponents();
9357
9441
  return `${urlComponents.Protocol}//${urlComponents.HostNameAndPort}/`;
9358
9442
  }
@@ -9364,7 +9448,7 @@
9364
9448
  const isResponseHash = getDeserializedResponse(window.location.hash);
9365
9449
  // return an error if called from the hidden iframe created by the msal js silent calls
9366
9450
  if (isResponseHash && isInIframe()) {
9367
- throw createBrowserAuthError(blockIframeReload);
9451
+ throw createBrowserAuthError(blockIframeReload, "");
9368
9452
  }
9369
9453
  }
9370
9454
  /**
@@ -9375,7 +9459,7 @@
9375
9459
  function blockRedirectInIframe(allowRedirectInIframe) {
9376
9460
  if (isInIframe() && !allowRedirectInIframe) {
9377
9461
  // If we are not in top frame, we shouldn't redirect. This is also handled by the service.
9378
- throw createBrowserAuthError(redirectInIframe);
9462
+ throw createBrowserAuthError(redirectInIframe, "");
9379
9463
  }
9380
9464
  }
9381
9465
  /**
@@ -9384,7 +9468,7 @@
9384
9468
  function blockAcquireTokenInPopups() {
9385
9469
  // Popups opened by msal popup APIs are given a name that starts with "msal."
9386
9470
  if (isInPopup()) {
9387
- throw createBrowserAuthError(blockNestedPopups);
9471
+ throw createBrowserAuthError(blockNestedPopups, "");
9388
9472
  }
9389
9473
  }
9390
9474
  /**
@@ -9393,7 +9477,7 @@
9393
9477
  */
9394
9478
  function blockNonBrowserEnvironment() {
9395
9479
  if (typeof window === "undefined") {
9396
- throw createBrowserAuthError(nonBrowserEnvironment);
9480
+ throw createBrowserAuthError(nonBrowserEnvironment, "");
9397
9481
  }
9398
9482
  }
9399
9483
  /**
@@ -9402,7 +9486,7 @@
9402
9486
  */
9403
9487
  function blockAPICallsBeforeInitialize(initialized) {
9404
9488
  if (!initialized) {
9405
- throw createBrowserAuthError(uninitializedPublicClientApplication);
9489
+ throw createBrowserAuthError(uninitializedPublicClientApplication, "");
9406
9490
  }
9407
9491
  }
9408
9492
  /**
@@ -9420,16 +9504,17 @@
9420
9504
  blockAPICallsBeforeInitialize(initialized);
9421
9505
  }
9422
9506
  /**
9423
- * Helper to validate app enviornment before making redirect request
9507
+ * Helper to validate app environment before making redirect request
9424
9508
  * @param initialized
9425
9509
  * @param config
9510
+ * @internal
9426
9511
  */
9427
9512
  function redirectPreflightCheck(initialized, config) {
9428
9513
  preflightCheck$1(initialized);
9429
9514
  blockRedirectInIframe(config.system.allowRedirectInIframe);
9430
9515
  // Block redirects if memory storage is enabled
9431
9516
  if (config.cache.cacheLocation === BrowserCacheLocation.MemoryStorage) {
9432
- throw createBrowserConfigurationAuthError(inMemRedirectUnavailable);
9517
+ throw createBrowserConfigurationAuthError(inMemRedirectUnavailable, "");
9433
9518
  }
9434
9519
  }
9435
9520
  /**
@@ -9473,7 +9558,7 @@
9473
9558
  this.navigationClient = navigationClient;
9474
9559
  this.platformAuthProvider = platformAuthProvider;
9475
9560
  this.correlationId = correlationId;
9476
- this.logger = logger.clone(BrowserConstants.MSAL_SKU, version);
9561
+ this.logger = logger.clone(name, version);
9477
9562
  this.performanceClient = performanceClient;
9478
9563
  }
9479
9564
  }
@@ -9488,7 +9573,7 @@
9488
9573
  function getRedirectUri(requestRedirectUri, clientConfigRedirectUri, logger, correlationId) {
9489
9574
  logger.verbose("getRedirectUri called", correlationId);
9490
9575
  const redirectUri = requestRedirectUri || clientConfigRedirectUri || "";
9491
- return UrlString.getAbsoluteUrl(redirectUri, getCurrentUri());
9576
+ return UrlString.getAbsoluteUrl(redirectUri, getCurrentUri(), correlationId);
9492
9577
  }
9493
9578
  /**
9494
9579
  * Initializes and returns a ServerTelemetryManager with the provided telemetry configuration.
@@ -9549,13 +9634,13 @@
9549
9634
  ? instanceAwareEQ === "true"
9550
9635
  : config.auth.instanceAware;
9551
9636
  const userAuthority = account && resolvedInstanceAware
9552
- ? config.auth.authority.replace(UrlString.getDomainFromUrl(resolvedAuthority), account.environment)
9637
+ ? config.auth.authority.replace(UrlString.getDomainFromUrl(resolvedAuthority, correlationId), account.environment)
9553
9638
  : resolvedAuthority;
9554
9639
  // fall back to the authority from config
9555
9640
  const builtAuthority = Authority.generateAuthority(userAuthority, requestAzureCloudOptions || config.auth.azureCloudOptions);
9556
9641
  const discoveredAuthority = await invokeAsync(createDiscoveredInstance, AuthorityFactoryCreateDiscoveredInstance, logger, performanceClient, correlationId)(builtAuthority, config.system.networkClient, browserStorage, authorityOptions, logger, correlationId, performanceClient);
9557
9642
  if (account && !discoveredAuthority.isAlias(account.environment)) {
9558
- throw createClientConfigurationError(authorityMismatch);
9643
+ throw createClientConfigurationError(authorityMismatch, correlationId);
9559
9644
  }
9560
9645
  return discoveredAuthority;
9561
9646
  }
@@ -9628,10 +9713,10 @@
9628
9713
  if (validatedRequest.authenticationScheme ===
9629
9714
  AuthenticationScheme.SSH) {
9630
9715
  if (!request.sshJwk) {
9631
- throw createClientConfigurationError(missingSshJwk);
9716
+ throw createClientConfigurationError(missingSshJwk, "");
9632
9717
  }
9633
9718
  if (!request.sshKid) {
9634
- throw createClientConfigurationError(missingSshKid);
9719
+ throw createClientConfigurationError(missingSshKid, "");
9635
9720
  }
9636
9721
  }
9637
9722
  logger.verbose(`Authentication Scheme set to "'${validatedRequest.authenticationScheme}'" as configured in Auth request`, correlationId);
@@ -9660,7 +9745,7 @@
9660
9745
  if (protocolMode === ProtocolMode.EAR) {
9661
9746
  // Validate that method can only be POST when protocol mode is EAR
9662
9747
  if (requestMethod && requestMethod !== HttpMethod$1.POST) {
9663
- throw createClientConfigurationError(invalidRequestMethodForEAR);
9748
+ throw createClientConfigurationError(invalidRequestMethodForEAR, "");
9664
9749
  }
9665
9750
  else {
9666
9751
  httpMethod = HttpMethod$1.POST;
@@ -9725,7 +9810,7 @@
9725
9810
  if (logoutRequest && logoutRequest.postLogoutRedirectUri) {
9726
9811
  this.logger.verbose("Setting postLogoutRedirectUri to uri set on logout request", validLogoutRequest.correlationId);
9727
9812
  validLogoutRequest.postLogoutRedirectUri =
9728
- UrlString.getAbsoluteUrl(logoutRequest.postLogoutRedirectUri, getCurrentUri());
9813
+ UrlString.getAbsoluteUrl(logoutRequest.postLogoutRedirectUri, getCurrentUri(), validLogoutRequest.correlationId);
9729
9814
  }
9730
9815
  else if (this.config.auth.postLogoutRedirectUri === null) {
9731
9816
  this.logger.verbose("postLogoutRedirectUri configured as null and no uri set on request, not passing post logout redirect", validLogoutRequest.correlationId);
@@ -9733,12 +9818,12 @@
9733
9818
  else if (this.config.auth.postLogoutRedirectUri) {
9734
9819
  this.logger.verbose("Setting postLogoutRedirectUri to configured uri", validLogoutRequest.correlationId);
9735
9820
  validLogoutRequest.postLogoutRedirectUri =
9736
- UrlString.getAbsoluteUrl(this.config.auth.postLogoutRedirectUri, getCurrentUri());
9821
+ UrlString.getAbsoluteUrl(this.config.auth.postLogoutRedirectUri, getCurrentUri(), validLogoutRequest.correlationId);
9737
9822
  }
9738
9823
  else {
9739
9824
  this.logger.verbose("Setting postLogoutRedirectUri to current page", validLogoutRequest.correlationId);
9740
9825
  validLogoutRequest.postLogoutRedirectUri =
9741
- UrlString.getAbsoluteUrl(getCurrentUri(), getCurrentUri());
9826
+ UrlString.getAbsoluteUrl(getCurrentUri(), getCurrentUri(), validLogoutRequest.correlationId);
9742
9827
  }
9743
9828
  }
9744
9829
  else {
@@ -9851,7 +9936,7 @@
9851
9936
  const browserState = {
9852
9937
  interactionType: interactionType,
9853
9938
  };
9854
- const state = setRequestState(browserCrypto, (request && request.state) || "", browserState);
9939
+ const state = setRequestState(browserCrypto, (request && request.state) || "", browserState, correlationId);
9855
9940
  const baseRequest = await invokeAsync(initializeBaseRequest, InitializeBaseRequest, logger, performanceClient, correlationId)({ ...request, correlationId: correlationId }, config, performanceClient, logger, correlationId);
9856
9941
  const interactionRequest = {
9857
9942
  ...baseRequest,
@@ -10703,7 +10788,7 @@
10703
10788
  * @param customAuthProxyDomain - The custom auth proxy domain.
10704
10789
  */
10705
10790
  constructor(authority, config, networkInterface, cacheManager, logger, performanceClient, customAuthProxyDomain) {
10706
- const ciamAuthorityUrl = CustomAuthAuthority.transformCIAMAuthority(authority);
10791
+ const ciamAuthorityUrl = CustomAuthAuthority.transformCIAMAuthority(authority, "");
10707
10792
  const authorityOptions = {
10708
10793
  protocolMode: config.system.protocolMode,
10709
10794
  OIDCOptions: config.auth.OIDCOptions,
@@ -12019,7 +12104,7 @@
12019
12104
  this.logger.verbose("Cache cleared", correlationId);
12020
12105
  const postLogoutRedirectUri = this.config.auth.postLogoutRedirectUri;
12021
12106
  if (postLogoutRedirectUri) {
12022
- const absoluteRedirectUri = UrlString.getAbsoluteUrl(postLogoutRedirectUri, getCurrentUri());
12107
+ const absoluteRedirectUri = UrlString.getAbsoluteUrl(postLogoutRedirectUri, getCurrentUri(), correlationId);
12023
12108
  this.logger.verbose("Post logout redirect uri is set, redirecting to uri", correlationId);
12024
12109
  // Redirect to post logout redirect uri
12025
12110
  await this.navigationClient.navigateExternal(absoluteRedirectUri, {
@@ -13940,7 +14025,7 @@
13940
14025
  this.dbOpen = true;
13941
14026
  resolve();
13942
14027
  });
13943
- openDB.addEventListener("error", () => reject(createBrowserAuthError(databaseUnavailable)));
14028
+ openDB.addEventListener("error", () => reject(createBrowserAuthError(databaseUnavailable, "")));
13944
14029
  });
13945
14030
  }
13946
14031
  /**
@@ -13971,7 +14056,7 @@
13971
14056
  return new Promise((resolve, reject) => {
13972
14057
  // TODO: Add timeouts?
13973
14058
  if (!this.db) {
13974
- return reject(createBrowserAuthError(databaseNotOpen));
14059
+ return reject(createBrowserAuthError(databaseNotOpen, ""));
13975
14060
  }
13976
14061
  const transaction = this.db.transaction([this.tableName], "readonly");
13977
14062
  const objectStore = transaction.objectStore(this.tableName);
@@ -13997,7 +14082,7 @@
13997
14082
  return new Promise((resolve, reject) => {
13998
14083
  // TODO: Add timeouts?
13999
14084
  if (!this.db) {
14000
- return reject(createBrowserAuthError(databaseNotOpen));
14085
+ return reject(createBrowserAuthError(databaseNotOpen, ""));
14001
14086
  }
14002
14087
  const transaction = this.db.transaction([this.tableName], "readwrite");
14003
14088
  const objectStore = transaction.objectStore(this.tableName);
@@ -14020,7 +14105,7 @@
14020
14105
  await this.validateDbIsOpen();
14021
14106
  return new Promise((resolve, reject) => {
14022
14107
  if (!this.db) {
14023
- return reject(createBrowserAuthError(databaseNotOpen));
14108
+ return reject(createBrowserAuthError(databaseNotOpen, ""));
14024
14109
  }
14025
14110
  const transaction = this.db.transaction([this.tableName], "readwrite");
14026
14111
  const objectStore = transaction.objectStore(this.tableName);
@@ -14042,7 +14127,7 @@
14042
14127
  await this.validateDbIsOpen();
14043
14128
  return new Promise((resolve, reject) => {
14044
14129
  if (!this.db) {
14045
- return reject(createBrowserAuthError(databaseNotOpen));
14130
+ return reject(createBrowserAuthError(databaseNotOpen, ""));
14046
14131
  }
14047
14132
  const transaction = this.db.transaction([this.tableName], "readonly");
14048
14133
  const objectStore = transaction.objectStore(this.tableName);
@@ -14066,7 +14151,7 @@
14066
14151
  await this.validateDbIsOpen();
14067
14152
  return new Promise((resolve, reject) => {
14068
14153
  if (!this.db) {
14069
- return reject(createBrowserAuthError(databaseNotOpen));
14154
+ return reject(createBrowserAuthError(databaseNotOpen, ""));
14070
14155
  }
14071
14156
  const transaction = this.db.transaction([this.tableName], "readonly");
14072
14157
  const objectStore = transaction.objectStore(this.tableName);
@@ -14391,7 +14476,7 @@
14391
14476
  await this.cache.removeItem(kid, correlationId);
14392
14477
  const keyFound = await this.cache.containsKey(kid, correlationId);
14393
14478
  if (keyFound) {
14394
- throw createClientAuthError(bindingKeyNotRemoved);
14479
+ throw createClientAuthError(bindingKeyNotRemoved, correlationId);
14395
14480
  }
14396
14481
  }
14397
14482
  /**
@@ -14428,7 +14513,7 @@
14428
14513
  const signJwtMeasurement = this.performanceClient?.startMeasurement(CryptoOptsSignJwt, correlationId);
14429
14514
  const cachedKeyPair = await this.cache.getItem(kid, correlationId || "");
14430
14515
  if (!cachedKeyPair) {
14431
- throw createBrowserAuthError(cryptoKeyNotFound);
14516
+ throw createBrowserAuthError(cryptoKeyNotFound, correlationId || "");
14432
14517
  }
14433
14518
  // Get public key as JWK
14434
14519
  const publicKeyJwk = await exportJwk(cachedKeyPair.publicKey);
@@ -14584,7 +14669,7 @@
14584
14669
  return "";
14585
14670
  }
14586
14671
  getUserData() {
14587
- throw createClientAuthError(methodNotImplemented);
14672
+ throw createClientAuthError(methodNotImplemented, "");
14588
14673
  }
14589
14674
  setItem(key, value, cookieLifeDays, secure = true, sameSite = SameSiteOptions.Lax) {
14590
14675
  let cookieStr = `${encodeURIComponent(key)}=${encodeURIComponent(value)};path=/;SameSite=${sameSite};`;
@@ -14598,8 +14683,8 @@
14598
14683
  }
14599
14684
  document.cookie = cookieStr;
14600
14685
  }
14601
- async setUserData() {
14602
- return Promise.reject(createClientAuthError(methodNotImplemented));
14686
+ async setUserData(_key, _value, correlationId) {
14687
+ return Promise.reject(createClientAuthError(methodNotImplemented, correlationId));
14603
14688
  }
14604
14689
  removeItem(key) {
14605
14690
  // Setting expiration to -1 removes it
@@ -14698,7 +14783,7 @@
14698
14783
  class LocalStorage {
14699
14784
  constructor(clientId, logger, performanceClient) {
14700
14785
  if (!window.localStorage) {
14701
- throw createBrowserConfigurationAuthError(storageNotSupported);
14786
+ throw createBrowserConfigurationAuthError(storageNotSupported, "");
14702
14787
  }
14703
14788
  this.memoryStorage = new MemoryStorage();
14704
14789
  this.initialized = false;
@@ -14755,13 +14840,13 @@
14755
14840
  }
14756
14841
  getUserData(key) {
14757
14842
  if (!this.initialized) {
14758
- throw createBrowserAuthError(uninitializedPublicClientApplication);
14843
+ throw createBrowserAuthError(uninitializedPublicClientApplication, "");
14759
14844
  }
14760
14845
  return this.memoryStorage.getItem(key);
14761
14846
  }
14762
14847
  async decryptData(key, data, correlationId) {
14763
14848
  if (!this.initialized || !this.encryptionCookie) {
14764
- throw createBrowserAuthError(uninitializedPublicClientApplication);
14849
+ throw createBrowserAuthError(uninitializedPublicClientApplication, "");
14765
14850
  }
14766
14851
  if (data.id !== this.encryptionCookie.id) {
14767
14852
  // Data was encrypted with a different key. It must be removed because it is from a previous session.
@@ -14788,7 +14873,7 @@
14788
14873
  }
14789
14874
  async setUserData(key, value, correlationId, timestamp, kmsi) {
14790
14875
  if (!this.initialized || !this.encryptionCookie) {
14791
- throw createBrowserAuthError(uninitializedPublicClientApplication);
14876
+ throw createBrowserAuthError(uninitializedPublicClientApplication, "");
14792
14877
  }
14793
14878
  if (kmsi) {
14794
14879
  this.setItem(key, value);
@@ -14986,7 +15071,7 @@
14986
15071
  class SessionStorage {
14987
15072
  constructor() {
14988
15073
  if (!window.sessionStorage) {
14989
- throw createBrowserConfigurationAuthError(storageNotSupported);
15074
+ throw createBrowserConfigurationAuthError(storageNotSupported, "");
14990
15075
  }
14991
15076
  }
14992
15077
  async initialize() {
@@ -15288,7 +15373,7 @@
15288
15373
  const rawValue = this.browserStorage.getUserData(key);
15289
15374
  if (rawValue) {
15290
15375
  const idToken = JSON.parse(rawValue);
15291
- const claims = extractTokenClaims(idToken.secret, base64Decode);
15376
+ const claims = extractTokenClaims(idToken.secret, base64Decode, "");
15292
15377
  if (claims) {
15293
15378
  kmsiMap[idToken.homeAccountId] = isKmsi(claims);
15294
15379
  }
@@ -15349,12 +15434,12 @@
15349
15434
  this.performanceClient.incrementFields({ skipITMigrateCount: 1 }, correlationId);
15350
15435
  continue;
15351
15436
  }
15352
- const claims = extractTokenClaims(oldSchemaData.secret, base64Decode);
15437
+ const claims = extractTokenClaims(oldSchemaData.secret, base64Decode, correlationId);
15353
15438
  const newIdTokenKey = this.generateCredentialKey(oldSchemaData);
15354
15439
  const currentIdToken = this.getIdTokenCredential(newIdTokenKey, correlationId);
15355
15440
  const oldTokenHasSignInState = Object.keys(claims).includes("signin_state");
15356
15441
  const currentTokenHasSignInState = currentIdToken &&
15357
- Object.keys(extractTokenClaims(currentIdToken.secret, base64Decode) || {}).includes("signin_state");
15442
+ Object.keys(extractTokenClaims(currentIdToken.secret, base64Decode, correlationId) || {}).includes("signin_state");
15358
15443
  /**
15359
15444
  * Only migrate if:
15360
15445
  * 1. Token doesn't yet exist in current schema
@@ -15369,7 +15454,7 @@
15369
15454
  !tenantProfiles.find((tenantProfile) => {
15370
15455
  return tenantProfile.tenantId === tenantId;
15371
15456
  })) {
15372
- const newTenantProfile = buildTenantProfile(account.homeAccountId, account.localAccountId, tenantId, claims);
15457
+ const newTenantProfile = buildTenantProfile(account.homeAccountId, account.localAccountId, tenantId, account.nativeAccountId, claims);
15373
15458
  tenantProfiles.push(newTenantProfile);
15374
15459
  }
15375
15460
  account.tenantProfiles = tenantProfiles;
@@ -16322,7 +16407,7 @@
16322
16407
  // Get token request from cache and parse as TokenExchangeParameters.
16323
16408
  const encodedTokenRequest = this.getTemporaryCache(TemporaryCacheKeys.REQUEST_PARAMS, correlationId, true);
16324
16409
  if (!encodedTokenRequest) {
16325
- throw createBrowserAuthError(noTokenRequestCacheError);
16410
+ throw createBrowserAuthError(noTokenRequestCacheError, "");
16326
16411
  }
16327
16412
  const encodedVerifier = this.getTemporaryCache(TemporaryCacheKeys.VERIFIER, correlationId, true);
16328
16413
  let parsedRequest;
@@ -16336,7 +16421,7 @@
16336
16421
  catch (e) {
16337
16422
  this.logger.errorPii(`Attempted to parse: '${encodedTokenRequest}'`, correlationId);
16338
16423
  this.logger.error(`Parsing cached token request threw with error: '${e}'`, correlationId);
16339
- throw createBrowserAuthError(unableToParseTokenRequestCacheError);
16424
+ throw createBrowserAuthError(unableToParseTokenRequestCacheError, "");
16340
16425
  }
16341
16426
  return [parsedRequest, verifier];
16342
16427
  }
@@ -16396,7 +16481,7 @@
16396
16481
  this.removeTemporaryItem(key);
16397
16482
  }
16398
16483
  else {
16399
- throw createBrowserAuthError(interactionInProgress);
16484
+ throw createBrowserAuthError(interactionInProgress, "");
16400
16485
  }
16401
16486
  }
16402
16487
  // Set new interaction
@@ -16427,7 +16512,7 @@
16427
16512
  ? toSecondsFromDate(result.expiresOn)
16428
16513
  : 0, result.extExpiresOn
16429
16514
  ? toSecondsFromDate(result.extExpiresOn)
16430
- : 0, base64Decode, undefined, // refreshOn
16515
+ : 0, base64Decode, request.correlationId || "", undefined, // refreshOn
16431
16516
  result.tokenType, undefined, // userAssertionHash
16432
16517
  request.sshKid);
16433
16518
  if (request.resource) {
@@ -16437,7 +16522,7 @@
16437
16522
  idToken: idTokenEntity,
16438
16523
  accessToken: accessTokenEntity,
16439
16524
  };
16440
- return this.saveCacheRecord(cacheRecord, result.correlationId, isKmsi(extractTokenClaims(result.idToken, base64Decode)), ApiId.hydrateCache);
16525
+ return this.saveCacheRecord(cacheRecord, result.correlationId, isKmsi(extractTokenClaims(result.idToken, base64Decode, result.correlationId)), ApiId.hydrateCache);
16441
16526
  }
16442
16527
  /**
16443
16528
  * saves a cache record
@@ -16550,7 +16635,7 @@
16550
16635
  class EventHandler {
16551
16636
  constructor(logger) {
16552
16637
  this.eventCallbacks = new Map();
16553
- this.logger = logger || new Logger({});
16638
+ this.logger = logger || new Logger({}, name, version);
16554
16639
  if (typeof BroadcastChannel !== "undefined") {
16555
16640
  this.broadcastChannel = new BroadcastChannel(BROADCAST_CHANNEL_NAME);
16556
16641
  }
@@ -16653,16 +16738,16 @@
16653
16738
  * @param browserCrypto
16654
16739
  * @param state
16655
16740
  */
16656
- function extractBrowserRequestState(browserCrypto, state) {
16741
+ function extractBrowserRequestState(browserCrypto, state, correlationId) {
16657
16742
  if (!state) {
16658
16743
  return null;
16659
16744
  }
16660
16745
  try {
16661
- const requestStateObj = parseRequestState(browserCrypto.base64Decode, state);
16746
+ const requestStateObj = parseRequestState(browserCrypto.base64Decode, state, correlationId);
16662
16747
  return requestStateObj.libraryState.meta;
16663
16748
  }
16664
16749
  catch (e) {
16665
- throw createClientAuthError(invalidState);
16750
+ throw createClientAuthError(invalidState, correlationId);
16666
16751
  }
16667
16752
  }
16668
16753
 
@@ -16677,12 +16762,12 @@
16677
16762
  if (!stripLeadingHashOrQuery(responseString)) {
16678
16763
  // Hash or Query string is empty
16679
16764
  logger.error(`The request has returned to the redirectUri but a '${responseLocation}' is not present. It's likely that the '${responseLocation}' has been removed or the page has been redirected by code running on the redirectUri page.`, correlationId);
16680
- throw createBrowserAuthError(hashEmptyError);
16765
+ throw createBrowserAuthError(hashEmptyError, correlationId);
16681
16766
  }
16682
16767
  else {
16683
16768
  logger.error(`A '${responseLocation}' is present in the iframe but it does not contain known properties. It's likely that the '${responseLocation}' has been replaced by code running on the redirectUri page.`, correlationId);
16684
16769
  logger.errorPii(`The '${responseLocation}' detected is: '${responseString}'`, correlationId);
16685
- throw createBrowserAuthError(hashDoesNotContainKnownProperties);
16770
+ throw createBrowserAuthError(hashDoesNotContainKnownProperties, correlationId);
16686
16771
  }
16687
16772
  }
16688
16773
  return serverParams;
@@ -16690,16 +16775,16 @@
16690
16775
  /**
16691
16776
  * Returns the interaction type that the response object belongs to
16692
16777
  */
16693
- function validateInteractionType(response, browserCrypto, interactionType) {
16778
+ function validateInteractionType(response, browserCrypto, interactionType, correlationId) {
16694
16779
  if (!response.state) {
16695
- throw createBrowserAuthError(noStateInHash);
16780
+ throw createBrowserAuthError(noStateInHash, correlationId);
16696
16781
  }
16697
- const platformStateObj = extractBrowserRequestState(browserCrypto, response.state);
16782
+ const platformStateObj = extractBrowserRequestState(browserCrypto, response.state, correlationId);
16698
16783
  if (!platformStateObj) {
16699
- throw createBrowserAuthError(unableToParseState);
16784
+ throw createBrowserAuthError(unableToParseState, correlationId);
16700
16785
  }
16701
16786
  if (platformStateObj.interactionType !== interactionType) {
16702
- throw createBrowserAuthError(stateInteractionTypeMismatch);
16787
+ throw createBrowserAuthError(stateInteractionTypeMismatch, correlationId);
16703
16788
  }
16704
16789
  }
16705
16790
 
@@ -16725,13 +16810,13 @@
16725
16810
  async handleCodeResponse(response, request, apiId) {
16726
16811
  let authCodeResponse;
16727
16812
  try {
16728
- authCodeResponse = getAuthorizationCodePayload(response, request.state);
16813
+ authCodeResponse = getAuthorizationCodePayload(response, request.state, request.correlationId);
16729
16814
  }
16730
16815
  catch (e) {
16731
16816
  if (e instanceof ServerError &&
16732
16817
  e.subError === userCancelled) {
16733
16818
  // Translate server error caused by user closing native prompt to corresponding first class MSAL error
16734
- throw createBrowserAuthError(userCancelled);
16819
+ throw createBrowserAuthError(userCancelled, request.correlationId);
16735
16820
  }
16736
16821
  else {
16737
16822
  throw e;
@@ -16816,8 +16901,8 @@
16816
16901
  */
16817
16902
  const INVALID_METHOD_ERROR = -2147186943;
16818
16903
  class NativeAuthError extends AuthError {
16819
- constructor(errorCode, description, ext) {
16820
- super(errorCode, description || getDefaultErrorMessage(errorCode));
16904
+ constructor(errorCode, correlationId, description, ext) {
16905
+ super(errorCode, correlationId, description || getDefaultErrorMessage(errorCode));
16821
16906
  Object.setPrototypeOf(this, NativeAuthError.prototype);
16822
16907
  this.name = "NativeAuthError";
16823
16908
  this.ext = ext;
@@ -16852,22 +16937,32 @@
16852
16937
  * @param ext
16853
16938
  * @returns
16854
16939
  */
16855
- function createNativeAuthError(code, description, ext) {
16940
+ function createNativeAuthError(code, correlationId, description, ext) {
16941
+ let error;
16856
16942
  if (ext && ext.status) {
16857
16943
  switch (ext.status) {
16858
16944
  case ACCOUNT_UNAVAILABLE:
16859
- return createInteractionRequiredAuthError(nativeAccountUnavailable, getDefaultErrorMessage(code));
16945
+ error = createInteractionRequiredAuthError(nativeAccountUnavailable, correlationId, getDefaultErrorMessage(code));
16946
+ break;
16860
16947
  case USER_INTERACTION_REQUIRED:
16861
- return new InteractionRequiredAuthError(code, description);
16948
+ error = new InteractionRequiredAuthError(code, correlationId, description);
16949
+ break;
16862
16950
  case USER_CANCEL:
16863
- return createBrowserAuthError(userCancelled);
16951
+ error = createBrowserAuthError(userCancelled, correlationId);
16952
+ break;
16864
16953
  case NO_NETWORK:
16865
- return createBrowserAuthError(noNetworkConnectivity);
16954
+ error = createBrowserAuthError(noNetworkConnectivity, correlationId);
16955
+ break;
16866
16956
  case UI_NOT_ALLOWED:
16867
- return createInteractionRequiredAuthError(uiNotAllowed);
16957
+ error = createInteractionRequiredAuthError(uiNotAllowed, correlationId);
16958
+ break;
16959
+ default:
16960
+ error = new NativeAuthError(code, correlationId, description, ext);
16868
16961
  }
16962
+ return error;
16869
16963
  }
16870
- return new NativeAuthError(code, description, ext);
16964
+ error = new NativeAuthError(code, correlationId, description, ext);
16965
+ return error;
16871
16966
  }
16872
16967
 
16873
16968
  /*
@@ -17023,7 +17118,7 @@
17023
17118
  return {
17024
17119
  authority: request.authority,
17025
17120
  correlationId: this.correlationId,
17026
- scopes: ScopeSet.fromString(request.scope).asArray(),
17121
+ scopes: ScopeSet.fromString(request.scope, this.correlationId).asArray(),
17027
17122
  account: cachedAccount,
17028
17123
  forceRefresh: false,
17029
17124
  };
@@ -17037,21 +17132,21 @@
17037
17132
  async acquireTokensFromCache(nativeAccountId, request) {
17038
17133
  if (!nativeAccountId) {
17039
17134
  this.logger.warning("NativeInteractionClient:acquireTokensFromCache - No nativeAccountId provided", this.correlationId);
17040
- throw createClientAuthError(noAccountFound);
17135
+ throw createClientAuthError(noAccountFound, this.correlationId);
17041
17136
  }
17042
17137
  // fetch the account from browser cache
17043
17138
  const account = this.browserStorage.getBaseAccountInfo({
17044
17139
  nativeAccountId,
17045
17140
  }, this.correlationId);
17046
17141
  if (!account) {
17047
- throw createClientAuthError(noAccountFound);
17142
+ throw createClientAuthError(noAccountFound, this.correlationId);
17048
17143
  }
17049
17144
  // leverage silent flow for cached tokens retrieval
17050
17145
  try {
17051
17146
  const silentRequest = this.createSilentCacheRequest(request, account);
17052
17147
  const result = await this.silentCacheClient.acquireToken(silentRequest);
17053
17148
  const idToken = this.browserStorage.getIdToken(account, this.correlationId, this.browserStorage.getTokenKeys(), account.tenantId);
17054
- const idTokenClaims = extractTokenClaims(idToken?.secret || "", base64Decode);
17149
+ const idTokenClaims = extractTokenClaims(idToken?.secret || "", base64Decode, this.correlationId);
17055
17150
  const fullAccount = updateAccountTenantProfileData(account, undefined, // tenantProfile optional
17056
17151
  idTokenClaims, idToken?.secret);
17057
17152
  return {
@@ -17095,7 +17190,7 @@
17095
17190
  noHistory: false,
17096
17191
  };
17097
17192
  const redirectUri = navigateToLoginRequestUrl
17098
- ? UrlString.getAbsoluteUrl(request.redirectStartPage || window.location.href, getCurrentUri())
17193
+ ? UrlString.getAbsoluteUrl(request.redirectStartPage || window.location.href, getCurrentUri(), this.correlationId)
17099
17194
  : getRedirectUri(request.redirectUri, this.config.auth.redirectUri, this.logger, this.correlationId);
17100
17195
  rootMeasurement.end({ success: true });
17101
17196
  await this.navigationClient.navigateExternal(redirectUri, navigationOptions); // Need to treat this as external to ensure handleRedirectPromise is run again
@@ -17154,7 +17249,7 @@
17154
17249
  async handleNativeResponse(response, request, reqTimestamp) {
17155
17250
  this.logger.trace("NativeInteractionClient - handleNativeResponse called.", this.correlationId);
17156
17251
  // generate identifiers
17157
- const idTokenClaims = extractTokenClaims(response.id_token, base64Decode);
17252
+ const idTokenClaims = extractTokenClaims(response.id_token, base64Decode, this.correlationId);
17158
17253
  const homeAccountIdentifier = this.createHomeAccountIdentifier(response, idTokenClaims);
17159
17254
  const cachedhomeAccountId = this.browserStorage.getAccountInfoFilteredBy({
17160
17255
  nativeAccountId: request.accountId,
@@ -17167,7 +17262,7 @@
17167
17262
  else if (homeAccountIdentifier !== cachedhomeAccountId &&
17168
17263
  response.account.id !== request.accountId) {
17169
17264
  // User switch in native broker prompt is not supported. All users must first sign in through web flow to ensure server state is in sync
17170
- throw createNativeAuthError(userSwitch);
17265
+ throw createNativeAuthError(userSwitch, this.correlationId);
17171
17266
  }
17172
17267
  // Get the preferred_cache domain for the given authority
17173
17268
  const authority = await getDiscoveredAuthority(this.config, this.correlationId, this.performanceClient, this.browserStorage, this.logger, request.authority);
@@ -17203,8 +17298,8 @@
17203
17298
  */
17204
17299
  generateScopes(requestScopes, responseScopes) {
17205
17300
  return responseScopes
17206
- ? ScopeSet.fromString(responseScopes)
17207
- : ScopeSet.fromString(requestScopes);
17301
+ ? ScopeSet.fromString(responseScopes, this.correlationId)
17302
+ : ScopeSet.fromString(requestScopes, this.correlationId);
17208
17303
  }
17209
17304
  /**
17210
17305
  * If PoP token is requesred, records the PoP token if returned from the WAM, else generates one in the browser
@@ -17237,7 +17332,7 @@
17237
17332
  * PopTokenGenerator to query the full key for signing
17238
17333
  */
17239
17334
  if (!request.keyId) {
17240
- throw createClientAuthError(keyIdMissing);
17335
+ throw createClientAuthError(keyIdMissing, this.correlationId);
17241
17336
  }
17242
17337
  return popTokenGenerator.signPopToken(response.access_token, request.keyId, shrParameters);
17243
17338
  }
@@ -17274,6 +17369,12 @@
17274
17369
  */
17275
17370
  if (accountInfo.nativeAccountId !== response.account.id) {
17276
17371
  accountInfo.nativeAccountId = response.account.id;
17372
+ // Also update the matching tenant profile (source of truth)
17373
+ const targetTenantId = tid || accountInfo.tenantId;
17374
+ const tenantProfile = accountInfo.tenantProfiles?.get(targetTenantId);
17375
+ if (tenantProfile) {
17376
+ tenantProfile.nativeAccountId = response.account.id;
17377
+ }
17277
17378
  }
17278
17379
  // generate PoP token as needed
17279
17380
  const responseAccessToken = await this.generatePopAccessToken(response, request);
@@ -17330,7 +17431,7 @@
17330
17431
  : response.expires_in) || 0;
17331
17432
  const tokenExpirationSeconds = reqTimestamp + expiresIn;
17332
17433
  const responseScopes = this.generateScopes(response.scope, request.scope);
17333
- const cachedAccessToken = createAccessTokenEntity(homeAccountIdentifier, environment, response.access_token, request.clientId, idTokenClaims.tid || tenantId, responseScopes.printScopes(), tokenExpirationSeconds, 0, base64Decode, undefined, request.tokenType, undefined, request.keyId);
17434
+ const cachedAccessToken = createAccessTokenEntity(homeAccountIdentifier, environment, response.access_token, request.clientId, idTokenClaims.tid || tenantId, responseScopes.printScopes(), tokenExpirationSeconds, 0, base64Decode, request.correlationId, undefined, request.tokenType, undefined, request.keyId);
17334
17435
  // save idtoken credential in configured browser storage
17335
17436
  if (!!cachedIdToken && request.storeInCache?.idToken !== false) {
17336
17437
  await this.browserStorage.setIdTokenCredential(cachedIdToken, this.correlationId, isKmsi(idTokenClaims));
@@ -17413,11 +17514,9 @@
17413
17514
  : this.config.auth.clientCapabilities;
17414
17515
  // scopes are expected to be received by the native broker as "scope" and will be added to the request below. Other properties that should be dropped from the request to the native broker can be included in the object destructuring here.
17415
17516
  const { scopes, claims, ...remainingProperties } = request;
17416
- const scopeSet = new ScopeSet(scopes || []);
17517
+ const scopeSet = new ScopeSet(scopes || [], this.correlationId);
17417
17518
  scopeSet.appendScopes(OIDC_DEFAULT_SCOPES);
17418
- const mergedClaims = configClaims && configClaims.length
17419
- ? addClientCapabilitiesToClaims(claims, configClaims)
17420
- : claims;
17519
+ const mergedClaims = buildMergedClaims(claims, configClaims?.length ? configClaims : undefined);
17421
17520
  const validatedRequest = {
17422
17521
  ...remainingProperties,
17423
17522
  claims: mergedClaims,
@@ -17438,7 +17537,7 @@
17438
17537
  };
17439
17538
  // Check for PoP token requests: signPopToken should only be set to true if popKid is not set
17440
17539
  if (validatedRequest.signPopToken && !!request.popKid) {
17441
- throw createBrowserAuthError(invalidPopTokenRequest);
17540
+ throw createBrowserAuthError(invalidPopTokenRequest, this.correlationId);
17442
17541
  }
17443
17542
  this.handleExtraBrokerParams(validatedRequest);
17444
17543
  validatedRequest.extraParameters =
@@ -17481,7 +17580,7 @@
17481
17580
  await getDiscoveredAuthority(this.config, this.correlationId, this.performanceClient, this.browserStorage, this.logger, requestAuthority, azureCloudOptions, undefined, // requestExtraQueryParameters
17482
17581
  account);
17483
17582
  }
17484
- const canonicalAuthority = new UrlString(requestAuthority);
17583
+ const canonicalAuthority = new UrlString(requestAuthority, this.correlationId);
17485
17584
  canonicalAuthority.validateAsUri();
17486
17585
  return canonicalAuthority;
17487
17586
  }
@@ -17507,7 +17606,7 @@
17507
17606
  return prompt;
17508
17607
  default:
17509
17608
  this.logger.trace(`initializePlatformRequest: prompt = '${prompt}' is not compatible with native flow`, this.correlationId);
17510
- throw createBrowserAuthError(nativePromptNotSupported);
17609
+ throw createBrowserAuthError(nativePromptNotSupported, this.correlationId);
17511
17610
  }
17512
17611
  }
17513
17612
  /**
@@ -17663,7 +17762,7 @@
17663
17762
  */
17664
17763
  async function getAuthCodeRequestUrl(config, authority, request, logger, performanceClient) {
17665
17764
  if (!request.codeChallenge) {
17666
- throw createClientConfigurationError(pkceParamsMissing);
17765
+ throw createClientConfigurationError(pkceParamsMissing, request.correlationId);
17667
17766
  }
17668
17767
  const parameters = await invokeAsync(getStandardParameters, GetStandardParams, logger, performanceClient, request.correlationId)(config, authority, request, logger, performanceClient);
17669
17768
  addResponseType(parameters, OAuthResponseType.CODE);
@@ -17680,7 +17779,7 @@
17680
17779
  */
17681
17780
  async function getEARForm(frame, config, authority, request, logger, performanceClient) {
17682
17781
  if (!request.earJwk) {
17683
- throw createBrowserAuthError(earJwkEmpty);
17782
+ throw createBrowserAuthError(earJwkEmpty, request.correlationId);
17684
17783
  }
17685
17784
  const parameters = await getStandardParameters(config, authority, request, logger, performanceClient);
17686
17785
  addResponseType(parameters, OAuthResponseType.IDTOKEN_TOKEN_REFRESHTOKEN);
@@ -17754,11 +17853,11 @@
17754
17853
  async function handleResponsePlatformBroker(request, accountId, apiId, config, browserStorage, nativeStorage, eventHandler, logger, performanceClient, platformAuthProvider) {
17755
17854
  logger.verbose("Account id found, calling WAM for token", request.correlationId);
17756
17855
  if (!platformAuthProvider) {
17757
- throw createBrowserAuthError(nativeConnectionNotEstablished);
17856
+ throw createBrowserAuthError(nativeConnectionNotEstablished, request.correlationId);
17758
17857
  }
17759
17858
  const browserCrypto = new CryptoOps(logger, performanceClient);
17760
17859
  const nativeInteractionClient = new PlatformAuthInteractionClient(config, browserStorage, browserCrypto, logger, eventHandler, config.system.navigationClient, apiId, performanceClient, platformAuthProvider, accountId, nativeStorage, request.correlationId);
17761
- const { userRequestState } = parseRequestState(browserCrypto.base64Decode, request.state);
17860
+ const { userRequestState } = parseRequestState(browserCrypto.base64Decode, request.state, request.correlationId);
17762
17861
  return invokeAsync(nativeInteractionClient.acquireToken.bind(nativeInteractionClient), NativeInteractionClientAcquireToken, logger, performanceClient, request.correlationId)({
17763
17862
  ...request,
17764
17863
  state: userRequestState,
@@ -17816,12 +17915,12 @@
17816
17915
  // Instrument clientdata telemetry fields from the authorize response
17817
17916
  instrumentClientData(response, request.correlationId, performanceClient);
17818
17917
  // Validate state & check response for errors
17819
- validateAuthorizationResponse(response, request.state);
17918
+ validateAuthorizationResponse(response, request.state, request.correlationId);
17820
17919
  if (!response.ear_jwe) {
17821
- throw createBrowserAuthError(earJweEmpty);
17920
+ throw createBrowserAuthError(earJweEmpty, request.correlationId);
17822
17921
  }
17823
17922
  if (!request.earJwk) {
17824
- throw createBrowserAuthError(earJwkEmpty);
17923
+ throw createBrowserAuthError(earJwkEmpty, request.correlationId);
17825
17924
  }
17826
17925
  const decryptedData = JSON.parse(await invokeAsync(decryptEarResponse, DecryptEarResponse, logger, performanceClient, request.correlationId)(request.earJwk, response.ear_jwe));
17827
17926
  if (decryptedData.accountId) {
@@ -17878,7 +17977,7 @@
17878
17977
  return pkceCodeVerifierB64;
17879
17978
  }
17880
17979
  catch (e) {
17881
- throw createBrowserAuthError(pkceNotCreated);
17980
+ throw createBrowserAuthError(pkceNotCreated, correlationId);
17882
17981
  }
17883
17982
  }
17884
17983
  /**
@@ -17893,7 +17992,7 @@
17893
17992
  return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
17894
17993
  }
17895
17994
  catch (e) {
17896
- throw createBrowserAuthError(pkceNotCreated);
17995
+ throw createBrowserAuthError(pkceNotCreated, correlationId);
17897
17996
  }
17898
17997
  }
17899
17998
 
@@ -17932,7 +18031,7 @@
17932
18031
  }
17933
18032
  return new Promise((resolve, reject) => {
17934
18033
  setTimeout(() => {
17935
- reject(createBrowserAuthError(timedOut, "failed_to_redirect"));
18034
+ reject(createBrowserAuthError(timedOut, "", "failed_to_redirect"));
17936
18035
  }, options.timeout);
17937
18036
  });
17938
18037
  }
@@ -17966,7 +18065,7 @@
17966
18065
  catch (e) {
17967
18066
  throw createNetworkError(createBrowserAuthError(window.navigator.onLine
17968
18067
  ? getRequestFailed
17969
- : noNetworkConnectivity), undefined, undefined, e);
18068
+ : noNetworkConnectivity, ""), undefined, undefined, e);
17970
18069
  }
17971
18070
  responseHeaders = getHeaderDict(response.headers);
17972
18071
  try {
@@ -17978,7 +18077,7 @@
17978
18077
  };
17979
18078
  }
17980
18079
  catch (e) {
17981
- throw createNetworkError(createBrowserAuthError(failedToParseResponse), responseStatus, responseHeaders, e);
18080
+ throw createNetworkError(createBrowserAuthError(failedToParseResponse, ""), responseStatus, responseHeaders, e);
17982
18081
  }
17983
18082
  }
17984
18083
  /**
@@ -18003,7 +18102,7 @@
18003
18102
  catch (e) {
18004
18103
  throw createNetworkError(createBrowserAuthError(window.navigator.onLine
18005
18104
  ? postRequestFailed
18006
- : noNetworkConnectivity), undefined, undefined, e);
18105
+ : noNetworkConnectivity, ""), undefined, undefined, e);
18007
18106
  }
18008
18107
  responseHeaders = getHeaderDict(response.headers);
18009
18108
  try {
@@ -18015,7 +18114,7 @@
18015
18114
  };
18016
18115
  }
18017
18116
  catch (e) {
18018
- throw createNetworkError(createBrowserAuthError(failedToParseResponse), responseStatus, responseHeaders, e);
18117
+ throw createNetworkError(createBrowserAuthError(failedToParseResponse, ""), responseStatus, responseHeaders, e);
18019
18118
  }
18020
18119
  }
18021
18120
  }
@@ -18036,7 +18135,7 @@
18036
18135
  return headers;
18037
18136
  }
18038
18137
  catch (e) {
18039
- throw createNetworkError(createBrowserAuthError(failedToBuildHeaders), undefined, undefined, e);
18138
+ throw createNetworkError(createBrowserAuthError(failedToBuildHeaders, ""), undefined, undefined, e);
18040
18139
  }
18041
18140
  }
18042
18141
  /**
@@ -18053,7 +18152,7 @@
18053
18152
  return headerDict;
18054
18153
  }
18055
18154
  catch (e) {
18056
- throw createBrowserAuthError(failedToParseHeaders);
18155
+ throw createBrowserAuthError(failedToParseHeaders, "");
18057
18156
  }
18058
18157
  }
18059
18158
 
@@ -18156,14 +18255,14 @@
18156
18255
  // Throw an error if user has set OIDCOptions without being in OIDC protocol mode
18157
18256
  if (userInputSystem?.protocolMode !== ProtocolMode.OIDC &&
18158
18257
  userInputAuth?.OIDCOptions) {
18159
- const logger = new Logger(providedSystemOptions.loggerOptions);
18160
- logger.warning(JSON.stringify(createClientConfigurationError(cannotSetOIDCOptions)), "");
18258
+ const logger = new Logger(providedSystemOptions.loggerOptions, name, version);
18259
+ logger.warning(JSON.stringify(createClientConfigurationError(cannotSetOIDCOptions, "")), "");
18161
18260
  }
18162
18261
  // Throw an error if user has set allowPlatformBroker to true with OIDC protocol mode
18163
18262
  if (userInputSystem?.protocolMode &&
18164
18263
  userInputSystem.protocolMode === ProtocolMode.OIDC &&
18165
18264
  providedSystemOptions?.allowPlatformBroker) {
18166
- throw createClientConfigurationError(cannotAllowPlatformBroker);
18265
+ throw createClientConfigurationError(cannotAllowPlatformBroker, "");
18167
18266
  }
18168
18267
  const overlayedConfig = {
18169
18268
  auth: {
@@ -18287,7 +18386,7 @@
18287
18386
  extensionHandshakeTimedOut: true,
18288
18387
  success: false,
18289
18388
  });
18290
- reject(createBrowserAuthError(nativeHandshakeTimeout));
18389
+ reject(createBrowserAuthError(nativeHandshakeTimeout, ""));
18291
18390
  this.handshakeResolvers.delete(req.responseId);
18292
18391
  }, this.handshakeTimeoutMs); // Use a reasonable timeout in milliseconds here
18293
18392
  });
@@ -18333,7 +18432,7 @@
18333
18432
  success: false,
18334
18433
  extensionInstalled: false,
18335
18434
  });
18336
- handshakeResolver.reject(createBrowserAuthError(nativeExtensionNotInstalled));
18435
+ handshakeResolver.reject(createBrowserAuthError(nativeExtensionNotInstalled, ""));
18337
18436
  }
18338
18437
  }
18339
18438
  /**
@@ -18356,19 +18455,19 @@
18356
18455
  this.logger.trace(`'${this.platformAuthType}' - Received response from browser extension`, correlationId);
18357
18456
  this.logger.tracePii(`'${this.platformAuthType}' - Received response from browser extension: '${JSON.stringify(response)}'`, correlationId);
18358
18457
  if (response.status !== "Success") {
18359
- resolver.reject(createNativeAuthError(response.code, response.description, response.ext));
18458
+ resolver.reject(createNativeAuthError(response.code, correlationId, response.description, response.ext));
18360
18459
  }
18361
18460
  else if (response.result) {
18362
18461
  if (response.result["code"] &&
18363
18462
  response.result["description"]) {
18364
- resolver.reject(createNativeAuthError(response.result["code"], response.result["description"], response.result["ext"]));
18463
+ resolver.reject(createNativeAuthError(response.result["code"], correlationId, response.result["description"], response.result["ext"]));
18365
18464
  }
18366
18465
  else {
18367
18466
  resolver.resolve(response.result);
18368
18467
  }
18369
18468
  }
18370
18469
  else {
18371
- throw createAuthError(unexpectedError, "Event does not contain result.");
18470
+ throw createAuthError(unexpectedError, correlationId, "Event does not contain result.");
18372
18471
  }
18373
18472
  this.resolvers.delete(request.responseId);
18374
18473
  }
@@ -18417,7 +18516,7 @@
18417
18516
  return response;
18418
18517
  }
18419
18518
  else {
18420
- throw createAuthError(unexpectedError, "Response missing expected properties.");
18519
+ throw createAuthError(unexpectedError, "", "Response missing expected properties.");
18421
18520
  }
18422
18521
  }
18423
18522
  /**
@@ -18541,7 +18640,7 @@
18541
18640
  errorResponse.error &&
18542
18641
  errorResponse.error.code) {
18543
18642
  this.logger.trace(`'${this.platformAuthType}' - platform broker returned error response`, correlationId);
18544
- throw createNativeAuthError(errorResponse.error.code, errorResponse.error.description, {
18643
+ throw createNativeAuthError(errorResponse.error.code, correlationId, errorResponse.error.description, {
18545
18644
  error: parseInt(errorResponse.error.errorCode),
18546
18645
  protocol_error: errorResponse.error.protocolError,
18547
18646
  status: errorResponse.error.status,
@@ -18550,7 +18649,7 @@
18550
18649
  }
18551
18650
  }
18552
18651
  }
18553
- throw createAuthError(unexpectedError, "Response missing expected properties.");
18652
+ throw createAuthError(unexpectedError, correlationId, "Response missing expected properties.");
18554
18653
  }
18555
18654
  convertToPlatformBrokerResponse(response, correlationId) {
18556
18655
  this.logger.trace(`'${this.platformAuthType}' - convertToNativeResponse called`, correlationId);
@@ -18634,7 +18733,7 @@
18634
18733
  // throw an error if allowPlatformBroker is not enabled and allowPlatformBrokerWithDOM is enabled
18635
18734
  if (!config.system.allowPlatformBroker &&
18636
18735
  config.experimental.allowPlatformBrokerWithDOM) {
18637
- throw createClientConfigurationError(invalidPlatformBrokerConfiguration);
18736
+ throw createClientConfigurationError(invalidPlatformBrokerConfiguration, "");
18638
18737
  }
18639
18738
  if (!config.system.allowPlatformBroker) {
18640
18739
  logger.trace("isPlatformAuthAllowed: allowPlatformBroker is not enabled, returning false", correlationId);
@@ -18812,7 +18911,7 @@
18812
18911
  // Close the synchronous popup if an error is thrown before the window unload event is registered
18813
18912
  popupParams.popup?.close();
18814
18913
  if (e instanceof AuthError) {
18815
- e.setCorrelationId(this.correlationId);
18914
+ e.correlationId = this.correlationId;
18816
18915
  serverTelemetryManager.cacheFailedRequest(e);
18817
18916
  }
18818
18917
  throw e;
@@ -18903,7 +19002,7 @@
18903
19002
  timeout: this.config.system.redirectNavigationTimeout,
18904
19003
  noHistory: false,
18905
19004
  };
18906
- const absoluteUrl = UrlString.getAbsoluteUrl(mainWindowRedirectUri, getCurrentUri());
19005
+ const absoluteUrl = UrlString.getAbsoluteUrl(mainWindowRedirectUri, getCurrentUri(), this.correlationId);
18907
19006
  await this.navigationClient.navigateInternal(absoluteUrl, navigationOptions);
18908
19007
  }
18909
19008
  popupParams.popup?.close();
@@ -18913,7 +19012,7 @@
18913
19012
  // Redirect bridge requires "state" param to work properly
18914
19013
  validRequest.state = setRequestState(this.browserCrypto, validRequest.state || "", {
18915
19014
  interactionType: InteractionType.Popup,
18916
- });
19015
+ }, validRequest.correlationId);
18917
19016
  // Create logout string and navigate user window to logout.
18918
19017
  const logoutUri = authClient.getLogoutUri(validRequest);
18919
19018
  this.eventHandler.emitEvent(EventType.LOGOUT_SUCCESS, validRequest.correlationId, InteractionType.Popup, validRequest);
@@ -18929,7 +19028,7 @@
18929
19028
  timeout: this.config.system.redirectNavigationTimeout,
18930
19029
  noHistory: false,
18931
19030
  };
18932
- const absoluteUrl = UrlString.getAbsoluteUrl(mainWindowRedirectUri, getCurrentUri());
19031
+ const absoluteUrl = UrlString.getAbsoluteUrl(mainWindowRedirectUri, getCurrentUri(), this.correlationId);
18933
19032
  this.logger.verbose("Redirecting main window to url specified in the request", this.correlationId);
18934
19033
  this.logger.verbosePii(`Redirecting main window to: '${absoluteUrl}'`, this.correlationId);
18935
19034
  await this.navigationClient.navigateInternal(absoluteUrl, navigationOptions);
@@ -18942,7 +19041,7 @@
18942
19041
  // Close the synchronous popup if an error is thrown before the window unload event is registered
18943
19042
  popupParams.popup?.close();
18944
19043
  if (e instanceof AuthError) {
18945
- e.setCorrelationId(this.correlationId);
19044
+ e.correlationId = this.correlationId;
18946
19045
  serverTelemetryManager.cacheFailedRequest(e);
18947
19046
  }
18948
19047
  this.eventHandler.emitEvent(EventType.LOGOUT_FAILURE, this.correlationId, InteractionType.Popup, null, e);
@@ -18965,7 +19064,7 @@
18965
19064
  else {
18966
19065
  // Throw error if request URL is empty.
18967
19066
  this.logger.error("Navigate url is empty", this.correlationId);
18968
- throw createBrowserAuthError(emptyNavigateUri);
19067
+ throw createBrowserAuthError(emptyNavigateUri, this.correlationId);
18969
19068
  }
18970
19069
  }
18971
19070
  /**
@@ -18997,7 +19096,7 @@
18997
19096
  }
18998
19097
  // Popup will be null if popups are blocked
18999
19098
  if (!popupWindow) {
19000
- throw createBrowserAuthError(emptyWindowError);
19099
+ throw createBrowserAuthError(emptyWindowError, this.correlationId);
19001
19100
  }
19002
19101
  try {
19003
19102
  popupWindow.document.title = "Microsoft Authentication";
@@ -19020,7 +19119,7 @@
19020
19119
  }
19021
19120
  catch (e) {
19022
19121
  this.logger.error(`error opening popup '${e.message}'`, this.correlationId);
19023
- throw createBrowserAuthError(popupWindowError);
19122
+ throw createBrowserAuthError(popupWindowError, this.correlationId);
19024
19123
  }
19025
19124
  }
19026
19125
  /**
@@ -19150,7 +19249,7 @@
19150
19249
  }
19151
19250
  catch (e) {
19152
19251
  if (e instanceof AuthError) {
19153
- e.setCorrelationId(this.correlationId);
19252
+ e.correlationId = this.correlationId;
19154
19253
  }
19155
19254
  window.removeEventListener("pageshow", handleBackButton);
19156
19255
  throw e;
@@ -19191,7 +19290,7 @@
19191
19290
  }
19192
19291
  catch (e) {
19193
19292
  if (e instanceof AuthError) {
19194
- e.setCorrelationId(this.correlationId);
19293
+ e.correlationId = this.correlationId;
19195
19294
  serverTelemetryManager.cacheFailedRequest(e);
19196
19295
  }
19197
19296
  throw e;
@@ -19217,7 +19316,7 @@
19217
19316
  form.submit();
19218
19317
  return new Promise((resolve, reject) => {
19219
19318
  setTimeout(() => {
19220
- reject(createBrowserAuthError(timedOut, "failed_to_redirect"));
19319
+ reject(createBrowserAuthError(timedOut, "", "failed_to_redirect"));
19221
19320
  }, this.config.system.redirectNavigationTimeout);
19222
19321
  });
19223
19322
  }
@@ -19234,7 +19333,7 @@
19234
19333
  form.submit();
19235
19334
  return new Promise((resolve, reject) => {
19236
19335
  setTimeout(() => {
19237
- reject(createBrowserAuthError(timedOut, "failed_to_redirect"));
19336
+ reject(createBrowserAuthError(timedOut, "", "failed_to_redirect"));
19238
19337
  }, this.config.system.redirectNavigationTimeout);
19239
19338
  });
19240
19339
  }
@@ -19306,7 +19405,7 @@
19306
19405
  let processHashOnRedirect = true;
19307
19406
  if (!loginRequestUrl) {
19308
19407
  // Redirect to home page if login request url is empty
19309
- const homepage = getHomepage();
19408
+ const homepage = getHomepage(this.correlationId);
19310
19409
  // Cache the homepage under ORIGIN_URI to ensure cached hash is processed on homepage
19311
19410
  this.browserStorage.setTemporaryCache(TemporaryCacheKeys.ORIGIN_URI, homepage, true);
19312
19411
  this.logger.warning("Unable to get valid login request url from cache, redirecting to home page", this.correlationId);
@@ -19328,7 +19427,7 @@
19328
19427
  }
19329
19428
  catch (e) {
19330
19429
  if (e instanceof AuthError) {
19331
- e.setCorrelationId(this.correlationId);
19430
+ e.correlationId = this.correlationId;
19332
19431
  serverTelemetryManager.cacheFailedRequest(e);
19333
19432
  }
19334
19433
  throw e;
@@ -19358,7 +19457,7 @@
19358
19457
  let response = getDeserializedResponse(responseString);
19359
19458
  if (response) {
19360
19459
  try {
19361
- validateInteractionType(response, this.browserCrypto, InteractionType.Redirect);
19460
+ validateInteractionType(response, this.browserCrypto, InteractionType.Redirect, this.correlationId);
19362
19461
  }
19363
19462
  catch (e) {
19364
19463
  if (e instanceof AuthError) {
@@ -19389,7 +19488,7 @@
19389
19488
  async handleResponse(serverParams, request, codeVerifier, serverTelemetryManager) {
19390
19489
  const state = serverParams.state;
19391
19490
  if (!state) {
19392
- throw createBrowserAuthError(noStateInHash);
19491
+ throw createBrowserAuthError(noStateInHash, request.correlationId);
19393
19492
  }
19394
19493
  const { authority, azureCloudOptions, extraQueryParameters, account } = request;
19395
19494
  if (serverParams.ear_jwe) {
@@ -19440,7 +19539,7 @@
19440
19539
  else {
19441
19540
  // Throw error if request URL is empty.
19442
19541
  this.logger.info("RedirectHandler.initiateAuthRequest: Navigate url is empty", this.correlationId);
19443
- throw createBrowserAuthError(emptyNavigateUri);
19542
+ throw createBrowserAuthError(emptyNavigateUri, this.correlationId);
19444
19543
  }
19445
19544
  }
19446
19545
  /**
@@ -19481,7 +19580,7 @@
19481
19580
  // Redirect bridge requires "state" param to work properly
19482
19581
  validLogoutRequest.state = setRequestState(this.browserCrypto, validLogoutRequest.state || "", {
19483
19582
  interactionType: InteractionType.Redirect,
19484
- });
19583
+ }, validLogoutRequest.correlationId);
19485
19584
  // Create logout string and navigate user window to logout.
19486
19585
  const logoutUri = authClient.getLogoutUri(validLogoutRequest);
19487
19586
  if (validLogoutRequest.account?.homeAccountId) {
@@ -19517,7 +19616,7 @@
19517
19616
  }
19518
19617
  catch (e) {
19519
19618
  if (e instanceof AuthError) {
19520
- e.setCorrelationId(this.correlationId);
19619
+ e.correlationId = this.correlationId;
19521
19620
  serverTelemetryManager.cacheFailedRequest(e);
19522
19621
  }
19523
19622
  this.eventHandler.emitEvent(EventType.LOGOUT_FAILURE, this.correlationId, InteractionType.Redirect, null, e);
@@ -19532,7 +19631,7 @@
19532
19631
  */
19533
19632
  getRedirectStartPage(requestStartPage) {
19534
19633
  const redirectStartPage = requestStartPage || window.location.href;
19535
- const absoluteRedirectStartPage = UrlString.getAbsoluteUrl(redirectStartPage, getCurrentUri());
19634
+ const absoluteRedirectStartPage = UrlString.getAbsoluteUrl(redirectStartPage, getCurrentUri(), this.correlationId);
19536
19635
  // Sanity check the URL before it is cached so we never persist a malformed value (e.g. the literal string "null")
19537
19636
  validateUrl(absoluteRedirectStartPage, this.logger, this.correlationId);
19538
19637
  return absoluteRedirectStartPage;
@@ -19552,7 +19651,7 @@
19552
19651
  if (!requestUrl) {
19553
19652
  // Throw error if request URL is empty.
19554
19653
  logger.info("Navigate url is empty", correlationId);
19555
- throw createBrowserAuthError(emptyNavigateUri);
19654
+ throw createBrowserAuthError(emptyNavigateUri, correlationId);
19556
19655
  }
19557
19656
  frame.src = requestUrl;
19558
19657
  return frame;
@@ -19669,7 +19768,7 @@
19669
19768
  }
19670
19769
  catch (e) {
19671
19770
  if (e instanceof AuthError) {
19672
- e.setCorrelationId(this.correlationId);
19771
+ e.correlationId = this.correlationId;
19673
19772
  serverTelemetryManager.cacheFailedRequest(e);
19674
19773
  }
19675
19774
  if (!authClient ||
@@ -19757,7 +19856,7 @@
19757
19856
  const { serverParams } = await this.silentAuthorizeHelper(authClient, silentRequest);
19758
19857
  const correlationId = silentRequest.correlationId;
19759
19858
  // Validate the response - this checks for errors and validates state
19760
- validateAuthorizationResponse(serverParams, silentRequest.state);
19859
+ validateAuthorizationResponse(serverParams, silentRequest.state, correlationId);
19761
19860
  // Verify a valid authorization code is present
19762
19861
  if (!serverParams.code) {
19763
19862
  this.logger.warning("SSO verification response did not contain an authorization code", correlationId);
@@ -19771,7 +19870,7 @@
19771
19870
  */
19772
19871
  logout() {
19773
19872
  // Synchronous so we must reject
19774
- return Promise.reject(createBrowserAuthError(silentLogoutUnsupported));
19873
+ return Promise.reject(createBrowserAuthError(silentLogoutUnsupported, ""));
19775
19874
  }
19776
19875
  /**
19777
19876
  * Helper which acquires an authorization code silently using a hidden iframe from given url
@@ -19865,7 +19964,7 @@
19865
19964
  });
19866
19965
  // Send request to renew token. Auth module will throw errors if token cannot be renewed.
19867
19966
  return invokeAsync(refreshTokenClient.acquireTokenByRefreshToken.bind(refreshTokenClient), RefreshTokenClientAcquireTokenByRefreshToken, this.logger, this.performanceClient, request.correlationId)(silentRequest, ApiId.acquireTokenSilent_silentFlow).catch((e) => {
19868
- e.setCorrelationId(this.correlationId);
19967
+ e.correlationId = this.correlationId;
19869
19968
  serverTelemetryManager.cacheFailedRequest(e);
19870
19969
  throw e;
19871
19970
  });
@@ -19875,7 +19974,7 @@
19875
19974
  */
19876
19975
  logout() {
19877
19976
  // Synchronous so we must reject
19878
- return Promise.reject(createBrowserAuthError(silentLogoutUnsupported));
19977
+ return Promise.reject(createBrowserAuthError(silentLogoutUnsupported, ""));
19879
19978
  }
19880
19979
  /**
19881
19980
  * Creates a Refresh Client with the given authority, or the default authority.
@@ -19927,7 +20026,7 @@
19927
20026
  async acquireToken(request) {
19928
20027
  // Auth code payload is required
19929
20028
  if (!request.code) {
19930
- throw createBrowserAuthError(authCodeRequired);
20029
+ throw createBrowserAuthError(authCodeRequired, this.correlationId);
19931
20030
  }
19932
20031
  // Create silent request
19933
20032
  const silentRequest = await invokeAsync(initializeAuthorizationRequest, StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, InteractionType.Silent, this.config, this.browserCrypto, this.browserStorage, this.logger, this.performanceClient,
@@ -19965,7 +20064,7 @@
19965
20064
  }
19966
20065
  catch (e) {
19967
20066
  if (e instanceof AuthError) {
19968
- e.setCorrelationId(this.correlationId);
20067
+ e.correlationId = this.correlationId;
19969
20068
  serverTelemetryManager.cacheFailedRequest(e);
19970
20069
  }
19971
20070
  throw e;
@@ -19976,7 +20075,7 @@
19976
20075
  */
19977
20076
  logout() {
19978
20077
  // Synchronous so we must reject
19979
- return Promise.reject(createBrowserAuthError(silentLogoutUnsupported));
20078
+ return Promise.reject(createBrowserAuthError(silentLogoutUnsupported, ""));
19980
20079
  }
19981
20080
  }
19982
20081
 
@@ -20696,7 +20795,7 @@
20696
20795
  try {
20697
20796
  if (request.code && request.nativeAccountId) {
20698
20797
  // Throw error in case server returns both spa_code and spa_accountid in exchange for auth code.
20699
- throw createBrowserAuthError(spaCodeAndNativeAccountIdPresent);
20798
+ throw createBrowserAuthError(spaCodeAndNativeAccountIdPresent, correlationId);
20700
20799
  }
20701
20800
  else if (request.code) {
20702
20801
  const hybridAuthCode = request.code;
@@ -20759,11 +20858,11 @@
20759
20858
  return result;
20760
20859
  }
20761
20860
  else {
20762
- throw createBrowserAuthError(unableToAcquireTokenFromNativePlatform);
20861
+ throw createBrowserAuthError(unableToAcquireTokenFromNativePlatform, correlationId);
20763
20862
  }
20764
20863
  }
20765
20864
  else {
20766
- throw createBrowserAuthError(authCodeOrNativeAccountIdRequired);
20865
+ throw createBrowserAuthError(authCodeOrNativeAccountIdRequired, correlationId);
20767
20866
  }
20768
20867
  }
20769
20868
  catch (e) {
@@ -20825,7 +20924,7 @@
20825
20924
  const silentCacheClient = this.createSilentCacheClient(commonRequest.correlationId);
20826
20925
  return invokeAsync(silentCacheClient.acquireToken.bind(silentCacheClient), SilentCacheClientAcquireToken, this.logger, this.performanceClient, commonRequest.correlationId)(commonRequest);
20827
20926
  default:
20828
- throw createClientAuthError(tokenRefreshRequired);
20927
+ throw createClientAuthError(tokenRefreshRequired, commonRequest.correlationId);
20829
20928
  }
20830
20929
  }
20831
20930
  /**
@@ -20843,7 +20942,7 @@
20843
20942
  const silentRefreshClient = this.createSilentRefreshClient(commonRequest.correlationId);
20844
20943
  return invokeAsync(silentRefreshClient.acquireToken.bind(silentRefreshClient), SilentRefreshClientAcquireToken, this.logger, this.performanceClient, commonRequest.correlationId)(commonRequest);
20845
20944
  default:
20846
- throw createClientAuthError(tokenRefreshRequired);
20945
+ throw createClientAuthError(tokenRefreshRequired, commonRequest.correlationId);
20847
20946
  }
20848
20947
  }
20849
20948
  /**
@@ -20952,7 +21051,7 @@
20952
21051
  ? toSecondsFromDate(result.expiresOn)
20953
21052
  : 0, result.extExpiresOn
20954
21053
  ? toSecondsFromDate(result.extExpiresOn)
20955
- : 0, base64Decode, undefined, // refreshOn
21054
+ : 0, base64Decode, request.correlationId || "", undefined, // refreshOn
20956
21055
  result.tokenType, undefined, // userAssertionHash
20957
21056
  request.sshKid);
20958
21057
  if (request.resource) {
@@ -20977,7 +21076,7 @@
20977
21076
  const correlationId = this.getRequestCorrelationId(request);
20978
21077
  this.logger.trace("acquireTokenNative called", correlationId);
20979
21078
  if (!this.platformAuthProvider) {
20980
- throw createBrowserAuthError(nativeConnectionNotEstablished);
21079
+ throw createBrowserAuthError(nativeConnectionNotEstablished, correlationId);
20981
21080
  }
20982
21081
  const nativeClient = new PlatformAuthInteractionClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, apiId, this.performanceClient, this.platformAuthProvider, accountId || this.getNativeAccountId(request), this.nativeInternalStorage, correlationId);
20983
21082
  return invokeAsync(nativeClient.acquireToken.bind(nativeClient), NativeInteractionClientAcquireToken, this.logger, this.performanceClient, correlationId)(request, cacheLookupPolicy);
@@ -21221,7 +21320,7 @@
21221
21320
  this.logger.verbose("acquireTokenSilent called", correlationId);
21222
21321
  const account = request.account || this.getActiveAccount();
21223
21322
  if (!account) {
21224
- throw createBrowserAuthError(noAccountError);
21323
+ throw createBrowserAuthError(noAccountError, correlationId);
21225
21324
  }
21226
21325
  return this.acquireTokenSilentDeduped(request, account, correlationId)
21227
21326
  .then((result) => {
@@ -21240,7 +21339,7 @@
21240
21339
  .catch((error) => {
21241
21340
  if (error instanceof AuthError) {
21242
21341
  // Ensures PWB scenarios can correctly match request to response
21243
- error.setCorrelationId(correlationId);
21342
+ error.correlationId = correlationId;
21244
21343
  }
21245
21344
  atsMeasurement.end({
21246
21345
  success: false,
@@ -21398,7 +21497,7 @@
21398
21497
  this.logger.verbose("acquireTokenSilent - native platform unavailable, falling back to web flow", silentRequest.correlationId);
21399
21498
  this.platformAuthProvider = undefined; // Prevent future requests from continuing to attempt
21400
21499
  // Cache will not contain tokens, given that previous WAM requests succeeded. Skip cache and RT renewal and go straight to iframe renewal
21401
- throw createClientAuthError(tokenRefreshRequired);
21500
+ throw createClientAuthError(tokenRefreshRequired, silentRequest.correlationId);
21402
21501
  }
21403
21502
  throw e;
21404
21503
  });
@@ -21507,7 +21606,7 @@
21507
21606
  this.logger.verbose("The SDK can only be used in a browser environment.", "");
21508
21607
  throw new UnsupportedEnvironmentError();
21509
21608
  }
21510
- this.logger = this.logger.clone(DefaultPackageInfo.SKU, DefaultPackageInfo.VERSION);
21609
+ this.logger = this.logger.clone(name, DefaultPackageInfo.VERSION);
21511
21610
  this.customAuthConfig = operatingContext.getCustomAuthConfig();
21512
21611
  this.authority = new CustomAuthAuthority(this.customAuthConfig.auth.authority, this.customAuthConfig, this.networkClient, this.browserStorage, this.logger, this.performanceClient, this.customAuthConfig.customAuth?.authApiProxyUrl);
21513
21612
  const interactionClientFactory = new CustomAuthInterationClientFactory(this.customAuthConfig, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, this.performanceClient, customAuthApiClient ??