@azure/msal-browser 5.6.2 → 5.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (456) hide show
  1. package/README.md +0 -1
  2. package/dist/app/IPublicClientApplication.mjs +1 -1
  3. package/dist/app/PublicClientApplication.mjs +1 -1
  4. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +2 -3
  5. package/dist/broker/nativeBroker/NativeStatusCodes.mjs.map +1 -1
  6. package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  7. package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  8. package/dist/broker/nativeBroker/PlatformAuthProvider.d.ts +1 -1
  9. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +2 -2
  10. package/dist/cache/AccountManager.mjs +1 -1
  11. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  12. package/dist/cache/BrowserCacheManager.mjs +1 -1
  13. package/dist/cache/CacheHelpers.mjs +1 -1
  14. package/dist/cache/CacheKeys.d.ts +1 -0
  15. package/dist/cache/CacheKeys.d.ts.map +1 -1
  16. package/dist/cache/CacheKeys.mjs +3 -2
  17. package/dist/cache/CacheKeys.mjs.map +1 -1
  18. package/dist/cache/CookieStorage.mjs +1 -1
  19. package/dist/cache/DatabaseStorage.mjs +1 -1
  20. package/dist/cache/EncryptedData.mjs +1 -1
  21. package/dist/cache/LocalStorage.mjs +1 -1
  22. package/dist/cache/MemoryStorage.mjs +1 -1
  23. package/dist/cache/SessionStorage.mjs +1 -1
  24. package/dist/cache/TokenCache.d.ts.map +1 -1
  25. package/dist/cache/TokenCache.mjs +9 -9
  26. package/dist/cache/TokenCache.mjs.map +1 -1
  27. package/dist/config/Configuration.d.ts +20 -1
  28. package/dist/config/Configuration.d.ts.map +1 -1
  29. package/dist/config/Configuration.mjs +10 -2
  30. package/dist/config/Configuration.mjs.map +1 -1
  31. package/dist/controllers/NestedAppAuthController.mjs +1 -1
  32. package/dist/controllers/StandardController.d.ts +20 -2
  33. package/dist/controllers/StandardController.d.ts.map +1 -1
  34. package/dist/controllers/StandardController.mjs +204 -37
  35. package/dist/controllers/StandardController.mjs.map +1 -1
  36. package/dist/crypto/BrowserCrypto.mjs +1 -1
  37. package/dist/crypto/CryptoOps.mjs +1 -1
  38. package/dist/crypto/PkceGenerator.mjs +1 -1
  39. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  40. package/dist/custom-auth-path/app/PublicClientApplication.mjs +1 -1
  41. package/dist/custom-auth-path/broker/nativeBroker/NativeStatusCodes.mjs +2 -3
  42. package/dist/custom-auth-path/broker/nativeBroker/NativeStatusCodes.mjs.map +1 -1
  43. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  44. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  45. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthProvider.d.ts +1 -1
  46. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthProvider.mjs +2 -2
  47. package/dist/custom-auth-path/cache/AccountManager.mjs +1 -1
  48. package/dist/custom-auth-path/cache/AsyncMemoryStorage.mjs +1 -1
  49. package/dist/custom-auth-path/cache/BrowserCacheManager.mjs +1 -1
  50. package/dist/custom-auth-path/cache/CacheHelpers.mjs +1 -1
  51. package/dist/custom-auth-path/cache/CacheKeys.d.ts +1 -0
  52. package/dist/custom-auth-path/cache/CacheKeys.d.ts.map +1 -1
  53. package/dist/custom-auth-path/cache/CacheKeys.mjs +3 -2
  54. package/dist/custom-auth-path/cache/CacheKeys.mjs.map +1 -1
  55. package/dist/custom-auth-path/cache/CookieStorage.mjs +1 -1
  56. package/dist/custom-auth-path/cache/DatabaseStorage.mjs +1 -1
  57. package/dist/custom-auth-path/cache/EncryptedData.mjs +1 -1
  58. package/dist/custom-auth-path/cache/LocalStorage.mjs +1 -1
  59. package/dist/custom-auth-path/cache/MemoryStorage.mjs +1 -1
  60. package/dist/custom-auth-path/cache/SessionStorage.mjs +1 -1
  61. package/dist/custom-auth-path/cache/TokenCache.d.ts.map +1 -1
  62. package/dist/custom-auth-path/config/Configuration.d.ts +20 -1
  63. package/dist/custom-auth-path/config/Configuration.d.ts.map +1 -1
  64. package/dist/custom-auth-path/config/Configuration.mjs +10 -2
  65. package/dist/custom-auth-path/config/Configuration.mjs.map +1 -1
  66. package/dist/custom-auth-path/controllers/StandardController.d.ts +20 -2
  67. package/dist/custom-auth-path/controllers/StandardController.d.ts.map +1 -1
  68. package/dist/custom-auth-path/controllers/StandardController.mjs +204 -37
  69. package/dist/custom-auth-path/controllers/StandardController.mjs.map +1 -1
  70. package/dist/custom-auth-path/crypto/BrowserCrypto.mjs +1 -1
  71. package/dist/custom-auth-path/crypto/CryptoOps.mjs +1 -1
  72. package/dist/custom-auth-path/crypto/PkceGenerator.mjs +1 -1
  73. package/dist/custom-auth-path/custom_auth/CustomAuthConstants.d.ts +1 -1
  74. package/dist/custom-auth-path/custom_auth/CustomAuthConstants.mjs +1 -1
  75. package/dist/custom-auth-path/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
  76. package/dist/custom-auth-path/custom_auth/controller/CustomAuthStandardController.mjs +1 -1
  77. package/dist/custom-auth-path/custom_auth/core/CustomAuthAuthority.mjs +1 -1
  78. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
  79. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
  80. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
  81. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
  82. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
  83. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
  84. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
  85. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
  86. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
  87. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +1 -1
  88. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
  89. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
  90. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
  91. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
  92. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
  93. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +1 -1
  94. package/dist/custom-auth-path/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
  95. package/dist/custom-auth-path/custom_auth/core/error/CustomAuthError.mjs +1 -1
  96. package/dist/custom-auth-path/custom_auth/core/error/HttpError.mjs +1 -1
  97. package/dist/custom-auth-path/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
  98. package/dist/custom-auth-path/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
  99. package/dist/custom-auth-path/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
  100. package/dist/custom-auth-path/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
  101. package/dist/custom-auth-path/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
  102. package/dist/custom-auth-path/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
  103. package/dist/custom-auth-path/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
  104. package/dist/custom-auth-path/custom_auth/core/error/ParsedUrlError.mjs +1 -1
  105. package/dist/custom-auth-path/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
  106. package/dist/custom-auth-path/custom_auth/core/error/UnexpectedError.mjs +1 -1
  107. package/dist/custom-auth-path/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
  108. package/dist/custom-auth-path/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
  109. package/dist/custom-auth-path/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
  110. package/dist/custom-auth-path/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
  111. package/dist/custom-auth-path/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
  112. package/dist/custom-auth-path/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
  113. package/dist/custom-auth-path/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
  114. package/dist/custom-auth-path/custom_auth/core/interaction_client/mfa/MfaClient.mjs +1 -1
  115. package/dist/custom-auth-path/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
  116. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +1 -1
  117. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +1 -1
  118. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
  119. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
  120. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +1 -1
  121. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +1 -1
  122. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +1 -1
  123. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
  124. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
  125. package/dist/custom-auth-path/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +1 -1
  126. package/dist/custom-auth-path/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
  127. package/dist/custom-auth-path/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
  128. package/dist/custom-auth-path/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
  129. package/dist/custom-auth-path/custom_auth/core/utils/UrlUtils.mjs +1 -1
  130. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +1 -1
  131. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
  132. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
  133. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
  134. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
  135. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
  136. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
  137. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
  138. package/dist/custom-auth-path/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +1 -1
  139. package/dist/custom-auth-path/custom_auth/index.mjs +1 -1
  140. package/dist/custom-auth-path/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
  141. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
  142. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
  143. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
  144. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
  145. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
  146. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +1 -1
  147. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
  148. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
  149. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +1 -1
  150. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
  151. package/dist/custom-auth-path/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +1 -1
  152. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
  153. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
  154. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
  155. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
  156. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
  157. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
  158. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +1 -1
  159. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
  160. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +1 -1
  161. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
  162. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +1 -1
  163. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
  164. package/dist/custom-auth-path/custom_auth/sign_in/interaction_client/SignInClient.mjs +1 -1
  165. package/dist/custom-auth-path/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
  166. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
  167. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
  168. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
  169. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
  170. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
  171. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
  172. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +1 -1
  173. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +1 -1
  174. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
  175. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
  176. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +1 -1
  177. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
  178. package/dist/custom-auth-path/custom_auth/sign_up/interaction_client/SignUpClient.mjs +1 -1
  179. package/dist/custom-auth-path/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
  180. package/dist/custom-auth-path/encode/Base64Decode.mjs +1 -1
  181. package/dist/custom-auth-path/encode/Base64Encode.mjs +1 -1
  182. package/dist/custom-auth-path/error/BrowserAuthError.mjs +1 -1
  183. package/dist/custom-auth-path/error/BrowserAuthErrorCodes.mjs +1 -1
  184. package/dist/custom-auth-path/error/BrowserConfigurationAuthError.mjs +1 -1
  185. package/dist/custom-auth-path/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  186. package/dist/custom-auth-path/error/NativeAuthError.d.ts.map +1 -1
  187. package/dist/custom-auth-path/error/NativeAuthError.mjs +3 -4
  188. package/dist/custom-auth-path/error/NativeAuthError.mjs.map +1 -1
  189. package/dist/custom-auth-path/error/NativeAuthErrorCodes.mjs +1 -1
  190. package/dist/custom-auth-path/event/EventHandler.mjs +1 -1
  191. package/dist/custom-auth-path/event/EventType.mjs +1 -1
  192. package/dist/custom-auth-path/index.d.ts +1 -1
  193. package/dist/custom-auth-path/index.d.ts.map +1 -1
  194. package/dist/custom-auth-path/interaction_client/BaseInteractionClient.mjs +1 -1
  195. package/dist/custom-auth-path/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  196. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.d.ts +12 -12
  197. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  198. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.mjs +39 -26
  199. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
  200. package/dist/custom-auth-path/interaction_client/PopupClient.d.ts.map +1 -1
  201. package/dist/custom-auth-path/interaction_client/PopupClient.mjs +6 -2
  202. package/dist/custom-auth-path/interaction_client/PopupClient.mjs.map +1 -1
  203. package/dist/custom-auth-path/interaction_client/RedirectClient.d.ts.map +1 -1
  204. package/dist/custom-auth-path/interaction_client/RedirectClient.mjs +6 -2
  205. package/dist/custom-auth-path/interaction_client/RedirectClient.mjs.map +1 -1
  206. package/dist/custom-auth-path/interaction_client/SilentAuthCodeClient.mjs +1 -1
  207. package/dist/custom-auth-path/interaction_client/SilentCacheClient.mjs +1 -1
  208. package/dist/custom-auth-path/interaction_client/SilentIframeClient.d.ts +14 -0
  209. package/dist/custom-auth-path/interaction_client/SilentIframeClient.d.ts.map +1 -1
  210. package/dist/custom-auth-path/interaction_client/SilentIframeClient.mjs +47 -5
  211. package/dist/custom-auth-path/interaction_client/SilentIframeClient.mjs.map +1 -1
  212. package/dist/custom-auth-path/interaction_client/SilentRefreshClient.mjs +1 -1
  213. package/dist/custom-auth-path/interaction_client/StandardInteractionClient.mjs +1 -1
  214. package/dist/custom-auth-path/interaction_handler/InteractionHandler.mjs +1 -1
  215. package/dist/custom-auth-path/interaction_handler/SilentHandler.mjs +1 -1
  216. package/dist/custom-auth-path/log-strings-mapping.json +67 -15
  217. package/dist/custom-auth-path/navigation/NavigationClient.mjs +1 -1
  218. package/dist/custom-auth-path/network/FetchClient.mjs +1 -1
  219. package/dist/custom-auth-path/operatingcontext/BaseOperatingContext.mjs +1 -1
  220. package/dist/custom-auth-path/operatingcontext/StandardOperatingContext.mjs +1 -1
  221. package/dist/custom-auth-path/packageMetadata.d.ts +1 -1
  222. package/dist/custom-auth-path/packageMetadata.mjs +2 -2
  223. package/dist/custom-auth-path/protocol/Authorize.d.ts.map +1 -1
  224. package/dist/custom-auth-path/protocol/Authorize.mjs +5 -1
  225. package/dist/custom-auth-path/protocol/Authorize.mjs.map +1 -1
  226. package/dist/custom-auth-path/redirect_bridge/index.d.ts.map +1 -1
  227. package/dist/custom-auth-path/request/RequestHelpers.mjs +1 -1
  228. package/dist/custom-auth-path/response/ResponseHandler.mjs +1 -1
  229. package/dist/custom-auth-path/telemetry/BrowserPerformanceClient.d.ts +1 -0
  230. package/dist/custom-auth-path/telemetry/BrowserPerformanceClient.d.ts.map +1 -1
  231. package/dist/custom-auth-path/telemetry/BrowserPerformanceEvents.d.ts +6 -0
  232. package/dist/custom-auth-path/telemetry/BrowserPerformanceEvents.d.ts.map +1 -1
  233. package/dist/custom-auth-path/telemetry/BrowserPerformanceEvents.mjs +9 -3
  234. package/dist/custom-auth-path/telemetry/BrowserPerformanceEvents.mjs.map +1 -1
  235. package/dist/custom-auth-path/telemetry/BrowserRootPerformanceEvents.d.ts +6 -0
  236. package/dist/custom-auth-path/telemetry/BrowserRootPerformanceEvents.d.ts.map +1 -1
  237. package/dist/custom-auth-path/telemetry/BrowserRootPerformanceEvents.mjs +8 -3
  238. package/dist/custom-auth-path/telemetry/BrowserRootPerformanceEvents.mjs.map +1 -1
  239. package/dist/custom-auth-path/utils/BrowserConstants.mjs +1 -1
  240. package/dist/custom-auth-path/utils/BrowserProtocolUtils.mjs +1 -1
  241. package/dist/custom-auth-path/utils/BrowserUtils.d.ts +2 -2
  242. package/dist/custom-auth-path/utils/BrowserUtils.d.ts.map +1 -1
  243. package/dist/custom-auth-path/utils/BrowserUtils.mjs +27 -3
  244. package/dist/custom-auth-path/utils/BrowserUtils.mjs.map +1 -1
  245. package/dist/custom-auth-path/utils/Helpers.mjs +1 -1
  246. package/dist/custom-auth-path/utils/MsalFrameStatsUtils.mjs +1 -1
  247. package/dist/custom_auth/CustomAuthConstants.d.ts +1 -1
  248. package/dist/encode/Base64Decode.mjs +1 -1
  249. package/dist/encode/Base64Encode.mjs +1 -1
  250. package/dist/error/BrowserAuthError.mjs +1 -1
  251. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  252. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  253. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  254. package/dist/error/NativeAuthError.d.ts.map +1 -1
  255. package/dist/error/NativeAuthError.mjs +3 -4
  256. package/dist/error/NativeAuthError.mjs.map +1 -1
  257. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  258. package/dist/error/NestedAppAuthError.mjs +1 -1
  259. package/dist/event/EventHandler.mjs +1 -1
  260. package/dist/event/EventMessage.mjs +1 -1
  261. package/dist/event/EventType.mjs +1 -1
  262. package/dist/index.d.ts +1 -1
  263. package/dist/index.d.ts.map +1 -1
  264. package/dist/index.mjs +1 -1
  265. package/dist/index.mjs.map +1 -1
  266. package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
  267. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  268. package/dist/interaction_client/PlatformAuthInteractionClient.d.ts +12 -12
  269. package/dist/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  270. package/dist/interaction_client/PlatformAuthInteractionClient.mjs +39 -26
  271. package/dist/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
  272. package/dist/interaction_client/PopupClient.d.ts.map +1 -1
  273. package/dist/interaction_client/PopupClient.mjs +6 -2
  274. package/dist/interaction_client/PopupClient.mjs.map +1 -1
  275. package/dist/interaction_client/RedirectClient.d.ts.map +1 -1
  276. package/dist/interaction_client/RedirectClient.mjs +6 -2
  277. package/dist/interaction_client/RedirectClient.mjs.map +1 -1
  278. package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
  279. package/dist/interaction_client/SilentCacheClient.mjs +1 -1
  280. package/dist/interaction_client/SilentIframeClient.d.ts +14 -0
  281. package/dist/interaction_client/SilentIframeClient.d.ts.map +1 -1
  282. package/dist/interaction_client/SilentIframeClient.mjs +47 -5
  283. package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
  284. package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
  285. package/dist/interaction_client/StandardInteractionClient.mjs +1 -1
  286. package/dist/interaction_handler/InteractionHandler.mjs +1 -1
  287. package/dist/interaction_handler/SilentHandler.mjs +1 -1
  288. package/dist/log-strings-mapping.json +75 -23
  289. package/dist/naa/BridgeError.mjs +1 -1
  290. package/dist/naa/BridgeProxy.mjs +1 -1
  291. package/dist/naa/BridgeStatusCode.mjs +1 -1
  292. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +1 -1
  293. package/dist/navigation/NavigationClient.mjs +1 -1
  294. package/dist/network/FetchClient.mjs +1 -1
  295. package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
  296. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  297. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  298. package/dist/packageMetadata.d.ts +1 -1
  299. package/dist/packageMetadata.mjs +2 -2
  300. package/dist/protocol/Authorize.d.ts.map +1 -1
  301. package/dist/protocol/Authorize.mjs +5 -1
  302. package/dist/protocol/Authorize.mjs.map +1 -1
  303. package/dist/redirect-bridge/broker/nativeBroker/PlatformAuthProvider.d.ts +1 -1
  304. package/dist/redirect-bridge/cache/CacheKeys.d.ts +1 -0
  305. package/dist/redirect-bridge/cache/CacheKeys.d.ts.map +1 -1
  306. package/dist/redirect-bridge/cache/CacheKeys.mjs +1 -1
  307. package/dist/redirect-bridge/cache/TokenCache.d.ts.map +1 -1
  308. package/dist/redirect-bridge/config/Configuration.d.ts +20 -1
  309. package/dist/redirect-bridge/config/Configuration.d.ts.map +1 -1
  310. package/dist/redirect-bridge/config/Configuration.mjs +1 -1
  311. package/dist/redirect-bridge/controllers/StandardController.d.ts +20 -2
  312. package/dist/redirect-bridge/controllers/StandardController.d.ts.map +1 -1
  313. package/dist/redirect-bridge/custom_auth/CustomAuthConstants.d.ts +1 -1
  314. package/dist/redirect-bridge/encode/Base64Decode.mjs +1 -1
  315. package/dist/redirect-bridge/error/BrowserAuthError.mjs +1 -1
  316. package/dist/redirect-bridge/error/BrowserAuthErrorCodes.mjs +1 -1
  317. package/dist/redirect-bridge/error/NativeAuthError.d.ts.map +1 -1
  318. package/dist/redirect-bridge/index.d.ts +1 -1
  319. package/dist/redirect-bridge/index.d.ts.map +1 -1
  320. package/dist/redirect-bridge/interaction_client/PlatformAuthInteractionClient.d.ts +12 -12
  321. package/dist/redirect-bridge/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  322. package/dist/redirect-bridge/interaction_client/PopupClient.d.ts.map +1 -1
  323. package/dist/redirect-bridge/interaction_client/RedirectClient.d.ts.map +1 -1
  324. package/dist/redirect-bridge/interaction_client/SilentIframeClient.d.ts +14 -0
  325. package/dist/redirect-bridge/interaction_client/SilentIframeClient.d.ts.map +1 -1
  326. package/dist/redirect-bridge/navigation/NavigationClient.mjs +1 -1
  327. package/dist/redirect-bridge/packageMetadata.d.ts +1 -1
  328. package/dist/redirect-bridge/protocol/Authorize.d.ts.map +1 -1
  329. package/dist/redirect-bridge/redirect_bridge/index.d.ts.map +1 -1
  330. package/dist/redirect-bridge/redirect_bridge/index.mjs +11 -7
  331. package/dist/redirect-bridge/redirect_bridge/index.mjs.map +1 -1
  332. package/dist/redirect-bridge/telemetry/BrowserPerformanceClient.d.ts +1 -0
  333. package/dist/redirect-bridge/telemetry/BrowserPerformanceClient.d.ts.map +1 -1
  334. package/dist/redirect-bridge/telemetry/BrowserPerformanceEvents.d.ts +6 -0
  335. package/dist/redirect-bridge/telemetry/BrowserPerformanceEvents.d.ts.map +1 -1
  336. package/dist/redirect-bridge/telemetry/BrowserRootPerformanceEvents.d.ts +6 -0
  337. package/dist/redirect-bridge/telemetry/BrowserRootPerformanceEvents.d.ts.map +1 -1
  338. package/dist/redirect-bridge/utils/BrowserConstants.mjs +7 -3
  339. package/dist/redirect-bridge/utils/BrowserConstants.mjs.map +1 -1
  340. package/dist/redirect-bridge/utils/BrowserUtils.d.ts +2 -2
  341. package/dist/redirect-bridge/utils/BrowserUtils.d.ts.map +1 -1
  342. package/dist/redirect-bridge/utils/BrowserUtils.mjs +1 -1
  343. package/dist/redirect-bridge/utils/BrowserUtils.mjs.map +1 -1
  344. package/dist/redirect_bridge/index.d.ts.map +1 -1
  345. package/dist/request/RequestHelpers.mjs +1 -1
  346. package/dist/response/ResponseHandler.mjs +1 -1
  347. package/dist/telemetry/BrowserPerformanceClient.d.ts +1 -0
  348. package/dist/telemetry/BrowserPerformanceClient.d.ts.map +1 -1
  349. package/dist/telemetry/BrowserPerformanceClient.mjs +6 -1
  350. package/dist/telemetry/BrowserPerformanceClient.mjs.map +1 -1
  351. package/dist/telemetry/BrowserPerformanceEvents.d.ts +6 -0
  352. package/dist/telemetry/BrowserPerformanceEvents.d.ts.map +1 -1
  353. package/dist/telemetry/BrowserPerformanceEvents.mjs +9 -3
  354. package/dist/telemetry/BrowserPerformanceEvents.mjs.map +1 -1
  355. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  356. package/dist/telemetry/BrowserRootPerformanceEvents.d.ts +6 -0
  357. package/dist/telemetry/BrowserRootPerformanceEvents.d.ts.map +1 -1
  358. package/dist/telemetry/BrowserRootPerformanceEvents.mjs +10 -3
  359. package/dist/telemetry/BrowserRootPerformanceEvents.mjs.map +1 -1
  360. package/dist/utils/BrowserConstants.mjs +1 -1
  361. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  362. package/dist/utils/BrowserUtils.d.ts +2 -2
  363. package/dist/utils/BrowserUtils.d.ts.map +1 -1
  364. package/dist/utils/BrowserUtils.mjs +27 -3
  365. package/dist/utils/BrowserUtils.mjs.map +1 -1
  366. package/dist/utils/Helpers.mjs +1 -1
  367. package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
  368. package/lib/custom-auth-path/log-strings-mapping.json +67 -15
  369. package/lib/custom-auth-path/msal-custom-auth.cjs +897 -617
  370. package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
  371. package/lib/custom-auth-path/types/broker/nativeBroker/PlatformAuthProvider.d.ts +1 -1
  372. package/lib/custom-auth-path/types/cache/CacheKeys.d.ts +1 -0
  373. package/lib/custom-auth-path/types/cache/CacheKeys.d.ts.map +1 -1
  374. package/lib/custom-auth-path/types/cache/TokenCache.d.ts.map +1 -1
  375. package/lib/custom-auth-path/types/config/Configuration.d.ts +20 -1
  376. package/lib/custom-auth-path/types/config/Configuration.d.ts.map +1 -1
  377. package/lib/custom-auth-path/types/controllers/StandardController.d.ts +20 -2
  378. package/lib/custom-auth-path/types/controllers/StandardController.d.ts.map +1 -1
  379. package/lib/custom-auth-path/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  380. package/lib/custom-auth-path/types/error/NativeAuthError.d.ts.map +1 -1
  381. package/lib/custom-auth-path/types/index.d.ts +1 -1
  382. package/lib/custom-auth-path/types/index.d.ts.map +1 -1
  383. package/lib/custom-auth-path/types/interaction_client/PlatformAuthInteractionClient.d.ts +12 -12
  384. package/lib/custom-auth-path/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  385. package/lib/custom-auth-path/types/interaction_client/PopupClient.d.ts.map +1 -1
  386. package/lib/custom-auth-path/types/interaction_client/RedirectClient.d.ts.map +1 -1
  387. package/lib/custom-auth-path/types/interaction_client/SilentIframeClient.d.ts +14 -0
  388. package/lib/custom-auth-path/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
  389. package/lib/custom-auth-path/types/packageMetadata.d.ts +1 -1
  390. package/lib/custom-auth-path/types/protocol/Authorize.d.ts.map +1 -1
  391. package/lib/custom-auth-path/types/redirect_bridge/index.d.ts.map +1 -1
  392. package/lib/custom-auth-path/types/telemetry/BrowserPerformanceClient.d.ts +1 -0
  393. package/lib/custom-auth-path/types/telemetry/BrowserPerformanceClient.d.ts.map +1 -1
  394. package/lib/custom-auth-path/types/telemetry/BrowserPerformanceEvents.d.ts +6 -0
  395. package/lib/custom-auth-path/types/telemetry/BrowserPerformanceEvents.d.ts.map +1 -1
  396. package/lib/custom-auth-path/types/telemetry/BrowserRootPerformanceEvents.d.ts +6 -0
  397. package/lib/custom-auth-path/types/telemetry/BrowserRootPerformanceEvents.d.ts.map +1 -1
  398. package/lib/custom-auth-path/types/utils/BrowserUtils.d.ts +2 -2
  399. package/lib/custom-auth-path/types/utils/BrowserUtils.d.ts.map +1 -1
  400. package/lib/log-strings-mapping.json +75 -23
  401. package/lib/msal-browser.cjs +1045 -755
  402. package/lib/msal-browser.cjs.map +1 -1
  403. package/lib/msal-browser.js +1045 -755
  404. package/lib/msal-browser.js.map +1 -1
  405. package/lib/msal-browser.min.js +2 -2
  406. package/lib/redirect-bridge/msal-redirect-bridge.js +24 -16
  407. package/lib/redirect-bridge/msal-redirect-bridge.js.map +1 -1
  408. package/lib/redirect-bridge/msal-redirect-bridge.min.js +2 -2
  409. package/lib/types/broker/nativeBroker/PlatformAuthProvider.d.ts +1 -1
  410. package/lib/types/cache/CacheKeys.d.ts +1 -0
  411. package/lib/types/cache/CacheKeys.d.ts.map +1 -1
  412. package/lib/types/cache/TokenCache.d.ts.map +1 -1
  413. package/lib/types/config/Configuration.d.ts +20 -1
  414. package/lib/types/config/Configuration.d.ts.map +1 -1
  415. package/lib/types/controllers/StandardController.d.ts +20 -2
  416. package/lib/types/controllers/StandardController.d.ts.map +1 -1
  417. package/lib/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  418. package/lib/types/error/NativeAuthError.d.ts.map +1 -1
  419. package/lib/types/index.d.ts +1 -1
  420. package/lib/types/index.d.ts.map +1 -1
  421. package/lib/types/interaction_client/PlatformAuthInteractionClient.d.ts +12 -12
  422. package/lib/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  423. package/lib/types/interaction_client/PopupClient.d.ts.map +1 -1
  424. package/lib/types/interaction_client/RedirectClient.d.ts.map +1 -1
  425. package/lib/types/interaction_client/SilentIframeClient.d.ts +14 -0
  426. package/lib/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
  427. package/lib/types/packageMetadata.d.ts +1 -1
  428. package/lib/types/protocol/Authorize.d.ts.map +1 -1
  429. package/lib/types/redirect_bridge/index.d.ts.map +1 -1
  430. package/lib/types/telemetry/BrowserPerformanceClient.d.ts +1 -0
  431. package/lib/types/telemetry/BrowserPerformanceClient.d.ts.map +1 -1
  432. package/lib/types/telemetry/BrowserPerformanceEvents.d.ts +6 -0
  433. package/lib/types/telemetry/BrowserPerformanceEvents.d.ts.map +1 -1
  434. package/lib/types/telemetry/BrowserRootPerformanceEvents.d.ts +6 -0
  435. package/lib/types/telemetry/BrowserRootPerformanceEvents.d.ts.map +1 -1
  436. package/lib/types/utils/BrowserUtils.d.ts +2 -2
  437. package/lib/types/utils/BrowserUtils.d.ts.map +1 -1
  438. package/package.json +2 -2
  439. package/src/broker/nativeBroker/PlatformAuthProvider.ts +1 -1
  440. package/src/cache/CacheKeys.ts +1 -0
  441. package/src/cache/TokenCache.ts +27 -24
  442. package/src/config/Configuration.ts +30 -0
  443. package/src/controllers/StandardController.ts +316 -69
  444. package/src/error/NativeAuthError.ts +1 -2
  445. package/src/index.ts +1 -0
  446. package/src/interaction_client/PlatformAuthInteractionClient.ts +99 -76
  447. package/src/interaction_client/PopupClient.ts +10 -0
  448. package/src/interaction_client/RedirectClient.ts +10 -0
  449. package/src/interaction_client/SilentIframeClient.ts +127 -22
  450. package/src/packageMetadata.ts +1 -1
  451. package/src/protocol/Authorize.ts +8 -0
  452. package/src/redirect_bridge/index.ts +12 -5
  453. package/src/telemetry/BrowserPerformanceClient.ts +6 -0
  454. package/src/telemetry/BrowserPerformanceEvents.ts +9 -0
  455. package/src/telemetry/BrowserRootPerformanceEvents.ts +7 -0
  456. package/src/utils/BrowserUtils.ts +36 -4
@@ -1,8 +1,8 @@
1
- /*! @azure/msal-browser v5.6.2 2026-03-27 */
1
+ /*! @azure/msal-browser v5.7.0 2026-04-16 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
5
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6
6
  /*
7
7
  * Copyright (c) Microsoft Corporation. All rights reserved.
8
8
  * Licensed under the MIT License.
@@ -229,7 +229,7 @@ const JsonWebTokenTypes = {
229
229
  // Token renewal offset default in seconds
230
230
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
231
231
 
232
- /*! @azure/msal-common v16.4.0 2026-03-27 */
232
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
233
233
  /*
234
234
  * Copyright (c) Microsoft Corporation. All rights reserved.
235
235
  * Licensed under the MIT License.
@@ -281,7 +281,7 @@ const EAR_JWE_CRYPTO = "ear_jwe_crypto";
281
281
  const RESOURCE = "resource";
282
282
  const CLI_DATA = "clidata";
283
283
 
284
- /*! @azure/msal-common v16.4.0 2026-03-27 */
284
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
285
285
  /*
286
286
  * Copyright (c) Microsoft Corporation. All rights reserved.
287
287
  * Licensed under the MIT License.
@@ -312,7 +312,7 @@ function createAuthError(code, additionalMessage) {
312
312
  return new AuthError(code, additionalMessage || getDefaultErrorMessage$1(code));
313
313
  }
314
314
 
315
- /*! @azure/msal-common v16.4.0 2026-03-27 */
315
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
316
316
 
317
317
  /*
318
318
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -332,7 +332,7 @@ function createClientConfigurationError(errorCode) {
332
332
  return new ClientConfigurationError(errorCode);
333
333
  }
334
334
 
335
- /*! @azure/msal-common v16.4.0 2026-03-27 */
335
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
336
336
  /*
337
337
  * Copyright (c) Microsoft Corporation. All rights reserved.
338
338
  * Licensed under the MIT License.
@@ -412,7 +412,7 @@ class StringUtils {
412
412
  }
413
413
  }
414
414
 
415
- /*! @azure/msal-common v16.4.0 2026-03-27 */
415
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
416
416
 
417
417
  /*
418
418
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -435,7 +435,7 @@ function createClientAuthError(errorCode, additionalMessage) {
435
435
  return new ClientAuthError(errorCode, additionalMessage);
436
436
  }
437
437
 
438
- /*! @azure/msal-common v16.4.0 2026-03-27 */
438
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
439
439
  /*
440
440
  * Copyright (c) Microsoft Corporation. All rights reserved.
441
441
  * Licensed under the MIT License.
@@ -459,7 +459,7 @@ const cannotAllowPlatformBroker = "cannot_allow_platform_broker";
459
459
  const authorityMismatch = "authority_mismatch";
460
460
  const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
461
461
 
462
- /*! @azure/msal-common v16.4.0 2026-03-27 */
462
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
463
463
  /*
464
464
  * Copyright (c) Microsoft Corporation. All rights reserved.
465
465
  * Licensed under the MIT License.
@@ -498,7 +498,7 @@ const methodNotImplemented = "method_not_implemented";
498
498
  const resourceParameterRequired = "resource_parameter_required";
499
499
  const misplacedResourceParam = "misplaced_resource_parameter";
500
500
 
501
- /*! @azure/msal-common v16.4.0 2026-03-27 */
501
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
502
502
 
503
503
  /*
504
504
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -693,7 +693,7 @@ class ScopeSet {
693
693
  }
694
694
  }
695
695
 
696
- /*! @azure/msal-common v16.4.0 2026-03-27 */
696
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
697
697
 
698
698
  /*
699
699
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -814,18 +814,29 @@ function addSid(parameters, sid) {
814
814
  parameters.set(SID, sid);
815
815
  }
816
816
  /**
817
- * add claims
818
- * @param claims
819
- */
820
- function addClaims(parameters, claims, clientCapabilities) {
821
- const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);
822
- try {
823
- JSON.parse(mergedClaims);
824
- }
825
- catch (e) {
826
- throw createClientConfigurationError(invalidClaims);
817
+ * Adds claims to request parameters, conditionally excluding clientCapabilities
818
+ * when skipBrokerClaims is true and a brokered flow is in effect.
819
+ * @param parameters - The request parameters map
820
+ * @param claims - The claims string from the request
821
+ * @param clientCapabilities - The client capabilities from configuration
822
+ * @param skipBrokerClaims - When true and BROKER_CLIENT_ID is present, excludes clientCapabilities from claims
823
+ */
824
+ function addClaims(parameters, claims, clientCapabilities, skipBrokerClaims) {
825
+ // Skip clientCapabilities if skipBrokerClaims is set to true and this is a brokered authentication flow
826
+ const configClaims = skipBrokerClaims && parameters.has(BROKER_CLIENT_ID)
827
+ ? undefined
828
+ : clientCapabilities;
829
+ if (!StringUtils.isEmptyObj(claims) ||
830
+ (configClaims && configClaims.length > 0)) {
831
+ const mergedClaims = addClientCapabilitiesToClaims(claims, configClaims);
832
+ try {
833
+ JSON.parse(mergedClaims);
834
+ }
835
+ catch (e) {
836
+ throw createClientConfigurationError(invalidClaims);
837
+ }
838
+ parameters.set(CLAIMS, mergedClaims);
827
839
  }
828
- parameters.set(CLAIMS, mergedClaims);
829
840
  }
830
841
  /**
831
842
  * add correlationId
@@ -1071,7 +1082,7 @@ function addResource(parameters, resource) {
1071
1082
  }
1072
1083
  }
1073
1084
 
1074
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1085
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1075
1086
 
1076
1087
  /*
1077
1088
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1180,7 +1191,7 @@ function normalizeUrlForComparison(url) {
1180
1191
  }
1181
1192
  }
1182
1193
 
1183
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1194
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1184
1195
 
1185
1196
  /*
1186
1197
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1219,7 +1230,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
1219
1230
  },
1220
1231
  };
1221
1232
 
1222
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1233
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1223
1234
  /*
1224
1235
  * Copyright (c) Microsoft Corporation. All rights reserved.
1225
1236
  * Licensed under the MIT License.
@@ -1480,12 +1491,12 @@ class Logger {
1480
1491
  }
1481
1492
  }
1482
1493
 
1483
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1494
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1484
1495
  /* eslint-disable header/header */
1485
1496
  const name$1 = "@azure/msal-common";
1486
- const version$1 = "16.4.0";
1497
+ const version$1 = "16.5.0";
1487
1498
 
1488
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1499
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1489
1500
  /*
1490
1501
  * Copyright (c) Microsoft Corporation. All rights reserved.
1491
1502
  * Licensed under the MIT License.
@@ -1494,7 +1505,7 @@ const AzureCloudInstance = {
1494
1505
  // AzureCloudInstance is not specified.
1495
1506
  None: "none"};
1496
1507
 
1497
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1508
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1498
1509
  /*
1499
1510
  * Copyright (c) Microsoft Corporation. All rights reserved.
1500
1511
  * Licensed under the MIT License.
@@ -1576,7 +1587,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
1576
1587
  return updatedAccountInfo;
1577
1588
  }
1578
1589
 
1579
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1590
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1580
1591
 
1581
1592
  /*
1582
1593
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1656,7 +1667,7 @@ function checkMaxAge(authTime, maxAge) {
1656
1667
  }
1657
1668
  }
1658
1669
 
1659
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1670
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1660
1671
 
1661
1672
  /*
1662
1673
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1813,7 +1824,7 @@ class UrlString {
1813
1824
  }
1814
1825
  }
1815
1826
 
1816
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1827
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1817
1828
 
1818
1829
  /*
1819
1830
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1970,7 +1981,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
1970
1981
  return null;
1971
1982
  }
1972
1983
 
1973
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1984
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1974
1985
  /*
1975
1986
  * Copyright (c) Microsoft Corporation. All rights reserved.
1976
1987
  * Licensed under the MIT License.
@@ -1978,7 +1989,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
1978
1989
  const cacheQuotaExceeded = "cache_quota_exceeded";
1979
1990
  const cacheErrorUnknown = "cache_error_unknown";
1980
1991
 
1981
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1992
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1982
1993
 
1983
1994
  /*
1984
1995
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2016,7 +2027,7 @@ function createCacheError(e) {
2016
2027
  }
2017
2028
  }
2018
2029
 
2019
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2030
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2020
2031
 
2021
2032
  /*
2022
2033
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2054,7 +2065,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
2054
2065
  };
2055
2066
  }
2056
2067
 
2057
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2068
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2058
2069
  /*
2059
2070
  * Copyright (c) Microsoft Corporation. All rights reserved.
2060
2071
  * Licensed under the MIT License.
@@ -2069,7 +2080,7 @@ const AuthorityType = {
2069
2080
  Ciam: 3,
2070
2081
  };
2071
2082
 
2072
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2083
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2073
2084
  /*
2074
2085
  * Copyright (c) Microsoft Corporation. All rights reserved.
2075
2086
  * Licensed under the MIT License.
@@ -2091,7 +2102,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
2091
2102
  return null;
2092
2103
  }
2093
2104
 
2094
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2105
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2095
2106
  /*
2096
2107
  * Copyright (c) Microsoft Corporation. All rights reserved.
2097
2108
  * Licensed under the MIT License.
@@ -2115,7 +2126,7 @@ const ProtocolMode = {
2115
2126
  EAR: "EAR",
2116
2127
  };
2117
2128
 
2118
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2129
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2119
2130
  /**
2120
2131
  * Returns the AccountInfo interface for this account.
2121
2132
  */
@@ -2290,7 +2301,7 @@ function isAccountEntity(entity) {
2290
2301
  entity.hasOwnProperty("authorityType"));
2291
2302
  }
2292
2303
 
2293
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2304
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2294
2305
 
2295
2306
  /*
2296
2307
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3391,7 +3402,7 @@ class DefaultStorageClass extends CacheManager {
3391
3402
  }
3392
3403
  }
3393
3404
 
3394
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3405
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3395
3406
  /*
3396
3407
  * Copyright (c) Microsoft Corporation. All rights reserved.
3397
3408
  * Licensed under the MIT License.
@@ -3405,7 +3416,7 @@ class DefaultStorageClass extends CacheManager {
3405
3416
  const PerformanceEventStatus = {
3406
3417
  InProgress: 1};
3407
3418
 
3408
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3419
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3409
3420
 
3410
3421
  /*
3411
3422
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3460,7 +3471,7 @@ class StubPerformanceClient {
3460
3471
  }
3461
3472
  }
3462
3473
 
3463
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3474
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3464
3475
 
3465
3476
  /*
3466
3477
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3555,213 +3566,34 @@ function isOidcProtocolMode(config) {
3555
3566
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3556
3567
  }
3557
3568
 
3558
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3559
-
3560
- /*
3561
- * Copyright (c) Microsoft Corporation. All rights reserved.
3562
- * Licensed under the MIT License.
3563
- */
3564
- /**
3565
- * Error thrown when there is an error with the server code, for example, unavailability.
3566
- */
3567
- class ServerError extends AuthError {
3568
- constructor(errorCode, errorMessage, subError, errorNo, status) {
3569
- super(errorCode, errorMessage, subError);
3570
- this.name = "ServerError";
3571
- this.errorNo = errorNo;
3572
- this.status = status;
3573
- Object.setPrototypeOf(this, ServerError.prototype);
3574
- }
3575
- }
3576
-
3577
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3578
- /*
3579
- * Copyright (c) Microsoft Corporation. All rights reserved.
3580
- * Licensed under the MIT License.
3581
- */
3582
- /**
3583
- * MSAL-defined interaction required error code indicating no tokens are found in cache.
3584
- * @public
3585
- */
3586
- const noTokensFound = "no_tokens_found";
3587
- /**
3588
- * MSAL-defined error code indicating a native account is unavailable on the platform.
3589
- * @public
3590
- */
3591
- const nativeAccountUnavailable = "native_account_unavailable";
3592
- /**
3593
- * MSAL-defined error code indicating the refresh token has expired and user interaction is needed.
3594
- * @public
3595
- */
3596
- const refreshTokenExpired = "refresh_token_expired";
3597
- /**
3598
- * MSAL-defined error code indicating UI/UX is not allowed (e.g., blocked by policy), requiring alternate interaction.
3599
- * @public
3600
- */
3601
- const uxNotAllowed = "ux_not_allowed";
3602
- /**
3603
- * Server-originated error code indicating interaction is required to complete the request.
3604
- * @public
3605
- */
3606
- const interactionRequired = "interaction_required";
3607
- /**
3608
- * Server-originated error code indicating user consent is required.
3609
- * @public
3610
- */
3611
- const consentRequired = "consent_required";
3612
- /**
3613
- * Server-originated error code indicating user login is required.
3614
- * @public
3615
- */
3616
- const loginRequired = "login_required";
3617
- /**
3618
- * Server-originated error code indicating the token is invalid or corrupted.
3619
- * @public
3620
- */
3621
- const badToken = "bad_token";
3622
- /**
3623
- * Server-originated error code indicating the user is in an interrupted state and interaction is required.
3624
- * @public
3625
- */
3626
- const interruptedUser = "interrupted_user";
3627
-
3628
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3629
-
3630
- /*
3631
- * Copyright (c) Microsoft Corporation. All rights reserved.
3632
- * Licensed under the MIT License.
3633
- */
3634
- /**
3635
- * InteractionRequiredServerErrorMessage contains string constants used by error codes and messages returned by the server indicating interaction is required
3636
- */
3637
- const InteractionRequiredServerErrorMessage = [
3638
- interactionRequired,
3639
- consentRequired,
3640
- loginRequired,
3641
- badToken,
3642
- uxNotAllowed,
3643
- interruptedUser,
3644
- ];
3645
- const InteractionRequiredAuthSubErrorMessage = [
3646
- "message_only",
3647
- "additional_action",
3648
- "basic_action",
3649
- "user_password_expired",
3650
- "consent_required",
3651
- "bad_token",
3652
- "ux_not_allowed",
3653
- "interrupted_user",
3654
- ];
3655
- /**
3656
- * Error thrown when user interaction is required.
3657
- */
3658
- class InteractionRequiredAuthError extends AuthError {
3659
- constructor(errorCode, errorMessage, subError, timestamp, traceId, correlationId, claims, errorNo) {
3660
- super(errorCode, errorMessage, subError);
3661
- Object.setPrototypeOf(this, InteractionRequiredAuthError.prototype);
3662
- this.timestamp = timestamp || "";
3663
- this.traceId = traceId || "";
3664
- this.correlationId = correlationId || "";
3665
- this.claims = claims || "";
3666
- this.name = "InteractionRequiredAuthError";
3667
- this.errorNo = errorNo;
3668
- }
3669
- }
3670
- /**
3671
- * Helper function used to determine if an error thrown by the server requires interaction to resolve
3672
- * @param errorCode
3673
- * @param errorString
3674
- * @param subError
3675
- */
3676
- function isInteractionRequiredError(errorCode, errorString, subError) {
3677
- const isInteractionRequiredErrorCode = !!errorCode &&
3678
- InteractionRequiredServerErrorMessage.indexOf(errorCode) > -1;
3679
- const isInteractionRequiredSubError = !!subError &&
3680
- InteractionRequiredAuthSubErrorMessage.indexOf(subError) > -1;
3681
- const isInteractionRequiredErrorDesc = !!errorString &&
3682
- InteractionRequiredServerErrorMessage.some((irErrorCode) => {
3683
- return errorString.indexOf(irErrorCode) > -1;
3684
- });
3685
- return (isInteractionRequiredErrorCode ||
3686
- isInteractionRequiredErrorDesc ||
3687
- isInteractionRequiredSubError);
3688
- }
3689
- /**
3690
- * Creates an InteractionRequiredAuthError
3691
- */
3692
- function createInteractionRequiredAuthError(errorCode, errorMessage) {
3693
- return new InteractionRequiredAuthError(errorCode, errorMessage);
3694
- }
3695
-
3696
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3697
-
3569
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3698
3570
  /*
3699
3571
  * Copyright (c) Microsoft Corporation. All rights reserved.
3700
3572
  * Licensed under the MIT License.
3701
3573
  */
3702
3574
  /**
3703
- * Appends user state with random guid, or returns random guid.
3704
- * @param cryptoObj
3705
- * @param userState
3706
- * @param meta
3707
- */
3708
- function setRequestState(cryptoObj, userState, meta) {
3709
- const libraryState = generateLibraryState(cryptoObj, meta);
3710
- return userState
3711
- ? `${libraryState}${RESOURCE_DELIM}${userState}`
3712
- : libraryState;
3713
- }
3714
- /**
3715
- * Generates the state value used by the common library.
3716
- * @param cryptoObj
3717
- * @param meta
3718
- */
3719
- function generateLibraryState(cryptoObj, meta) {
3720
- if (!cryptoObj) {
3721
- throw createClientAuthError(noCryptoObject);
3722
- }
3723
- // Create a state object containing a unique id and the timestamp of the request creation
3724
- const stateObj = {
3725
- id: cryptoObj.createNewGuid(),
3726
- };
3727
- if (meta) {
3728
- stateObj.meta = meta;
3729
- }
3730
- const stateString = JSON.stringify(stateObj);
3731
- return cryptoObj.base64Encode(stateString);
3732
- }
3733
- /**
3734
- * Parses the state into the RequestStateObject, which contains the LibraryState info and the state passed by the user.
3735
- * @param base64Decode
3736
- * @param state
3737
- */
3738
- function parseRequestState(base64Decode, state) {
3739
- if (!base64Decode) {
3740
- throw createClientAuthError(noCryptoObject);
3741
- }
3742
- if (!state) {
3743
- throw createClientAuthError(invalidState);
3575
+ * This class instance helps track the memory changes facilitating
3576
+ * decisions to read from and write to the persistent cache
3577
+ */ class TokenCacheContext {
3578
+ constructor(tokenCache, hasChanged) {
3579
+ this.cache = tokenCache;
3580
+ this.hasChanged = hasChanged;
3744
3581
  }
3745
- try {
3746
- // Split the state between library state and user passed state and decode them separately
3747
- const splitState = state.split(RESOURCE_DELIM);
3748
- const libraryState = splitState[0];
3749
- const userState = splitState.length > 1
3750
- ? splitState.slice(1).join(RESOURCE_DELIM)
3751
- : "";
3752
- const libraryStateString = base64Decode(libraryState);
3753
- const libraryStateObj = JSON.parse(libraryStateString);
3754
- return {
3755
- userRequestState: userState || "",
3756
- libraryState: libraryStateObj,
3757
- };
3582
+ /**
3583
+ * boolean which indicates the changes in cache
3584
+ */
3585
+ get cacheHasChanged() {
3586
+ return this.hasChanged;
3758
3587
  }
3759
- catch (e) {
3760
- throw createClientAuthError(invalidState);
3588
+ /**
3589
+ * function to retrieve the token cache
3590
+ */
3591
+ get tokenCache() {
3592
+ return this.cache;
3761
3593
  }
3762
3594
  }
3763
3595
 
3764
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3596
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3765
3597
  /*
3766
3598
  * Copyright (c) Microsoft Corporation. All rights reserved.
3767
3599
  * Licensed under the MIT License.
@@ -3826,27 +3658,286 @@ function wasClockTurnedBack(cachedAt) {
3826
3658
  return cachedAtSec > nowSeconds();
3827
3659
  }
3828
3660
 
3829
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3661
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3662
+
3830
3663
  /*
3831
3664
  * Copyright (c) Microsoft Corporation. All rights reserved.
3832
3665
  * Licensed under the MIT License.
3833
3666
  */
3834
3667
  /**
3835
- * Time spent sending/waiting for the response of a request to the token endpoint
3836
- */
3837
- const NetworkClientSendPostRequestAsync = "networkClientSendPostRequestAsync";
3838
- const RefreshTokenClientExecutePostToTokenEndpoint = "refreshTokenClientExecutePostToTokenEndpoint";
3839
- const AuthorizationCodeClientExecutePostToTokenEndpoint = "authorizationCodeClientExecutePostToTokenEndpoint";
3840
- /**
3841
- * Time spent on the network for refresh token acquisition
3668
+ * Create IdTokenEntity
3669
+ * @param homeAccountId
3670
+ * @param authenticationResult
3671
+ * @param clientId
3672
+ * @param authority
3842
3673
  */
3843
- const RefreshTokenClientExecuteTokenRequest = "refreshTokenClientExecuteTokenRequest";
3674
+ function createIdTokenEntity(homeAccountId, environment, idToken, clientId, tenantId) {
3675
+ const idTokenEntity = {
3676
+ credentialType: CredentialType.ID_TOKEN,
3677
+ homeAccountId: homeAccountId,
3678
+ environment: environment,
3679
+ clientId: clientId,
3680
+ secret: idToken,
3681
+ realm: tenantId,
3682
+ lastUpdatedAt: Date.now().toString(), // Set the last updated time to now
3683
+ };
3684
+ return idTokenEntity;
3685
+ }
3844
3686
  /**
3845
- * Time taken for acquiring refresh token , records RT size
3687
+ * Create AccessTokenEntity
3688
+ * @param homeAccountId
3689
+ * @param environment
3690
+ * @param accessToken
3691
+ * @param clientId
3692
+ * @param tenantId
3693
+ * @param scopes
3694
+ * @param expiresOn
3695
+ * @param extExpiresOn
3846
3696
  */
3847
- const RefreshTokenClientAcquireToken = "refreshTokenClientAcquireToken";
3848
- /**
3849
- * Time taken for acquiring cached refresh token
3697
+ function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, refreshOn, tokenType, userAssertionHash, keyId) {
3698
+ const atEntity = {
3699
+ homeAccountId: homeAccountId,
3700
+ credentialType: CredentialType.ACCESS_TOKEN,
3701
+ secret: accessToken,
3702
+ cachedAt: nowSeconds().toString(),
3703
+ expiresOn: expiresOn.toString(),
3704
+ extendedExpiresOn: extExpiresOn.toString(),
3705
+ environment: environment,
3706
+ clientId: clientId,
3707
+ realm: tenantId,
3708
+ target: scopes,
3709
+ tokenType: tokenType || AuthenticationScheme.BEARER,
3710
+ lastUpdatedAt: Date.now().toString(), // Set the last updated time to now
3711
+ };
3712
+ if (userAssertionHash) {
3713
+ atEntity.userAssertionHash = userAssertionHash;
3714
+ }
3715
+ if (refreshOn) {
3716
+ atEntity.refreshOn = refreshOn.toString();
3717
+ }
3718
+ /*
3719
+ * Create Access Token With Auth Scheme instead of regular access token
3720
+ * Cast to lower to handle "bearer" from ADFS
3721
+ */
3722
+ if (atEntity.tokenType?.toLowerCase() !==
3723
+ AuthenticationScheme.BEARER.toLowerCase()) {
3724
+ atEntity.credentialType =
3725
+ CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME;
3726
+ switch (atEntity.tokenType) {
3727
+ case AuthenticationScheme.POP:
3728
+ // Make sure keyId is present and add it to credential
3729
+ const tokenClaims = extractTokenClaims(accessToken, base64Decode);
3730
+ if (!tokenClaims?.cnf?.kid) {
3731
+ throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt);
3732
+ }
3733
+ atEntity.keyId = tokenClaims.cnf.kid;
3734
+ break;
3735
+ case AuthenticationScheme.SSH:
3736
+ atEntity.keyId = keyId;
3737
+ }
3738
+ }
3739
+ return atEntity;
3740
+ }
3741
+ /**
3742
+ * Create RefreshTokenEntity
3743
+ * @param homeAccountId
3744
+ * @param authenticationResult
3745
+ * @param clientId
3746
+ * @param authority
3747
+ */
3748
+ function createRefreshTokenEntity(homeAccountId, environment, refreshToken, clientId, familyId, userAssertionHash, expiresOn) {
3749
+ const rtEntity = {
3750
+ credentialType: CredentialType.REFRESH_TOKEN,
3751
+ homeAccountId: homeAccountId,
3752
+ environment: environment,
3753
+ clientId: clientId,
3754
+ secret: refreshToken,
3755
+ lastUpdatedAt: Date.now().toString(),
3756
+ };
3757
+ if (userAssertionHash) {
3758
+ rtEntity.userAssertionHash = userAssertionHash;
3759
+ }
3760
+ if (familyId) {
3761
+ rtEntity.familyId = familyId;
3762
+ }
3763
+ if (expiresOn) {
3764
+ rtEntity.expiresOn = expiresOn.toString();
3765
+ }
3766
+ return rtEntity;
3767
+ }
3768
+ function isCredentialEntity(entity) {
3769
+ return (entity.hasOwnProperty("homeAccountId") &&
3770
+ entity.hasOwnProperty("environment") &&
3771
+ entity.hasOwnProperty("credentialType") &&
3772
+ entity.hasOwnProperty("clientId") &&
3773
+ entity.hasOwnProperty("secret"));
3774
+ }
3775
+ /**
3776
+ * Validates an entity: checks for all expected params
3777
+ * @param entity
3778
+ */
3779
+ function isAccessTokenEntity(entity) {
3780
+ if (!entity) {
3781
+ return false;
3782
+ }
3783
+ return (isCredentialEntity(entity) &&
3784
+ entity.hasOwnProperty("realm") &&
3785
+ entity.hasOwnProperty("target") &&
3786
+ (entity["credentialType"] === CredentialType.ACCESS_TOKEN ||
3787
+ entity["credentialType"] ===
3788
+ CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME));
3789
+ }
3790
+ /**
3791
+ * Validates an entity: checks for all expected params
3792
+ * @param entity
3793
+ */
3794
+ function isIdTokenEntity(entity) {
3795
+ if (!entity) {
3796
+ return false;
3797
+ }
3798
+ return (isCredentialEntity(entity) &&
3799
+ entity.hasOwnProperty("realm") &&
3800
+ entity["credentialType"] === CredentialType.ID_TOKEN);
3801
+ }
3802
+ /**
3803
+ * Validates an entity: checks for all expected params
3804
+ * @param entity
3805
+ */
3806
+ function isRefreshTokenEntity(entity) {
3807
+ if (!entity) {
3808
+ return false;
3809
+ }
3810
+ return (isCredentialEntity(entity) &&
3811
+ entity["credentialType"] === CredentialType.REFRESH_TOKEN);
3812
+ }
3813
+ /**
3814
+ * validates if a given cache entry is "Telemetry", parses <key,value>
3815
+ * @param key
3816
+ * @param entity
3817
+ */
3818
+ function isServerTelemetryEntity(key, entity) {
3819
+ const validateKey = key.indexOf(SERVER_TELEM_CACHE_KEY) === 0;
3820
+ let validateEntity = true;
3821
+ if (entity) {
3822
+ validateEntity =
3823
+ entity.hasOwnProperty("failedRequests") &&
3824
+ entity.hasOwnProperty("errors") &&
3825
+ entity.hasOwnProperty("cacheHits");
3826
+ }
3827
+ return validateKey && validateEntity;
3828
+ }
3829
+ /**
3830
+ * validates if a given cache entry is "Throttling", parses <key,value>
3831
+ * @param key
3832
+ * @param entity
3833
+ */
3834
+ function isThrottlingEntity(key, entity) {
3835
+ let validateKey = false;
3836
+ if (key) {
3837
+ validateKey = key.indexOf(THROTTLING_PREFIX) === 0;
3838
+ }
3839
+ let validateEntity = true;
3840
+ if (entity) {
3841
+ validateEntity = entity.hasOwnProperty("throttleTime");
3842
+ }
3843
+ return validateKey && validateEntity;
3844
+ }
3845
+ /**
3846
+ * Generate AppMetadata Cache Key as per the schema: appmetadata-<environment>-<client_id>
3847
+ */
3848
+ function generateAppMetadataKey({ environment, clientId, }) {
3849
+ const appMetaDataKeyArray = [
3850
+ APP_METADATA,
3851
+ environment,
3852
+ clientId,
3853
+ ];
3854
+ return appMetaDataKeyArray
3855
+ .join(CACHE_KEY_SEPARATOR$1)
3856
+ .toLowerCase();
3857
+ }
3858
+ /*
3859
+ * Validates an entity: checks for all expected params
3860
+ * @param entity
3861
+ */
3862
+ function isAppMetadataEntity(key, entity) {
3863
+ if (!entity) {
3864
+ return false;
3865
+ }
3866
+ return (key.indexOf(APP_METADATA) === 0 &&
3867
+ entity.hasOwnProperty("clientId") &&
3868
+ entity.hasOwnProperty("environment"));
3869
+ }
3870
+ /**
3871
+ * Validates an entity: checks for all expected params
3872
+ * @param entity
3873
+ */
3874
+ function isAuthorityMetadataEntity(key, entity) {
3875
+ if (!entity) {
3876
+ return false;
3877
+ }
3878
+ return (key.indexOf(AUTHORITY_METADATA_CACHE_KEY) === 0 &&
3879
+ entity.hasOwnProperty("aliases") &&
3880
+ entity.hasOwnProperty("preferred_cache") &&
3881
+ entity.hasOwnProperty("preferred_network") &&
3882
+ entity.hasOwnProperty("canonical_authority") &&
3883
+ entity.hasOwnProperty("authorization_endpoint") &&
3884
+ entity.hasOwnProperty("token_endpoint") &&
3885
+ entity.hasOwnProperty("issuer") &&
3886
+ entity.hasOwnProperty("aliasesFromNetwork") &&
3887
+ entity.hasOwnProperty("endpointsFromNetwork") &&
3888
+ entity.hasOwnProperty("expiresAt") &&
3889
+ entity.hasOwnProperty("jwks_uri"));
3890
+ }
3891
+ /**
3892
+ * Reset the exiresAt value
3893
+ */
3894
+ function generateAuthorityMetadataExpiresAt() {
3895
+ return (nowSeconds() +
3896
+ AUTHORITY_METADATA_REFRESH_TIME_SECONDS);
3897
+ }
3898
+ function updateAuthorityEndpointMetadata(authorityMetadata, updatedValues, fromNetwork) {
3899
+ authorityMetadata.authorization_endpoint =
3900
+ updatedValues.authorization_endpoint;
3901
+ authorityMetadata.token_endpoint = updatedValues.token_endpoint;
3902
+ authorityMetadata.end_session_endpoint = updatedValues.end_session_endpoint;
3903
+ authorityMetadata.issuer = updatedValues.issuer;
3904
+ authorityMetadata.endpointsFromNetwork = fromNetwork;
3905
+ authorityMetadata.jwks_uri = updatedValues.jwks_uri;
3906
+ }
3907
+ function updateCloudDiscoveryMetadata(authorityMetadata, updatedValues, fromNetwork) {
3908
+ authorityMetadata.aliases = updatedValues.aliases;
3909
+ authorityMetadata.preferred_cache = updatedValues.preferred_cache;
3910
+ authorityMetadata.preferred_network = updatedValues.preferred_network;
3911
+ authorityMetadata.aliasesFromNetwork = fromNetwork;
3912
+ }
3913
+ /**
3914
+ * Returns whether or not the data needs to be refreshed
3915
+ */
3916
+ function isAuthorityMetadataExpired(metadata) {
3917
+ return metadata.expiresAt <= nowSeconds();
3918
+ }
3919
+
3920
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3921
+ /*
3922
+ * Copyright (c) Microsoft Corporation. All rights reserved.
3923
+ * Licensed under the MIT License.
3924
+ */
3925
+ /**
3926
+ * Time spent sending/waiting for the response of a request to the token endpoint
3927
+ */
3928
+ const NetworkClientSendPostRequestAsync = "networkClientSendPostRequestAsync";
3929
+ const RefreshTokenClientExecutePostToTokenEndpoint = "refreshTokenClientExecutePostToTokenEndpoint";
3930
+ const AuthorizationCodeClientExecutePostToTokenEndpoint = "authorizationCodeClientExecutePostToTokenEndpoint";
3931
+ /**
3932
+ * Time spent on the network for refresh token acquisition
3933
+ */
3934
+ const RefreshTokenClientExecuteTokenRequest = "refreshTokenClientExecuteTokenRequest";
3935
+ /**
3936
+ * Time taken for acquiring refresh token , records RT size
3937
+ */
3938
+ const RefreshTokenClientAcquireToken = "refreshTokenClientAcquireToken";
3939
+ /**
3940
+ * Time taken for acquiring cached refresh token
3850
3941
  */
3851
3942
  const RefreshTokenClientAcquireTokenWithCachedRefreshToken = "refreshTokenClientAcquireTokenWithCachedRefreshToken";
3852
3943
  /**
@@ -3897,7 +3988,7 @@ const RegionDiscoveryGetCurrentVersion = "regionDiscoveryGetCurrentVersion";
3897
3988
  const CacheManagerGetRefreshToken = "cacheManagerGetRefreshToken";
3898
3989
  const SetUserData = "setUserData";
3899
3990
 
3900
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3991
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3901
3992
  /*
3902
3993
  * Copyright (c) Microsoft Corporation. All rights reserved.
3903
3994
  * Licensed under the MIT License.
@@ -3990,7 +4081,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
3990
4081
  };
3991
4082
  };
3992
4083
 
3993
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4084
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3994
4085
 
3995
4086
  /*
3996
4087
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4070,293 +4161,213 @@ class PopTokenGenerator {
4070
4161
  }
4071
4162
  }
4072
4163
 
4073
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4164
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4074
4165
  /*
4075
4166
  * Copyright (c) Microsoft Corporation. All rights reserved.
4076
4167
  * Licensed under the MIT License.
4077
4168
  */
4078
4169
  /**
4079
- * This class instance helps track the memory changes facilitating
4080
- * decisions to read from and write to the persistent cache
4081
- */ class TokenCacheContext {
4082
- constructor(tokenCache, hasChanged) {
4083
- this.cache = tokenCache;
4084
- this.hasChanged = hasChanged;
4085
- }
4086
- /**
4087
- * boolean which indicates the changes in cache
4088
- */
4089
- get cacheHasChanged() {
4090
- return this.hasChanged;
4091
- }
4092
- /**
4093
- * function to retrieve the token cache
4094
- */
4095
- get tokenCache() {
4096
- return this.cache;
4097
- }
4098
- }
4099
-
4100
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4101
-
4102
- /*
4103
- * Copyright (c) Microsoft Corporation. All rights reserved.
4104
- * Licensed under the MIT License.
4170
+ * MSAL-defined interaction required error code indicating no tokens are found in cache.
4171
+ * @public
4105
4172
  */
4173
+ const noTokensFound = "no_tokens_found";
4106
4174
  /**
4107
- * Create IdTokenEntity
4108
- * @param homeAccountId
4109
- * @param authenticationResult
4110
- * @param clientId
4111
- * @param authority
4175
+ * MSAL-defined error code indicating a native account is unavailable on the platform.
4176
+ * @public
4112
4177
  */
4113
- function createIdTokenEntity(homeAccountId, environment, idToken, clientId, tenantId) {
4114
- const idTokenEntity = {
4115
- credentialType: CredentialType.ID_TOKEN,
4116
- homeAccountId: homeAccountId,
4117
- environment: environment,
4118
- clientId: clientId,
4119
- secret: idToken,
4120
- realm: tenantId,
4121
- lastUpdatedAt: Date.now().toString(), // Set the last updated time to now
4122
- };
4123
- return idTokenEntity;
4124
- }
4178
+ const nativeAccountUnavailable = "native_account_unavailable";
4125
4179
  /**
4126
- * Create AccessTokenEntity
4127
- * @param homeAccountId
4128
- * @param environment
4129
- * @param accessToken
4130
- * @param clientId
4131
- * @param tenantId
4132
- * @param scopes
4133
- * @param expiresOn
4134
- * @param extExpiresOn
4180
+ * MSAL-defined error code indicating the refresh token has expired and user interaction is needed.
4181
+ * @public
4135
4182
  */
4136
- function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, refreshOn, tokenType, userAssertionHash, keyId) {
4137
- const atEntity = {
4138
- homeAccountId: homeAccountId,
4139
- credentialType: CredentialType.ACCESS_TOKEN,
4140
- secret: accessToken,
4141
- cachedAt: nowSeconds().toString(),
4142
- expiresOn: expiresOn.toString(),
4143
- extendedExpiresOn: extExpiresOn.toString(),
4144
- environment: environment,
4145
- clientId: clientId,
4146
- realm: tenantId,
4147
- target: scopes,
4148
- tokenType: tokenType || AuthenticationScheme.BEARER,
4149
- lastUpdatedAt: Date.now().toString(), // Set the last updated time to now
4150
- };
4151
- if (userAssertionHash) {
4152
- atEntity.userAssertionHash = userAssertionHash;
4153
- }
4154
- if (refreshOn) {
4155
- atEntity.refreshOn = refreshOn.toString();
4156
- }
4157
- /*
4158
- * Create Access Token With Auth Scheme instead of regular access token
4159
- * Cast to lower to handle "bearer" from ADFS
4160
- */
4161
- if (atEntity.tokenType?.toLowerCase() !==
4162
- AuthenticationScheme.BEARER.toLowerCase()) {
4163
- atEntity.credentialType =
4164
- CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME;
4165
- switch (atEntity.tokenType) {
4166
- case AuthenticationScheme.POP:
4167
- // Make sure keyId is present and add it to credential
4168
- const tokenClaims = extractTokenClaims(accessToken, base64Decode);
4169
- if (!tokenClaims?.cnf?.kid) {
4170
- throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt);
4171
- }
4172
- atEntity.keyId = tokenClaims.cnf.kid;
4173
- break;
4174
- case AuthenticationScheme.SSH:
4175
- atEntity.keyId = keyId;
4176
- }
4177
- }
4178
- return atEntity;
4179
- }
4183
+ const refreshTokenExpired = "refresh_token_expired";
4180
4184
  /**
4181
- * Create RefreshTokenEntity
4182
- * @param homeAccountId
4183
- * @param authenticationResult
4184
- * @param clientId
4185
- * @param authority
4185
+ * MSAL-defined error code indicating UI/UX is not allowed (e.g., blocked by policy), requiring alternate interaction.
4186
+ * @public
4186
4187
  */
4187
- function createRefreshTokenEntity(homeAccountId, environment, refreshToken, clientId, familyId, userAssertionHash, expiresOn) {
4188
- const rtEntity = {
4189
- credentialType: CredentialType.REFRESH_TOKEN,
4190
- homeAccountId: homeAccountId,
4191
- environment: environment,
4192
- clientId: clientId,
4193
- secret: refreshToken,
4194
- lastUpdatedAt: Date.now().toString(),
4195
- };
4196
- if (userAssertionHash) {
4197
- rtEntity.userAssertionHash = userAssertionHash;
4198
- }
4199
- if (familyId) {
4200
- rtEntity.familyId = familyId;
4201
- }
4202
- if (expiresOn) {
4203
- rtEntity.expiresOn = expiresOn.toString();
4204
- }
4205
- return rtEntity;
4206
- }
4207
- function isCredentialEntity(entity) {
4208
- return (entity.hasOwnProperty("homeAccountId") &&
4209
- entity.hasOwnProperty("environment") &&
4210
- entity.hasOwnProperty("credentialType") &&
4211
- entity.hasOwnProperty("clientId") &&
4212
- entity.hasOwnProperty("secret"));
4213
- }
4188
+ const uxNotAllowed = "ux_not_allowed";
4214
4189
  /**
4215
- * Validates an entity: checks for all expected params
4216
- * @param entity
4190
+ * Server-originated error code indicating interaction is required to complete the request.
4191
+ * @public
4217
4192
  */
4218
- function isAccessTokenEntity(entity) {
4219
- if (!entity) {
4220
- return false;
4221
- }
4222
- return (isCredentialEntity(entity) &&
4223
- entity.hasOwnProperty("realm") &&
4224
- entity.hasOwnProperty("target") &&
4225
- (entity["credentialType"] === CredentialType.ACCESS_TOKEN ||
4226
- entity["credentialType"] ===
4227
- CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME));
4228
- }
4193
+ const interactionRequired = "interaction_required";
4229
4194
  /**
4230
- * Validates an entity: checks for all expected params
4231
- * @param entity
4195
+ * Server-originated error code indicating user consent is required.
4196
+ * @public
4232
4197
  */
4233
- function isIdTokenEntity(entity) {
4234
- if (!entity) {
4235
- return false;
4236
- }
4237
- return (isCredentialEntity(entity) &&
4238
- entity.hasOwnProperty("realm") &&
4239
- entity["credentialType"] === CredentialType.ID_TOKEN);
4240
- }
4198
+ const consentRequired = "consent_required";
4241
4199
  /**
4242
- * Validates an entity: checks for all expected params
4243
- * @param entity
4200
+ * Server-originated error code indicating user login is required.
4201
+ * @public
4244
4202
  */
4245
- function isRefreshTokenEntity(entity) {
4246
- if (!entity) {
4247
- return false;
4248
- }
4249
- return (isCredentialEntity(entity) &&
4250
- entity["credentialType"] === CredentialType.REFRESH_TOKEN);
4251
- }
4203
+ const loginRequired = "login_required";
4252
4204
  /**
4253
- * validates if a given cache entry is "Telemetry", parses <key,value>
4254
- * @param key
4255
- * @param entity
4205
+ * Server-originated error code indicating the token is invalid or corrupted.
4206
+ * @public
4256
4207
  */
4257
- function isServerTelemetryEntity(key, entity) {
4258
- const validateKey = key.indexOf(SERVER_TELEM_CACHE_KEY) === 0;
4259
- let validateEntity = true;
4260
- if (entity) {
4261
- validateEntity =
4262
- entity.hasOwnProperty("failedRequests") &&
4263
- entity.hasOwnProperty("errors") &&
4264
- entity.hasOwnProperty("cacheHits");
4265
- }
4266
- return validateKey && validateEntity;
4267
- }
4208
+ const badToken = "bad_token";
4268
4209
  /**
4269
- * validates if a given cache entry is "Throttling", parses <key,value>
4270
- * @param key
4271
- * @param entity
4210
+ * Server-originated error code indicating the user is in an interrupted state and interaction is required.
4211
+ * @public
4272
4212
  */
4273
- function isThrottlingEntity(key, entity) {
4274
- let validateKey = false;
4275
- if (key) {
4276
- validateKey = key.indexOf(THROTTLING_PREFIX) === 0;
4277
- }
4278
- let validateEntity = true;
4279
- if (entity) {
4280
- validateEntity = entity.hasOwnProperty("throttleTime");
4213
+ const interruptedUser = "interrupted_user";
4214
+
4215
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4216
+
4217
+ /*
4218
+ * Copyright (c) Microsoft Corporation. All rights reserved.
4219
+ * Licensed under the MIT License.
4220
+ */
4221
+ /**
4222
+ * InteractionRequiredServerErrorMessage contains string constants used by error codes and messages returned by the server indicating interaction is required
4223
+ */
4224
+ const InteractionRequiredServerErrorMessage = [
4225
+ interactionRequired,
4226
+ consentRequired,
4227
+ loginRequired,
4228
+ badToken,
4229
+ uxNotAllowed,
4230
+ interruptedUser,
4231
+ ];
4232
+ const InteractionRequiredAuthSubErrorMessage = [
4233
+ "message_only",
4234
+ "additional_action",
4235
+ "basic_action",
4236
+ "user_password_expired",
4237
+ "consent_required",
4238
+ "bad_token",
4239
+ "ux_not_allowed",
4240
+ "interrupted_user",
4241
+ ];
4242
+ /**
4243
+ * Error thrown when user interaction is required.
4244
+ */
4245
+ class InteractionRequiredAuthError extends AuthError {
4246
+ constructor(errorCode, errorMessage, subError, timestamp, traceId, correlationId, claims, errorNo) {
4247
+ super(errorCode, errorMessage, subError);
4248
+ Object.setPrototypeOf(this, InteractionRequiredAuthError.prototype);
4249
+ this.timestamp = timestamp || "";
4250
+ this.traceId = traceId || "";
4251
+ this.correlationId = correlationId || "";
4252
+ this.claims = claims || "";
4253
+ this.name = "InteractionRequiredAuthError";
4254
+ this.errorNo = errorNo;
4281
4255
  }
4282
- return validateKey && validateEntity;
4283
4256
  }
4284
4257
  /**
4285
- * Generate AppMetadata Cache Key as per the schema: appmetadata-<environment>-<client_id>
4258
+ * Helper function used to determine if an error thrown by the server requires interaction to resolve
4259
+ * @param errorCode
4260
+ * @param errorString
4261
+ * @param subError
4262
+ */
4263
+ function isInteractionRequiredError(errorCode, errorString, subError) {
4264
+ const isInteractionRequiredErrorCode = !!errorCode &&
4265
+ InteractionRequiredServerErrorMessage.indexOf(errorCode) > -1;
4266
+ const isInteractionRequiredSubError = !!subError &&
4267
+ InteractionRequiredAuthSubErrorMessage.indexOf(subError) > -1;
4268
+ const isInteractionRequiredErrorDesc = !!errorString &&
4269
+ InteractionRequiredServerErrorMessage.some((irErrorCode) => {
4270
+ return errorString.indexOf(irErrorCode) > -1;
4271
+ });
4272
+ return (isInteractionRequiredErrorCode ||
4273
+ isInteractionRequiredErrorDesc ||
4274
+ isInteractionRequiredSubError);
4275
+ }
4276
+ /**
4277
+ * Creates an InteractionRequiredAuthError
4286
4278
  */
4287
- function generateAppMetadataKey({ environment, clientId, }) {
4288
- const appMetaDataKeyArray = [
4289
- APP_METADATA,
4290
- environment,
4291
- clientId,
4292
- ];
4293
- return appMetaDataKeyArray
4294
- .join(CACHE_KEY_SEPARATOR$1)
4295
- .toLowerCase();
4296
- }
4279
+ function createInteractionRequiredAuthError(errorCode, errorMessage) {
4280
+ return new InteractionRequiredAuthError(errorCode, errorMessage);
4281
+ }
4282
+
4283
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4284
+
4297
4285
  /*
4298
- * Validates an entity: checks for all expected params
4299
- * @param entity
4286
+ * Copyright (c) Microsoft Corporation. All rights reserved.
4287
+ * Licensed under the MIT License.
4300
4288
  */
4301
- function isAppMetadataEntity(key, entity) {
4302
- if (!entity) {
4303
- return false;
4304
- }
4305
- return (key.indexOf(APP_METADATA) === 0 &&
4306
- entity.hasOwnProperty("clientId") &&
4307
- entity.hasOwnProperty("environment"));
4308
- }
4309
4289
  /**
4310
- * Validates an entity: checks for all expected params
4311
- * @param entity
4290
+ * Error thrown when there is an error with the server code, for example, unavailability.
4312
4291
  */
4313
- function isAuthorityMetadataEntity(key, entity) {
4314
- if (!entity) {
4315
- return false;
4292
+ class ServerError extends AuthError {
4293
+ constructor(errorCode, errorMessage, subError, errorNo, status) {
4294
+ super(errorCode, errorMessage, subError);
4295
+ this.name = "ServerError";
4296
+ this.errorNo = errorNo;
4297
+ this.status = status;
4298
+ Object.setPrototypeOf(this, ServerError.prototype);
4316
4299
  }
4317
- return (key.indexOf(AUTHORITY_METADATA_CACHE_KEY) === 0 &&
4318
- entity.hasOwnProperty("aliases") &&
4319
- entity.hasOwnProperty("preferred_cache") &&
4320
- entity.hasOwnProperty("preferred_network") &&
4321
- entity.hasOwnProperty("canonical_authority") &&
4322
- entity.hasOwnProperty("authorization_endpoint") &&
4323
- entity.hasOwnProperty("token_endpoint") &&
4324
- entity.hasOwnProperty("issuer") &&
4325
- entity.hasOwnProperty("aliasesFromNetwork") &&
4326
- entity.hasOwnProperty("endpointsFromNetwork") &&
4327
- entity.hasOwnProperty("expiresAt") &&
4328
- entity.hasOwnProperty("jwks_uri"));
4329
- }
4300
+ }
4301
+
4302
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4303
+
4304
+ /*
4305
+ * Copyright (c) Microsoft Corporation. All rights reserved.
4306
+ * Licensed under the MIT License.
4307
+ */
4330
4308
  /**
4331
- * Reset the exiresAt value
4309
+ * Appends user state with random guid, or returns random guid.
4310
+ * @param cryptoObj
4311
+ * @param userState
4312
+ * @param meta
4332
4313
  */
4333
- function generateAuthorityMetadataExpiresAt() {
4334
- return (nowSeconds() +
4335
- AUTHORITY_METADATA_REFRESH_TIME_SECONDS);
4336
- }
4337
- function updateAuthorityEndpointMetadata(authorityMetadata, updatedValues, fromNetwork) {
4338
- authorityMetadata.authorization_endpoint =
4339
- updatedValues.authorization_endpoint;
4340
- authorityMetadata.token_endpoint = updatedValues.token_endpoint;
4341
- authorityMetadata.end_session_endpoint = updatedValues.end_session_endpoint;
4342
- authorityMetadata.issuer = updatedValues.issuer;
4343
- authorityMetadata.endpointsFromNetwork = fromNetwork;
4344
- authorityMetadata.jwks_uri = updatedValues.jwks_uri;
4314
+ function setRequestState(cryptoObj, userState, meta) {
4315
+ const libraryState = generateLibraryState(cryptoObj, meta);
4316
+ return userState
4317
+ ? `${libraryState}${RESOURCE_DELIM}${userState}`
4318
+ : libraryState;
4345
4319
  }
4346
- function updateCloudDiscoveryMetadata(authorityMetadata, updatedValues, fromNetwork) {
4347
- authorityMetadata.aliases = updatedValues.aliases;
4348
- authorityMetadata.preferred_cache = updatedValues.preferred_cache;
4349
- authorityMetadata.preferred_network = updatedValues.preferred_network;
4350
- authorityMetadata.aliasesFromNetwork = fromNetwork;
4320
+ /**
4321
+ * Generates the state value used by the common library.
4322
+ * @param cryptoObj
4323
+ * @param meta
4324
+ */
4325
+ function generateLibraryState(cryptoObj, meta) {
4326
+ if (!cryptoObj) {
4327
+ throw createClientAuthError(noCryptoObject);
4328
+ }
4329
+ // Create a state object containing a unique id and the timestamp of the request creation
4330
+ const stateObj = {
4331
+ id: cryptoObj.createNewGuid(),
4332
+ };
4333
+ if (meta) {
4334
+ stateObj.meta = meta;
4335
+ }
4336
+ const stateString = JSON.stringify(stateObj);
4337
+ return cryptoObj.base64Encode(stateString);
4351
4338
  }
4352
4339
  /**
4353
- * Returns whether or not the data needs to be refreshed
4340
+ * Parses the state into the RequestStateObject, which contains the LibraryState info and the state passed by the user.
4341
+ * @param base64Decode
4342
+ * @param state
4354
4343
  */
4355
- function isAuthorityMetadataExpired(metadata) {
4356
- return metadata.expiresAt <= nowSeconds();
4344
+ function parseRequestState(base64Decode, state) {
4345
+ if (!base64Decode) {
4346
+ throw createClientAuthError(noCryptoObject);
4347
+ }
4348
+ if (!state) {
4349
+ throw createClientAuthError(invalidState);
4350
+ }
4351
+ try {
4352
+ // Split the state between library state and user passed state and decode them separately
4353
+ const splitState = state.split(RESOURCE_DELIM);
4354
+ const libraryState = splitState[0];
4355
+ const userState = splitState.length > 1
4356
+ ? splitState.slice(1).join(RESOURCE_DELIM)
4357
+ : "";
4358
+ const libraryStateString = base64Decode(libraryState);
4359
+ const libraryStateObj = JSON.parse(libraryStateString);
4360
+ return {
4361
+ userRequestState: userState || "",
4362
+ libraryState: libraryStateObj,
4363
+ };
4364
+ }
4365
+ catch (e) {
4366
+ throw createClientAuthError(invalidState);
4367
+ }
4357
4368
  }
4358
4369
 
4359
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4370
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4360
4371
 
4361
4372
  /*
4362
4373
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4512,7 +4523,7 @@ class ResponseHandler {
4512
4523
  if (serverTokenResponse.id_token && !!idTokenClaims) {
4513
4524
  cachedIdToken = createIdTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.id_token, this.clientId, claimsTenantId || "");
4514
4525
  cachedAccount = buildAccountToCache(this.cacheStorage, authority, this.homeAccountIdentifier, this.cryptoObj.base64Decode, request.correlationId, idTokenClaims, serverTokenResponse.client_info, env, claimsTenantId, authCodePayload, undefined, // nativeAccountId
4515
- this.logger);
4526
+ this.logger, this.performanceClient);
4516
4527
  }
4517
4528
  // AccessToken
4518
4529
  let cachedAccessToken = null;
@@ -4663,17 +4674,24 @@ class ResponseHandler {
4663
4674
  };
4664
4675
  }
4665
4676
  }
4666
- function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, environment, claimsTenantId, authCodePayload, nativeAccountId, logger) {
4677
+ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, environment, claimsTenantId, authCodePayload, nativeAccountId, logger, performanceClient) {
4667
4678
  logger?.verbose("09jz0t", correlationId);
4668
- // Check if base account is already cached
4669
- const accountKeys = cacheStorage.getAccountKeys();
4670
- const baseAccountKey = accountKeys.find((accountKey) => {
4671
- return accountKey.startsWith(homeAccountId);
4672
- });
4673
- let cachedAccount = null;
4674
- if (baseAccountKey) {
4675
- cachedAccount = cacheStorage.getAccount(baseAccountKey, correlationId);
4679
+ /*
4680
+ * Check if base account is already cached. Filter by homeAccountId (identifies
4681
+ * the user's home identity) and environment (identifies the cloud) the two
4682
+ * tenant-agnostic properties that uniquely locate a base AccountEntity.
4683
+ */
4684
+ const accountEnvironment = environment || authority.getPreferredCache();
4685
+ const matchedAccounts = cacheStorage.getAccountsFilteredBy({ homeAccountId, environment: accountEnvironment }, correlationId);
4686
+ performanceClient?.addFields({ cacheMatchedAccounts: matchedAccounts.length }, correlationId);
4687
+ if (matchedAccounts.length > 1) {
4688
+ /*
4689
+ * Base accounts are expected to be unique for a given homeAccountId in normal cache usage.
4690
+ * If multiple matches exist, ignore the cache hit rather than arbitrarily choosing one.
4691
+ */
4692
+ logger?.warning("0x7ad1", correlationId);
4676
4693
  }
4694
+ const cachedAccount = matchedAccounts.length === 1 ? matchedAccounts[0] : null;
4677
4695
  const baseAccount = cachedAccount ||
4678
4696
  createAccountEntity({
4679
4697
  homeAccountId,
@@ -4697,7 +4715,7 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
4697
4715
  return baseAccount;
4698
4716
  }
4699
4717
 
4700
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4718
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4701
4719
  /*
4702
4720
  * Copyright (c) Microsoft Corporation. All rights reserved.
4703
4721
  * Licensed under the MIT License.
@@ -4707,7 +4725,7 @@ const CcsCredentialType = {
4707
4725
  UPN: "UPN",
4708
4726
  };
4709
4727
 
4710
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4728
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4711
4729
  /*
4712
4730
  * Copyright (c) Microsoft Corporation. All rights reserved.
4713
4731
  * Licensed under the MIT License.
@@ -4725,7 +4743,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
4725
4743
  }
4726
4744
  }
4727
4745
 
4728
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4746
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4729
4747
  /*
4730
4748
  * Copyright (c) Microsoft Corporation. All rights reserved.
4731
4749
  * Licensed under the MIT License.
@@ -4746,7 +4764,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
4746
4764
  };
4747
4765
  }
4748
4766
 
4749
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4767
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4750
4768
 
4751
4769
  /*
4752
4770
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4832,7 +4850,7 @@ class ThrottlingUtils {
4832
4850
  }
4833
4851
  }
4834
4852
 
4835
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4853
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4836
4854
 
4837
4855
  /*
4838
4856
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4863,7 +4881,7 @@ function createNetworkError(error, httpStatus, responseHeaders, additionalError)
4863
4881
  return new NetworkError(error, httpStatus, responseHeaders);
4864
4882
  }
4865
4883
 
4866
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4884
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4867
4885
 
4868
4886
  /*
4869
4887
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4977,7 +4995,7 @@ async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId
4977
4995
  return response;
4978
4996
  }
4979
4997
 
4980
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4998
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4981
4999
  /*
4982
5000
  * Copyright (c) Microsoft Corporation. All rights reserved.
4983
5001
  * Licensed under the MIT License.
@@ -4989,7 +5007,7 @@ function isOpenIdConfigResponse(response) {
4989
5007
  response.hasOwnProperty("jwks_uri"));
4990
5008
  }
4991
5009
 
4992
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5010
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4993
5011
  /*
4994
5012
  * Copyright (c) Microsoft Corporation. All rights reserved.
4995
5013
  * Licensed under the MIT License.
@@ -4999,7 +5017,7 @@ function isCloudInstanceDiscoveryResponse(response) {
4999
5017
  response.hasOwnProperty("metadata"));
5000
5018
  }
5001
5019
 
5002
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5020
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
5003
5021
  /*
5004
5022
  * Copyright (c) Microsoft Corporation. All rights reserved.
5005
5023
  * Licensed under the MIT License.
@@ -5009,7 +5027,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
5009
5027
  response.hasOwnProperty("error_description"));
5010
5028
  }
5011
5029
 
5012
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5030
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
5013
5031
 
5014
5032
  /*
5015
5033
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5114,7 +5132,7 @@ RegionDiscovery.IMDS_OPTIONS = {
5114
5132
  },
5115
5133
  };
5116
5134
 
5117
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5135
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
5118
5136
 
5119
5137
  /*
5120
5138
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5934,7 +5952,7 @@ function buildStaticAuthorityOptions(authOptions) {
5934
5952
  };
5935
5953
  }
5936
5954
 
5937
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5955
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
5938
5956
 
5939
5957
  /*
5940
5958
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5968,7 +5986,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
5968
5986
  }
5969
5987
  }
5970
5988
 
5971
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5989
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
5972
5990
 
5973
5991
  /*
5974
5992
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6133,11 +6151,6 @@ class AuthorizationCodeClient {
6133
6151
  throw createClientConfigurationError(missingSshJwk);
6134
6152
  }
6135
6153
  }
6136
- if (!StringUtils.isEmptyObj(request.claims) ||
6137
- (this.config.authOptions.clientCapabilities &&
6138
- this.config.authOptions.clientCapabilities.length > 0)) {
6139
- addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
6140
- }
6141
6154
  let ccsCred = undefined;
6142
6155
  if (request.clientInfo) {
6143
6156
  try {
@@ -6186,6 +6199,7 @@ class AuthorizationCodeClient {
6186
6199
  });
6187
6200
  }
6188
6201
  instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6202
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
6189
6203
  return mapToQueryString(parameters);
6190
6204
  }
6191
6205
  /**
@@ -6229,7 +6243,7 @@ class AuthorizationCodeClient {
6229
6243
  }
6230
6244
  }
6231
6245
 
6232
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6246
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6233
6247
 
6234
6248
  /*
6235
6249
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6419,11 +6433,6 @@ class RefreshTokenClient {
6419
6433
  throw createClientConfigurationError(missingSshJwk);
6420
6434
  }
6421
6435
  }
6422
- if (!StringUtils.isEmptyObj(request.claims) ||
6423
- (this.config.authOptions.clientCapabilities &&
6424
- this.config.authOptions.clientCapabilities.length > 0)) {
6425
- addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
6426
- }
6427
6436
  if (this.config.systemOptions.preventCorsPreflight &&
6428
6437
  request.ccsCredential) {
6429
6438
  switch (request.ccsCredential.type) {
@@ -6450,11 +6459,12 @@ class RefreshTokenClient {
6450
6459
  });
6451
6460
  }
6452
6461
  instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6462
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
6453
6463
  return mapToQueryString(parameters);
6454
6464
  }
6455
6465
  }
6456
6466
 
6457
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6467
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6458
6468
 
6459
6469
  /*
6460
6470
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6570,7 +6580,7 @@ class SilentFlowClient {
6570
6580
  }
6571
6581
  }
6572
6582
 
6573
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6583
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6574
6584
 
6575
6585
  /*
6576
6586
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6585,7 +6595,7 @@ const StubbedNetworkModule = {
6585
6595
  },
6586
6596
  };
6587
6597
 
6588
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6598
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6589
6599
 
6590
6600
  /*
6591
6601
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6709,14 +6719,10 @@ function getStandardAuthorizeRequestParameters(authOptions, request, logger, per
6709
6719
  if (request.state) {
6710
6720
  addState(parameters, request.state);
6711
6721
  }
6712
- if (request.claims ||
6713
- (authOptions.clientCapabilities &&
6714
- authOptions.clientCapabilities.length > 0)) {
6715
- addClaims(parameters, request.claims, authOptions.clientCapabilities);
6716
- }
6717
6722
  if (request.embeddedClientId) {
6718
6723
  addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
6719
6724
  }
6725
+ addClaims(parameters, request.claims, authOptions.clientCapabilities, request.skipBrokerClaims);
6720
6726
  // If extraQueryParameters includes instance_aware its value will be added when extraQueryParameters are added
6721
6727
  if (authOptions.instanceAware &&
6722
6728
  (!request.extraQueryParameters ||
@@ -6812,7 +6818,7 @@ function extractLoginHint(account) {
6812
6818
  return account.loginHint || account.idTokenClaims?.login_hint || null;
6813
6819
  }
6814
6820
 
6815
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6821
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6816
6822
 
6817
6823
  /*
6818
6824
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6845,7 +6851,7 @@ function containsResourceParam(params) {
6845
6851
  return Object.prototype.hasOwnProperty.call(params, "resource");
6846
6852
  }
6847
6853
 
6848
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6854
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6849
6855
  /*
6850
6856
  * Copyright (c) Microsoft Corporation. All rights reserved.
6851
6857
  * Licensed under the MIT License.
@@ -6855,7 +6861,7 @@ function containsResourceParam(params) {
6855
6861
  */
6856
6862
  const unexpectedError = "unexpected_error";
6857
6863
 
6858
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6864
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6859
6865
 
6860
6866
  /*
6861
6867
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7116,7 +7122,7 @@ class ServerTelemetryManager {
7116
7122
  }
7117
7123
  }
7118
7124
 
7119
- /*! @azure/msal-common v16.4.0 2026-03-27 */
7125
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
7120
7126
 
7121
7127
  /*
7122
7128
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7137,7 +7143,7 @@ function createJoseHeaderError(code) {
7137
7143
  return new JoseHeaderError(code);
7138
7144
  }
7139
7145
 
7140
- /*! @azure/msal-common v16.4.0 2026-03-27 */
7146
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
7141
7147
  /*
7142
7148
  * Copyright (c) Microsoft Corporation. All rights reserved.
7143
7149
  * Licensed under the MIT License.
@@ -7145,7 +7151,7 @@ function createJoseHeaderError(code) {
7145
7151
  const missingKidError = "missing_kid_error";
7146
7152
  const missingAlgError = "missing_alg_error";
7147
7153
 
7148
- /*! @azure/msal-common v16.4.0 2026-03-27 */
7154
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
7149
7155
 
7150
7156
  /*
7151
7157
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7580,7 +7586,7 @@ function ensureArgumentIsJSONString(argName, argValue, correlationId) {
7580
7586
 
7581
7587
  /* eslint-disable header/header */
7582
7588
  const name = "@azure/msal-browser";
7583
- const version = "5.6.2";
7589
+ const version = "5.7.0";
7584
7590
 
7585
7591
  /*
7586
7592
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8136,6 +8142,7 @@ const StandardInteractionClientGetDiscoveredAuthority = "standardInteractionClie
8136
8142
  * Used to acquire a token from Native component when native brokering is enabled.
8137
8143
  */
8138
8144
  const NativeInteractionClientAcquireToken = "nativeInteractionClientAcquireToken";
8145
+ const NativeInteractionClientAcquireTokenRedirect = "nativeInteractionClientAcquireToken";
8139
8146
  /**
8140
8147
  * acquireTokenByRefreshToken API in RefreshTokenClient (msal-common).
8141
8148
  */
@@ -8200,7 +8207,12 @@ const UrlEncodeArr = "urlEncodeArr";
8200
8207
  const Encrypt = "encrypt";
8201
8208
  const Decrypt = "decrypt";
8202
8209
  const GenerateEarKey = "generateEarKey";
8203
- const DecryptEarResponse = "decryptEarResponse";
8210
+ const DecryptEarResponse = "decryptEarResponse";
8211
+ /**
8212
+ * Background telemetry measurement that tracks whether a late bridge response
8213
+ * arrives after the iframe timeout has already fired.
8214
+ */
8215
+ const WaitForBridgeLateResponse = "waitForBridgeLateResponse";
8204
8216
 
8205
8217
  /*
8206
8218
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -9008,20 +9020,35 @@ function cancelPendingBridgeResponse(logger, correlationId) {
9008
9020
  activeBridgeMonitor = null;
9009
9021
  }
9010
9022
  }
9011
- async function waitForBridgeResponse(timeoutMs, logger, browserCrypto, request, performanceClient) {
9023
+ async function waitForBridgeResponse(timeoutMs, logger, browserCrypto, request, performanceClient, experimentalConfig) {
9012
9024
  return new Promise((resolve, reject) => {
9013
9025
  logger.verbose("1rf6em", request.correlationId);
9014
9026
  const correlationId = request.correlationId;
9015
9027
  performanceClient.addFields({
9016
9028
  redirectBridgeTimeoutMs: timeoutMs,
9029
+ lateResponseExperimentEnabled: experimentalConfig?.iframeTimeoutTelemetry || false,
9017
9030
  }, correlationId);
9018
9031
  const { libraryState } = parseRequestState(browserCrypto.base64Decode, request.state || "");
9019
9032
  const channel = new BroadcastChannel(libraryState.id);
9020
9033
  let responseString = undefined;
9034
+ let timedOut$1 = false;
9035
+ let lateTimeoutId;
9036
+ let lateMeasurement;
9021
9037
  const timeoutId = window.setTimeout(() => {
9022
9038
  // Clear the active monitor
9023
9039
  activeBridgeMonitor = null;
9024
- channel.close();
9040
+ if (experimentalConfig?.iframeTimeoutTelemetry) {
9041
+ lateMeasurement = performanceClient.startMeasurement(WaitForBridgeLateResponse, correlationId);
9042
+ timedOut$1 = true;
9043
+ lateTimeoutId = window.setTimeout(() => {
9044
+ lateMeasurement?.end({ success: false });
9045
+ clearTimeout(lateTimeoutId);
9046
+ channel.close();
9047
+ }, 60000); // 60s late response timeout to allow for telemetry of late responses
9048
+ }
9049
+ else {
9050
+ channel.close();
9051
+ }
9025
9052
  reject(createBrowserAuthError(timedOut, "redirect_bridge_timeout"));
9026
9053
  }, timeoutMs);
9027
9054
  // Track this monitor so it can be cancelled if needed
@@ -9035,6 +9062,14 @@ async function waitForBridgeResponse(timeoutMs, logger, browserCrypto, request,
9035
9062
  const messageVersion = event?.data && typeof event.data.v === "number"
9036
9063
  ? event.data.v
9037
9064
  : undefined;
9065
+ if (timedOut$1) {
9066
+ lateMeasurement?.end({
9067
+ success: responseString ? true : false,
9068
+ });
9069
+ clearTimeout(lateTimeoutId);
9070
+ channel.close();
9071
+ return;
9072
+ }
9038
9073
  performanceClient.addFields({
9039
9074
  redirectBridgeMessageVersion: messageVersion,
9040
9075
  }, correlationId);
@@ -14154,7 +14189,12 @@ const SsoSilent = "ssoSilent";
14154
14189
  // Initialize client application
14155
14190
  const InitializeClientApplication = "initializeClientApplication";
14156
14191
  // Update cache storage
14157
- const LocalStorageUpdated = "localStorageUpdated";
14192
+ const LocalStorageUpdated = "localStorageUpdated";
14193
+ /**
14194
+ * SSO capability verification call (msal-browser).
14195
+ * Fire-and-forget SSO verification call made after interactive authentication completes.
14196
+ */
14197
+ const SsoCapable = "ssoCapable";
14158
14198
 
14159
14199
  /*
14160
14200
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -14171,6 +14211,7 @@ const PLATFORM_AUTH_DOM_SUPPORT = `${PREFIX}.${BROWSER_PREFIX}.platform.auth.dom
14171
14211
  const VERSION_CACHE_KEY = `${PREFIX}.version`;
14172
14212
  const ACCOUNT_KEYS = "account.keys";
14173
14213
  const TOKEN_KEYS = "token.keys";
14214
+ const SSO_CAPABLE = `${PREFIX}.${BROWSER_PREFIX}.sso.capable`;
14174
14215
  function getAccountKeysCacheKey(schema = ACCOUNT_SCHEMA_VERSION) {
14175
14216
  if (schema < 1) {
14176
14217
  return `${PREFIX}.${ACCOUNT_KEYS}`;
@@ -16356,7 +16397,6 @@ const userSwitch = "user_switch";
16356
16397
  const USER_INTERACTION_REQUIRED = "USER_INTERACTION_REQUIRED";
16357
16398
  const USER_CANCEL = "USER_CANCEL";
16358
16399
  const NO_NETWORK = "NO_NETWORK";
16359
- const PERSISTENT_ERROR = "PERSISTENT_ERROR";
16360
16400
  const DISABLED = "DISABLED";
16361
16401
  const ACCOUNT_UNAVAILABLE = "ACCOUNT_UNAVAILABLE";
16362
16402
  const UX_NOT_ALLOWED = "UX_NOT_ALLOWED";
@@ -16380,8 +16420,7 @@ class NativeAuthError extends AuthError {
16380
16420
  function isFatalNativeAuthError(error) {
16381
16421
  if (error.ext &&
16382
16422
  error.ext.status &&
16383
- (error.ext.status === PERSISTENT_ERROR ||
16384
- error.ext.status === DISABLED)) {
16423
+ error.ext.status === DISABLED) {
16385
16424
  return true;
16386
16425
  }
16387
16426
  if (error.ext &&
@@ -16507,12 +16546,12 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16507
16546
  async acquireToken(request, cacheLookupPolicy) {
16508
16547
  this.logger.trace("03qeos", this.correlationId);
16509
16548
  // start the perf measurement
16510
- const nativeATMeasurement = this.performanceClient.startMeasurement(NativeInteractionClientAcquireToken, request.correlationId);
16549
+ const nativeATMeasurement = this.performanceClient.startMeasurement(NativeInteractionClientAcquireToken, this.correlationId);
16511
16550
  const reqTimestamp = nowSeconds();
16512
16551
  const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
16513
16552
  try {
16514
16553
  // initialize native request
16515
- const nativeRequest = await this.initializeNativeRequest(request);
16554
+ const nativeRequest = await this.initializePlatformRequest(request);
16516
16555
  // check if the tokens can be retrieved from internal cache
16517
16556
  try {
16518
16557
  const result = await this.acquireTokensFromCache(this.accountId, nativeRequest);
@@ -16526,6 +16565,10 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16526
16565
  catch (e) {
16527
16566
  if (cacheLookupPolicy === CacheLookupPolicy.AccessToken) {
16528
16567
  this.logger.info("0eitbc", this.correlationId);
16568
+ nativeATMeasurement.end({
16569
+ success: false,
16570
+ brokerErrorCode: "cache_request_failed",
16571
+ });
16529
16572
  throw e;
16530
16573
  }
16531
16574
  // continue with a native call for any and all errors
@@ -16547,7 +16590,6 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16547
16590
  success: false,
16548
16591
  errorCode: error.errorCode,
16549
16592
  subErrorCode: error.subError,
16550
- isNativeBroker: true,
16551
16593
  });
16552
16594
  throw error;
16553
16595
  });
@@ -16556,6 +16598,9 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16556
16598
  if (e instanceof NativeAuthError) {
16557
16599
  serverTelemetryManager.setNativeBrokerErrorCode(e.errorCode);
16558
16600
  }
16601
+ nativeATMeasurement.end({
16602
+ success: false,
16603
+ });
16559
16604
  throw e;
16560
16605
  }
16561
16606
  }
@@ -16588,7 +16633,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16588
16633
  // fetch the account from browser cache
16589
16634
  const account = this.browserStorage.getBaseAccountInfo({
16590
16635
  nativeAccountId,
16591
- }, request.correlationId);
16636
+ }, this.correlationId);
16592
16637
  if (!account) {
16593
16638
  throw createClientAuthError(noAccountFound);
16594
16639
  }
@@ -16618,7 +16663,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16618
16663
  */
16619
16664
  async acquireTokenRedirect(request, rootMeasurement, options) {
16620
16665
  this.logger.trace("0luikq", this.correlationId);
16621
- const nativeRequest = await this.initializeNativeRequest(request);
16666
+ const nativeRequest = await this.initializePlatformRequest(request);
16622
16667
  const navigateToLoginRequestUrl = options?.navigateToLoginRequestUrl ?? true;
16623
16668
  try {
16624
16669
  await this.platformAuthProvider.sendMessage(nativeRequest);
@@ -16650,7 +16695,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16650
16695
  * @param performanceClient {IPerformanceClient?}
16651
16696
  * @param correlationId {string?} correlation identifier
16652
16697
  */
16653
- async handleRedirectPromise(performanceClient, correlationId) {
16698
+ async handleRedirectPromise() {
16654
16699
  this.logger.trace("1c5lhw", this.correlationId);
16655
16700
  if (!this.browserStorage.isInteractionInProgress(true)) {
16656
16701
  this.logger.info("0le6uv", this.correlationId);
@@ -16660,9 +16705,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16660
16705
  const cachedRequest = this.browserStorage.getCachedNativeRequest();
16661
16706
  if (!cachedRequest) {
16662
16707
  this.logger.verbose("0a6zjb", this.correlationId);
16663
- if (performanceClient && correlationId) {
16664
- performanceClient?.addFields({ errorCode: "no_cached_request" }, correlationId);
16665
- }
16708
+ this.performanceClient?.addFields({ errorCode: "no_cached_request" }, this.correlationId);
16666
16709
  return null;
16667
16710
  }
16668
16711
  const { prompt, ...request } = cachedRequest;
@@ -16677,6 +16720,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16677
16720
  const authResult = await this.handleNativeResponse(response, request, reqTimestamp);
16678
16721
  const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
16679
16722
  serverTelemetryManager.clearNativeBrokerErrorCode();
16723
+ this.performanceClient?.addFields({ isNativeBroker: true }, this.correlationId);
16680
16724
  return authResult;
16681
16725
  }
16682
16726
  catch (e) {
@@ -16717,9 +16761,9 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16717
16761
  }
16718
16762
  // Get the preferred_cache domain for the given authority
16719
16763
  const authority = await getDiscoveredAuthority(this.config, this.correlationId, this.performanceClient, this.browserStorage, this.logger, request.authority);
16720
- const baseAccount = buildAccountToCache(this.browserStorage, authority, homeAccountIdentifier, base64Decode, this.correlationId, idTokenClaims, response.client_info, undefined, // environment
16764
+ const baseAccount = buildAccountToCache(this.browserStorage, authority, homeAccountIdentifier, base64Decode, this.correlationId, idTokenClaims, response.client_info, authority.getPreferredCache(), // environment
16721
16765
  idTokenClaims.tid, undefined, // auth code payload
16722
- response.account.id);
16766
+ response.account.id, this.logger, this.performanceClient);
16723
16767
  // Ensure expires_in is in number format
16724
16768
  response.expires_in = Number(response.expires_in);
16725
16769
  // generate authenticationResult
@@ -16945,15 +16989,23 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
16945
16989
  * Translates developer provided request object into NativeRequest object
16946
16990
  * @param request
16947
16991
  */
16948
- async initializeNativeRequest(request) {
16949
- this.logger.trace("04j6wj", this.correlationId);
16992
+ async initializePlatformRequest(request) {
16993
+ this.logger.trace("1xdm2a", this.correlationId);
16950
16994
  const canonicalAuthority = await this.getCanonicalAuthority(request);
16995
+ // ignore config claims if skipBrokerClaims is set to true and this is a brokered authentication flow
16996
+ const configClaims = request.skipBrokerClaims && !!request.embeddedClientId
16997
+ ? undefined
16998
+ : this.config.auth.clientCapabilities;
16951
16999
  // scopes are expected to be received by the native broker as "scope" and will be added to the request below. Other properties that should be dropped from the request to the native broker can be included in the object destructuring here.
16952
- const { scopes, ...remainingProperties } = request;
17000
+ const { scopes, claims, ...remainingProperties } = request;
16953
17001
  const scopeSet = new ScopeSet(scopes || []);
16954
17002
  scopeSet.appendScopes(OIDC_DEFAULT_SCOPES);
17003
+ const mergedClaims = configClaims && configClaims.length
17004
+ ? addClientCapabilitiesToClaims(claims, configClaims)
17005
+ : claims;
16955
17006
  const validatedRequest = {
16956
17007
  ...remainingProperties,
17008
+ claims: mergedClaims,
16957
17009
  accountId: this.accountId,
16958
17010
  clientId: this.config.auth.clientId,
16959
17011
  authority: canonicalAuthority.urlString,
@@ -17023,12 +17075,12 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
17023
17075
  switch (this.apiId) {
17024
17076
  case ApiId.ssoSilent:
17025
17077
  case ApiId.acquireTokenSilent_silentFlow:
17026
- this.logger.trace("1hiwaz", this.correlationId);
17078
+ this.logger.trace("12n1y2", this.correlationId);
17027
17079
  return PromptValue.NONE;
17028
17080
  }
17029
17081
  // Prompt not provided, request may proceed and native broker decides if it needs to prompt
17030
17082
  if (!prompt) {
17031
- this.logger.trace("1qlu04", this.correlationId);
17083
+ this.logger.trace("0uid1p", this.correlationId);
17032
17084
  return undefined;
17033
17085
  }
17034
17086
  // If request is interactive, check if prompt provided is allowed to go directly to native broker
@@ -17036,10 +17088,10 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
17036
17088
  case PromptValue.NONE:
17037
17089
  case PromptValue.CONSENT:
17038
17090
  case PromptValue.LOGIN:
17039
- this.logger.trace("1ynje4", this.correlationId);
17091
+ this.logger.trace("0i0hco", this.correlationId);
17040
17092
  return prompt;
17041
17093
  default:
17042
- this.logger.trace("0nkr6q", this.correlationId);
17094
+ this.logger.trace("0w3tpw", this.correlationId);
17043
17095
  throw createBrowserAuthError(nativePromptNotSupported);
17044
17096
  }
17045
17097
  }
@@ -17075,7 +17127,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
17075
17127
  this.performanceClient?.addFields({
17076
17128
  embeddedClientId: child_client_id,
17077
17129
  embeddedRedirectUri: child_redirect_uri,
17078
- }, request.correlationId);
17130
+ }, this.correlationId);
17079
17131
  }
17080
17132
  }
17081
17133
 
@@ -17162,6 +17214,10 @@ async function getStandardParameters(config, authority, request, logger, perform
17162
17214
  if (request.platformBroker) {
17163
17215
  // signal ests that this is a WAM call
17164
17216
  addNativeBroker(parameters);
17217
+ // instrument JS-platform bridge specific fields
17218
+ performanceClient.addFields({
17219
+ isPlatformAuthorizeRequest: true,
17220
+ }, request.correlationId);
17165
17221
  // pass the req_cnf for POP
17166
17222
  if (request.authenticationScheme === AuthenticationScheme.POP) {
17167
17223
  const cryptoOps = new CryptoOps(logger, performanceClient);
@@ -17604,7 +17660,7 @@ const DEFAULT_NATIVE_BROKER_HANDSHAKE_TIMEOUT_MS = 2000;
17604
17660
  *
17605
17661
  * @returns Configuration object
17606
17662
  */
17607
- function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system: userInputSystem, telemetry: userInputTelemetry, }, isBrowserEnvironment) {
17663
+ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system: userInputSystem, experimental: userInputExperimental, telemetry: userInputTelemetry, }, isBrowserEnvironment) {
17608
17664
  // Default auth options for browser
17609
17665
  const DEFAULT_AUTH_OPTIONS = {
17610
17666
  clientId: "",
@@ -17631,6 +17687,7 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
17631
17687
  },
17632
17688
  instanceAware: false,
17633
17689
  isMcp: false,
17690
+ verifySSO: false,
17634
17691
  };
17635
17692
  // Default cache options for browser
17636
17693
  const DEFAULT_CACHE_OPTIONS = {
@@ -17676,6 +17733,9 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
17676
17733
  },
17677
17734
  client: new StubPerformanceClient(),
17678
17735
  };
17736
+ const DEFAULT_EXPERIMENTAL_OPTIONS = {
17737
+ iframeTimeoutTelemetry: false,
17738
+ };
17679
17739
  // Throw an error if user has set OIDCOptions without being in OIDC protocol mode
17680
17740
  if (userInputSystem?.protocolMode !== ProtocolMode.OIDC &&
17681
17741
  userInputAuth?.OIDCOptions) {
@@ -17699,6 +17759,10 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
17699
17759
  },
17700
17760
  cache: { ...DEFAULT_CACHE_OPTIONS, ...userInputCache },
17701
17761
  system: providedSystemOptions,
17762
+ experimental: {
17763
+ ...DEFAULT_EXPERIMENTAL_OPTIONS,
17764
+ ...userInputExperimental,
17765
+ },
17702
17766
  telemetry: { ...DEFAULT_TELEMETRY_OPTIONS, ...userInputTelemetry },
17703
17767
  };
17704
17768
  return overlayedConfig;
@@ -18158,7 +18222,7 @@ function isDomEnabledForPlatformAuth() {
18158
18222
  }
18159
18223
  }
18160
18224
  /**
18161
- * Returns boolean indicating whether or not the request should attempt to use native broker
18225
+ * Returns boolean indicating whether or not the request should attempt to use platform broker
18162
18226
  * @param logger
18163
18227
  * @param config
18164
18228
  * @param correlationId
@@ -18440,6 +18504,10 @@ class PopupClient extends StandardInteractionClient {
18440
18504
  return;
18441
18505
  }
18442
18506
  }
18507
+ // Redirect bridge requires "state" param to work properly
18508
+ validRequest.state = setRequestState(this.browserCrypto, validRequest.state || "", {
18509
+ interactionType: InteractionType.Popup,
18510
+ });
18443
18511
  // Create logout string and navigate user window to logout.
18444
18512
  const logoutUri = authClient.getLogoutUri(validRequest);
18445
18513
  this.eventHandler.emitEvent(EventType.LOGOUT_SUCCESS, validRequest.correlationId, InteractionType.Popup, validRequest);
@@ -18980,6 +19048,10 @@ class RedirectClient extends StandardInteractionClient {
18980
19048
  }
18981
19049
  }
18982
19050
  }
19051
+ // Redirect bridge requires "state" param to work properly
19052
+ validLogoutRequest.state = setRequestState(this.browserCrypto, validLogoutRequest.state || "", {
19053
+ interactionType: InteractionType.Redirect,
19054
+ });
18983
19055
  // Create logout string and navigate user window to logout.
18984
19056
  const logoutUri = authClient.getLogoutUri(validLogoutRequest);
18985
19057
  if (validLogoutRequest.account?.homeAccountId) {
@@ -19206,7 +19278,7 @@ class SilentIframeClient extends StandardInteractionClient {
19206
19278
  const responseType = this.config.auth.OIDCOptions.responseMode;
19207
19279
  let responseString;
19208
19280
  try {
19209
- responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient);
19281
+ responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient, this.config.experimental);
19210
19282
  }
19211
19283
  finally {
19212
19284
  invoke(removeHiddenIframe, RemoveHiddenIframe, this.logger, this.performanceClient, correlationId)(iframe);
@@ -19228,6 +19300,38 @@ class SilentIframeClient extends StandardInteractionClient {
19228
19300
  return invokeAsync(handleResponseEAR, HandleResponseEar, this.logger, this.performanceClient, correlationId)(silentRequest, serverParams, this.apiId, this.config, discoveredAuthority, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
19229
19301
  }
19230
19302
  }
19303
+ /**
19304
+ * Verifies SSO capability by making an iframe request to /authorize without exchanging the code for tokens.
19305
+ * This is useful for verifying SSO capability in the background without the overhead of a full token exchange.
19306
+ * @param request - The SSO silent request
19307
+ * @returns true if SSO verification was successful with a valid authorization code, false otherwise
19308
+ */
19309
+ async verifySso(request) {
19310
+ const inputRequest = { ...request };
19311
+ if (!inputRequest.prompt) {
19312
+ inputRequest.prompt = PromptValue.NONE;
19313
+ }
19314
+ // Create silent request
19315
+ const silentRequest = await invokeAsync(initializeAuthorizationRequest, StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(inputRequest, InteractionType.Silent, this.config, this.browserCrypto, this.browserStorage, this.logger, this.performanceClient, this.correlationId);
19316
+ const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
19317
+ serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger),
19318
+ requestAuthority: silentRequest.authority,
19319
+ requestAzureCloudOptions: silentRequest.azureCloudOptions,
19320
+ requestExtraQueryParameters: silentRequest.extraQueryParameters,
19321
+ account: silentRequest.account,
19322
+ });
19323
+ const { serverParams } = await this.silentAuthorizeHelper(authClient, silentRequest);
19324
+ const correlationId = silentRequest.correlationId;
19325
+ // Validate the response - this checks for errors and validates state
19326
+ validateAuthorizationResponse(serverParams, silentRequest.state);
19327
+ // Verify a valid authorization code is present
19328
+ if (!serverParams.code) {
19329
+ this.logger.warning("0y34ti", correlationId);
19330
+ return false;
19331
+ }
19332
+ this.logger.verbose("0kkkcj", correlationId);
19333
+ return true;
19334
+ }
19231
19335
  /**
19232
19336
  * Currently Unsupported
19233
19337
  */
@@ -19242,6 +19346,16 @@ class SilentIframeClient extends StandardInteractionClient {
19242
19346
  * @param userRequestScopes
19243
19347
  */
19244
19348
  async silentTokenHelper(authClient, request) {
19349
+ const { serverParams, pkceCodes } = await this.silentAuthorizeHelper(authClient, request);
19350
+ return invokeAsync(handleResponseCode, HandleResponseCode, this.logger, this.performanceClient, request.correlationId)(request, serverParams, pkceCodes.verifier, this.apiId, this.config, authClient, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
19351
+ }
19352
+ /**
19353
+ * Shared helper that generates PKCE codes, builds the /authorize URL,
19354
+ * loads it in a hidden iframe, waits for the redirect-bridge response,
19355
+ * and returns the deserialized server parameters along with the PKCE codes
19356
+ * and the request that was sent.
19357
+ */
19358
+ async silentAuthorizeHelper(authClient, request) {
19245
19359
  const correlationId = request.correlationId;
19246
19360
  const pkceCodes = await invokeAsync(generatePkceCodes, GeneratePkceCodes, this.logger, this.performanceClient, correlationId)(this.performanceClient, this.logger, correlationId);
19247
19361
  const silentRequest = {
@@ -19262,13 +19376,13 @@ class SilentIframeClient extends StandardInteractionClient {
19262
19376
  // Wait for response from the redirect bridge.
19263
19377
  let responseString;
19264
19378
  try {
19265
- responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient);
19379
+ responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient, this.config.experimental);
19266
19380
  }
19267
19381
  finally {
19268
19382
  invoke(removeHiddenIframe, RemoveHiddenIframe, this.logger, this.performanceClient, correlationId)(iframe);
19269
19383
  }
19270
19384
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, correlationId)(responseString, responseType, this.logger, this.correlationId);
19271
- return invokeAsync(handleResponseCode, HandleResponseCode, this.logger, this.performanceClient, correlationId)(request, serverParams, pkceCodes.verifier, this.apiId, this.config, authClient, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
19385
+ return { serverParams, pkceCodes, silentRequest };
19272
19386
  }
19273
19387
  }
19274
19388
 
@@ -19510,22 +19624,32 @@ class StandardController {
19510
19624
  this.nativeInternalStorage = new BrowserCacheManager(this.config.auth.clientId, nativeCacheOptions, this.browserCrypto, this.logger, this.performanceClient, this.eventHandler);
19511
19625
  this.activeSilentTokenRequests = new Map();
19512
19626
  // Register listener functions
19513
- this.trackPageVisibility = this.trackPageVisibility.bind(this);
19627
+ this.trackStateChange = this.trackStateChange.bind(this);
19514
19628
  // Register listener functions
19515
- this.trackPageVisibilityWithMeasurement =
19516
- this.trackPageVisibilityWithMeasurement.bind(this);
19629
+ this.trackStateChangeWithMeasurement =
19630
+ this.trackStateChangeWithMeasurement.bind(this);
19517
19631
  }
19518
19632
  static async createController(operatingContext, request) {
19519
19633
  const controller = new StandardController(operatingContext);
19520
19634
  await controller.initialize(request);
19521
19635
  return controller;
19522
19636
  }
19523
- trackPageVisibility(correlationId) {
19637
+ trackStateChange(correlationId, event) {
19524
19638
  if (!correlationId) {
19525
19639
  return;
19526
19640
  }
19527
- this.logger.info("16v6hv", correlationId);
19528
- this.performanceClient.incrementFields({ visibilityChangeCount: 1 }, correlationId);
19641
+ if (event.type === "visibilitychange") {
19642
+ this.logger.info("16v6hv", correlationId);
19643
+ this.performanceClient.incrementFields({ visibilityChangeCount: 1 }, correlationId);
19644
+ }
19645
+ else if (event.type === "online") {
19646
+ this.logger.info("0zirfd", correlationId);
19647
+ this.performanceClient.incrementFields({ onlineStatusChangeCount: 1 }, correlationId);
19648
+ }
19649
+ else if (event.type === "offline") {
19650
+ this.logger.info("1xk9ef", correlationId);
19651
+ this.performanceClient.incrementFields({ onlineStatusChangeCount: 1 }, correlationId);
19652
+ }
19529
19653
  }
19530
19654
  /**
19531
19655
  * Initializer function to perform async startup tasks such as connecting to WAM extension
@@ -19625,22 +19749,25 @@ class StandardController {
19625
19749
  }
19626
19750
  const loggedInAccounts = this.getAllAccounts();
19627
19751
  const platformBrokerRequest = this.browserStorage.getCachedNativeRequest();
19628
- const useNative = platformBrokerRequest &&
19629
- this.platformAuthProvider &&
19630
- !options?.hash;
19752
+ const useNative = platformBrokerRequest && !options?.hash;
19631
19753
  let rootMeasurement;
19632
19754
  let redirectResponse;
19755
+ let cachedRedirectRequest;
19633
19756
  try {
19634
19757
  if (useNative && this.platformAuthProvider) {
19635
19758
  const correlationId = platformBrokerRequest?.correlationId || "";
19636
19759
  this.eventHandler.emitEvent(EventType.HANDLE_REDIRECT_START, correlationId, InteractionType.Redirect);
19637
19760
  rootMeasurement = this.performanceClient.startMeasurement(AcquireTokenRedirect, correlationId);
19638
19761
  this.logger.trace("12v7is", correlationId);
19762
+ rootMeasurement.add({
19763
+ isPlatformBrokerRequest: true,
19764
+ });
19639
19765
  const nativeClient = new PlatformAuthInteractionClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.handleRedirectPromise, this.performanceClient, this.platformAuthProvider, platformBrokerRequest.accountId, this.nativeInternalStorage, platformBrokerRequest.correlationId);
19640
- redirectResponse = invokeAsync(nativeClient.handleRedirectPromise.bind(nativeClient), HandleNativeRedirectPromiseMeasurement, this.logger, this.performanceClient, rootMeasurement.event.correlationId)(this.performanceClient, rootMeasurement.event.correlationId);
19766
+ redirectResponse = invokeAsync(nativeClient.handleRedirectPromise.bind(nativeClient), HandleNativeRedirectPromiseMeasurement, this.logger, this.performanceClient, rootMeasurement.event.correlationId)();
19641
19767
  }
19642
19768
  else {
19643
19769
  const [standardRequest, codeVerifier] = this.browserStorage.getCachedRequest("");
19770
+ cachedRedirectRequest = standardRequest;
19644
19771
  const correlationId = standardRequest.correlationId;
19645
19772
  this.eventHandler.emitEvent(EventType.HANDLE_REDIRECT_START, correlationId, InteractionType.Redirect);
19646
19773
  // Reset rootMeasurement now that we have correlationId
@@ -19669,6 +19796,8 @@ class StandardController {
19669
19796
  rootMeasurement.end({
19670
19797
  success: true,
19671
19798
  }, undefined, result.account);
19799
+ // Fire-and-forget SSO capability verification in background
19800
+ this.verifySsoCapability(cachedRedirectRequest, InteractionType.Redirect);
19672
19801
  }
19673
19802
  else {
19674
19803
  /*
@@ -19734,12 +19863,14 @@ class StandardController {
19734
19863
  if (this.platformAuthProvider &&
19735
19864
  this.canUsePlatformBroker(request)) {
19736
19865
  const nativeClient = new PlatformAuthInteractionClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.acquireTokenRedirect, this.performanceClient, this.platformAuthProvider, this.getNativeAccountId(request), this.nativeInternalStorage, correlationId);
19737
- result = nativeClient
19738
- .acquireTokenRedirect(request, atrMeasurement)
19739
- .catch((e) => {
19866
+ result = invokeAsync(nativeClient.acquireTokenRedirect.bind(nativeClient), NativeInteractionClientAcquireTokenRedirect, this.logger, this.performanceClient, correlationId)(request, atrMeasurement).catch((e) => {
19867
+ atrMeasurement.add({
19868
+ brokerErrorName: e.name,
19869
+ brokerErrorCode: e.errorCode,
19870
+ });
19740
19871
  if (e instanceof NativeAuthError &&
19741
19872
  isFatalNativeAuthError(e)) {
19742
- this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt
19873
+ this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt platform broker calls
19743
19874
  const redirectClient = this.createRedirectClient(correlationId);
19744
19875
  return redirectClient.acquireToken(request);
19745
19876
  }
@@ -19805,6 +19936,9 @@ class StandardController {
19805
19936
  let result;
19806
19937
  const pkce = this.getPreGeneratedPkceCodes(correlationId);
19807
19938
  if (this.canUsePlatformBroker(request)) {
19939
+ atPopupMeasurement.add({
19940
+ isPlatformBrokerRequest: true,
19941
+ });
19808
19942
  result = this.acquireTokenNative({
19809
19943
  ...request,
19810
19944
  correlationId,
@@ -19817,9 +19951,13 @@ class StandardController {
19817
19951
  return response;
19818
19952
  })
19819
19953
  .catch((e) => {
19954
+ atPopupMeasurement.add({
19955
+ brokerErrorName: e.name,
19956
+ brokerErrorCode: e.errorCode,
19957
+ });
19820
19958
  if (e instanceof NativeAuthError &&
19821
19959
  isFatalNativeAuthError(e)) {
19822
- this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt
19960
+ this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt platform broker calls
19823
19961
  const popupClient = this.createPopupClient(correlationId);
19824
19962
  return popupClient.acquireToken(request, pkce);
19825
19963
  }
@@ -19850,6 +19988,8 @@ class StandardController {
19850
19988
  accessTokenSize: result.accessToken.length,
19851
19989
  idTokenSize: result.idToken.length,
19852
19990
  }, undefined, result.account);
19991
+ // SSO capability verification in background
19992
+ this.verifySsoCapability(request, InteractionType.Popup);
19853
19993
  return result;
19854
19994
  })
19855
19995
  .catch((e) => {
@@ -19867,15 +20007,137 @@ class StandardController {
19867
20007
  }
19868
20008
  });
19869
20009
  }
19870
- trackPageVisibilityWithMeasurement() {
20010
+ trackStateChangeWithMeasurement(event) {
19871
20011
  const measurement = this.ssoSilentMeasurement ||
19872
20012
  this.acquireTokenByCodeAsyncMeasurement;
19873
20013
  if (!measurement) {
19874
20014
  return;
19875
20015
  }
19876
- measurement.increment({
19877
- visibilityChangeCount: 1,
20016
+ if (event.type === "visibilitychange") {
20017
+ this.logger.info("0yzimq", measurement.event.correlationId);
20018
+ measurement.increment({
20019
+ visibilityChangeCount: 1,
20020
+ });
20021
+ }
20022
+ else if (event.type === "online") {
20023
+ this.logger.info("1caf53", measurement.event.correlationId);
20024
+ measurement.increment({
20025
+ onlineStatusChangeCount: 1,
20026
+ });
20027
+ }
20028
+ else if (event.type === "offline") {
20029
+ this.logger.info("0fdyk7", measurement.event.correlationId);
20030
+ measurement.increment({
20031
+ onlineStatusChangeCount: 1,
20032
+ });
20033
+ }
20034
+ }
20035
+ addStateChangeListeners(listener) {
20036
+ document.addEventListener("visibilitychange", listener);
20037
+ window.addEventListener("online", listener);
20038
+ window.addEventListener("offline", listener);
20039
+ }
20040
+ removeStateChangeListeners(listener) {
20041
+ document.removeEventListener("visibilitychange", listener);
20042
+ window.removeEventListener("online", listener);
20043
+ window.removeEventListener("offline", listener);
20044
+ }
20045
+ /**
20046
+ * Reads the cached ssoCapable value from localStorage.
20047
+ * @returns The cached ssoCapable boolean value, or undefined if not cached or expired.
20048
+ */
20049
+ getCachedSsoCapable() {
20050
+ try {
20051
+ const cachedValue = window.localStorage.getItem(SSO_CAPABLE);
20052
+ if (cachedValue) {
20053
+ const parsed = JSON.parse(cachedValue);
20054
+ if (parsed &&
20055
+ typeof parsed.ssoCapable === "boolean" &&
20056
+ parsed.expiresOn &&
20057
+ Date.now() < parsed.expiresOn) {
20058
+ return parsed.ssoCapable;
20059
+ }
20060
+ }
20061
+ }
20062
+ catch {
20063
+ // If parsing fails, return undefined
20064
+ }
20065
+ return undefined;
20066
+ }
20067
+ /**
20068
+ * SSO capability verification in the background.
20069
+ * This method makes an iframe request to /authorize to verify SSO capability without calling /token.
20070
+ * This method does not block the caller and tracks telemetry for success/failure.
20071
+ * This method only executes if verifySSO is set to true in the auth configuration.
20072
+ * The result is cached in localStorage with a 24-hour TTL; the SSO verification call
20073
+ * is only attempted when the cached value is absent or expired.
20074
+ * @param request - The original request used for the authentication flow
20075
+ * @param interactionType - The interactionType of the AT operation for logging purposes
20076
+ */
20077
+ verifySsoCapability(request, interactionType) {
20078
+ // Check if SSO capability verification is enabled
20079
+ if (!this.config.auth.verifySSO) {
20080
+ return;
20081
+ }
20082
+ // Check TTL: derive ssoCapable state from localStorage and skip if not expired
20083
+ const ssoCacheKey = SSO_CAPABLE;
20084
+ const SSO_CAPABLE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
20085
+ const cachedSsoCapable = this.getCachedSsoCapable();
20086
+ if (cachedSsoCapable !== undefined) {
20087
+ this.logger.verbose("13poou", "");
20088
+ return;
20089
+ }
20090
+ const correlationId = createNewGuid();
20091
+ const ssoCapableMeasurement = this.performanceClient.startMeasurement(SsoCapable, correlationId);
20092
+ ssoCapableMeasurement.add({
20093
+ "ext.interactionType": interactionType,
19878
20094
  });
20095
+ this.logger.verbose("0pbr0i", correlationId);
20096
+ /*
20097
+ * Use setTimeout to ensure this runs in a separate macrotask after the current call stack completes
20098
+ * This ensures the result is returned to the caller before the SSO verification starts and doesn't affect performance
20099
+ */
20100
+ setTimeout(() => {
20101
+ const ssoVerificationRequest = {
20102
+ ...request,
20103
+ correlationId: correlationId,
20104
+ };
20105
+ const silentIframeClient = this.createSilentIframeClient(correlationId);
20106
+ silentIframeClient
20107
+ .verifySso(ssoVerificationRequest)
20108
+ .then((result) => {
20109
+ this.logger.verbose("1gd1iv", correlationId);
20110
+ // TBD to add profileTelemetry later in localStorage with 24h TTL
20111
+ try {
20112
+ const cacheEntry = JSON.stringify({
20113
+ ssoCapable: result,
20114
+ expiresOn: Date.now() + SSO_CAPABLE_TTL_MS,
20115
+ });
20116
+ window.localStorage.setItem(ssoCacheKey, cacheEntry);
20117
+ }
20118
+ catch {
20119
+ this.logger.warning("18lmoj", correlationId);
20120
+ }
20121
+ ssoCapableMeasurement.end({
20122
+ fromCache: false,
20123
+ success: result,
20124
+ }, undefined);
20125
+ })
20126
+ .catch((error) => {
20127
+ this.logger.warning("05g83w", correlationId);
20128
+ // reset the cache
20129
+ try {
20130
+ window.localStorage.removeItem(ssoCacheKey);
20131
+ }
20132
+ catch {
20133
+ this.logger.warning("0nlf9q", correlationId);
20134
+ }
20135
+ ssoCapableMeasurement.end({
20136
+ fromCache: false,
20137
+ success: false,
20138
+ }, error);
20139
+ });
20140
+ }, 0);
19879
20141
  }
19880
20142
  // #endregion
19881
20143
  // #region Silent Flow
@@ -19898,28 +20160,35 @@ class StandardController {
19898
20160
  const correlationId = this.getRequestCorrelationId(request);
19899
20161
  const validRequest = {
19900
20162
  ...request,
19901
- // will be PromptValue.NONE or PromptValue.NO_SESSION
19902
- prompt: request.prompt,
19903
20163
  correlationId: correlationId,
19904
20164
  };
19905
20165
  this.ssoSilentMeasurement = this.performanceClient.startMeasurement(SsoSilent, correlationId);
19906
20166
  this.ssoSilentMeasurement?.add({
19907
20167
  scenarioId: request.scenarioId,
20168
+ ssoCapable: this.getCachedSsoCapable(),
19908
20169
  });
19909
20170
  preflightCheck(this.initialized, this.ssoSilentMeasurement, this.config, validRequest);
19910
20171
  this.ssoSilentMeasurement?.increment({
19911
20172
  visibilityChangeCount: 0,
20173
+ onlineStatusChangeCount: 0,
19912
20174
  });
19913
- document.addEventListener("visibilitychange", this.trackPageVisibilityWithMeasurement);
20175
+ this.addStateChangeListeners(this.trackStateChangeWithMeasurement);
19914
20176
  const loggedInAccounts = this.getAllAccounts();
19915
20177
  this.logger.verbose("0w1b45", correlationId);
19916
20178
  this.eventHandler.emitEvent(EventType.ACQUIRE_TOKEN_START, correlationId, InteractionType.Silent, validRequest);
19917
20179
  let result;
19918
20180
  if (this.canUsePlatformBroker(validRequest)) {
20181
+ this.ssoSilentMeasurement?.add({
20182
+ isPlatformBrokerRequest: true,
20183
+ });
19919
20184
  result = this.acquireTokenNative(validRequest, ApiId.ssoSilent).catch((e) => {
20185
+ this.ssoSilentMeasurement?.add({
20186
+ brokerErrorName: e.name,
20187
+ brokerErrorCode: e.errorCode,
20188
+ });
19920
20189
  // If native token acquisition fails for availability reasons fallback to standard flow
19921
20190
  if (e instanceof NativeAuthError && isFatalNativeAuthError(e)) {
19922
- this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt
20191
+ this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt platform broker calls
19923
20192
  const silentIframeClient = this.createSilentIframeClient(validRequest.correlationId);
19924
20193
  return silentIframeClient.acquireToken(validRequest);
19925
20194
  }
@@ -19953,7 +20222,7 @@ class StandardController {
19953
20222
  throw e;
19954
20223
  })
19955
20224
  .finally(() => {
19956
- document.removeEventListener("visibilitychange", this.trackPageVisibilityWithMeasurement);
20225
+ this.removeStateChangeListeners(this.trackStateChangeWithMeasurement);
19957
20226
  });
19958
20227
  }
19959
20228
  /**
@@ -19992,7 +20261,6 @@ class StandardController {
19992
20261
  this.hybridAuthCodeResponses.delete(hybridAuthCode);
19993
20262
  atbcMeasurement.end({
19994
20263
  success: true,
19995
- isNativeBroker: result.fromPlatformBroker,
19996
20264
  accessTokenSize: result.accessToken.length,
19997
20265
  idTokenSize: result.idToken.length,
19998
20266
  }, undefined, result.account);
@@ -20016,10 +20284,17 @@ class StandardController {
20016
20284
  }
20017
20285
  else if (request.nativeAccountId) {
20018
20286
  if (this.canUsePlatformBroker(request, request.nativeAccountId)) {
20287
+ atbcMeasurement.add({
20288
+ isPlatformBrokerRequest: true,
20289
+ });
20019
20290
  const result = await this.acquireTokenNative({
20020
20291
  ...request,
20021
20292
  correlationId,
20022
20293
  }, ApiId.acquireTokenByCode, request.nativeAccountId).catch((e) => {
20294
+ atbcMeasurement.add({
20295
+ brokerErrorName: e.name,
20296
+ brokerErrorCode: e.errorCode,
20297
+ });
20023
20298
  // If native token acquisition fails for availability reasons fallback to standard flow
20024
20299
  if (e instanceof NativeAuthError &&
20025
20300
  isFatalNativeAuthError(e)) {
@@ -20060,8 +20335,9 @@ class StandardController {
20060
20335
  this.performanceClient.startMeasurement(AcquireTokenByCodeAsync, correlationId);
20061
20336
  this.acquireTokenByCodeAsyncMeasurement?.increment({
20062
20337
  visibilityChangeCount: 0,
20338
+ onlineStatusChangeCount: 0,
20063
20339
  });
20064
- document.addEventListener("visibilitychange", this.trackPageVisibilityWithMeasurement);
20340
+ this.addStateChangeListeners(this.trackStateChangeWithMeasurement);
20065
20341
  const silentAuthCodeClient = this.createSilentAuthCodeClient(correlationId);
20066
20342
  const silentTokenResult = await silentAuthCodeClient
20067
20343
  .acquireToken(request)
@@ -20069,7 +20345,6 @@ class StandardController {
20069
20345
  this.acquireTokenByCodeAsyncMeasurement?.end({
20070
20346
  success: true,
20071
20347
  fromCache: response.fromCache,
20072
- isNativeBroker: response.fromPlatformBroker,
20073
20348
  });
20074
20349
  return response;
20075
20350
  })
@@ -20080,7 +20355,7 @@ class StandardController {
20080
20355
  throw tokenRenewalError;
20081
20356
  })
20082
20357
  .finally(() => {
20083
- document.removeEventListener("visibilitychange", this.trackPageVisibilityWithMeasurement);
20358
+ this.removeStateChangeListeners(this.trackStateChangeWithMeasurement);
20084
20359
  });
20085
20360
  return silentTokenResult;
20086
20361
  }
@@ -20238,7 +20513,7 @@ class StandardController {
20238
20513
  throw createBrowserAuthError(nativeConnectionNotEstablished);
20239
20514
  }
20240
20515
  const nativeClient = new PlatformAuthInteractionClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, apiId, this.performanceClient, this.platformAuthProvider, accountId || this.getNativeAccountId(request), this.nativeInternalStorage, correlationId);
20241
- return nativeClient.acquireToken(request, cacheLookupPolicy);
20516
+ return invokeAsync(nativeClient.acquireToken.bind(nativeClient), NativeInteractionClientAcquireToken, this.logger, this.performanceClient, correlationId)(request, cacheLookupPolicy);
20242
20517
  }
20243
20518
  /**
20244
20519
  * Returns boolean indicating if this request can use the platform broker
@@ -20252,7 +20527,7 @@ class StandardController {
20252
20527
  return false;
20253
20528
  }
20254
20529
  if (!isPlatformAuthAllowed(this.config, this.logger, correlationId, this.platformAuthProvider, request.authenticationScheme)) {
20255
- this.logger.trace("1m4bzf", correlationId);
20530
+ this.logger.trace("0yoy1g", correlationId);
20256
20531
  return false;
20257
20532
  }
20258
20533
  if (request.prompt) {
@@ -20471,6 +20746,7 @@ class StandardController {
20471
20746
  atsMeasurement.add({
20472
20747
  cacheLookupPolicy: request.cacheLookupPolicy,
20473
20748
  scenarioId: request.scenarioId,
20749
+ ssoCapable: this.getCachedSsoCapable(),
20474
20750
  });
20475
20751
  preflightCheck(this.initialized, atsMeasurement, this.config, request);
20476
20752
  this.logger.verbose("0x1c4s", correlationId);
@@ -20483,7 +20759,6 @@ class StandardController {
20483
20759
  atsMeasurement.end({
20484
20760
  success: true,
20485
20761
  fromCache: result.fromCache,
20486
- isNativeBroker: result.fromPlatformBroker,
20487
20762
  accessTokenSize: result.accessToken.length,
20488
20763
  idTokenSize: result.idToken.length,
20489
20764
  }, undefined, result.account);
@@ -20542,12 +20817,12 @@ class StandardController {
20542
20817
  * @returns {Promise.<AuthenticationResult>} - a promise that is fulfilled when this function has completed, or rejected if an error was raised. Returns the {@link AuthResponse}
20543
20818
  */
20544
20819
  async acquireTokenSilentAsync(request, account) {
20545
- const trackPageVisibility = () => this.trackPageVisibility(request.correlationId);
20820
+ const trackStateChange = (event) => this.trackStateChange(request.correlationId, event);
20546
20821
  this.eventHandler.emitEvent(EventType.ACQUIRE_TOKEN_START, request.correlationId, InteractionType.Silent, request);
20547
20822
  if (request.correlationId) {
20548
- this.performanceClient.incrementFields({ visibilityChangeCount: 0 }, request.correlationId);
20823
+ this.performanceClient.incrementFields({ visibilityChangeCount: 0, onlineStatusChangeCount: 0 }, request.correlationId);
20549
20824
  }
20550
- document.addEventListener("visibilitychange", trackPageVisibility);
20825
+ this.addStateChangeListeners(trackStateChange);
20551
20826
  const silentRequest = await invokeAsync(initializeSilentRequest, InitializeSilentRequest, this.logger, this.performanceClient, request.correlationId)(request, account, this.config, this.performanceClient, this.logger);
20552
20827
  const cacheLookupPolicy = request.cacheLookupPolicy || CacheLookupPolicy.Default;
20553
20828
  const result = this.acquireTokenSilentNoIframe(silentRequest, cacheLookupPolicy).catch(async (refreshTokenError) => {
@@ -20629,7 +20904,7 @@ class StandardController {
20629
20904
  throw tokenRenewalError;
20630
20905
  })
20631
20906
  .finally(() => {
20632
- document.removeEventListener("visibilitychange", trackPageVisibility);
20907
+ this.removeStateChangeListeners(trackStateChange);
20633
20908
  });
20634
20909
  }
20635
20910
  /**
@@ -20643,7 +20918,12 @@ class StandardController {
20643
20918
  if (isPlatformAuthAllowed(this.config, this.logger, silentRequest.correlationId, this.platformAuthProvider, silentRequest.authenticationScheme) &&
20644
20919
  silentRequest.account.nativeAccountId) {
20645
20920
  this.logger.verbose("0sczo4", silentRequest.correlationId);
20921
+ this.performanceClient.addFields({ isPlatformBrokerRequest: true }, silentRequest.correlationId);
20646
20922
  return this.acquireTokenNative(silentRequest, ApiId.acquireTokenSilent_silentFlow, silentRequest.account.nativeAccountId, cacheLookupPolicy).catch(async (e) => {
20923
+ this.performanceClient.addFields({
20924
+ brokerErrorName: e.name,
20925
+ brokerErrorCode: e.errorCode,
20926
+ }, silentRequest.correlationId);
20647
20927
  // If native token acquisition fails for availability reasons fallback to web flow
20648
20928
  if (e instanceof NativeAuthError && isFatalNativeAuthError(e)) {
20649
20929
  this.logger.verbose("07rkmb", silentRequest.correlationId);