@azure/msal-browser 5.6.2 → 5.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (456) hide show
  1. package/README.md +0 -1
  2. package/dist/app/IPublicClientApplication.mjs +1 -1
  3. package/dist/app/PublicClientApplication.mjs +1 -1
  4. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +2 -3
  5. package/dist/broker/nativeBroker/NativeStatusCodes.mjs.map +1 -1
  6. package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  7. package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  8. package/dist/broker/nativeBroker/PlatformAuthProvider.d.ts +1 -1
  9. package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +2 -2
  10. package/dist/cache/AccountManager.mjs +1 -1
  11. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  12. package/dist/cache/BrowserCacheManager.mjs +1 -1
  13. package/dist/cache/CacheHelpers.mjs +1 -1
  14. package/dist/cache/CacheKeys.d.ts +1 -0
  15. package/dist/cache/CacheKeys.d.ts.map +1 -1
  16. package/dist/cache/CacheKeys.mjs +3 -2
  17. package/dist/cache/CacheKeys.mjs.map +1 -1
  18. package/dist/cache/CookieStorage.mjs +1 -1
  19. package/dist/cache/DatabaseStorage.mjs +1 -1
  20. package/dist/cache/EncryptedData.mjs +1 -1
  21. package/dist/cache/LocalStorage.mjs +1 -1
  22. package/dist/cache/MemoryStorage.mjs +1 -1
  23. package/dist/cache/SessionStorage.mjs +1 -1
  24. package/dist/cache/TokenCache.d.ts.map +1 -1
  25. package/dist/cache/TokenCache.mjs +9 -9
  26. package/dist/cache/TokenCache.mjs.map +1 -1
  27. package/dist/config/Configuration.d.ts +20 -1
  28. package/dist/config/Configuration.d.ts.map +1 -1
  29. package/dist/config/Configuration.mjs +10 -2
  30. package/dist/config/Configuration.mjs.map +1 -1
  31. package/dist/controllers/NestedAppAuthController.mjs +1 -1
  32. package/dist/controllers/StandardController.d.ts +20 -2
  33. package/dist/controllers/StandardController.d.ts.map +1 -1
  34. package/dist/controllers/StandardController.mjs +204 -37
  35. package/dist/controllers/StandardController.mjs.map +1 -1
  36. package/dist/crypto/BrowserCrypto.mjs +1 -1
  37. package/dist/crypto/CryptoOps.mjs +1 -1
  38. package/dist/crypto/PkceGenerator.mjs +1 -1
  39. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  40. package/dist/custom-auth-path/app/PublicClientApplication.mjs +1 -1
  41. package/dist/custom-auth-path/broker/nativeBroker/NativeStatusCodes.mjs +2 -3
  42. package/dist/custom-auth-path/broker/nativeBroker/NativeStatusCodes.mjs.map +1 -1
  43. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
  44. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
  45. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthProvider.d.ts +1 -1
  46. package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthProvider.mjs +2 -2
  47. package/dist/custom-auth-path/cache/AccountManager.mjs +1 -1
  48. package/dist/custom-auth-path/cache/AsyncMemoryStorage.mjs +1 -1
  49. package/dist/custom-auth-path/cache/BrowserCacheManager.mjs +1 -1
  50. package/dist/custom-auth-path/cache/CacheHelpers.mjs +1 -1
  51. package/dist/custom-auth-path/cache/CacheKeys.d.ts +1 -0
  52. package/dist/custom-auth-path/cache/CacheKeys.d.ts.map +1 -1
  53. package/dist/custom-auth-path/cache/CacheKeys.mjs +3 -2
  54. package/dist/custom-auth-path/cache/CacheKeys.mjs.map +1 -1
  55. package/dist/custom-auth-path/cache/CookieStorage.mjs +1 -1
  56. package/dist/custom-auth-path/cache/DatabaseStorage.mjs +1 -1
  57. package/dist/custom-auth-path/cache/EncryptedData.mjs +1 -1
  58. package/dist/custom-auth-path/cache/LocalStorage.mjs +1 -1
  59. package/dist/custom-auth-path/cache/MemoryStorage.mjs +1 -1
  60. package/dist/custom-auth-path/cache/SessionStorage.mjs +1 -1
  61. package/dist/custom-auth-path/cache/TokenCache.d.ts.map +1 -1
  62. package/dist/custom-auth-path/config/Configuration.d.ts +20 -1
  63. package/dist/custom-auth-path/config/Configuration.d.ts.map +1 -1
  64. package/dist/custom-auth-path/config/Configuration.mjs +10 -2
  65. package/dist/custom-auth-path/config/Configuration.mjs.map +1 -1
  66. package/dist/custom-auth-path/controllers/StandardController.d.ts +20 -2
  67. package/dist/custom-auth-path/controllers/StandardController.d.ts.map +1 -1
  68. package/dist/custom-auth-path/controllers/StandardController.mjs +204 -37
  69. package/dist/custom-auth-path/controllers/StandardController.mjs.map +1 -1
  70. package/dist/custom-auth-path/crypto/BrowserCrypto.mjs +1 -1
  71. package/dist/custom-auth-path/crypto/CryptoOps.mjs +1 -1
  72. package/dist/custom-auth-path/crypto/PkceGenerator.mjs +1 -1
  73. package/dist/custom-auth-path/custom_auth/CustomAuthConstants.d.ts +1 -1
  74. package/dist/custom-auth-path/custom_auth/CustomAuthConstants.mjs +1 -1
  75. package/dist/custom-auth-path/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
  76. package/dist/custom-auth-path/custom_auth/controller/CustomAuthStandardController.mjs +1 -1
  77. package/dist/custom-auth-path/custom_auth/core/CustomAuthAuthority.mjs +1 -1
  78. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
  79. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
  80. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
  81. package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
  82. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
  83. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
  84. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
  85. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
  86. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
  87. package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +1 -1
  88. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
  89. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
  90. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
  91. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
  92. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
  93. package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +1 -1
  94. package/dist/custom-auth-path/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
  95. package/dist/custom-auth-path/custom_auth/core/error/CustomAuthError.mjs +1 -1
  96. package/dist/custom-auth-path/custom_auth/core/error/HttpError.mjs +1 -1
  97. package/dist/custom-auth-path/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
  98. package/dist/custom-auth-path/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
  99. package/dist/custom-auth-path/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
  100. package/dist/custom-auth-path/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
  101. package/dist/custom-auth-path/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
  102. package/dist/custom-auth-path/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
  103. package/dist/custom-auth-path/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
  104. package/dist/custom-auth-path/custom_auth/core/error/ParsedUrlError.mjs +1 -1
  105. package/dist/custom-auth-path/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
  106. package/dist/custom-auth-path/custom_auth/core/error/UnexpectedError.mjs +1 -1
  107. package/dist/custom-auth-path/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
  108. package/dist/custom-auth-path/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
  109. package/dist/custom-auth-path/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
  110. package/dist/custom-auth-path/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
  111. package/dist/custom-auth-path/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
  112. package/dist/custom-auth-path/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
  113. package/dist/custom-auth-path/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
  114. package/dist/custom-auth-path/custom_auth/core/interaction_client/mfa/MfaClient.mjs +1 -1
  115. package/dist/custom-auth-path/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
  116. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +1 -1
  117. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +1 -1
  118. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
  119. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
  120. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +1 -1
  121. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +1 -1
  122. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +1 -1
  123. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
  124. package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
  125. package/dist/custom-auth-path/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +1 -1
  126. package/dist/custom-auth-path/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
  127. package/dist/custom-auth-path/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
  128. package/dist/custom-auth-path/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
  129. package/dist/custom-auth-path/custom_auth/core/utils/UrlUtils.mjs +1 -1
  130. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +1 -1
  131. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
  132. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
  133. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
  134. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
  135. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
  136. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
  137. package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
  138. package/dist/custom-auth-path/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +1 -1
  139. package/dist/custom-auth-path/custom_auth/index.mjs +1 -1
  140. package/dist/custom-auth-path/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
  141. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
  142. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
  143. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
  144. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
  145. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
  146. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +1 -1
  147. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
  148. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
  149. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +1 -1
  150. package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
  151. package/dist/custom-auth-path/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +1 -1
  152. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
  153. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
  154. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
  155. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
  156. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
  157. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
  158. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +1 -1
  159. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
  160. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +1 -1
  161. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
  162. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +1 -1
  163. package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
  164. package/dist/custom-auth-path/custom_auth/sign_in/interaction_client/SignInClient.mjs +1 -1
  165. package/dist/custom-auth-path/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
  166. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
  167. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
  168. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
  169. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
  170. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
  171. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
  172. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +1 -1
  173. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +1 -1
  174. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
  175. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
  176. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +1 -1
  177. package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
  178. package/dist/custom-auth-path/custom_auth/sign_up/interaction_client/SignUpClient.mjs +1 -1
  179. package/dist/custom-auth-path/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
  180. package/dist/custom-auth-path/encode/Base64Decode.mjs +1 -1
  181. package/dist/custom-auth-path/encode/Base64Encode.mjs +1 -1
  182. package/dist/custom-auth-path/error/BrowserAuthError.mjs +1 -1
  183. package/dist/custom-auth-path/error/BrowserAuthErrorCodes.mjs +1 -1
  184. package/dist/custom-auth-path/error/BrowserConfigurationAuthError.mjs +1 -1
  185. package/dist/custom-auth-path/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  186. package/dist/custom-auth-path/error/NativeAuthError.d.ts.map +1 -1
  187. package/dist/custom-auth-path/error/NativeAuthError.mjs +3 -4
  188. package/dist/custom-auth-path/error/NativeAuthError.mjs.map +1 -1
  189. package/dist/custom-auth-path/error/NativeAuthErrorCodes.mjs +1 -1
  190. package/dist/custom-auth-path/event/EventHandler.mjs +1 -1
  191. package/dist/custom-auth-path/event/EventType.mjs +1 -1
  192. package/dist/custom-auth-path/index.d.ts +1 -1
  193. package/dist/custom-auth-path/index.d.ts.map +1 -1
  194. package/dist/custom-auth-path/interaction_client/BaseInteractionClient.mjs +1 -1
  195. package/dist/custom-auth-path/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  196. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.d.ts +12 -12
  197. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  198. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.mjs +39 -26
  199. package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
  200. package/dist/custom-auth-path/interaction_client/PopupClient.d.ts.map +1 -1
  201. package/dist/custom-auth-path/interaction_client/PopupClient.mjs +6 -2
  202. package/dist/custom-auth-path/interaction_client/PopupClient.mjs.map +1 -1
  203. package/dist/custom-auth-path/interaction_client/RedirectClient.d.ts.map +1 -1
  204. package/dist/custom-auth-path/interaction_client/RedirectClient.mjs +6 -2
  205. package/dist/custom-auth-path/interaction_client/RedirectClient.mjs.map +1 -1
  206. package/dist/custom-auth-path/interaction_client/SilentAuthCodeClient.mjs +1 -1
  207. package/dist/custom-auth-path/interaction_client/SilentCacheClient.mjs +1 -1
  208. package/dist/custom-auth-path/interaction_client/SilentIframeClient.d.ts +14 -0
  209. package/dist/custom-auth-path/interaction_client/SilentIframeClient.d.ts.map +1 -1
  210. package/dist/custom-auth-path/interaction_client/SilentIframeClient.mjs +47 -5
  211. package/dist/custom-auth-path/interaction_client/SilentIframeClient.mjs.map +1 -1
  212. package/dist/custom-auth-path/interaction_client/SilentRefreshClient.mjs +1 -1
  213. package/dist/custom-auth-path/interaction_client/StandardInteractionClient.mjs +1 -1
  214. package/dist/custom-auth-path/interaction_handler/InteractionHandler.mjs +1 -1
  215. package/dist/custom-auth-path/interaction_handler/SilentHandler.mjs +1 -1
  216. package/dist/custom-auth-path/log-strings-mapping.json +67 -15
  217. package/dist/custom-auth-path/navigation/NavigationClient.mjs +1 -1
  218. package/dist/custom-auth-path/network/FetchClient.mjs +1 -1
  219. package/dist/custom-auth-path/operatingcontext/BaseOperatingContext.mjs +1 -1
  220. package/dist/custom-auth-path/operatingcontext/StandardOperatingContext.mjs +1 -1
  221. package/dist/custom-auth-path/packageMetadata.d.ts +1 -1
  222. package/dist/custom-auth-path/packageMetadata.mjs +2 -2
  223. package/dist/custom-auth-path/protocol/Authorize.d.ts.map +1 -1
  224. package/dist/custom-auth-path/protocol/Authorize.mjs +5 -1
  225. package/dist/custom-auth-path/protocol/Authorize.mjs.map +1 -1
  226. package/dist/custom-auth-path/redirect_bridge/index.d.ts.map +1 -1
  227. package/dist/custom-auth-path/request/RequestHelpers.mjs +1 -1
  228. package/dist/custom-auth-path/response/ResponseHandler.mjs +1 -1
  229. package/dist/custom-auth-path/telemetry/BrowserPerformanceClient.d.ts +1 -0
  230. package/dist/custom-auth-path/telemetry/BrowserPerformanceClient.d.ts.map +1 -1
  231. package/dist/custom-auth-path/telemetry/BrowserPerformanceEvents.d.ts +6 -0
  232. package/dist/custom-auth-path/telemetry/BrowserPerformanceEvents.d.ts.map +1 -1
  233. package/dist/custom-auth-path/telemetry/BrowserPerformanceEvents.mjs +9 -3
  234. package/dist/custom-auth-path/telemetry/BrowserPerformanceEvents.mjs.map +1 -1
  235. package/dist/custom-auth-path/telemetry/BrowserRootPerformanceEvents.d.ts +6 -0
  236. package/dist/custom-auth-path/telemetry/BrowserRootPerformanceEvents.d.ts.map +1 -1
  237. package/dist/custom-auth-path/telemetry/BrowserRootPerformanceEvents.mjs +8 -3
  238. package/dist/custom-auth-path/telemetry/BrowserRootPerformanceEvents.mjs.map +1 -1
  239. package/dist/custom-auth-path/utils/BrowserConstants.mjs +1 -1
  240. package/dist/custom-auth-path/utils/BrowserProtocolUtils.mjs +1 -1
  241. package/dist/custom-auth-path/utils/BrowserUtils.d.ts +2 -2
  242. package/dist/custom-auth-path/utils/BrowserUtils.d.ts.map +1 -1
  243. package/dist/custom-auth-path/utils/BrowserUtils.mjs +27 -3
  244. package/dist/custom-auth-path/utils/BrowserUtils.mjs.map +1 -1
  245. package/dist/custom-auth-path/utils/Helpers.mjs +1 -1
  246. package/dist/custom-auth-path/utils/MsalFrameStatsUtils.mjs +1 -1
  247. package/dist/custom_auth/CustomAuthConstants.d.ts +1 -1
  248. package/dist/encode/Base64Decode.mjs +1 -1
  249. package/dist/encode/Base64Encode.mjs +1 -1
  250. package/dist/error/BrowserAuthError.mjs +1 -1
  251. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  252. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  253. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  254. package/dist/error/NativeAuthError.d.ts.map +1 -1
  255. package/dist/error/NativeAuthError.mjs +3 -4
  256. package/dist/error/NativeAuthError.mjs.map +1 -1
  257. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  258. package/dist/error/NestedAppAuthError.mjs +1 -1
  259. package/dist/event/EventHandler.mjs +1 -1
  260. package/dist/event/EventMessage.mjs +1 -1
  261. package/dist/event/EventType.mjs +1 -1
  262. package/dist/index.d.ts +1 -1
  263. package/dist/index.d.ts.map +1 -1
  264. package/dist/index.mjs +1 -1
  265. package/dist/index.mjs.map +1 -1
  266. package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
  267. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  268. package/dist/interaction_client/PlatformAuthInteractionClient.d.ts +12 -12
  269. package/dist/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  270. package/dist/interaction_client/PlatformAuthInteractionClient.mjs +39 -26
  271. package/dist/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
  272. package/dist/interaction_client/PopupClient.d.ts.map +1 -1
  273. package/dist/interaction_client/PopupClient.mjs +6 -2
  274. package/dist/interaction_client/PopupClient.mjs.map +1 -1
  275. package/dist/interaction_client/RedirectClient.d.ts.map +1 -1
  276. package/dist/interaction_client/RedirectClient.mjs +6 -2
  277. package/dist/interaction_client/RedirectClient.mjs.map +1 -1
  278. package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
  279. package/dist/interaction_client/SilentCacheClient.mjs +1 -1
  280. package/dist/interaction_client/SilentIframeClient.d.ts +14 -0
  281. package/dist/interaction_client/SilentIframeClient.d.ts.map +1 -1
  282. package/dist/interaction_client/SilentIframeClient.mjs +47 -5
  283. package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
  284. package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
  285. package/dist/interaction_client/StandardInteractionClient.mjs +1 -1
  286. package/dist/interaction_handler/InteractionHandler.mjs +1 -1
  287. package/dist/interaction_handler/SilentHandler.mjs +1 -1
  288. package/dist/log-strings-mapping.json +75 -23
  289. package/dist/naa/BridgeError.mjs +1 -1
  290. package/dist/naa/BridgeProxy.mjs +1 -1
  291. package/dist/naa/BridgeStatusCode.mjs +1 -1
  292. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +1 -1
  293. package/dist/navigation/NavigationClient.mjs +1 -1
  294. package/dist/network/FetchClient.mjs +1 -1
  295. package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
  296. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  297. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  298. package/dist/packageMetadata.d.ts +1 -1
  299. package/dist/packageMetadata.mjs +2 -2
  300. package/dist/protocol/Authorize.d.ts.map +1 -1
  301. package/dist/protocol/Authorize.mjs +5 -1
  302. package/dist/protocol/Authorize.mjs.map +1 -1
  303. package/dist/redirect-bridge/broker/nativeBroker/PlatformAuthProvider.d.ts +1 -1
  304. package/dist/redirect-bridge/cache/CacheKeys.d.ts +1 -0
  305. package/dist/redirect-bridge/cache/CacheKeys.d.ts.map +1 -1
  306. package/dist/redirect-bridge/cache/CacheKeys.mjs +1 -1
  307. package/dist/redirect-bridge/cache/TokenCache.d.ts.map +1 -1
  308. package/dist/redirect-bridge/config/Configuration.d.ts +20 -1
  309. package/dist/redirect-bridge/config/Configuration.d.ts.map +1 -1
  310. package/dist/redirect-bridge/config/Configuration.mjs +1 -1
  311. package/dist/redirect-bridge/controllers/StandardController.d.ts +20 -2
  312. package/dist/redirect-bridge/controllers/StandardController.d.ts.map +1 -1
  313. package/dist/redirect-bridge/custom_auth/CustomAuthConstants.d.ts +1 -1
  314. package/dist/redirect-bridge/encode/Base64Decode.mjs +1 -1
  315. package/dist/redirect-bridge/error/BrowserAuthError.mjs +1 -1
  316. package/dist/redirect-bridge/error/BrowserAuthErrorCodes.mjs +1 -1
  317. package/dist/redirect-bridge/error/NativeAuthError.d.ts.map +1 -1
  318. package/dist/redirect-bridge/index.d.ts +1 -1
  319. package/dist/redirect-bridge/index.d.ts.map +1 -1
  320. package/dist/redirect-bridge/interaction_client/PlatformAuthInteractionClient.d.ts +12 -12
  321. package/dist/redirect-bridge/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  322. package/dist/redirect-bridge/interaction_client/PopupClient.d.ts.map +1 -1
  323. package/dist/redirect-bridge/interaction_client/RedirectClient.d.ts.map +1 -1
  324. package/dist/redirect-bridge/interaction_client/SilentIframeClient.d.ts +14 -0
  325. package/dist/redirect-bridge/interaction_client/SilentIframeClient.d.ts.map +1 -1
  326. package/dist/redirect-bridge/navigation/NavigationClient.mjs +1 -1
  327. package/dist/redirect-bridge/packageMetadata.d.ts +1 -1
  328. package/dist/redirect-bridge/protocol/Authorize.d.ts.map +1 -1
  329. package/dist/redirect-bridge/redirect_bridge/index.d.ts.map +1 -1
  330. package/dist/redirect-bridge/redirect_bridge/index.mjs +11 -7
  331. package/dist/redirect-bridge/redirect_bridge/index.mjs.map +1 -1
  332. package/dist/redirect-bridge/telemetry/BrowserPerformanceClient.d.ts +1 -0
  333. package/dist/redirect-bridge/telemetry/BrowserPerformanceClient.d.ts.map +1 -1
  334. package/dist/redirect-bridge/telemetry/BrowserPerformanceEvents.d.ts +6 -0
  335. package/dist/redirect-bridge/telemetry/BrowserPerformanceEvents.d.ts.map +1 -1
  336. package/dist/redirect-bridge/telemetry/BrowserRootPerformanceEvents.d.ts +6 -0
  337. package/dist/redirect-bridge/telemetry/BrowserRootPerformanceEvents.d.ts.map +1 -1
  338. package/dist/redirect-bridge/utils/BrowserConstants.mjs +7 -3
  339. package/dist/redirect-bridge/utils/BrowserConstants.mjs.map +1 -1
  340. package/dist/redirect-bridge/utils/BrowserUtils.d.ts +2 -2
  341. package/dist/redirect-bridge/utils/BrowserUtils.d.ts.map +1 -1
  342. package/dist/redirect-bridge/utils/BrowserUtils.mjs +1 -1
  343. package/dist/redirect-bridge/utils/BrowserUtils.mjs.map +1 -1
  344. package/dist/redirect_bridge/index.d.ts.map +1 -1
  345. package/dist/request/RequestHelpers.mjs +1 -1
  346. package/dist/response/ResponseHandler.mjs +1 -1
  347. package/dist/telemetry/BrowserPerformanceClient.d.ts +1 -0
  348. package/dist/telemetry/BrowserPerformanceClient.d.ts.map +1 -1
  349. package/dist/telemetry/BrowserPerformanceClient.mjs +6 -1
  350. package/dist/telemetry/BrowserPerformanceClient.mjs.map +1 -1
  351. package/dist/telemetry/BrowserPerformanceEvents.d.ts +6 -0
  352. package/dist/telemetry/BrowserPerformanceEvents.d.ts.map +1 -1
  353. package/dist/telemetry/BrowserPerformanceEvents.mjs +9 -3
  354. package/dist/telemetry/BrowserPerformanceEvents.mjs.map +1 -1
  355. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  356. package/dist/telemetry/BrowserRootPerformanceEvents.d.ts +6 -0
  357. package/dist/telemetry/BrowserRootPerformanceEvents.d.ts.map +1 -1
  358. package/dist/telemetry/BrowserRootPerformanceEvents.mjs +10 -3
  359. package/dist/telemetry/BrowserRootPerformanceEvents.mjs.map +1 -1
  360. package/dist/utils/BrowserConstants.mjs +1 -1
  361. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  362. package/dist/utils/BrowserUtils.d.ts +2 -2
  363. package/dist/utils/BrowserUtils.d.ts.map +1 -1
  364. package/dist/utils/BrowserUtils.mjs +27 -3
  365. package/dist/utils/BrowserUtils.mjs.map +1 -1
  366. package/dist/utils/Helpers.mjs +1 -1
  367. package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
  368. package/lib/custom-auth-path/log-strings-mapping.json +67 -15
  369. package/lib/custom-auth-path/msal-custom-auth.cjs +897 -617
  370. package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
  371. package/lib/custom-auth-path/types/broker/nativeBroker/PlatformAuthProvider.d.ts +1 -1
  372. package/lib/custom-auth-path/types/cache/CacheKeys.d.ts +1 -0
  373. package/lib/custom-auth-path/types/cache/CacheKeys.d.ts.map +1 -1
  374. package/lib/custom-auth-path/types/cache/TokenCache.d.ts.map +1 -1
  375. package/lib/custom-auth-path/types/config/Configuration.d.ts +20 -1
  376. package/lib/custom-auth-path/types/config/Configuration.d.ts.map +1 -1
  377. package/lib/custom-auth-path/types/controllers/StandardController.d.ts +20 -2
  378. package/lib/custom-auth-path/types/controllers/StandardController.d.ts.map +1 -1
  379. package/lib/custom-auth-path/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  380. package/lib/custom-auth-path/types/error/NativeAuthError.d.ts.map +1 -1
  381. package/lib/custom-auth-path/types/index.d.ts +1 -1
  382. package/lib/custom-auth-path/types/index.d.ts.map +1 -1
  383. package/lib/custom-auth-path/types/interaction_client/PlatformAuthInteractionClient.d.ts +12 -12
  384. package/lib/custom-auth-path/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  385. package/lib/custom-auth-path/types/interaction_client/PopupClient.d.ts.map +1 -1
  386. package/lib/custom-auth-path/types/interaction_client/RedirectClient.d.ts.map +1 -1
  387. package/lib/custom-auth-path/types/interaction_client/SilentIframeClient.d.ts +14 -0
  388. package/lib/custom-auth-path/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
  389. package/lib/custom-auth-path/types/packageMetadata.d.ts +1 -1
  390. package/lib/custom-auth-path/types/protocol/Authorize.d.ts.map +1 -1
  391. package/lib/custom-auth-path/types/redirect_bridge/index.d.ts.map +1 -1
  392. package/lib/custom-auth-path/types/telemetry/BrowserPerformanceClient.d.ts +1 -0
  393. package/lib/custom-auth-path/types/telemetry/BrowserPerformanceClient.d.ts.map +1 -1
  394. package/lib/custom-auth-path/types/telemetry/BrowserPerformanceEvents.d.ts +6 -0
  395. package/lib/custom-auth-path/types/telemetry/BrowserPerformanceEvents.d.ts.map +1 -1
  396. package/lib/custom-auth-path/types/telemetry/BrowserRootPerformanceEvents.d.ts +6 -0
  397. package/lib/custom-auth-path/types/telemetry/BrowserRootPerformanceEvents.d.ts.map +1 -1
  398. package/lib/custom-auth-path/types/utils/BrowserUtils.d.ts +2 -2
  399. package/lib/custom-auth-path/types/utils/BrowserUtils.d.ts.map +1 -1
  400. package/lib/log-strings-mapping.json +75 -23
  401. package/lib/msal-browser.cjs +1045 -755
  402. package/lib/msal-browser.cjs.map +1 -1
  403. package/lib/msal-browser.js +1045 -755
  404. package/lib/msal-browser.js.map +1 -1
  405. package/lib/msal-browser.min.js +2 -2
  406. package/lib/redirect-bridge/msal-redirect-bridge.js +24 -16
  407. package/lib/redirect-bridge/msal-redirect-bridge.js.map +1 -1
  408. package/lib/redirect-bridge/msal-redirect-bridge.min.js +2 -2
  409. package/lib/types/broker/nativeBroker/PlatformAuthProvider.d.ts +1 -1
  410. package/lib/types/cache/CacheKeys.d.ts +1 -0
  411. package/lib/types/cache/CacheKeys.d.ts.map +1 -1
  412. package/lib/types/cache/TokenCache.d.ts.map +1 -1
  413. package/lib/types/config/Configuration.d.ts +20 -1
  414. package/lib/types/config/Configuration.d.ts.map +1 -1
  415. package/lib/types/controllers/StandardController.d.ts +20 -2
  416. package/lib/types/controllers/StandardController.d.ts.map +1 -1
  417. package/lib/types/custom_auth/CustomAuthConstants.d.ts +1 -1
  418. package/lib/types/error/NativeAuthError.d.ts.map +1 -1
  419. package/lib/types/index.d.ts +1 -1
  420. package/lib/types/index.d.ts.map +1 -1
  421. package/lib/types/interaction_client/PlatformAuthInteractionClient.d.ts +12 -12
  422. package/lib/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
  423. package/lib/types/interaction_client/PopupClient.d.ts.map +1 -1
  424. package/lib/types/interaction_client/RedirectClient.d.ts.map +1 -1
  425. package/lib/types/interaction_client/SilentIframeClient.d.ts +14 -0
  426. package/lib/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
  427. package/lib/types/packageMetadata.d.ts +1 -1
  428. package/lib/types/protocol/Authorize.d.ts.map +1 -1
  429. package/lib/types/redirect_bridge/index.d.ts.map +1 -1
  430. package/lib/types/telemetry/BrowserPerformanceClient.d.ts +1 -0
  431. package/lib/types/telemetry/BrowserPerformanceClient.d.ts.map +1 -1
  432. package/lib/types/telemetry/BrowserPerformanceEvents.d.ts +6 -0
  433. package/lib/types/telemetry/BrowserPerformanceEvents.d.ts.map +1 -1
  434. package/lib/types/telemetry/BrowserRootPerformanceEvents.d.ts +6 -0
  435. package/lib/types/telemetry/BrowserRootPerformanceEvents.d.ts.map +1 -1
  436. package/lib/types/utils/BrowserUtils.d.ts +2 -2
  437. package/lib/types/utils/BrowserUtils.d.ts.map +1 -1
  438. package/package.json +2 -2
  439. package/src/broker/nativeBroker/PlatformAuthProvider.ts +1 -1
  440. package/src/cache/CacheKeys.ts +1 -0
  441. package/src/cache/TokenCache.ts +27 -24
  442. package/src/config/Configuration.ts +30 -0
  443. package/src/controllers/StandardController.ts +316 -69
  444. package/src/error/NativeAuthError.ts +1 -2
  445. package/src/index.ts +1 -0
  446. package/src/interaction_client/PlatformAuthInteractionClient.ts +99 -76
  447. package/src/interaction_client/PopupClient.ts +10 -0
  448. package/src/interaction_client/RedirectClient.ts +10 -0
  449. package/src/interaction_client/SilentIframeClient.ts +127 -22
  450. package/src/packageMetadata.ts +1 -1
  451. package/src/protocol/Authorize.ts +8 -0
  452. package/src/redirect_bridge/index.ts +12 -5
  453. package/src/telemetry/BrowserPerformanceClient.ts +6 -0
  454. package/src/telemetry/BrowserPerformanceEvents.ts +9 -0
  455. package/src/telemetry/BrowserRootPerformanceEvents.ts +7 -0
  456. package/src/utils/BrowserUtils.ts +36 -4
@@ -1,8 +1,8 @@
1
- /*! @azure/msal-browser v5.6.2 2026-03-27 */
1
+ /*! @azure/msal-browser v5.7.0 2026-04-16 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
5
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6
6
  /*
7
7
  * Copyright (c) Microsoft Corporation. All rights reserved.
8
8
  * Licensed under the MIT License.
@@ -234,7 +234,7 @@ const JsonWebTokenTypes$1 = {
234
234
  // Token renewal offset default in seconds
235
235
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
236
236
 
237
- /*! @azure/msal-common v16.4.0 2026-03-27 */
237
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
238
238
  /*
239
239
  * Copyright (c) Microsoft Corporation. All rights reserved.
240
240
  * Licensed under the MIT License.
@@ -286,7 +286,7 @@ const EAR_JWE_CRYPTO = "ear_jwe_crypto";
286
286
  const RESOURCE = "resource";
287
287
  const CLI_DATA = "clidata";
288
288
 
289
- /*! @azure/msal-common v16.4.0 2026-03-27 */
289
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
290
290
  /*
291
291
  * Copyright (c) Microsoft Corporation. All rights reserved.
292
292
  * Licensed under the MIT License.
@@ -317,7 +317,7 @@ function createAuthError(code, additionalMessage) {
317
317
  return new AuthError(code, additionalMessage || getDefaultErrorMessage$1(code));
318
318
  }
319
319
 
320
- /*! @azure/msal-common v16.4.0 2026-03-27 */
320
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
321
321
 
322
322
  /*
323
323
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -337,7 +337,7 @@ function createClientConfigurationError(errorCode) {
337
337
  return new ClientConfigurationError(errorCode);
338
338
  }
339
339
 
340
- /*! @azure/msal-common v16.4.0 2026-03-27 */
340
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
341
341
  /*
342
342
  * Copyright (c) Microsoft Corporation. All rights reserved.
343
343
  * Licensed under the MIT License.
@@ -417,7 +417,7 @@ class StringUtils {
417
417
  }
418
418
  }
419
419
 
420
- /*! @azure/msal-common v16.4.0 2026-03-27 */
420
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
421
421
 
422
422
  /*
423
423
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -440,7 +440,7 @@ function createClientAuthError(errorCode, additionalMessage) {
440
440
  return new ClientAuthError(errorCode, additionalMessage);
441
441
  }
442
442
 
443
- /*! @azure/msal-common v16.4.0 2026-03-27 */
443
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
444
444
  /*
445
445
  * Copyright (c) Microsoft Corporation. All rights reserved.
446
446
  * Licensed under the MIT License.
@@ -494,7 +494,7 @@ var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
494
494
  urlParseError: urlParseError
495
495
  });
496
496
 
497
- /*! @azure/msal-common v16.4.0 2026-03-27 */
497
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
498
498
  /*
499
499
  * Copyright (c) Microsoft Corporation. All rights reserved.
500
500
  * Licensed under the MIT License.
@@ -582,7 +582,7 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
582
582
  userCanceled: userCanceled
583
583
  });
584
584
 
585
- /*! @azure/msal-common v16.4.0 2026-03-27 */
585
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
586
586
 
587
587
  /*
588
588
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -777,7 +777,7 @@ class ScopeSet {
777
777
  }
778
778
  }
779
779
 
780
- /*! @azure/msal-common v16.4.0 2026-03-27 */
780
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
781
781
 
782
782
  /*
783
783
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -898,18 +898,29 @@ function addSid(parameters, sid) {
898
898
  parameters.set(SID, sid);
899
899
  }
900
900
  /**
901
- * add claims
902
- * @param claims
903
- */
904
- function addClaims(parameters, claims, clientCapabilities) {
905
- const mergedClaims = addClientCapabilitiesToClaims$1(claims, clientCapabilities);
906
- try {
907
- JSON.parse(mergedClaims);
908
- }
909
- catch (e) {
910
- throw createClientConfigurationError(invalidClaims);
901
+ * Adds claims to request parameters, conditionally excluding clientCapabilities
902
+ * when skipBrokerClaims is true and a brokered flow is in effect.
903
+ * @param parameters - The request parameters map
904
+ * @param claims - The claims string from the request
905
+ * @param clientCapabilities - The client capabilities from configuration
906
+ * @param skipBrokerClaims - When true and BROKER_CLIENT_ID is present, excludes clientCapabilities from claims
907
+ */
908
+ function addClaims(parameters, claims, clientCapabilities, skipBrokerClaims) {
909
+ // Skip clientCapabilities if skipBrokerClaims is set to true and this is a brokered authentication flow
910
+ const configClaims = skipBrokerClaims && parameters.has(BROKER_CLIENT_ID)
911
+ ? undefined
912
+ : clientCapabilities;
913
+ if (!StringUtils.isEmptyObj(claims) ||
914
+ (configClaims && configClaims.length > 0)) {
915
+ const mergedClaims = addClientCapabilitiesToClaims$1(claims, configClaims);
916
+ try {
917
+ JSON.parse(mergedClaims);
918
+ }
919
+ catch (e) {
920
+ throw createClientConfigurationError(invalidClaims);
921
+ }
922
+ parameters.set(CLAIMS, mergedClaims);
911
923
  }
912
- parameters.set(CLAIMS, mergedClaims);
913
924
  }
914
925
  /**
915
926
  * add correlationId
@@ -1155,7 +1166,7 @@ function addResource(parameters, resource) {
1155
1166
  }
1156
1167
  }
1157
1168
 
1158
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1169
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1159
1170
 
1160
1171
  /*
1161
1172
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1264,7 +1275,7 @@ function normalizeUrlForComparison(url) {
1264
1275
  }
1265
1276
  }
1266
1277
 
1267
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1278
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1268
1279
 
1269
1280
  /*
1270
1281
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1303,7 +1314,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
1303
1314
  },
1304
1315
  };
1305
1316
 
1306
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1317
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1307
1318
  /*
1308
1319
  * Copyright (c) Microsoft Corporation. All rights reserved.
1309
1320
  * Licensed under the MIT License.
@@ -1578,12 +1589,12 @@ class Logger {
1578
1589
  }
1579
1590
  }
1580
1591
 
1581
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1592
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1582
1593
  /* eslint-disable header/header */
1583
1594
  const name$1 = "@azure/msal-common";
1584
- const version$1 = "16.4.0";
1595
+ const version$1 = "16.5.0";
1585
1596
 
1586
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1597
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1587
1598
  /*
1588
1599
  * Copyright (c) Microsoft Corporation. All rights reserved.
1589
1600
  * Licensed under the MIT License.
@@ -1603,7 +1614,7 @@ const AzureCloudInstance = {
1603
1614
  AzureUsGovernment: "https://login.microsoftonline.us",
1604
1615
  };
1605
1616
 
1606
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1617
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1607
1618
  /*
1608
1619
  * Copyright (c) Microsoft Corporation. All rights reserved.
1609
1620
  * Licensed under the MIT License.
@@ -1685,7 +1696,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
1685
1696
  return updatedAccountInfo;
1686
1697
  }
1687
1698
 
1688
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1699
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1689
1700
 
1690
1701
  /*
1691
1702
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1765,7 +1776,7 @@ function checkMaxAge(authTime, maxAge) {
1765
1776
  }
1766
1777
  }
1767
1778
 
1768
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1779
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1769
1780
 
1770
1781
  /*
1771
1782
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1922,7 +1933,7 @@ class UrlString {
1922
1933
  }
1923
1934
  }
1924
1935
 
1925
- /*! @azure/msal-common v16.4.0 2026-03-27 */
1936
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
1926
1937
 
1927
1938
  /*
1928
1939
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2079,7 +2090,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
2079
2090
  return null;
2080
2091
  }
2081
2092
 
2082
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2093
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2083
2094
  /*
2084
2095
  * Copyright (c) Microsoft Corporation. All rights reserved.
2085
2096
  * Licensed under the MIT License.
@@ -2087,7 +2098,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
2087
2098
  const cacheQuotaExceeded = "cache_quota_exceeded";
2088
2099
  const cacheErrorUnknown = "cache_error_unknown";
2089
2100
 
2090
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2101
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2091
2102
 
2092
2103
  /*
2093
2104
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2125,7 +2136,7 @@ function createCacheError(e) {
2125
2136
  }
2126
2137
  }
2127
2138
 
2128
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2139
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2129
2140
 
2130
2141
  /*
2131
2142
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2163,7 +2174,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
2163
2174
  };
2164
2175
  }
2165
2176
 
2166
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2177
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2167
2178
  /*
2168
2179
  * Copyright (c) Microsoft Corporation. All rights reserved.
2169
2180
  * Licensed under the MIT License.
@@ -2178,7 +2189,7 @@ const AuthorityType = {
2178
2189
  Ciam: 3,
2179
2190
  };
2180
2191
 
2181
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2192
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2182
2193
  /*
2183
2194
  * Copyright (c) Microsoft Corporation. All rights reserved.
2184
2195
  * Licensed under the MIT License.
@@ -2200,7 +2211,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
2200
2211
  return null;
2201
2212
  }
2202
2213
 
2203
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2214
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2204
2215
  /*
2205
2216
  * Copyright (c) Microsoft Corporation. All rights reserved.
2206
2217
  * Licensed under the MIT License.
@@ -2224,7 +2235,7 @@ const ProtocolMode = {
2224
2235
  EAR: "EAR",
2225
2236
  };
2226
2237
 
2227
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2238
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2228
2239
  /**
2229
2240
  * Returns the AccountInfo interface for this account.
2230
2241
  */
@@ -2399,7 +2410,7 @@ function isAccountEntity(entity) {
2399
2410
  entity.hasOwnProperty("authorityType"));
2400
2411
  }
2401
2412
 
2402
- /*! @azure/msal-common v16.4.0 2026-03-27 */
2413
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
2403
2414
 
2404
2415
  /*
2405
2416
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3501,7 +3512,7 @@ class DefaultStorageClass extends CacheManager {
3501
3512
  }
3502
3513
  }
3503
3514
 
3504
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3515
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3505
3516
  /*
3506
3517
  * Copyright (c) Microsoft Corporation. All rights reserved.
3507
3518
  * Licensed under the MIT License.
@@ -3546,12 +3557,13 @@ const IntFields = new Set([
3546
3557
  "currRefreshCount",
3547
3558
  "expiredCacheRemovedCount",
3548
3559
  "upgradedCacheCount",
3560
+ "cacheMatchedAccounts",
3549
3561
  "networkRtt",
3550
3562
  "redirectBridgeTimeoutMs",
3551
3563
  "redirectBridgeMessageVersion",
3552
3564
  ]);
3553
3565
 
3554
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3566
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3555
3567
 
3556
3568
  /*
3557
3569
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3606,7 +3618,7 @@ class StubPerformanceClient {
3606
3618
  }
3607
3619
  }
3608
3620
 
3609
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3621
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3610
3622
 
3611
3623
  /*
3612
3624
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3701,226 +3713,34 @@ function isOidcProtocolMode(config) {
3701
3713
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3702
3714
  }
3703
3715
 
3704
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3705
-
3706
- /*
3707
- * Copyright (c) Microsoft Corporation. All rights reserved.
3708
- * Licensed under the MIT License.
3709
- */
3710
- /**
3711
- * Error thrown when there is an error with the server code, for example, unavailability.
3712
- */
3713
- class ServerError extends AuthError {
3714
- constructor(errorCode, errorMessage, subError, errorNo, status) {
3715
- super(errorCode, errorMessage, subError);
3716
- this.name = "ServerError";
3717
- this.errorNo = errorNo;
3718
- this.status = status;
3719
- Object.setPrototypeOf(this, ServerError.prototype);
3720
- }
3721
- }
3722
-
3723
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3724
- /*
3725
- * Copyright (c) Microsoft Corporation. All rights reserved.
3726
- * Licensed under the MIT License.
3727
- */
3728
- /**
3729
- * MSAL-defined interaction required error code indicating no tokens are found in cache.
3730
- * @public
3731
- */
3732
- const noTokensFound = "no_tokens_found";
3733
- /**
3734
- * MSAL-defined error code indicating a native account is unavailable on the platform.
3735
- * @public
3736
- */
3737
- const nativeAccountUnavailable = "native_account_unavailable";
3738
- /**
3739
- * MSAL-defined error code indicating the refresh token has expired and user interaction is needed.
3740
- * @public
3741
- */
3742
- const refreshTokenExpired = "refresh_token_expired";
3743
- /**
3744
- * MSAL-defined error code indicating UI/UX is not allowed (e.g., blocked by policy), requiring alternate interaction.
3745
- * @public
3746
- */
3747
- const uxNotAllowed = "ux_not_allowed";
3748
- /**
3749
- * Server-originated error code indicating interaction is required to complete the request.
3750
- * @public
3751
- */
3752
- const interactionRequired = "interaction_required";
3753
- /**
3754
- * Server-originated error code indicating user consent is required.
3755
- * @public
3756
- */
3757
- const consentRequired = "consent_required";
3758
- /**
3759
- * Server-originated error code indicating user login is required.
3760
- * @public
3761
- */
3762
- const loginRequired = "login_required";
3763
- /**
3764
- * Server-originated error code indicating the token is invalid or corrupted.
3765
- * @public
3766
- */
3767
- const badToken = "bad_token";
3768
- /**
3769
- * Server-originated error code indicating the user is in an interrupted state and interaction is required.
3770
- * @public
3771
- */
3772
- const interruptedUser = "interrupted_user";
3773
-
3774
- var InteractionRequiredAuthErrorCodes = /*#__PURE__*/Object.freeze({
3775
- __proto__: null,
3776
- badToken: badToken,
3777
- consentRequired: consentRequired,
3778
- interactionRequired: interactionRequired,
3779
- interruptedUser: interruptedUser,
3780
- loginRequired: loginRequired,
3781
- nativeAccountUnavailable: nativeAccountUnavailable,
3782
- noTokensFound: noTokensFound,
3783
- refreshTokenExpired: refreshTokenExpired,
3784
- uxNotAllowed: uxNotAllowed
3785
- });
3786
-
3787
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3788
-
3789
- /*
3790
- * Copyright (c) Microsoft Corporation. All rights reserved.
3791
- * Licensed under the MIT License.
3792
- */
3793
- /**
3794
- * InteractionRequiredServerErrorMessage contains string constants used by error codes and messages returned by the server indicating interaction is required
3795
- */
3796
- const InteractionRequiredServerErrorMessage = [
3797
- interactionRequired,
3798
- consentRequired,
3799
- loginRequired,
3800
- badToken,
3801
- uxNotAllowed,
3802
- interruptedUser,
3803
- ];
3804
- const InteractionRequiredAuthSubErrorMessage = [
3805
- "message_only",
3806
- "additional_action",
3807
- "basic_action",
3808
- "user_password_expired",
3809
- "consent_required",
3810
- "bad_token",
3811
- "ux_not_allowed",
3812
- "interrupted_user",
3813
- ];
3814
- /**
3815
- * Error thrown when user interaction is required.
3816
- */
3817
- class InteractionRequiredAuthError extends AuthError {
3818
- constructor(errorCode, errorMessage, subError, timestamp, traceId, correlationId, claims, errorNo) {
3819
- super(errorCode, errorMessage, subError);
3820
- Object.setPrototypeOf(this, InteractionRequiredAuthError.prototype);
3821
- this.timestamp = timestamp || "";
3822
- this.traceId = traceId || "";
3823
- this.correlationId = correlationId || "";
3824
- this.claims = claims || "";
3825
- this.name = "InteractionRequiredAuthError";
3826
- this.errorNo = errorNo;
3827
- }
3828
- }
3829
- /**
3830
- * Helper function used to determine if an error thrown by the server requires interaction to resolve
3831
- * @param errorCode
3832
- * @param errorString
3833
- * @param subError
3834
- */
3835
- function isInteractionRequiredError(errorCode, errorString, subError) {
3836
- const isInteractionRequiredErrorCode = !!errorCode &&
3837
- InteractionRequiredServerErrorMessage.indexOf(errorCode) > -1;
3838
- const isInteractionRequiredSubError = !!subError &&
3839
- InteractionRequiredAuthSubErrorMessage.indexOf(subError) > -1;
3840
- const isInteractionRequiredErrorDesc = !!errorString &&
3841
- InteractionRequiredServerErrorMessage.some((irErrorCode) => {
3842
- return errorString.indexOf(irErrorCode) > -1;
3843
- });
3844
- return (isInteractionRequiredErrorCode ||
3845
- isInteractionRequiredErrorDesc ||
3846
- isInteractionRequiredSubError);
3847
- }
3848
- /**
3849
- * Creates an InteractionRequiredAuthError
3850
- */
3851
- function createInteractionRequiredAuthError(errorCode, errorMessage) {
3852
- return new InteractionRequiredAuthError(errorCode, errorMessage);
3853
- }
3854
-
3855
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3856
-
3716
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3857
3717
  /*
3858
3718
  * Copyright (c) Microsoft Corporation. All rights reserved.
3859
3719
  * Licensed under the MIT License.
3860
3720
  */
3861
3721
  /**
3862
- * Appends user state with random guid, or returns random guid.
3863
- * @param cryptoObj
3864
- * @param userState
3865
- * @param meta
3866
- */
3867
- function setRequestState(cryptoObj, userState, meta) {
3868
- const libraryState = generateLibraryState(cryptoObj, meta);
3869
- return userState
3870
- ? `${libraryState}${RESOURCE_DELIM}${userState}`
3871
- : libraryState;
3872
- }
3873
- /**
3874
- * Generates the state value used by the common library.
3875
- * @param cryptoObj
3876
- * @param meta
3877
- */
3878
- function generateLibraryState(cryptoObj, meta) {
3879
- if (!cryptoObj) {
3880
- throw createClientAuthError(noCryptoObject);
3881
- }
3882
- // Create a state object containing a unique id and the timestamp of the request creation
3883
- const stateObj = {
3884
- id: cryptoObj.createNewGuid(),
3885
- };
3886
- if (meta) {
3887
- stateObj.meta = meta;
3888
- }
3889
- const stateString = JSON.stringify(stateObj);
3890
- return cryptoObj.base64Encode(stateString);
3891
- }
3892
- /**
3893
- * Parses the state into the RequestStateObject, which contains the LibraryState info and the state passed by the user.
3894
- * @param base64Decode
3895
- * @param state
3896
- */
3897
- function parseRequestState(base64Decode, state) {
3898
- if (!base64Decode) {
3899
- throw createClientAuthError(noCryptoObject);
3900
- }
3901
- if (!state) {
3902
- throw createClientAuthError(invalidState);
3722
+ * This class instance helps track the memory changes facilitating
3723
+ * decisions to read from and write to the persistent cache
3724
+ */ class TokenCacheContext {
3725
+ constructor(tokenCache, hasChanged) {
3726
+ this.cache = tokenCache;
3727
+ this.hasChanged = hasChanged;
3903
3728
  }
3904
- try {
3905
- // Split the state between library state and user passed state and decode them separately
3906
- const splitState = state.split(RESOURCE_DELIM);
3907
- const libraryState = splitState[0];
3908
- const userState = splitState.length > 1
3909
- ? splitState.slice(1).join(RESOURCE_DELIM)
3910
- : "";
3911
- const libraryStateString = base64Decode(libraryState);
3912
- const libraryStateObj = JSON.parse(libraryStateString);
3913
- return {
3914
- userRequestState: userState || "",
3915
- libraryState: libraryStateObj,
3916
- };
3729
+ /**
3730
+ * boolean which indicates the changes in cache
3731
+ */
3732
+ get cacheHasChanged() {
3733
+ return this.hasChanged;
3917
3734
  }
3918
- catch (e) {
3919
- throw createClientAuthError(invalidState);
3735
+ /**
3736
+ * function to retrieve the token cache
3737
+ */
3738
+ get tokenCache() {
3739
+ return this.cache;
3920
3740
  }
3921
3741
  }
3922
3742
 
3923
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3743
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3924
3744
  /*
3925
3745
  * Copyright (c) Microsoft Corporation. All rights reserved.
3926
3746
  * Licensed under the MIT License.
@@ -3985,21 +3805,280 @@ function wasClockTurnedBack(cachedAt) {
3985
3805
  return cachedAtSec > nowSeconds();
3986
3806
  }
3987
3807
 
3988
- /*! @azure/msal-common v16.4.0 2026-03-27 */
3808
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
3809
+
3989
3810
  /*
3990
3811
  * Copyright (c) Microsoft Corporation. All rights reserved.
3991
3812
  * Licensed under the MIT License.
3992
3813
  */
3993
3814
  /**
3994
- * Time spent sending/waiting for the response of a request to the token endpoint
3995
- */
3996
- const NetworkClientSendPostRequestAsync = "networkClientSendPostRequestAsync";
3997
- const RefreshTokenClientExecutePostToTokenEndpoint = "refreshTokenClientExecutePostToTokenEndpoint";
3998
- const AuthorizationCodeClientExecutePostToTokenEndpoint = "authorizationCodeClientExecutePostToTokenEndpoint";
3999
- /**
4000
- * Time spent on the network for refresh token acquisition
3815
+ * Create IdTokenEntity
3816
+ * @param homeAccountId
3817
+ * @param authenticationResult
3818
+ * @param clientId
3819
+ * @param authority
4001
3820
  */
4002
- const RefreshTokenClientExecuteTokenRequest = "refreshTokenClientExecuteTokenRequest";
3821
+ function createIdTokenEntity(homeAccountId, environment, idToken, clientId, tenantId) {
3822
+ const idTokenEntity = {
3823
+ credentialType: CredentialType.ID_TOKEN,
3824
+ homeAccountId: homeAccountId,
3825
+ environment: environment,
3826
+ clientId: clientId,
3827
+ secret: idToken,
3828
+ realm: tenantId,
3829
+ lastUpdatedAt: Date.now().toString(), // Set the last updated time to now
3830
+ };
3831
+ return idTokenEntity;
3832
+ }
3833
+ /**
3834
+ * Create AccessTokenEntity
3835
+ * @param homeAccountId
3836
+ * @param environment
3837
+ * @param accessToken
3838
+ * @param clientId
3839
+ * @param tenantId
3840
+ * @param scopes
3841
+ * @param expiresOn
3842
+ * @param extExpiresOn
3843
+ */
3844
+ function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, refreshOn, tokenType, userAssertionHash, keyId) {
3845
+ const atEntity = {
3846
+ homeAccountId: homeAccountId,
3847
+ credentialType: CredentialType.ACCESS_TOKEN,
3848
+ secret: accessToken,
3849
+ cachedAt: nowSeconds().toString(),
3850
+ expiresOn: expiresOn.toString(),
3851
+ extendedExpiresOn: extExpiresOn.toString(),
3852
+ environment: environment,
3853
+ clientId: clientId,
3854
+ realm: tenantId,
3855
+ target: scopes,
3856
+ tokenType: tokenType || AuthenticationScheme$1.BEARER,
3857
+ lastUpdatedAt: Date.now().toString(), // Set the last updated time to now
3858
+ };
3859
+ if (userAssertionHash) {
3860
+ atEntity.userAssertionHash = userAssertionHash;
3861
+ }
3862
+ if (refreshOn) {
3863
+ atEntity.refreshOn = refreshOn.toString();
3864
+ }
3865
+ /*
3866
+ * Create Access Token With Auth Scheme instead of regular access token
3867
+ * Cast to lower to handle "bearer" from ADFS
3868
+ */
3869
+ if (atEntity.tokenType?.toLowerCase() !==
3870
+ AuthenticationScheme$1.BEARER.toLowerCase()) {
3871
+ atEntity.credentialType =
3872
+ CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME;
3873
+ switch (atEntity.tokenType) {
3874
+ case AuthenticationScheme$1.POP:
3875
+ // Make sure keyId is present and add it to credential
3876
+ const tokenClaims = extractTokenClaims(accessToken, base64Decode);
3877
+ if (!tokenClaims?.cnf?.kid) {
3878
+ throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt);
3879
+ }
3880
+ atEntity.keyId = tokenClaims.cnf.kid;
3881
+ break;
3882
+ case AuthenticationScheme$1.SSH:
3883
+ atEntity.keyId = keyId;
3884
+ }
3885
+ }
3886
+ return atEntity;
3887
+ }
3888
+ /**
3889
+ * Create RefreshTokenEntity
3890
+ * @param homeAccountId
3891
+ * @param authenticationResult
3892
+ * @param clientId
3893
+ * @param authority
3894
+ */
3895
+ function createRefreshTokenEntity(homeAccountId, environment, refreshToken, clientId, familyId, userAssertionHash, expiresOn) {
3896
+ const rtEntity = {
3897
+ credentialType: CredentialType.REFRESH_TOKEN,
3898
+ homeAccountId: homeAccountId,
3899
+ environment: environment,
3900
+ clientId: clientId,
3901
+ secret: refreshToken,
3902
+ lastUpdatedAt: Date.now().toString(),
3903
+ };
3904
+ if (userAssertionHash) {
3905
+ rtEntity.userAssertionHash = userAssertionHash;
3906
+ }
3907
+ if (familyId) {
3908
+ rtEntity.familyId = familyId;
3909
+ }
3910
+ if (expiresOn) {
3911
+ rtEntity.expiresOn = expiresOn.toString();
3912
+ }
3913
+ return rtEntity;
3914
+ }
3915
+ function isCredentialEntity(entity) {
3916
+ return (entity.hasOwnProperty("homeAccountId") &&
3917
+ entity.hasOwnProperty("environment") &&
3918
+ entity.hasOwnProperty("credentialType") &&
3919
+ entity.hasOwnProperty("clientId") &&
3920
+ entity.hasOwnProperty("secret"));
3921
+ }
3922
+ /**
3923
+ * Validates an entity: checks for all expected params
3924
+ * @param entity
3925
+ */
3926
+ function isAccessTokenEntity(entity) {
3927
+ if (!entity) {
3928
+ return false;
3929
+ }
3930
+ return (isCredentialEntity(entity) &&
3931
+ entity.hasOwnProperty("realm") &&
3932
+ entity.hasOwnProperty("target") &&
3933
+ (entity["credentialType"] === CredentialType.ACCESS_TOKEN ||
3934
+ entity["credentialType"] ===
3935
+ CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME));
3936
+ }
3937
+ /**
3938
+ * Validates an entity: checks for all expected params
3939
+ * @param entity
3940
+ */
3941
+ function isIdTokenEntity(entity) {
3942
+ if (!entity) {
3943
+ return false;
3944
+ }
3945
+ return (isCredentialEntity(entity) &&
3946
+ entity.hasOwnProperty("realm") &&
3947
+ entity["credentialType"] === CredentialType.ID_TOKEN);
3948
+ }
3949
+ /**
3950
+ * Validates an entity: checks for all expected params
3951
+ * @param entity
3952
+ */
3953
+ function isRefreshTokenEntity(entity) {
3954
+ if (!entity) {
3955
+ return false;
3956
+ }
3957
+ return (isCredentialEntity(entity) &&
3958
+ entity["credentialType"] === CredentialType.REFRESH_TOKEN);
3959
+ }
3960
+ /**
3961
+ * validates if a given cache entry is "Telemetry", parses <key,value>
3962
+ * @param key
3963
+ * @param entity
3964
+ */
3965
+ function isServerTelemetryEntity(key, entity) {
3966
+ const validateKey = key.indexOf(SERVER_TELEM_CACHE_KEY) === 0;
3967
+ let validateEntity = true;
3968
+ if (entity) {
3969
+ validateEntity =
3970
+ entity.hasOwnProperty("failedRequests") &&
3971
+ entity.hasOwnProperty("errors") &&
3972
+ entity.hasOwnProperty("cacheHits");
3973
+ }
3974
+ return validateKey && validateEntity;
3975
+ }
3976
+ /**
3977
+ * validates if a given cache entry is "Throttling", parses <key,value>
3978
+ * @param key
3979
+ * @param entity
3980
+ */
3981
+ function isThrottlingEntity(key, entity) {
3982
+ let validateKey = false;
3983
+ if (key) {
3984
+ validateKey = key.indexOf(THROTTLING_PREFIX) === 0;
3985
+ }
3986
+ let validateEntity = true;
3987
+ if (entity) {
3988
+ validateEntity = entity.hasOwnProperty("throttleTime");
3989
+ }
3990
+ return validateKey && validateEntity;
3991
+ }
3992
+ /**
3993
+ * Generate AppMetadata Cache Key as per the schema: appmetadata-<environment>-<client_id>
3994
+ */
3995
+ function generateAppMetadataKey({ environment, clientId, }) {
3996
+ const appMetaDataKeyArray = [
3997
+ APP_METADATA,
3998
+ environment,
3999
+ clientId,
4000
+ ];
4001
+ return appMetaDataKeyArray
4002
+ .join(CACHE_KEY_SEPARATOR$1)
4003
+ .toLowerCase();
4004
+ }
4005
+ /*
4006
+ * Validates an entity: checks for all expected params
4007
+ * @param entity
4008
+ */
4009
+ function isAppMetadataEntity(key, entity) {
4010
+ if (!entity) {
4011
+ return false;
4012
+ }
4013
+ return (key.indexOf(APP_METADATA) === 0 &&
4014
+ entity.hasOwnProperty("clientId") &&
4015
+ entity.hasOwnProperty("environment"));
4016
+ }
4017
+ /**
4018
+ * Validates an entity: checks for all expected params
4019
+ * @param entity
4020
+ */
4021
+ function isAuthorityMetadataEntity(key, entity) {
4022
+ if (!entity) {
4023
+ return false;
4024
+ }
4025
+ return (key.indexOf(AUTHORITY_METADATA_CACHE_KEY) === 0 &&
4026
+ entity.hasOwnProperty("aliases") &&
4027
+ entity.hasOwnProperty("preferred_cache") &&
4028
+ entity.hasOwnProperty("preferred_network") &&
4029
+ entity.hasOwnProperty("canonical_authority") &&
4030
+ entity.hasOwnProperty("authorization_endpoint") &&
4031
+ entity.hasOwnProperty("token_endpoint") &&
4032
+ entity.hasOwnProperty("issuer") &&
4033
+ entity.hasOwnProperty("aliasesFromNetwork") &&
4034
+ entity.hasOwnProperty("endpointsFromNetwork") &&
4035
+ entity.hasOwnProperty("expiresAt") &&
4036
+ entity.hasOwnProperty("jwks_uri"));
4037
+ }
4038
+ /**
4039
+ * Reset the exiresAt value
4040
+ */
4041
+ function generateAuthorityMetadataExpiresAt() {
4042
+ return (nowSeconds() +
4043
+ AUTHORITY_METADATA_REFRESH_TIME_SECONDS);
4044
+ }
4045
+ function updateAuthorityEndpointMetadata(authorityMetadata, updatedValues, fromNetwork) {
4046
+ authorityMetadata.authorization_endpoint =
4047
+ updatedValues.authorization_endpoint;
4048
+ authorityMetadata.token_endpoint = updatedValues.token_endpoint;
4049
+ authorityMetadata.end_session_endpoint = updatedValues.end_session_endpoint;
4050
+ authorityMetadata.issuer = updatedValues.issuer;
4051
+ authorityMetadata.endpointsFromNetwork = fromNetwork;
4052
+ authorityMetadata.jwks_uri = updatedValues.jwks_uri;
4053
+ }
4054
+ function updateCloudDiscoveryMetadata(authorityMetadata, updatedValues, fromNetwork) {
4055
+ authorityMetadata.aliases = updatedValues.aliases;
4056
+ authorityMetadata.preferred_cache = updatedValues.preferred_cache;
4057
+ authorityMetadata.preferred_network = updatedValues.preferred_network;
4058
+ authorityMetadata.aliasesFromNetwork = fromNetwork;
4059
+ }
4060
+ /**
4061
+ * Returns whether or not the data needs to be refreshed
4062
+ */
4063
+ function isAuthorityMetadataExpired(metadata) {
4064
+ return metadata.expiresAt <= nowSeconds();
4065
+ }
4066
+
4067
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4068
+ /*
4069
+ * Copyright (c) Microsoft Corporation. All rights reserved.
4070
+ * Licensed under the MIT License.
4071
+ */
4072
+ /**
4073
+ * Time spent sending/waiting for the response of a request to the token endpoint
4074
+ */
4075
+ const NetworkClientSendPostRequestAsync = "networkClientSendPostRequestAsync";
4076
+ const RefreshTokenClientExecutePostToTokenEndpoint = "refreshTokenClientExecutePostToTokenEndpoint";
4077
+ const AuthorizationCodeClientExecutePostToTokenEndpoint = "authorizationCodeClientExecutePostToTokenEndpoint";
4078
+ /**
4079
+ * Time spent on the network for refresh token acquisition
4080
+ */
4081
+ const RefreshTokenClientExecuteTokenRequest = "refreshTokenClientExecuteTokenRequest";
4003
4082
  /**
4004
4083
  * Time taken for acquiring refresh token , records RT size
4005
4084
  */
@@ -4056,7 +4135,7 @@ const RegionDiscoveryGetCurrentVersion = "regionDiscoveryGetCurrentVersion";
4056
4135
  const CacheManagerGetRefreshToken = "cacheManagerGetRefreshToken";
4057
4136
  const SetUserData = "setUserData";
4058
4137
 
4059
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4138
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4060
4139
  /*
4061
4140
  * Copyright (c) Microsoft Corporation. All rights reserved.
4062
4141
  * Licensed under the MIT License.
@@ -4149,7 +4228,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
4149
4228
  };
4150
4229
  };
4151
4230
 
4152
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4231
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4153
4232
 
4154
4233
  /*
4155
4234
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4229,293 +4308,226 @@ class PopTokenGenerator {
4229
4308
  }
4230
4309
  }
4231
4310
 
4232
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4311
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4233
4312
  /*
4234
4313
  * Copyright (c) Microsoft Corporation. All rights reserved.
4235
4314
  * Licensed under the MIT License.
4236
4315
  */
4237
4316
  /**
4238
- * This class instance helps track the memory changes facilitating
4239
- * decisions to read from and write to the persistent cache
4240
- */ class TokenCacheContext {
4241
- constructor(tokenCache, hasChanged) {
4242
- this.cache = tokenCache;
4243
- this.hasChanged = hasChanged;
4244
- }
4245
- /**
4246
- * boolean which indicates the changes in cache
4247
- */
4248
- get cacheHasChanged() {
4249
- return this.hasChanged;
4250
- }
4251
- /**
4252
- * function to retrieve the token cache
4253
- */
4254
- get tokenCache() {
4255
- return this.cache;
4256
- }
4257
- }
4258
-
4259
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4260
-
4261
- /*
4262
- * Copyright (c) Microsoft Corporation. All rights reserved.
4263
- * Licensed under the MIT License.
4317
+ * MSAL-defined interaction required error code indicating no tokens are found in cache.
4318
+ * @public
4264
4319
  */
4320
+ const noTokensFound = "no_tokens_found";
4265
4321
  /**
4266
- * Create IdTokenEntity
4267
- * @param homeAccountId
4268
- * @param authenticationResult
4269
- * @param clientId
4270
- * @param authority
4322
+ * MSAL-defined error code indicating a native account is unavailable on the platform.
4323
+ * @public
4271
4324
  */
4272
- function createIdTokenEntity(homeAccountId, environment, idToken, clientId, tenantId) {
4273
- const idTokenEntity = {
4274
- credentialType: CredentialType.ID_TOKEN,
4275
- homeAccountId: homeAccountId,
4276
- environment: environment,
4277
- clientId: clientId,
4278
- secret: idToken,
4279
- realm: tenantId,
4280
- lastUpdatedAt: Date.now().toString(), // Set the last updated time to now
4281
- };
4282
- return idTokenEntity;
4283
- }
4325
+ const nativeAccountUnavailable = "native_account_unavailable";
4284
4326
  /**
4285
- * Create AccessTokenEntity
4286
- * @param homeAccountId
4287
- * @param environment
4288
- * @param accessToken
4289
- * @param clientId
4290
- * @param tenantId
4291
- * @param scopes
4292
- * @param expiresOn
4293
- * @param extExpiresOn
4327
+ * MSAL-defined error code indicating the refresh token has expired and user interaction is needed.
4328
+ * @public
4294
4329
  */
4295
- function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, refreshOn, tokenType, userAssertionHash, keyId) {
4296
- const atEntity = {
4297
- homeAccountId: homeAccountId,
4298
- credentialType: CredentialType.ACCESS_TOKEN,
4299
- secret: accessToken,
4300
- cachedAt: nowSeconds().toString(),
4301
- expiresOn: expiresOn.toString(),
4302
- extendedExpiresOn: extExpiresOn.toString(),
4303
- environment: environment,
4304
- clientId: clientId,
4305
- realm: tenantId,
4306
- target: scopes,
4307
- tokenType: tokenType || AuthenticationScheme$1.BEARER,
4308
- lastUpdatedAt: Date.now().toString(), // Set the last updated time to now
4309
- };
4310
- if (userAssertionHash) {
4311
- atEntity.userAssertionHash = userAssertionHash;
4312
- }
4313
- if (refreshOn) {
4314
- atEntity.refreshOn = refreshOn.toString();
4315
- }
4316
- /*
4317
- * Create Access Token With Auth Scheme instead of regular access token
4318
- * Cast to lower to handle "bearer" from ADFS
4319
- */
4320
- if (atEntity.tokenType?.toLowerCase() !==
4321
- AuthenticationScheme$1.BEARER.toLowerCase()) {
4322
- atEntity.credentialType =
4323
- CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME;
4324
- switch (atEntity.tokenType) {
4325
- case AuthenticationScheme$1.POP:
4326
- // Make sure keyId is present and add it to credential
4327
- const tokenClaims = extractTokenClaims(accessToken, base64Decode);
4328
- if (!tokenClaims?.cnf?.kid) {
4329
- throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt);
4330
- }
4331
- atEntity.keyId = tokenClaims.cnf.kid;
4332
- break;
4333
- case AuthenticationScheme$1.SSH:
4334
- atEntity.keyId = keyId;
4335
- }
4336
- }
4337
- return atEntity;
4338
- }
4330
+ const refreshTokenExpired = "refresh_token_expired";
4339
4331
  /**
4340
- * Create RefreshTokenEntity
4341
- * @param homeAccountId
4342
- * @param authenticationResult
4343
- * @param clientId
4344
- * @param authority
4332
+ * MSAL-defined error code indicating UI/UX is not allowed (e.g., blocked by policy), requiring alternate interaction.
4333
+ * @public
4345
4334
  */
4346
- function createRefreshTokenEntity(homeAccountId, environment, refreshToken, clientId, familyId, userAssertionHash, expiresOn) {
4347
- const rtEntity = {
4348
- credentialType: CredentialType.REFRESH_TOKEN,
4349
- homeAccountId: homeAccountId,
4350
- environment: environment,
4351
- clientId: clientId,
4352
- secret: refreshToken,
4353
- lastUpdatedAt: Date.now().toString(),
4354
- };
4355
- if (userAssertionHash) {
4356
- rtEntity.userAssertionHash = userAssertionHash;
4357
- }
4358
- if (familyId) {
4359
- rtEntity.familyId = familyId;
4360
- }
4361
- if (expiresOn) {
4362
- rtEntity.expiresOn = expiresOn.toString();
4363
- }
4364
- return rtEntity;
4365
- }
4366
- function isCredentialEntity(entity) {
4367
- return (entity.hasOwnProperty("homeAccountId") &&
4368
- entity.hasOwnProperty("environment") &&
4369
- entity.hasOwnProperty("credentialType") &&
4370
- entity.hasOwnProperty("clientId") &&
4371
- entity.hasOwnProperty("secret"));
4372
- }
4335
+ const uxNotAllowed = "ux_not_allowed";
4373
4336
  /**
4374
- * Validates an entity: checks for all expected params
4375
- * @param entity
4337
+ * Server-originated error code indicating interaction is required to complete the request.
4338
+ * @public
4376
4339
  */
4377
- function isAccessTokenEntity(entity) {
4378
- if (!entity) {
4379
- return false;
4380
- }
4381
- return (isCredentialEntity(entity) &&
4382
- entity.hasOwnProperty("realm") &&
4383
- entity.hasOwnProperty("target") &&
4384
- (entity["credentialType"] === CredentialType.ACCESS_TOKEN ||
4385
- entity["credentialType"] ===
4386
- CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME));
4387
- }
4340
+ const interactionRequired = "interaction_required";
4388
4341
  /**
4389
- * Validates an entity: checks for all expected params
4390
- * @param entity
4342
+ * Server-originated error code indicating user consent is required.
4343
+ * @public
4391
4344
  */
4392
- function isIdTokenEntity(entity) {
4393
- if (!entity) {
4394
- return false;
4395
- }
4396
- return (isCredentialEntity(entity) &&
4397
- entity.hasOwnProperty("realm") &&
4398
- entity["credentialType"] === CredentialType.ID_TOKEN);
4399
- }
4345
+ const consentRequired = "consent_required";
4400
4346
  /**
4401
- * Validates an entity: checks for all expected params
4402
- * @param entity
4347
+ * Server-originated error code indicating user login is required.
4348
+ * @public
4403
4349
  */
4404
- function isRefreshTokenEntity(entity) {
4405
- if (!entity) {
4406
- return false;
4407
- }
4408
- return (isCredentialEntity(entity) &&
4409
- entity["credentialType"] === CredentialType.REFRESH_TOKEN);
4410
- }
4350
+ const loginRequired = "login_required";
4411
4351
  /**
4412
- * validates if a given cache entry is "Telemetry", parses <key,value>
4413
- * @param key
4414
- * @param entity
4352
+ * Server-originated error code indicating the token is invalid or corrupted.
4353
+ * @public
4415
4354
  */
4416
- function isServerTelemetryEntity(key, entity) {
4417
- const validateKey = key.indexOf(SERVER_TELEM_CACHE_KEY) === 0;
4418
- let validateEntity = true;
4419
- if (entity) {
4420
- validateEntity =
4421
- entity.hasOwnProperty("failedRequests") &&
4422
- entity.hasOwnProperty("errors") &&
4423
- entity.hasOwnProperty("cacheHits");
4424
- }
4425
- return validateKey && validateEntity;
4426
- }
4355
+ const badToken = "bad_token";
4427
4356
  /**
4428
- * validates if a given cache entry is "Throttling", parses <key,value>
4429
- * @param key
4430
- * @param entity
4357
+ * Server-originated error code indicating the user is in an interrupted state and interaction is required.
4358
+ * @public
4431
4359
  */
4432
- function isThrottlingEntity(key, entity) {
4433
- let validateKey = false;
4434
- if (key) {
4435
- validateKey = key.indexOf(THROTTLING_PREFIX) === 0;
4436
- }
4437
- let validateEntity = true;
4438
- if (entity) {
4439
- validateEntity = entity.hasOwnProperty("throttleTime");
4360
+ const interruptedUser = "interrupted_user";
4361
+
4362
+ var InteractionRequiredAuthErrorCodes = /*#__PURE__*/Object.freeze({
4363
+ __proto__: null,
4364
+ badToken: badToken,
4365
+ consentRequired: consentRequired,
4366
+ interactionRequired: interactionRequired,
4367
+ interruptedUser: interruptedUser,
4368
+ loginRequired: loginRequired,
4369
+ nativeAccountUnavailable: nativeAccountUnavailable,
4370
+ noTokensFound: noTokensFound,
4371
+ refreshTokenExpired: refreshTokenExpired,
4372
+ uxNotAllowed: uxNotAllowed
4373
+ });
4374
+
4375
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4376
+
4377
+ /*
4378
+ * Copyright (c) Microsoft Corporation. All rights reserved.
4379
+ * Licensed under the MIT License.
4380
+ */
4381
+ /**
4382
+ * InteractionRequiredServerErrorMessage contains string constants used by error codes and messages returned by the server indicating interaction is required
4383
+ */
4384
+ const InteractionRequiredServerErrorMessage = [
4385
+ interactionRequired,
4386
+ consentRequired,
4387
+ loginRequired,
4388
+ badToken,
4389
+ uxNotAllowed,
4390
+ interruptedUser,
4391
+ ];
4392
+ const InteractionRequiredAuthSubErrorMessage = [
4393
+ "message_only",
4394
+ "additional_action",
4395
+ "basic_action",
4396
+ "user_password_expired",
4397
+ "consent_required",
4398
+ "bad_token",
4399
+ "ux_not_allowed",
4400
+ "interrupted_user",
4401
+ ];
4402
+ /**
4403
+ * Error thrown when user interaction is required.
4404
+ */
4405
+ class InteractionRequiredAuthError extends AuthError {
4406
+ constructor(errorCode, errorMessage, subError, timestamp, traceId, correlationId, claims, errorNo) {
4407
+ super(errorCode, errorMessage, subError);
4408
+ Object.setPrototypeOf(this, InteractionRequiredAuthError.prototype);
4409
+ this.timestamp = timestamp || "";
4410
+ this.traceId = traceId || "";
4411
+ this.correlationId = correlationId || "";
4412
+ this.claims = claims || "";
4413
+ this.name = "InteractionRequiredAuthError";
4414
+ this.errorNo = errorNo;
4440
4415
  }
4441
- return validateKey && validateEntity;
4442
4416
  }
4443
4417
  /**
4444
- * Generate AppMetadata Cache Key as per the schema: appmetadata-<environment>-<client_id>
4418
+ * Helper function used to determine if an error thrown by the server requires interaction to resolve
4419
+ * @param errorCode
4420
+ * @param errorString
4421
+ * @param subError
4445
4422
  */
4446
- function generateAppMetadataKey({ environment, clientId, }) {
4447
- const appMetaDataKeyArray = [
4448
- APP_METADATA,
4449
- environment,
4450
- clientId,
4451
- ];
4452
- return appMetaDataKeyArray
4453
- .join(CACHE_KEY_SEPARATOR$1)
4454
- .toLowerCase();
4423
+ function isInteractionRequiredError(errorCode, errorString, subError) {
4424
+ const isInteractionRequiredErrorCode = !!errorCode &&
4425
+ InteractionRequiredServerErrorMessage.indexOf(errorCode) > -1;
4426
+ const isInteractionRequiredSubError = !!subError &&
4427
+ InteractionRequiredAuthSubErrorMessage.indexOf(subError) > -1;
4428
+ const isInteractionRequiredErrorDesc = !!errorString &&
4429
+ InteractionRequiredServerErrorMessage.some((irErrorCode) => {
4430
+ return errorString.indexOf(irErrorCode) > -1;
4431
+ });
4432
+ return (isInteractionRequiredErrorCode ||
4433
+ isInteractionRequiredErrorDesc ||
4434
+ isInteractionRequiredSubError);
4455
4435
  }
4436
+ /**
4437
+ * Creates an InteractionRequiredAuthError
4438
+ */
4439
+ function createInteractionRequiredAuthError(errorCode, errorMessage) {
4440
+ return new InteractionRequiredAuthError(errorCode, errorMessage);
4441
+ }
4442
+
4443
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4444
+
4456
4445
  /*
4457
- * Validates an entity: checks for all expected params
4458
- * @param entity
4446
+ * Copyright (c) Microsoft Corporation. All rights reserved.
4447
+ * Licensed under the MIT License.
4459
4448
  */
4460
- function isAppMetadataEntity(key, entity) {
4461
- if (!entity) {
4462
- return false;
4463
- }
4464
- return (key.indexOf(APP_METADATA) === 0 &&
4465
- entity.hasOwnProperty("clientId") &&
4466
- entity.hasOwnProperty("environment"));
4467
- }
4468
4449
  /**
4469
- * Validates an entity: checks for all expected params
4470
- * @param entity
4450
+ * Error thrown when there is an error with the server code, for example, unavailability.
4471
4451
  */
4472
- function isAuthorityMetadataEntity(key, entity) {
4473
- if (!entity) {
4474
- return false;
4452
+ class ServerError extends AuthError {
4453
+ constructor(errorCode, errorMessage, subError, errorNo, status) {
4454
+ super(errorCode, errorMessage, subError);
4455
+ this.name = "ServerError";
4456
+ this.errorNo = errorNo;
4457
+ this.status = status;
4458
+ Object.setPrototypeOf(this, ServerError.prototype);
4475
4459
  }
4476
- return (key.indexOf(AUTHORITY_METADATA_CACHE_KEY) === 0 &&
4477
- entity.hasOwnProperty("aliases") &&
4478
- entity.hasOwnProperty("preferred_cache") &&
4479
- entity.hasOwnProperty("preferred_network") &&
4480
- entity.hasOwnProperty("canonical_authority") &&
4481
- entity.hasOwnProperty("authorization_endpoint") &&
4482
- entity.hasOwnProperty("token_endpoint") &&
4483
- entity.hasOwnProperty("issuer") &&
4484
- entity.hasOwnProperty("aliasesFromNetwork") &&
4485
- entity.hasOwnProperty("endpointsFromNetwork") &&
4486
- entity.hasOwnProperty("expiresAt") &&
4487
- entity.hasOwnProperty("jwks_uri"));
4488
- }
4460
+ }
4461
+
4462
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4463
+
4464
+ /*
4465
+ * Copyright (c) Microsoft Corporation. All rights reserved.
4466
+ * Licensed under the MIT License.
4467
+ */
4489
4468
  /**
4490
- * Reset the exiresAt value
4469
+ * Appends user state with random guid, or returns random guid.
4470
+ * @param cryptoObj
4471
+ * @param userState
4472
+ * @param meta
4491
4473
  */
4492
- function generateAuthorityMetadataExpiresAt() {
4493
- return (nowSeconds() +
4494
- AUTHORITY_METADATA_REFRESH_TIME_SECONDS);
4495
- }
4496
- function updateAuthorityEndpointMetadata(authorityMetadata, updatedValues, fromNetwork) {
4497
- authorityMetadata.authorization_endpoint =
4498
- updatedValues.authorization_endpoint;
4499
- authorityMetadata.token_endpoint = updatedValues.token_endpoint;
4500
- authorityMetadata.end_session_endpoint = updatedValues.end_session_endpoint;
4501
- authorityMetadata.issuer = updatedValues.issuer;
4502
- authorityMetadata.endpointsFromNetwork = fromNetwork;
4503
- authorityMetadata.jwks_uri = updatedValues.jwks_uri;
4474
+ function setRequestState(cryptoObj, userState, meta) {
4475
+ const libraryState = generateLibraryState(cryptoObj, meta);
4476
+ return userState
4477
+ ? `${libraryState}${RESOURCE_DELIM}${userState}`
4478
+ : libraryState;
4504
4479
  }
4505
- function updateCloudDiscoveryMetadata(authorityMetadata, updatedValues, fromNetwork) {
4506
- authorityMetadata.aliases = updatedValues.aliases;
4507
- authorityMetadata.preferred_cache = updatedValues.preferred_cache;
4508
- authorityMetadata.preferred_network = updatedValues.preferred_network;
4509
- authorityMetadata.aliasesFromNetwork = fromNetwork;
4480
+ /**
4481
+ * Generates the state value used by the common library.
4482
+ * @param cryptoObj
4483
+ * @param meta
4484
+ */
4485
+ function generateLibraryState(cryptoObj, meta) {
4486
+ if (!cryptoObj) {
4487
+ throw createClientAuthError(noCryptoObject);
4488
+ }
4489
+ // Create a state object containing a unique id and the timestamp of the request creation
4490
+ const stateObj = {
4491
+ id: cryptoObj.createNewGuid(),
4492
+ };
4493
+ if (meta) {
4494
+ stateObj.meta = meta;
4495
+ }
4496
+ const stateString = JSON.stringify(stateObj);
4497
+ return cryptoObj.base64Encode(stateString);
4510
4498
  }
4511
4499
  /**
4512
- * Returns whether or not the data needs to be refreshed
4500
+ * Parses the state into the RequestStateObject, which contains the LibraryState info and the state passed by the user.
4501
+ * @param base64Decode
4502
+ * @param state
4513
4503
  */
4514
- function isAuthorityMetadataExpired(metadata) {
4515
- return metadata.expiresAt <= nowSeconds();
4504
+ function parseRequestState(base64Decode, state) {
4505
+ if (!base64Decode) {
4506
+ throw createClientAuthError(noCryptoObject);
4507
+ }
4508
+ if (!state) {
4509
+ throw createClientAuthError(invalidState);
4510
+ }
4511
+ try {
4512
+ // Split the state between library state and user passed state and decode them separately
4513
+ const splitState = state.split(RESOURCE_DELIM);
4514
+ const libraryState = splitState[0];
4515
+ const userState = splitState.length > 1
4516
+ ? splitState.slice(1).join(RESOURCE_DELIM)
4517
+ : "";
4518
+ const libraryStateString = base64Decode(libraryState);
4519
+ const libraryStateObj = JSON.parse(libraryStateString);
4520
+ return {
4521
+ userRequestState: userState || "",
4522
+ libraryState: libraryStateObj,
4523
+ };
4524
+ }
4525
+ catch (e) {
4526
+ throw createClientAuthError(invalidState);
4527
+ }
4516
4528
  }
4517
4529
 
4518
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4530
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4519
4531
 
4520
4532
  /*
4521
4533
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4671,7 +4683,7 @@ class ResponseHandler {
4671
4683
  if (serverTokenResponse.id_token && !!idTokenClaims) {
4672
4684
  cachedIdToken = createIdTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.id_token, this.clientId, claimsTenantId || "");
4673
4685
  cachedAccount = buildAccountToCache(this.cacheStorage, authority, this.homeAccountIdentifier, this.cryptoObj.base64Decode, request.correlationId, idTokenClaims, serverTokenResponse.client_info, env, claimsTenantId, authCodePayload, undefined, // nativeAccountId
4674
- this.logger);
4686
+ this.logger, this.performanceClient);
4675
4687
  }
4676
4688
  // AccessToken
4677
4689
  let cachedAccessToken = null;
@@ -4822,17 +4834,24 @@ class ResponseHandler {
4822
4834
  };
4823
4835
  }
4824
4836
  }
4825
- function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, environment, claimsTenantId, authCodePayload, nativeAccountId, logger) {
4837
+ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, environment, claimsTenantId, authCodePayload, nativeAccountId, logger, performanceClient) {
4826
4838
  logger?.verbose("09jz0t", correlationId);
4827
- // Check if base account is already cached
4828
- const accountKeys = cacheStorage.getAccountKeys();
4829
- const baseAccountKey = accountKeys.find((accountKey) => {
4830
- return accountKey.startsWith(homeAccountId);
4831
- });
4832
- let cachedAccount = null;
4833
- if (baseAccountKey) {
4834
- cachedAccount = cacheStorage.getAccount(baseAccountKey, correlationId);
4839
+ /*
4840
+ * Check if base account is already cached. Filter by homeAccountId (identifies
4841
+ * the user's home identity) and environment (identifies the cloud) the two
4842
+ * tenant-agnostic properties that uniquely locate a base AccountEntity.
4843
+ */
4844
+ const accountEnvironment = environment || authority.getPreferredCache();
4845
+ const matchedAccounts = cacheStorage.getAccountsFilteredBy({ homeAccountId, environment: accountEnvironment }, correlationId);
4846
+ performanceClient?.addFields({ cacheMatchedAccounts: matchedAccounts.length }, correlationId);
4847
+ if (matchedAccounts.length > 1) {
4848
+ /*
4849
+ * Base accounts are expected to be unique for a given homeAccountId in normal cache usage.
4850
+ * If multiple matches exist, ignore the cache hit rather than arbitrarily choosing one.
4851
+ */
4852
+ logger?.warning("0x7ad1", correlationId);
4835
4853
  }
4854
+ const cachedAccount = matchedAccounts.length === 1 ? matchedAccounts[0] : null;
4836
4855
  const baseAccount = cachedAccount ||
4837
4856
  createAccountEntity({
4838
4857
  homeAccountId,
@@ -4856,7 +4875,7 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
4856
4875
  return baseAccount;
4857
4876
  }
4858
4877
 
4859
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4878
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4860
4879
  /*
4861
4880
  * Copyright (c) Microsoft Corporation. All rights reserved.
4862
4881
  * Licensed under the MIT License.
@@ -4866,7 +4885,7 @@ const CcsCredentialType = {
4866
4885
  UPN: "UPN",
4867
4886
  };
4868
4887
 
4869
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4888
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4870
4889
  /*
4871
4890
  * Copyright (c) Microsoft Corporation. All rights reserved.
4872
4891
  * Licensed under the MIT License.
@@ -4884,7 +4903,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
4884
4903
  }
4885
4904
  }
4886
4905
 
4887
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4906
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4888
4907
  /*
4889
4908
  * Copyright (c) Microsoft Corporation. All rights reserved.
4890
4909
  * Licensed under the MIT License.
@@ -4905,7 +4924,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
4905
4924
  };
4906
4925
  }
4907
4926
 
4908
- /*! @azure/msal-common v16.4.0 2026-03-27 */
4927
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4909
4928
 
4910
4929
  /*
4911
4930
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4991,7 +5010,7 @@ class ThrottlingUtils {
4991
5010
  }
4992
5011
  }
4993
5012
 
4994
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5013
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
4995
5014
 
4996
5015
  /*
4997
5016
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5022,7 +5041,7 @@ function createNetworkError(error, httpStatus, responseHeaders, additionalError)
5022
5041
  return new NetworkError(error, httpStatus, responseHeaders);
5023
5042
  }
5024
5043
 
5025
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5044
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
5026
5045
 
5027
5046
  /*
5028
5047
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5136,7 +5155,7 @@ async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId
5136
5155
  return response;
5137
5156
  }
5138
5157
 
5139
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5158
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
5140
5159
  /*
5141
5160
  * Copyright (c) Microsoft Corporation. All rights reserved.
5142
5161
  * Licensed under the MIT License.
@@ -5148,7 +5167,7 @@ function isOpenIdConfigResponse(response) {
5148
5167
  response.hasOwnProperty("jwks_uri"));
5149
5168
  }
5150
5169
 
5151
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5170
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
5152
5171
  /*
5153
5172
  * Copyright (c) Microsoft Corporation. All rights reserved.
5154
5173
  * Licensed under the MIT License.
@@ -5158,7 +5177,7 @@ function isCloudInstanceDiscoveryResponse(response) {
5158
5177
  response.hasOwnProperty("metadata"));
5159
5178
  }
5160
5179
 
5161
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5180
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
5162
5181
  /*
5163
5182
  * Copyright (c) Microsoft Corporation. All rights reserved.
5164
5183
  * Licensed under the MIT License.
@@ -5168,7 +5187,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
5168
5187
  response.hasOwnProperty("error_description"));
5169
5188
  }
5170
5189
 
5171
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5190
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
5172
5191
 
5173
5192
  /*
5174
5193
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5273,7 +5292,7 @@ RegionDiscovery.IMDS_OPTIONS = {
5273
5292
  },
5274
5293
  };
5275
5294
 
5276
- /*! @azure/msal-common v16.4.0 2026-03-27 */
5295
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
5277
5296
 
5278
5297
  /*
5279
5298
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6093,7 +6112,7 @@ function buildStaticAuthorityOptions(authOptions) {
6093
6112
  };
6094
6113
  }
6095
6114
 
6096
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6115
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6097
6116
 
6098
6117
  /*
6099
6118
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6127,7 +6146,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
6127
6146
  }
6128
6147
  }
6129
6148
 
6130
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6149
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6131
6150
 
6132
6151
  /*
6133
6152
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6292,11 +6311,6 @@ class AuthorizationCodeClient {
6292
6311
  throw createClientConfigurationError(missingSshJwk);
6293
6312
  }
6294
6313
  }
6295
- if (!StringUtils.isEmptyObj(request.claims) ||
6296
- (this.config.authOptions.clientCapabilities &&
6297
- this.config.authOptions.clientCapabilities.length > 0)) {
6298
- addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
6299
- }
6300
6314
  let ccsCred = undefined;
6301
6315
  if (request.clientInfo) {
6302
6316
  try {
@@ -6345,6 +6359,7 @@ class AuthorizationCodeClient {
6345
6359
  });
6346
6360
  }
6347
6361
  instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6362
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
6348
6363
  return mapToQueryString(parameters);
6349
6364
  }
6350
6365
  /**
@@ -6388,7 +6403,7 @@ class AuthorizationCodeClient {
6388
6403
  }
6389
6404
  }
6390
6405
 
6391
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6406
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6392
6407
 
6393
6408
  /*
6394
6409
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6578,11 +6593,6 @@ class RefreshTokenClient {
6578
6593
  throw createClientConfigurationError(missingSshJwk);
6579
6594
  }
6580
6595
  }
6581
- if (!StringUtils.isEmptyObj(request.claims) ||
6582
- (this.config.authOptions.clientCapabilities &&
6583
- this.config.authOptions.clientCapabilities.length > 0)) {
6584
- addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
6585
- }
6586
6596
  if (this.config.systemOptions.preventCorsPreflight &&
6587
6597
  request.ccsCredential) {
6588
6598
  switch (request.ccsCredential.type) {
@@ -6609,11 +6619,12 @@ class RefreshTokenClient {
6609
6619
  });
6610
6620
  }
6611
6621
  instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6622
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
6612
6623
  return mapToQueryString(parameters);
6613
6624
  }
6614
6625
  }
6615
6626
 
6616
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6627
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6617
6628
 
6618
6629
  /*
6619
6630
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6729,7 +6740,7 @@ class SilentFlowClient {
6729
6740
  }
6730
6741
  }
6731
6742
 
6732
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6743
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6733
6744
 
6734
6745
  /*
6735
6746
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6744,7 +6755,7 @@ const StubbedNetworkModule = {
6744
6755
  },
6745
6756
  };
6746
6757
 
6747
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6758
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6748
6759
 
6749
6760
  /*
6750
6761
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6868,14 +6879,10 @@ function getStandardAuthorizeRequestParameters(authOptions, request, logger, per
6868
6879
  if (request.state) {
6869
6880
  addState(parameters, request.state);
6870
6881
  }
6871
- if (request.claims ||
6872
- (authOptions.clientCapabilities &&
6873
- authOptions.clientCapabilities.length > 0)) {
6874
- addClaims(parameters, request.claims, authOptions.clientCapabilities);
6875
- }
6876
6882
  if (request.embeddedClientId) {
6877
6883
  addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
6878
6884
  }
6885
+ addClaims(parameters, request.claims, authOptions.clientCapabilities, request.skipBrokerClaims);
6879
6886
  // If extraQueryParameters includes instance_aware its value will be added when extraQueryParameters are added
6880
6887
  if (authOptions.instanceAware &&
6881
6888
  (!request.extraQueryParameters ||
@@ -6971,7 +6978,7 @@ function extractLoginHint(account) {
6971
6978
  return account.loginHint || account.idTokenClaims?.login_hint || null;
6972
6979
  }
6973
6980
 
6974
- /*! @azure/msal-common v16.4.0 2026-03-27 */
6981
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
6975
6982
 
6976
6983
  /*
6977
6984
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7004,7 +7011,7 @@ function containsResourceParam(params) {
7004
7011
  return Object.prototype.hasOwnProperty.call(params, "resource");
7005
7012
  }
7006
7013
 
7007
- /*! @azure/msal-common v16.4.0 2026-03-27 */
7014
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
7008
7015
 
7009
7016
  /*
7010
7017
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7062,7 +7069,7 @@ class AuthenticationHeaderParser {
7062
7069
  }
7063
7070
  }
7064
7071
 
7065
- /*! @azure/msal-common v16.4.0 2026-03-27 */
7072
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
7066
7073
  /*
7067
7074
  * Copyright (c) Microsoft Corporation. All rights reserved.
7068
7075
  * Licensed under the MIT License.
@@ -7079,7 +7086,7 @@ var AuthErrorCodes = /*#__PURE__*/Object.freeze({
7079
7086
  unexpectedError: unexpectedError
7080
7087
  });
7081
7088
 
7082
- /*! @azure/msal-common v16.4.0 2026-03-27 */
7089
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
7083
7090
 
7084
7091
  /*
7085
7092
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7340,7 +7347,7 @@ class ServerTelemetryManager {
7340
7347
  }
7341
7348
  }
7342
7349
 
7343
- /*! @azure/msal-common v16.4.0 2026-03-27 */
7350
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
7344
7351
 
7345
7352
  /*
7346
7353
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7361,7 +7368,7 @@ function createJoseHeaderError(code) {
7361
7368
  return new JoseHeaderError(code);
7362
7369
  }
7363
7370
 
7364
- /*! @azure/msal-common v16.4.0 2026-03-27 */
7371
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
7365
7372
  /*
7366
7373
  * Copyright (c) Microsoft Corporation. All rights reserved.
7367
7374
  * Licensed under the MIT License.
@@ -7369,7 +7376,7 @@ function createJoseHeaderError(code) {
7369
7376
  const missingKidError = "missing_kid_error";
7370
7377
  const missingAlgError = "missing_alg_error";
7371
7378
 
7372
- /*! @azure/msal-common v16.4.0 2026-03-27 */
7379
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
7373
7380
 
7374
7381
  /*
7375
7382
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7409,7 +7416,7 @@ class JoseHeader {
7409
7416
  }
7410
7417
  }
7411
7418
 
7412
- /*! @azure/msal-common v16.4.0 2026-03-27 */
7419
+ /*! @azure/msal-common v16.5.0 2026-04-16 */
7413
7420
 
7414
7421
  /*
7415
7422
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7939,6 +7946,137 @@ class PerformanceClient {
7939
7946
  }
7940
7947
  }
7941
7948
 
7949
+ /*
7950
+ * Copyright (c) Microsoft Corporation. All rights reserved.
7951
+ * Licensed under the MIT License.
7952
+ */
7953
+ /**
7954
+ * acquireTokenFromCache (msal-browser).
7955
+ * Internal API for acquiring token from cache
7956
+ */
7957
+ const AcquireTokenFromCache = "acquireTokenFromCache";
7958
+ /**
7959
+ * acquireTokenByRefreshToken API (msal-browser and msal-node).
7960
+ * Used to renew an access token using a refresh token against the token endpoint.
7961
+ */
7962
+ const AcquireTokenByRefreshToken = "acquireTokenByRefreshToken";
7963
+ /**
7964
+ * acquireTokenSilentAsync (msal-browser).
7965
+ * Internal API for acquireTokenSilent.
7966
+ */
7967
+ const AcquireTokenSilentAsync = "acquireTokenSilentAsync";
7968
+ /**
7969
+ * getPublicKeyThumbprint API in CryptoOpts class (msal-browser).
7970
+ * Used to generate a public/private keypair and generate a public key thumbprint for pop requests.
7971
+ */
7972
+ const CryptoOptsGetPublicKeyThumbprint = "cryptoOptsGetPublicKeyThumbprint";
7973
+ /**
7974
+ * signJwt API in CryptoOpts class (msal-browser).
7975
+ * Used to signed a pop token.
7976
+ */
7977
+ const CryptoOptsSignJwt = "cryptoOptsSignJwt";
7978
+ /**
7979
+ * acquireToken API in the SilentCacheClient class (msal-browser).
7980
+ * Used to read access tokens from the cache.
7981
+ */
7982
+ const SilentCacheClientAcquireToken = "silentCacheClientAcquireToken";
7983
+ /**
7984
+ * acquireToken API in the SilentIframeClient class (msal-browser).
7985
+ * Used to acquire a new set of tokens from the authorize endpoint in a hidden iframe.
7986
+ */
7987
+ const SilentIframeClientAcquireToken = "silentIframeClientAcquireToken";
7988
+ const AwaitConcurrentIframe = "awaitConcurrentIframe"; // Time spent waiting for a concurrent iframe to complete
7989
+ /**
7990
+ * acquireToken API in SilentRereshClient (msal-browser).
7991
+ * Used to acquire a new set of tokens from the token endpoint using a refresh token.
7992
+ */
7993
+ const SilentRefreshClientAcquireToken = "silentRefreshClientAcquireToken";
7994
+ /**
7995
+ * getDiscoveredAuthority API in StandardInteractionClient class (msal-browser).
7996
+ * Used to load authority metadata for a request.
7997
+ */
7998
+ const StandardInteractionClientGetDiscoveredAuthority = "standardInteractionClientGetDiscoveredAuthority";
7999
+ /**
8000
+ * acquireToken API in NativeInteractionClient class (msal-browser).
8001
+ * Used to acquire a token from Native component when native brokering is enabled.
8002
+ */
8003
+ const NativeInteractionClientAcquireToken = "nativeInteractionClientAcquireToken";
8004
+ const NativeInteractionClientAcquireTokenRedirect = "nativeInteractionClientAcquireToken";
8005
+ /**
8006
+ * acquireTokenByRefreshToken API in RefreshTokenClient (msal-common).
8007
+ */
8008
+ const RefreshTokenClientAcquireTokenByRefreshToken = "refreshTokenClientAcquireTokenByRefreshToken";
8009
+ /**
8010
+ * acquireTokenBySilentIframe (msal-browser).
8011
+ * Internal API for acquiring token by silent Iframe
8012
+ */
8013
+ const AcquireTokenBySilentIframe = "acquireTokenBySilentIframe";
8014
+ /**
8015
+ * Internal API for initializing base request in BaseInteractionClient (msal-browser)
8016
+ */
8017
+ const InitializeBaseRequest = "initializeBaseRequest";
8018
+ /**
8019
+ * Internal API for initializing silent request in SilentCacheClient (msal-browser)
8020
+ */
8021
+ const InitializeSilentRequest = "initializeSilentRequest";
8022
+ const InitializeCache = "initializeCache";
8023
+ /**
8024
+ * Helper function in SilentIframeClient class (msal-browser).
8025
+ */
8026
+ const SilentIframeClientTokenHelper = "silentIframeClientTokenHelper";
8027
+ /**
8028
+ * SilentHandler
8029
+ */
8030
+ const SilentHandlerInitiateAuthRequest = "silentHandlerInitiateAuthRequest";
8031
+ const SilentHandlerMonitorIframeForHash = "silentHandlerMonitorIframeForHash";
8032
+ const SilentHandlerLoadFrameSync = "silentHandlerLoadFrameSync";
8033
+ /**
8034
+ * Helper functions in StandardInteractionClient class (msal-browser)
8035
+ */
8036
+ const StandardInteractionClientCreateAuthCodeClient = "standardInteractionClientCreateAuthCodeClient";
8037
+ const StandardInteractionClientGetClientConfiguration = "standardInteractionClientGetClientConfiguration";
8038
+ const StandardInteractionClientInitializeAuthorizationRequest = "standardInteractionClientInitializeAuthorizationRequest";
8039
+ const SilentFlowClientAcquireCachedToken = "silentFlowClientAcquireCachedToken";
8040
+ const GetStandardParams = "getStandardParams";
8041
+ const HandleCodeResponse = "handleCodeResponse";
8042
+ const HandleResponseEar = "handleResponseEar";
8043
+ const HandleResponsePlatformBroker = "handleResponsePlatformBroker";
8044
+ const HandleResponseCode = "handleResponseCode";
8045
+ const AuthClientAcquireToken = "authClientAcquireToken";
8046
+ const DeserializeResponse = "deserializeResponse";
8047
+ const AuthorityFactoryCreateDiscoveredInstance = "authorityFactoryCreateDiscoveredInstance";
8048
+ const AcquireTokenByCodeAsync = "acquireTokenByCodeAsync";
8049
+ const HandleRedirectPromiseMeasurement = "handleRedirectPromise";
8050
+ const HandleNativeRedirectPromiseMeasurement = "handleNativeRedirectPromise";
8051
+ const NativeMessageHandlerHandshake = "nativeMessageHandlerHandshake";
8052
+ const RemoveHiddenIframe = "removeHiddenIframe";
8053
+ const ImportExistingCache = "importExistingCache";
8054
+ /**
8055
+ * Crypto Operations
8056
+ */
8057
+ const GeneratePkceCodes = "generatePkceCodes";
8058
+ const GenerateCodeVerifier = "generateCodeVerifier";
8059
+ const GenerateCodeChallengeFromVerifier = "generateCodeChallengeFromVerifier";
8060
+ const Sha256Digest = "sha256Digest";
8061
+ const GetRandomValues = "getRandomValues";
8062
+ const GenerateHKDF = "generateHKDF";
8063
+ const GenerateBaseKey = "generateBaseKey";
8064
+ const Base64Decode = "base64Decode";
8065
+ const UrlEncodeArr = "urlEncodeArr";
8066
+ const Encrypt = "encrypt";
8067
+ const Decrypt = "decrypt";
8068
+ const GenerateEarKey = "generateEarKey";
8069
+ const DecryptEarResponse = "decryptEarResponse";
8070
+ const LoadAccount = "loadAccount";
8071
+ const LoadIdToken = "loadIdToken";
8072
+ const LoadAccessToken = "loadAccessToken";
8073
+ const LoadRefreshToken = "loadRefreshToken";
8074
+ /**
8075
+ * Background telemetry measurement that tracks whether a late bridge response
8076
+ * arrives after the iframe timeout has already fired.
8077
+ */
8078
+ const WaitForBridgeLateResponse$1 = "waitForBridgeLateResponse";
8079
+
7942
8080
  /*
7943
8081
  * Copyright (c) Microsoft Corporation. All rights reserved.
7944
8082
  * Licensed under the MIT License.
@@ -8845,20 +8983,35 @@ function cancelPendingBridgeResponse(logger, correlationId) {
8845
8983
  activeBridgeMonitor = null;
8846
8984
  }
8847
8985
  }
8848
- async function waitForBridgeResponse(timeoutMs, logger, browserCrypto, request, performanceClient) {
8986
+ async function waitForBridgeResponse(timeoutMs, logger, browserCrypto, request, performanceClient, experimentalConfig) {
8849
8987
  return new Promise((resolve, reject) => {
8850
8988
  logger.verbose("1rf6em", request.correlationId);
8851
8989
  const correlationId = request.correlationId;
8852
8990
  performanceClient.addFields({
8853
8991
  redirectBridgeTimeoutMs: timeoutMs,
8992
+ lateResponseExperimentEnabled: experimentalConfig?.iframeTimeoutTelemetry || false,
8854
8993
  }, correlationId);
8855
8994
  const { libraryState } = parseRequestState(browserCrypto.base64Decode, request.state || "");
8856
8995
  const channel = new BroadcastChannel(libraryState.id);
8857
8996
  let responseString = undefined;
8997
+ let timedOut$1 = false;
8998
+ let lateTimeoutId;
8999
+ let lateMeasurement;
8858
9000
  const timeoutId = window.setTimeout(() => {
8859
9001
  // Clear the active monitor
8860
9002
  activeBridgeMonitor = null;
8861
- channel.close();
9003
+ if (experimentalConfig?.iframeTimeoutTelemetry) {
9004
+ lateMeasurement = performanceClient.startMeasurement(WaitForBridgeLateResponse$1, correlationId);
9005
+ timedOut$1 = true;
9006
+ lateTimeoutId = window.setTimeout(() => {
9007
+ lateMeasurement?.end({ success: false });
9008
+ clearTimeout(lateTimeoutId);
9009
+ channel.close();
9010
+ }, 60000); // 60s late response timeout to allow for telemetry of late responses
9011
+ }
9012
+ else {
9013
+ channel.close();
9014
+ }
8862
9015
  reject(createBrowserAuthError(timedOut, "redirect_bridge_timeout"));
8863
9016
  }, timeoutMs);
8864
9017
  // Track this monitor so it can be cancelled if needed
@@ -8872,6 +9025,14 @@ async function waitForBridgeResponse(timeoutMs, logger, browserCrypto, request,
8872
9025
  const messageVersion = event?.data && typeof event.data.v === "number"
8873
9026
  ? event.data.v
8874
9027
  : undefined;
9028
+ if (timedOut$1) {
9029
+ lateMeasurement?.end({
9030
+ success: responseString ? true : false,
9031
+ });
9032
+ clearTimeout(lateTimeoutId);
9033
+ channel.close();
9034
+ return;
9035
+ }
8875
9036
  performanceClient.addFields({
8876
9037
  redirectBridgeMessageVersion: messageVersion,
8877
9038
  }, correlationId);
@@ -9034,131 +9195,6 @@ var BrowserUtils = /*#__PURE__*/Object.freeze({
9034
9195
  waitForBridgeResponse: waitForBridgeResponse
9035
9196
  });
9036
9197
 
9037
- /*
9038
- * Copyright (c) Microsoft Corporation. All rights reserved.
9039
- * Licensed under the MIT License.
9040
- */
9041
- /**
9042
- * acquireTokenFromCache (msal-browser).
9043
- * Internal API for acquiring token from cache
9044
- */
9045
- const AcquireTokenFromCache = "acquireTokenFromCache";
9046
- /**
9047
- * acquireTokenByRefreshToken API (msal-browser and msal-node).
9048
- * Used to renew an access token using a refresh token against the token endpoint.
9049
- */
9050
- const AcquireTokenByRefreshToken = "acquireTokenByRefreshToken";
9051
- /**
9052
- * acquireTokenSilentAsync (msal-browser).
9053
- * Internal API for acquireTokenSilent.
9054
- */
9055
- const AcquireTokenSilentAsync = "acquireTokenSilentAsync";
9056
- /**
9057
- * getPublicKeyThumbprint API in CryptoOpts class (msal-browser).
9058
- * Used to generate a public/private keypair and generate a public key thumbprint for pop requests.
9059
- */
9060
- const CryptoOptsGetPublicKeyThumbprint = "cryptoOptsGetPublicKeyThumbprint";
9061
- /**
9062
- * signJwt API in CryptoOpts class (msal-browser).
9063
- * Used to signed a pop token.
9064
- */
9065
- const CryptoOptsSignJwt = "cryptoOptsSignJwt";
9066
- /**
9067
- * acquireToken API in the SilentCacheClient class (msal-browser).
9068
- * Used to read access tokens from the cache.
9069
- */
9070
- const SilentCacheClientAcquireToken = "silentCacheClientAcquireToken";
9071
- /**
9072
- * acquireToken API in the SilentIframeClient class (msal-browser).
9073
- * Used to acquire a new set of tokens from the authorize endpoint in a hidden iframe.
9074
- */
9075
- const SilentIframeClientAcquireToken = "silentIframeClientAcquireToken";
9076
- const AwaitConcurrentIframe = "awaitConcurrentIframe"; // Time spent waiting for a concurrent iframe to complete
9077
- /**
9078
- * acquireToken API in SilentRereshClient (msal-browser).
9079
- * Used to acquire a new set of tokens from the token endpoint using a refresh token.
9080
- */
9081
- const SilentRefreshClientAcquireToken = "silentRefreshClientAcquireToken";
9082
- /**
9083
- * getDiscoveredAuthority API in StandardInteractionClient class (msal-browser).
9084
- * Used to load authority metadata for a request.
9085
- */
9086
- const StandardInteractionClientGetDiscoveredAuthority = "standardInteractionClientGetDiscoveredAuthority";
9087
- /**
9088
- * acquireToken API in NativeInteractionClient class (msal-browser).
9089
- * Used to acquire a token from Native component when native brokering is enabled.
9090
- */
9091
- const NativeInteractionClientAcquireToken = "nativeInteractionClientAcquireToken";
9092
- /**
9093
- * acquireTokenByRefreshToken API in RefreshTokenClient (msal-common).
9094
- */
9095
- const RefreshTokenClientAcquireTokenByRefreshToken = "refreshTokenClientAcquireTokenByRefreshToken";
9096
- /**
9097
- * acquireTokenBySilentIframe (msal-browser).
9098
- * Internal API for acquiring token by silent Iframe
9099
- */
9100
- const AcquireTokenBySilentIframe = "acquireTokenBySilentIframe";
9101
- /**
9102
- * Internal API for initializing base request in BaseInteractionClient (msal-browser)
9103
- */
9104
- const InitializeBaseRequest = "initializeBaseRequest";
9105
- /**
9106
- * Internal API for initializing silent request in SilentCacheClient (msal-browser)
9107
- */
9108
- const InitializeSilentRequest = "initializeSilentRequest";
9109
- const InitializeCache = "initializeCache";
9110
- /**
9111
- * Helper function in SilentIframeClient class (msal-browser).
9112
- */
9113
- const SilentIframeClientTokenHelper = "silentIframeClientTokenHelper";
9114
- /**
9115
- * SilentHandler
9116
- */
9117
- const SilentHandlerInitiateAuthRequest = "silentHandlerInitiateAuthRequest";
9118
- const SilentHandlerMonitorIframeForHash = "silentHandlerMonitorIframeForHash";
9119
- const SilentHandlerLoadFrameSync = "silentHandlerLoadFrameSync";
9120
- /**
9121
- * Helper functions in StandardInteractionClient class (msal-browser)
9122
- */
9123
- const StandardInteractionClientCreateAuthCodeClient = "standardInteractionClientCreateAuthCodeClient";
9124
- const StandardInteractionClientGetClientConfiguration = "standardInteractionClientGetClientConfiguration";
9125
- const StandardInteractionClientInitializeAuthorizationRequest = "standardInteractionClientInitializeAuthorizationRequest";
9126
- const SilentFlowClientAcquireCachedToken = "silentFlowClientAcquireCachedToken";
9127
- const GetStandardParams = "getStandardParams";
9128
- const HandleCodeResponse = "handleCodeResponse";
9129
- const HandleResponseEar = "handleResponseEar";
9130
- const HandleResponsePlatformBroker = "handleResponsePlatformBroker";
9131
- const HandleResponseCode = "handleResponseCode";
9132
- const AuthClientAcquireToken = "authClientAcquireToken";
9133
- const DeserializeResponse = "deserializeResponse";
9134
- const AuthorityFactoryCreateDiscoveredInstance = "authorityFactoryCreateDiscoveredInstance";
9135
- const AcquireTokenByCodeAsync = "acquireTokenByCodeAsync";
9136
- const HandleRedirectPromiseMeasurement = "handleRedirectPromise";
9137
- const HandleNativeRedirectPromiseMeasurement = "handleNativeRedirectPromise";
9138
- const NativeMessageHandlerHandshake = "nativeMessageHandlerHandshake";
9139
- const RemoveHiddenIframe = "removeHiddenIframe";
9140
- const ImportExistingCache = "importExistingCache";
9141
- /**
9142
- * Crypto Operations
9143
- */
9144
- const GeneratePkceCodes = "generatePkceCodes";
9145
- const GenerateCodeVerifier = "generateCodeVerifier";
9146
- const GenerateCodeChallengeFromVerifier = "generateCodeChallengeFromVerifier";
9147
- const Sha256Digest = "sha256Digest";
9148
- const GetRandomValues = "getRandomValues";
9149
- const GenerateHKDF = "generateHKDF";
9150
- const GenerateBaseKey = "generateBaseKey";
9151
- const Base64Decode = "base64Decode";
9152
- const UrlEncodeArr = "urlEncodeArr";
9153
- const Encrypt = "encrypt";
9154
- const Decrypt = "decrypt";
9155
- const GenerateEarKey = "generateEarKey";
9156
- const DecryptEarResponse = "decryptEarResponse";
9157
- const LoadAccount = "loadAccount";
9158
- const LoadIdToken = "loadIdToken";
9159
- const LoadAccessToken = "loadAccessToken";
9160
- const LoadRefreshToken = "loadRefreshToken";
9161
-
9162
9198
  /*
9163
9199
  * Copyright (c) Microsoft Corporation. All rights reserved.
9164
9200
  * Licensed under the MIT License.
@@ -9766,7 +9802,14 @@ const InitializeClientApplication = "initializeClientApplication";
9766
9802
  // Update cache storage
9767
9803
  const LocalStorageUpdated = "localStorageUpdated";
9768
9804
  // Load external tokens
9769
- const LoadExternalTokens = "loadExternalTokens";
9805
+ const LoadExternalTokens = "loadExternalTokens";
9806
+ /**
9807
+ * SSO capability verification call (msal-browser).
9808
+ * Fire-and-forget SSO verification call made after interactive authentication completes.
9809
+ */
9810
+ const SsoCapable = "ssoCapable";
9811
+ // Wait for late response from bridge after timeout has already occurred
9812
+ const WaitForBridgeLateResponse = "waitForBridgeLateResponse";
9770
9813
 
9771
9814
  var BrowserRootPerformanceEvents = /*#__PURE__*/Object.freeze({
9772
9815
  __proto__: null,
@@ -9778,7 +9821,9 @@ var BrowserRootPerformanceEvents = /*#__PURE__*/Object.freeze({
9778
9821
  InitializeClientApplication: InitializeClientApplication,
9779
9822
  LoadExternalTokens: LoadExternalTokens,
9780
9823
  LocalStorageUpdated: LocalStorageUpdated,
9781
- SsoSilent: SsoSilent
9824
+ SsoCapable: SsoCapable,
9825
+ SsoSilent: SsoSilent,
9826
+ WaitForBridgeLateResponse: WaitForBridgeLateResponse
9782
9827
  });
9783
9828
 
9784
9829
  /*
@@ -9797,6 +9842,7 @@ const PLATFORM_AUTH_DOM_SUPPORT = `${PREFIX}.${BROWSER_PREFIX}.platform.auth.dom
9797
9842
  const VERSION_CACHE_KEY = `${PREFIX}.version`;
9798
9843
  const ACCOUNT_KEYS = "account.keys";
9799
9844
  const TOKEN_KEYS = "token.keys";
9845
+ const SSO_CAPABLE = `${PREFIX}.${BROWSER_PREFIX}.sso.capable`;
9800
9846
  function getAccountKeysCacheKey(schema = ACCOUNT_SCHEMA_VERSION) {
9801
9847
  if (schema < 1) {
9802
9848
  return `${PREFIX}.${ACCOUNT_KEYS}`;
@@ -10295,7 +10341,7 @@ const EventType = {
10295
10341
 
10296
10342
  /* eslint-disable header/header */
10297
10343
  const name = "@azure/msal-browser";
10298
- const version = "5.6.2";
10344
+ const version = "5.7.0";
10299
10345
 
10300
10346
  /*
10301
10347
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -12398,7 +12444,6 @@ const unsupportedMethod = "unsupported_method";
12398
12444
  const USER_INTERACTION_REQUIRED = "USER_INTERACTION_REQUIRED";
12399
12445
  const USER_CANCEL = "USER_CANCEL";
12400
12446
  const NO_NETWORK = "NO_NETWORK";
12401
- const PERSISTENT_ERROR = "PERSISTENT_ERROR";
12402
12447
  const DISABLED = "DISABLED";
12403
12448
  const ACCOUNT_UNAVAILABLE = "ACCOUNT_UNAVAILABLE";
12404
12449
  const UX_NOT_ALLOWED = "UX_NOT_ALLOWED";
@@ -12422,8 +12467,7 @@ class NativeAuthError extends AuthError {
12422
12467
  function isFatalNativeAuthError(error) {
12423
12468
  if (error.ext &&
12424
12469
  error.ext.status &&
12425
- (error.ext.status === PERSISTENT_ERROR ||
12426
- error.ext.status === DISABLED)) {
12470
+ error.ext.status === DISABLED) {
12427
12471
  return true;
12428
12472
  }
12429
12473
  if (error.ext &&
@@ -12549,12 +12593,12 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12549
12593
  async acquireToken(request, cacheLookupPolicy) {
12550
12594
  this.logger.trace("03qeos", this.correlationId);
12551
12595
  // start the perf measurement
12552
- const nativeATMeasurement = this.performanceClient.startMeasurement(NativeInteractionClientAcquireToken, request.correlationId);
12596
+ const nativeATMeasurement = this.performanceClient.startMeasurement(NativeInteractionClientAcquireToken, this.correlationId);
12553
12597
  const reqTimestamp = nowSeconds();
12554
12598
  const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
12555
12599
  try {
12556
12600
  // initialize native request
12557
- const nativeRequest = await this.initializeNativeRequest(request);
12601
+ const nativeRequest = await this.initializePlatformRequest(request);
12558
12602
  // check if the tokens can be retrieved from internal cache
12559
12603
  try {
12560
12604
  const result = await this.acquireTokensFromCache(this.accountId, nativeRequest);
@@ -12568,6 +12612,10 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12568
12612
  catch (e) {
12569
12613
  if (cacheLookupPolicy === CacheLookupPolicy.AccessToken) {
12570
12614
  this.logger.info("0eitbc", this.correlationId);
12615
+ nativeATMeasurement.end({
12616
+ success: false,
12617
+ brokerErrorCode: "cache_request_failed",
12618
+ });
12571
12619
  throw e;
12572
12620
  }
12573
12621
  // continue with a native call for any and all errors
@@ -12589,7 +12637,6 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12589
12637
  success: false,
12590
12638
  errorCode: error.errorCode,
12591
12639
  subErrorCode: error.subError,
12592
- isNativeBroker: true,
12593
12640
  });
12594
12641
  throw error;
12595
12642
  });
@@ -12598,6 +12645,9 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12598
12645
  if (e instanceof NativeAuthError) {
12599
12646
  serverTelemetryManager.setNativeBrokerErrorCode(e.errorCode);
12600
12647
  }
12648
+ nativeATMeasurement.end({
12649
+ success: false,
12650
+ });
12601
12651
  throw e;
12602
12652
  }
12603
12653
  }
@@ -12630,7 +12680,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12630
12680
  // fetch the account from browser cache
12631
12681
  const account = this.browserStorage.getBaseAccountInfo({
12632
12682
  nativeAccountId,
12633
- }, request.correlationId);
12683
+ }, this.correlationId);
12634
12684
  if (!account) {
12635
12685
  throw createClientAuthError(noAccountFound);
12636
12686
  }
@@ -12660,7 +12710,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12660
12710
  */
12661
12711
  async acquireTokenRedirect(request, rootMeasurement, options) {
12662
12712
  this.logger.trace("0luikq", this.correlationId);
12663
- const nativeRequest = await this.initializeNativeRequest(request);
12713
+ const nativeRequest = await this.initializePlatformRequest(request);
12664
12714
  const navigateToLoginRequestUrl = options?.navigateToLoginRequestUrl ?? true;
12665
12715
  try {
12666
12716
  await this.platformAuthProvider.sendMessage(nativeRequest);
@@ -12692,7 +12742,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12692
12742
  * @param performanceClient {IPerformanceClient?}
12693
12743
  * @param correlationId {string?} correlation identifier
12694
12744
  */
12695
- async handleRedirectPromise(performanceClient, correlationId) {
12745
+ async handleRedirectPromise() {
12696
12746
  this.logger.trace("1c5lhw", this.correlationId);
12697
12747
  if (!this.browserStorage.isInteractionInProgress(true)) {
12698
12748
  this.logger.info("0le6uv", this.correlationId);
@@ -12702,9 +12752,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12702
12752
  const cachedRequest = this.browserStorage.getCachedNativeRequest();
12703
12753
  if (!cachedRequest) {
12704
12754
  this.logger.verbose("0a6zjb", this.correlationId);
12705
- if (performanceClient && correlationId) {
12706
- performanceClient?.addFields({ errorCode: "no_cached_request" }, correlationId);
12707
- }
12755
+ this.performanceClient?.addFields({ errorCode: "no_cached_request" }, this.correlationId);
12708
12756
  return null;
12709
12757
  }
12710
12758
  const { prompt, ...request } = cachedRequest;
@@ -12719,6 +12767,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12719
12767
  const authResult = await this.handleNativeResponse(response, request, reqTimestamp);
12720
12768
  const serverTelemetryManager = initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger);
12721
12769
  serverTelemetryManager.clearNativeBrokerErrorCode();
12770
+ this.performanceClient?.addFields({ isNativeBroker: true }, this.correlationId);
12722
12771
  return authResult;
12723
12772
  }
12724
12773
  catch (e) {
@@ -12759,9 +12808,9 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12759
12808
  }
12760
12809
  // Get the preferred_cache domain for the given authority
12761
12810
  const authority = await getDiscoveredAuthority(this.config, this.correlationId, this.performanceClient, this.browserStorage, this.logger, request.authority);
12762
- const baseAccount = buildAccountToCache(this.browserStorage, authority, homeAccountIdentifier, base64Decode, this.correlationId, idTokenClaims, response.client_info, undefined, // environment
12811
+ const baseAccount = buildAccountToCache(this.browserStorage, authority, homeAccountIdentifier, base64Decode, this.correlationId, idTokenClaims, response.client_info, authority.getPreferredCache(), // environment
12763
12812
  idTokenClaims.tid, undefined, // auth code payload
12764
- response.account.id);
12813
+ response.account.id, this.logger, this.performanceClient);
12765
12814
  // Ensure expires_in is in number format
12766
12815
  response.expires_in = Number(response.expires_in);
12767
12816
  // generate authenticationResult
@@ -12987,15 +13036,23 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
12987
13036
  * Translates developer provided request object into NativeRequest object
12988
13037
  * @param request
12989
13038
  */
12990
- async initializeNativeRequest(request) {
12991
- this.logger.trace("04j6wj", this.correlationId);
13039
+ async initializePlatformRequest(request) {
13040
+ this.logger.trace("1xdm2a", this.correlationId);
12992
13041
  const canonicalAuthority = await this.getCanonicalAuthority(request);
13042
+ // ignore config claims if skipBrokerClaims is set to true and this is a brokered authentication flow
13043
+ const configClaims = request.skipBrokerClaims && !!request.embeddedClientId
13044
+ ? undefined
13045
+ : this.config.auth.clientCapabilities;
12993
13046
  // scopes are expected to be received by the native broker as "scope" and will be added to the request below. Other properties that should be dropped from the request to the native broker can be included in the object destructuring here.
12994
- const { scopes, ...remainingProperties } = request;
13047
+ const { scopes, claims, ...remainingProperties } = request;
12995
13048
  const scopeSet = new ScopeSet(scopes || []);
12996
13049
  scopeSet.appendScopes(OIDC_DEFAULT_SCOPES$1);
13050
+ const mergedClaims = configClaims && configClaims.length
13051
+ ? addClientCapabilitiesToClaims$1(claims, configClaims)
13052
+ : claims;
12997
13053
  const validatedRequest = {
12998
13054
  ...remainingProperties,
13055
+ claims: mergedClaims,
12999
13056
  accountId: this.accountId,
13000
13057
  clientId: this.config.auth.clientId,
13001
13058
  authority: canonicalAuthority.urlString,
@@ -13065,12 +13122,12 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
13065
13122
  switch (this.apiId) {
13066
13123
  case ApiId.ssoSilent:
13067
13124
  case ApiId.acquireTokenSilent_silentFlow:
13068
- this.logger.trace("1hiwaz", this.correlationId);
13125
+ this.logger.trace("12n1y2", this.correlationId);
13069
13126
  return PromptValue$1.NONE;
13070
13127
  }
13071
13128
  // Prompt not provided, request may proceed and native broker decides if it needs to prompt
13072
13129
  if (!prompt) {
13073
- this.logger.trace("1qlu04", this.correlationId);
13130
+ this.logger.trace("0uid1p", this.correlationId);
13074
13131
  return undefined;
13075
13132
  }
13076
13133
  // If request is interactive, check if prompt provided is allowed to go directly to native broker
@@ -13078,10 +13135,10 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
13078
13135
  case PromptValue$1.NONE:
13079
13136
  case PromptValue$1.CONSENT:
13080
13137
  case PromptValue$1.LOGIN:
13081
- this.logger.trace("1ynje4", this.correlationId);
13138
+ this.logger.trace("0i0hco", this.correlationId);
13082
13139
  return prompt;
13083
13140
  default:
13084
- this.logger.trace("0nkr6q", this.correlationId);
13141
+ this.logger.trace("0w3tpw", this.correlationId);
13085
13142
  throw createBrowserAuthError(nativePromptNotSupported);
13086
13143
  }
13087
13144
  }
@@ -13117,7 +13174,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
13117
13174
  this.performanceClient?.addFields({
13118
13175
  embeddedClientId: child_client_id,
13119
13176
  embeddedRedirectUri: child_redirect_uri,
13120
- }, request.correlationId);
13177
+ }, this.correlationId);
13121
13178
  }
13122
13179
  }
13123
13180
 
@@ -13204,6 +13261,10 @@ async function getStandardParameters(config, authority, request, logger, perform
13204
13261
  if (request.platformBroker) {
13205
13262
  // signal ests that this is a WAM call
13206
13263
  addNativeBroker(parameters);
13264
+ // instrument JS-platform bridge specific fields
13265
+ performanceClient.addFields({
13266
+ isPlatformAuthorizeRequest: true,
13267
+ }, request.correlationId);
13207
13268
  // pass the req_cnf for POP
13208
13269
  if (request.authenticationScheme === AuthenticationScheme$1.POP) {
13209
13270
  const cryptoOps = new CryptoOps(logger, performanceClient);
@@ -13646,7 +13707,7 @@ const DEFAULT_NATIVE_BROKER_HANDSHAKE_TIMEOUT_MS = 2000;
13646
13707
  *
13647
13708
  * @returns Configuration object
13648
13709
  */
13649
- function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system: userInputSystem, telemetry: userInputTelemetry, }, isBrowserEnvironment) {
13710
+ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system: userInputSystem, experimental: userInputExperimental, telemetry: userInputTelemetry, }, isBrowserEnvironment) {
13650
13711
  // Default auth options for browser
13651
13712
  const DEFAULT_AUTH_OPTIONS = {
13652
13713
  clientId: "",
@@ -13673,6 +13734,7 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
13673
13734
  },
13674
13735
  instanceAware: false,
13675
13736
  isMcp: false,
13737
+ verifySSO: false,
13676
13738
  };
13677
13739
  // Default cache options for browser
13678
13740
  const DEFAULT_CACHE_OPTIONS = {
@@ -13718,6 +13780,9 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
13718
13780
  },
13719
13781
  client: new StubPerformanceClient(),
13720
13782
  };
13783
+ const DEFAULT_EXPERIMENTAL_OPTIONS = {
13784
+ iframeTimeoutTelemetry: false,
13785
+ };
13721
13786
  // Throw an error if user has set OIDCOptions without being in OIDC protocol mode
13722
13787
  if (userInputSystem?.protocolMode !== ProtocolMode.OIDC &&
13723
13788
  userInputAuth?.OIDCOptions) {
@@ -13741,6 +13806,10 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
13741
13806
  },
13742
13807
  cache: { ...DEFAULT_CACHE_OPTIONS, ...userInputCache },
13743
13808
  system: providedSystemOptions,
13809
+ experimental: {
13810
+ ...DEFAULT_EXPERIMENTAL_OPTIONS,
13811
+ ...userInputExperimental,
13812
+ },
13744
13813
  telemetry: { ...DEFAULT_TELEMETRY_OPTIONS, ...userInputTelemetry },
13745
13814
  };
13746
13815
  return overlayedConfig;
@@ -14218,7 +14287,7 @@ function isDomEnabledForPlatformAuth() {
14218
14287
  }
14219
14288
  }
14220
14289
  /**
14221
- * Returns boolean indicating whether or not the request should attempt to use native broker
14290
+ * Returns boolean indicating whether or not the request should attempt to use platform broker
14222
14291
  * @param logger
14223
14292
  * @param config
14224
14293
  * @param correlationId
@@ -14500,6 +14569,10 @@ class PopupClient extends StandardInteractionClient {
14500
14569
  return;
14501
14570
  }
14502
14571
  }
14572
+ // Redirect bridge requires "state" param to work properly
14573
+ validRequest.state = setRequestState(this.browserCrypto, validRequest.state || "", {
14574
+ interactionType: exports.InteractionType.Popup,
14575
+ });
14503
14576
  // Create logout string and navigate user window to logout.
14504
14577
  const logoutUri = authClient.getLogoutUri(validRequest);
14505
14578
  this.eventHandler.emitEvent(EventType.LOGOUT_SUCCESS, validRequest.correlationId, exports.InteractionType.Popup, validRequest);
@@ -15040,6 +15113,10 @@ class RedirectClient extends StandardInteractionClient {
15040
15113
  }
15041
15114
  }
15042
15115
  }
15116
+ // Redirect bridge requires "state" param to work properly
15117
+ validLogoutRequest.state = setRequestState(this.browserCrypto, validLogoutRequest.state || "", {
15118
+ interactionType: exports.InteractionType.Redirect,
15119
+ });
15043
15120
  // Create logout string and navigate user window to logout.
15044
15121
  const logoutUri = authClient.getLogoutUri(validLogoutRequest);
15045
15122
  if (validLogoutRequest.account?.homeAccountId) {
@@ -15266,7 +15343,7 @@ class SilentIframeClient extends StandardInteractionClient {
15266
15343
  const responseType = this.config.auth.OIDCOptions.responseMode;
15267
15344
  let responseString;
15268
15345
  try {
15269
- responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient);
15346
+ responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient, this.config.experimental);
15270
15347
  }
15271
15348
  finally {
15272
15349
  invoke(removeHiddenIframe, RemoveHiddenIframe, this.logger, this.performanceClient, correlationId)(iframe);
@@ -15288,6 +15365,38 @@ class SilentIframeClient extends StandardInteractionClient {
15288
15365
  return invokeAsync(handleResponseEAR, HandleResponseEar, this.logger, this.performanceClient, correlationId)(silentRequest, serverParams, this.apiId, this.config, discoveredAuthority, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
15289
15366
  }
15290
15367
  }
15368
+ /**
15369
+ * Verifies SSO capability by making an iframe request to /authorize without exchanging the code for tokens.
15370
+ * This is useful for verifying SSO capability in the background without the overhead of a full token exchange.
15371
+ * @param request - The SSO silent request
15372
+ * @returns true if SSO verification was successful with a valid authorization code, false otherwise
15373
+ */
15374
+ async verifySso(request) {
15375
+ const inputRequest = { ...request };
15376
+ if (!inputRequest.prompt) {
15377
+ inputRequest.prompt = PromptValue$1.NONE;
15378
+ }
15379
+ // Create silent request
15380
+ const silentRequest = await invokeAsync(initializeAuthorizationRequest, StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(inputRequest, exports.InteractionType.Silent, this.config, this.browserCrypto, this.browserStorage, this.logger, this.performanceClient, this.correlationId);
15381
+ const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
15382
+ serverTelemetryManager: initializeServerTelemetryManager(this.apiId, this.config.auth.clientId, this.correlationId, this.browserStorage, this.logger),
15383
+ requestAuthority: silentRequest.authority,
15384
+ requestAzureCloudOptions: silentRequest.azureCloudOptions,
15385
+ requestExtraQueryParameters: silentRequest.extraQueryParameters,
15386
+ account: silentRequest.account,
15387
+ });
15388
+ const { serverParams } = await this.silentAuthorizeHelper(authClient, silentRequest);
15389
+ const correlationId = silentRequest.correlationId;
15390
+ // Validate the response - this checks for errors and validates state
15391
+ validateAuthorizationResponse(serverParams, silentRequest.state);
15392
+ // Verify a valid authorization code is present
15393
+ if (!serverParams.code) {
15394
+ this.logger.warning("0y34ti", correlationId);
15395
+ return false;
15396
+ }
15397
+ this.logger.verbose("0kkkcj", correlationId);
15398
+ return true;
15399
+ }
15291
15400
  /**
15292
15401
  * Currently Unsupported
15293
15402
  */
@@ -15302,6 +15411,16 @@ class SilentIframeClient extends StandardInteractionClient {
15302
15411
  * @param userRequestScopes
15303
15412
  */
15304
15413
  async silentTokenHelper(authClient, request) {
15414
+ const { serverParams, pkceCodes } = await this.silentAuthorizeHelper(authClient, request);
15415
+ return invokeAsync(handleResponseCode, HandleResponseCode, this.logger, this.performanceClient, request.correlationId)(request, serverParams, pkceCodes.verifier, this.apiId, this.config, authClient, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
15416
+ }
15417
+ /**
15418
+ * Shared helper that generates PKCE codes, builds the /authorize URL,
15419
+ * loads it in a hidden iframe, waits for the redirect-bridge response,
15420
+ * and returns the deserialized server parameters along with the PKCE codes
15421
+ * and the request that was sent.
15422
+ */
15423
+ async silentAuthorizeHelper(authClient, request) {
15305
15424
  const correlationId = request.correlationId;
15306
15425
  const pkceCodes = await invokeAsync(generatePkceCodes, GeneratePkceCodes, this.logger, this.performanceClient, correlationId)(this.performanceClient, this.logger, correlationId);
15307
15426
  const silentRequest = {
@@ -15322,13 +15441,13 @@ class SilentIframeClient extends StandardInteractionClient {
15322
15441
  // Wait for response from the redirect bridge.
15323
15442
  let responseString;
15324
15443
  try {
15325
- responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient);
15444
+ responseString = await invokeAsync(waitForBridgeResponse, SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(this.config.system.iframeBridgeTimeout, this.logger, this.browserCrypto, request, this.performanceClient, this.config.experimental);
15326
15445
  }
15327
15446
  finally {
15328
15447
  invoke(removeHiddenIframe, RemoveHiddenIframe, this.logger, this.performanceClient, correlationId)(iframe);
15329
15448
  }
15330
15449
  const serverParams = invoke(deserializeResponse, DeserializeResponse, this.logger, this.performanceClient, correlationId)(responseString, responseType, this.logger, this.correlationId);
15331
- return invokeAsync(handleResponseCode, HandleResponseCode, this.logger, this.performanceClient, correlationId)(request, serverParams, pkceCodes.verifier, this.apiId, this.config, authClient, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
15450
+ return { serverParams, pkceCodes, silentRequest };
15332
15451
  }
15333
15452
  }
15334
15453
 
@@ -15582,22 +15701,32 @@ class StandardController {
15582
15701
  this.nativeInternalStorage = new BrowserCacheManager(this.config.auth.clientId, nativeCacheOptions, this.browserCrypto, this.logger, this.performanceClient, this.eventHandler);
15583
15702
  this.activeSilentTokenRequests = new Map();
15584
15703
  // Register listener functions
15585
- this.trackPageVisibility = this.trackPageVisibility.bind(this);
15704
+ this.trackStateChange = this.trackStateChange.bind(this);
15586
15705
  // Register listener functions
15587
- this.trackPageVisibilityWithMeasurement =
15588
- this.trackPageVisibilityWithMeasurement.bind(this);
15706
+ this.trackStateChangeWithMeasurement =
15707
+ this.trackStateChangeWithMeasurement.bind(this);
15589
15708
  }
15590
15709
  static async createController(operatingContext, request) {
15591
15710
  const controller = new StandardController(operatingContext);
15592
15711
  await controller.initialize(request);
15593
15712
  return controller;
15594
15713
  }
15595
- trackPageVisibility(correlationId) {
15714
+ trackStateChange(correlationId, event) {
15596
15715
  if (!correlationId) {
15597
15716
  return;
15598
15717
  }
15599
- this.logger.info("16v6hv", correlationId);
15600
- this.performanceClient.incrementFields({ visibilityChangeCount: 1 }, correlationId);
15718
+ if (event.type === "visibilitychange") {
15719
+ this.logger.info("16v6hv", correlationId);
15720
+ this.performanceClient.incrementFields({ visibilityChangeCount: 1 }, correlationId);
15721
+ }
15722
+ else if (event.type === "online") {
15723
+ this.logger.info("0zirfd", correlationId);
15724
+ this.performanceClient.incrementFields({ onlineStatusChangeCount: 1 }, correlationId);
15725
+ }
15726
+ else if (event.type === "offline") {
15727
+ this.logger.info("1xk9ef", correlationId);
15728
+ this.performanceClient.incrementFields({ onlineStatusChangeCount: 1 }, correlationId);
15729
+ }
15601
15730
  }
15602
15731
  /**
15603
15732
  * Initializer function to perform async startup tasks such as connecting to WAM extension
@@ -15697,22 +15826,25 @@ class StandardController {
15697
15826
  }
15698
15827
  const loggedInAccounts = this.getAllAccounts();
15699
15828
  const platformBrokerRequest = this.browserStorage.getCachedNativeRequest();
15700
- const useNative = platformBrokerRequest &&
15701
- this.platformAuthProvider &&
15702
- !options?.hash;
15829
+ const useNative = platformBrokerRequest && !options?.hash;
15703
15830
  let rootMeasurement;
15704
15831
  let redirectResponse;
15832
+ let cachedRedirectRequest;
15705
15833
  try {
15706
15834
  if (useNative && this.platformAuthProvider) {
15707
15835
  const correlationId = platformBrokerRequest?.correlationId || "";
15708
15836
  this.eventHandler.emitEvent(EventType.HANDLE_REDIRECT_START, correlationId, exports.InteractionType.Redirect);
15709
15837
  rootMeasurement = this.performanceClient.startMeasurement(AcquireTokenRedirect, correlationId);
15710
15838
  this.logger.trace("12v7is", correlationId);
15839
+ rootMeasurement.add({
15840
+ isPlatformBrokerRequest: true,
15841
+ });
15711
15842
  const nativeClient = new PlatformAuthInteractionClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.handleRedirectPromise, this.performanceClient, this.platformAuthProvider, platformBrokerRequest.accountId, this.nativeInternalStorage, platformBrokerRequest.correlationId);
15712
- redirectResponse = invokeAsync(nativeClient.handleRedirectPromise.bind(nativeClient), HandleNativeRedirectPromiseMeasurement, this.logger, this.performanceClient, rootMeasurement.event.correlationId)(this.performanceClient, rootMeasurement.event.correlationId);
15843
+ redirectResponse = invokeAsync(nativeClient.handleRedirectPromise.bind(nativeClient), HandleNativeRedirectPromiseMeasurement, this.logger, this.performanceClient, rootMeasurement.event.correlationId)();
15713
15844
  }
15714
15845
  else {
15715
15846
  const [standardRequest, codeVerifier] = this.browserStorage.getCachedRequest("");
15847
+ cachedRedirectRequest = standardRequest;
15716
15848
  const correlationId = standardRequest.correlationId;
15717
15849
  this.eventHandler.emitEvent(EventType.HANDLE_REDIRECT_START, correlationId, exports.InteractionType.Redirect);
15718
15850
  // Reset rootMeasurement now that we have correlationId
@@ -15741,6 +15873,8 @@ class StandardController {
15741
15873
  rootMeasurement.end({
15742
15874
  success: true,
15743
15875
  }, undefined, result.account);
15876
+ // Fire-and-forget SSO capability verification in background
15877
+ this.verifySsoCapability(cachedRedirectRequest, exports.InteractionType.Redirect);
15744
15878
  }
15745
15879
  else {
15746
15880
  /*
@@ -15806,12 +15940,14 @@ class StandardController {
15806
15940
  if (this.platformAuthProvider &&
15807
15941
  this.canUsePlatformBroker(request)) {
15808
15942
  const nativeClient = new PlatformAuthInteractionClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, ApiId.acquireTokenRedirect, this.performanceClient, this.platformAuthProvider, this.getNativeAccountId(request), this.nativeInternalStorage, correlationId);
15809
- result = nativeClient
15810
- .acquireTokenRedirect(request, atrMeasurement)
15811
- .catch((e) => {
15943
+ result = invokeAsync(nativeClient.acquireTokenRedirect.bind(nativeClient), NativeInteractionClientAcquireTokenRedirect, this.logger, this.performanceClient, correlationId)(request, atrMeasurement).catch((e) => {
15944
+ atrMeasurement.add({
15945
+ brokerErrorName: e.name,
15946
+ brokerErrorCode: e.errorCode,
15947
+ });
15812
15948
  if (e instanceof NativeAuthError &&
15813
15949
  isFatalNativeAuthError(e)) {
15814
- this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt
15950
+ this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt platform broker calls
15815
15951
  const redirectClient = this.createRedirectClient(correlationId);
15816
15952
  return redirectClient.acquireToken(request);
15817
15953
  }
@@ -15877,6 +16013,9 @@ class StandardController {
15877
16013
  let result;
15878
16014
  const pkce = this.getPreGeneratedPkceCodes(correlationId);
15879
16015
  if (this.canUsePlatformBroker(request)) {
16016
+ atPopupMeasurement.add({
16017
+ isPlatformBrokerRequest: true,
16018
+ });
15880
16019
  result = this.acquireTokenNative({
15881
16020
  ...request,
15882
16021
  correlationId,
@@ -15889,9 +16028,13 @@ class StandardController {
15889
16028
  return response;
15890
16029
  })
15891
16030
  .catch((e) => {
16031
+ atPopupMeasurement.add({
16032
+ brokerErrorName: e.name,
16033
+ brokerErrorCode: e.errorCode,
16034
+ });
15892
16035
  if (e instanceof NativeAuthError &&
15893
16036
  isFatalNativeAuthError(e)) {
15894
- this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt
16037
+ this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt platform broker calls
15895
16038
  const popupClient = this.createPopupClient(correlationId);
15896
16039
  return popupClient.acquireToken(request, pkce);
15897
16040
  }
@@ -15922,6 +16065,8 @@ class StandardController {
15922
16065
  accessTokenSize: result.accessToken.length,
15923
16066
  idTokenSize: result.idToken.length,
15924
16067
  }, undefined, result.account);
16068
+ // SSO capability verification in background
16069
+ this.verifySsoCapability(request, exports.InteractionType.Popup);
15925
16070
  return result;
15926
16071
  })
15927
16072
  .catch((e) => {
@@ -15939,15 +16084,137 @@ class StandardController {
15939
16084
  }
15940
16085
  });
15941
16086
  }
15942
- trackPageVisibilityWithMeasurement() {
16087
+ trackStateChangeWithMeasurement(event) {
15943
16088
  const measurement = this.ssoSilentMeasurement ||
15944
16089
  this.acquireTokenByCodeAsyncMeasurement;
15945
16090
  if (!measurement) {
15946
16091
  return;
15947
16092
  }
15948
- measurement.increment({
15949
- visibilityChangeCount: 1,
16093
+ if (event.type === "visibilitychange") {
16094
+ this.logger.info("0yzimq", measurement.event.correlationId);
16095
+ measurement.increment({
16096
+ visibilityChangeCount: 1,
16097
+ });
16098
+ }
16099
+ else if (event.type === "online") {
16100
+ this.logger.info("1caf53", measurement.event.correlationId);
16101
+ measurement.increment({
16102
+ onlineStatusChangeCount: 1,
16103
+ });
16104
+ }
16105
+ else if (event.type === "offline") {
16106
+ this.logger.info("0fdyk7", measurement.event.correlationId);
16107
+ measurement.increment({
16108
+ onlineStatusChangeCount: 1,
16109
+ });
16110
+ }
16111
+ }
16112
+ addStateChangeListeners(listener) {
16113
+ document.addEventListener("visibilitychange", listener);
16114
+ window.addEventListener("online", listener);
16115
+ window.addEventListener("offline", listener);
16116
+ }
16117
+ removeStateChangeListeners(listener) {
16118
+ document.removeEventListener("visibilitychange", listener);
16119
+ window.removeEventListener("online", listener);
16120
+ window.removeEventListener("offline", listener);
16121
+ }
16122
+ /**
16123
+ * Reads the cached ssoCapable value from localStorage.
16124
+ * @returns The cached ssoCapable boolean value, or undefined if not cached or expired.
16125
+ */
16126
+ getCachedSsoCapable() {
16127
+ try {
16128
+ const cachedValue = window.localStorage.getItem(SSO_CAPABLE);
16129
+ if (cachedValue) {
16130
+ const parsed = JSON.parse(cachedValue);
16131
+ if (parsed &&
16132
+ typeof parsed.ssoCapable === "boolean" &&
16133
+ parsed.expiresOn &&
16134
+ Date.now() < parsed.expiresOn) {
16135
+ return parsed.ssoCapable;
16136
+ }
16137
+ }
16138
+ }
16139
+ catch {
16140
+ // If parsing fails, return undefined
16141
+ }
16142
+ return undefined;
16143
+ }
16144
+ /**
16145
+ * SSO capability verification in the background.
16146
+ * This method makes an iframe request to /authorize to verify SSO capability without calling /token.
16147
+ * This method does not block the caller and tracks telemetry for success/failure.
16148
+ * This method only executes if verifySSO is set to true in the auth configuration.
16149
+ * The result is cached in localStorage with a 24-hour TTL; the SSO verification call
16150
+ * is only attempted when the cached value is absent or expired.
16151
+ * @param request - The original request used for the authentication flow
16152
+ * @param interactionType - The interactionType of the AT operation for logging purposes
16153
+ */
16154
+ verifySsoCapability(request, interactionType) {
16155
+ // Check if SSO capability verification is enabled
16156
+ if (!this.config.auth.verifySSO) {
16157
+ return;
16158
+ }
16159
+ // Check TTL: derive ssoCapable state from localStorage and skip if not expired
16160
+ const ssoCacheKey = SSO_CAPABLE;
16161
+ const SSO_CAPABLE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
16162
+ const cachedSsoCapable = this.getCachedSsoCapable();
16163
+ if (cachedSsoCapable !== undefined) {
16164
+ this.logger.verbose("13poou", "");
16165
+ return;
16166
+ }
16167
+ const correlationId = createNewGuid();
16168
+ const ssoCapableMeasurement = this.performanceClient.startMeasurement(SsoCapable, correlationId);
16169
+ ssoCapableMeasurement.add({
16170
+ "ext.interactionType": interactionType,
15950
16171
  });
16172
+ this.logger.verbose("0pbr0i", correlationId);
16173
+ /*
16174
+ * Use setTimeout to ensure this runs in a separate macrotask after the current call stack completes
16175
+ * This ensures the result is returned to the caller before the SSO verification starts and doesn't affect performance
16176
+ */
16177
+ setTimeout(() => {
16178
+ const ssoVerificationRequest = {
16179
+ ...request,
16180
+ correlationId: correlationId,
16181
+ };
16182
+ const silentIframeClient = this.createSilentIframeClient(correlationId);
16183
+ silentIframeClient
16184
+ .verifySso(ssoVerificationRequest)
16185
+ .then((result) => {
16186
+ this.logger.verbose("1gd1iv", correlationId);
16187
+ // TBD to add profileTelemetry later in localStorage with 24h TTL
16188
+ try {
16189
+ const cacheEntry = JSON.stringify({
16190
+ ssoCapable: result,
16191
+ expiresOn: Date.now() + SSO_CAPABLE_TTL_MS,
16192
+ });
16193
+ window.localStorage.setItem(ssoCacheKey, cacheEntry);
16194
+ }
16195
+ catch {
16196
+ this.logger.warning("18lmoj", correlationId);
16197
+ }
16198
+ ssoCapableMeasurement.end({
16199
+ fromCache: false,
16200
+ success: result,
16201
+ }, undefined);
16202
+ })
16203
+ .catch((error) => {
16204
+ this.logger.warning("05g83w", correlationId);
16205
+ // reset the cache
16206
+ try {
16207
+ window.localStorage.removeItem(ssoCacheKey);
16208
+ }
16209
+ catch {
16210
+ this.logger.warning("0nlf9q", correlationId);
16211
+ }
16212
+ ssoCapableMeasurement.end({
16213
+ fromCache: false,
16214
+ success: false,
16215
+ }, error);
16216
+ });
16217
+ }, 0);
15951
16218
  }
15952
16219
  // #endregion
15953
16220
  // #region Silent Flow
@@ -15970,28 +16237,35 @@ class StandardController {
15970
16237
  const correlationId = this.getRequestCorrelationId(request);
15971
16238
  const validRequest = {
15972
16239
  ...request,
15973
- // will be PromptValue.NONE or PromptValue.NO_SESSION
15974
- prompt: request.prompt,
15975
16240
  correlationId: correlationId,
15976
16241
  };
15977
16242
  this.ssoSilentMeasurement = this.performanceClient.startMeasurement(SsoSilent, correlationId);
15978
16243
  this.ssoSilentMeasurement?.add({
15979
16244
  scenarioId: request.scenarioId,
16245
+ ssoCapable: this.getCachedSsoCapable(),
15980
16246
  });
15981
16247
  preflightCheck(this.initialized, this.ssoSilentMeasurement, this.config, validRequest);
15982
16248
  this.ssoSilentMeasurement?.increment({
15983
16249
  visibilityChangeCount: 0,
16250
+ onlineStatusChangeCount: 0,
15984
16251
  });
15985
- document.addEventListener("visibilitychange", this.trackPageVisibilityWithMeasurement);
16252
+ this.addStateChangeListeners(this.trackStateChangeWithMeasurement);
15986
16253
  const loggedInAccounts = this.getAllAccounts();
15987
16254
  this.logger.verbose("0w1b45", correlationId);
15988
16255
  this.eventHandler.emitEvent(EventType.ACQUIRE_TOKEN_START, correlationId, exports.InteractionType.Silent, validRequest);
15989
16256
  let result;
15990
16257
  if (this.canUsePlatformBroker(validRequest)) {
16258
+ this.ssoSilentMeasurement?.add({
16259
+ isPlatformBrokerRequest: true,
16260
+ });
15991
16261
  result = this.acquireTokenNative(validRequest, ApiId.ssoSilent).catch((e) => {
16262
+ this.ssoSilentMeasurement?.add({
16263
+ brokerErrorName: e.name,
16264
+ brokerErrorCode: e.errorCode,
16265
+ });
15992
16266
  // If native token acquisition fails for availability reasons fallback to standard flow
15993
16267
  if (e instanceof NativeAuthError && isFatalNativeAuthError(e)) {
15994
- this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt
16268
+ this.platformAuthProvider = undefined; // If extension gets uninstalled during session prevent future requests from continuing to attempt platform broker calls
15995
16269
  const silentIframeClient = this.createSilentIframeClient(validRequest.correlationId);
15996
16270
  return silentIframeClient.acquireToken(validRequest);
15997
16271
  }
@@ -16025,7 +16299,7 @@ class StandardController {
16025
16299
  throw e;
16026
16300
  })
16027
16301
  .finally(() => {
16028
- document.removeEventListener("visibilitychange", this.trackPageVisibilityWithMeasurement);
16302
+ this.removeStateChangeListeners(this.trackStateChangeWithMeasurement);
16029
16303
  });
16030
16304
  }
16031
16305
  /**
@@ -16064,7 +16338,6 @@ class StandardController {
16064
16338
  this.hybridAuthCodeResponses.delete(hybridAuthCode);
16065
16339
  atbcMeasurement.end({
16066
16340
  success: true,
16067
- isNativeBroker: result.fromPlatformBroker,
16068
16341
  accessTokenSize: result.accessToken.length,
16069
16342
  idTokenSize: result.idToken.length,
16070
16343
  }, undefined, result.account);
@@ -16088,10 +16361,17 @@ class StandardController {
16088
16361
  }
16089
16362
  else if (request.nativeAccountId) {
16090
16363
  if (this.canUsePlatformBroker(request, request.nativeAccountId)) {
16364
+ atbcMeasurement.add({
16365
+ isPlatformBrokerRequest: true,
16366
+ });
16091
16367
  const result = await this.acquireTokenNative({
16092
16368
  ...request,
16093
16369
  correlationId,
16094
16370
  }, ApiId.acquireTokenByCode, request.nativeAccountId).catch((e) => {
16371
+ atbcMeasurement.add({
16372
+ brokerErrorName: e.name,
16373
+ brokerErrorCode: e.errorCode,
16374
+ });
16095
16375
  // If native token acquisition fails for availability reasons fallback to standard flow
16096
16376
  if (e instanceof NativeAuthError &&
16097
16377
  isFatalNativeAuthError(e)) {
@@ -16132,8 +16412,9 @@ class StandardController {
16132
16412
  this.performanceClient.startMeasurement(AcquireTokenByCodeAsync, correlationId);
16133
16413
  this.acquireTokenByCodeAsyncMeasurement?.increment({
16134
16414
  visibilityChangeCount: 0,
16415
+ onlineStatusChangeCount: 0,
16135
16416
  });
16136
- document.addEventListener("visibilitychange", this.trackPageVisibilityWithMeasurement);
16417
+ this.addStateChangeListeners(this.trackStateChangeWithMeasurement);
16137
16418
  const silentAuthCodeClient = this.createSilentAuthCodeClient(correlationId);
16138
16419
  const silentTokenResult = await silentAuthCodeClient
16139
16420
  .acquireToken(request)
@@ -16141,7 +16422,6 @@ class StandardController {
16141
16422
  this.acquireTokenByCodeAsyncMeasurement?.end({
16142
16423
  success: true,
16143
16424
  fromCache: response.fromCache,
16144
- isNativeBroker: response.fromPlatformBroker,
16145
16425
  });
16146
16426
  return response;
16147
16427
  })
@@ -16152,7 +16432,7 @@ class StandardController {
16152
16432
  throw tokenRenewalError;
16153
16433
  })
16154
16434
  .finally(() => {
16155
- document.removeEventListener("visibilitychange", this.trackPageVisibilityWithMeasurement);
16435
+ this.removeStateChangeListeners(this.trackStateChangeWithMeasurement);
16156
16436
  });
16157
16437
  return silentTokenResult;
16158
16438
  }
@@ -16310,7 +16590,7 @@ class StandardController {
16310
16590
  throw createBrowserAuthError(nativeConnectionNotEstablished);
16311
16591
  }
16312
16592
  const nativeClient = new PlatformAuthInteractionClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, apiId, this.performanceClient, this.platformAuthProvider, accountId || this.getNativeAccountId(request), this.nativeInternalStorage, correlationId);
16313
- return nativeClient.acquireToken(request, cacheLookupPolicy);
16593
+ return invokeAsync(nativeClient.acquireToken.bind(nativeClient), NativeInteractionClientAcquireToken, this.logger, this.performanceClient, correlationId)(request, cacheLookupPolicy);
16314
16594
  }
16315
16595
  /**
16316
16596
  * Returns boolean indicating if this request can use the platform broker
@@ -16324,7 +16604,7 @@ class StandardController {
16324
16604
  return false;
16325
16605
  }
16326
16606
  if (!isPlatformAuthAllowed(this.config, this.logger, correlationId, this.platformAuthProvider, request.authenticationScheme)) {
16327
- this.logger.trace("1m4bzf", correlationId);
16607
+ this.logger.trace("0yoy1g", correlationId);
16328
16608
  return false;
16329
16609
  }
16330
16610
  if (request.prompt) {
@@ -16543,6 +16823,7 @@ class StandardController {
16543
16823
  atsMeasurement.add({
16544
16824
  cacheLookupPolicy: request.cacheLookupPolicy,
16545
16825
  scenarioId: request.scenarioId,
16826
+ ssoCapable: this.getCachedSsoCapable(),
16546
16827
  });
16547
16828
  preflightCheck(this.initialized, atsMeasurement, this.config, request);
16548
16829
  this.logger.verbose("0x1c4s", correlationId);
@@ -16555,7 +16836,6 @@ class StandardController {
16555
16836
  atsMeasurement.end({
16556
16837
  success: true,
16557
16838
  fromCache: result.fromCache,
16558
- isNativeBroker: result.fromPlatformBroker,
16559
16839
  accessTokenSize: result.accessToken.length,
16560
16840
  idTokenSize: result.idToken.length,
16561
16841
  }, undefined, result.account);
@@ -16614,12 +16894,12 @@ class StandardController {
16614
16894
  * @returns {Promise.<AuthenticationResult>} - a promise that is fulfilled when this function has completed, or rejected if an error was raised. Returns the {@link AuthResponse}
16615
16895
  */
16616
16896
  async acquireTokenSilentAsync(request, account) {
16617
- const trackPageVisibility = () => this.trackPageVisibility(request.correlationId);
16897
+ const trackStateChange = (event) => this.trackStateChange(request.correlationId, event);
16618
16898
  this.eventHandler.emitEvent(EventType.ACQUIRE_TOKEN_START, request.correlationId, exports.InteractionType.Silent, request);
16619
16899
  if (request.correlationId) {
16620
- this.performanceClient.incrementFields({ visibilityChangeCount: 0 }, request.correlationId);
16900
+ this.performanceClient.incrementFields({ visibilityChangeCount: 0, onlineStatusChangeCount: 0 }, request.correlationId);
16621
16901
  }
16622
- document.addEventListener("visibilitychange", trackPageVisibility);
16902
+ this.addStateChangeListeners(trackStateChange);
16623
16903
  const silentRequest = await invokeAsync(initializeSilentRequest, InitializeSilentRequest, this.logger, this.performanceClient, request.correlationId)(request, account, this.config, this.performanceClient, this.logger);
16624
16904
  const cacheLookupPolicy = request.cacheLookupPolicy || CacheLookupPolicy.Default;
16625
16905
  const result = this.acquireTokenSilentNoIframe(silentRequest, cacheLookupPolicy).catch(async (refreshTokenError) => {
@@ -16701,7 +16981,7 @@ class StandardController {
16701
16981
  throw tokenRenewalError;
16702
16982
  })
16703
16983
  .finally(() => {
16704
- document.removeEventListener("visibilitychange", trackPageVisibility);
16984
+ this.removeStateChangeListeners(trackStateChange);
16705
16985
  });
16706
16986
  }
16707
16987
  /**
@@ -16715,7 +16995,12 @@ class StandardController {
16715
16995
  if (isPlatformAuthAllowed(this.config, this.logger, silentRequest.correlationId, this.platformAuthProvider, silentRequest.authenticationScheme) &&
16716
16996
  silentRequest.account.nativeAccountId) {
16717
16997
  this.logger.verbose("0sczo4", silentRequest.correlationId);
16998
+ this.performanceClient.addFields({ isPlatformBrokerRequest: true }, silentRequest.correlationId);
16718
16999
  return this.acquireTokenNative(silentRequest, ApiId.acquireTokenSilent_silentFlow, silentRequest.account.nativeAccountId, cacheLookupPolicy).catch(async (e) => {
17000
+ this.performanceClient.addFields({
17001
+ brokerErrorName: e.name,
17002
+ brokerErrorCode: e.errorCode,
17003
+ }, silentRequest.correlationId);
16719
17004
  // If native token acquisition fails for availability reasons fallback to web flow
16720
17005
  if (e instanceof NativeAuthError && isFatalNativeAuthError(e)) {
16721
17006
  this.logger.verbose("07rkmb", silentRequest.correlationId);
@@ -18301,7 +18586,7 @@ async function loadExternalTokens(config, request, response, options, performanc
18301
18586
  const storage = new BrowserCacheManager(browserConfig.auth.clientId, browserConfig.cache, cryptoOps, logger, browserConfig.telemetry.client, new EventHandler(logger), buildStaticAuthorityOptions(browserConfig.auth));
18302
18587
  const authorityString = request.authority || browserConfig.auth.authority;
18303
18588
  const authority = await createDiscoveredInstance(Authority.generateAuthority(authorityString, request.azureCloudOptions), browserConfig.system.networkClient, storage, authorityOptions, logger, correlationId, performanceClient);
18304
- const cacheRecordAccount = await invokeAsync(loadAccount, LoadAccount, logger, performanceClient, correlationId)(request, options.clientInfo || response.client_info || "", correlationId, storage, logger, cryptoOps, authority, idTokenClaims);
18589
+ const cacheRecordAccount = await invokeAsync(loadAccount, LoadAccount, logger, performanceClient, correlationId)(request, options.clientInfo || response.client_info || "", correlationId, storage, logger, cryptoOps, authority, idTokenClaims, performanceClient);
18305
18590
  const idToken = await invokeAsync(loadIdToken, LoadIdToken, logger, performanceClient, correlationId)(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, kmsi, correlationId, storage, logger, config.auth.clientId);
18306
18591
  const accessToken = await invokeAsync(loadAccessToken, LoadAccessToken, logger, performanceClient, correlationId)(request, response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, kmsi, options, correlationId, storage, logger, config.auth.clientId);
18307
18592
  const refreshToken = await invokeAsync(loadRefreshToken, LoadRefreshToken, logger, performanceClient, correlationId)(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, kmsi, correlationId, storage, logger, config.auth.clientId, performanceClient);
@@ -18327,7 +18612,7 @@ async function loadExternalTokens(config, request, response, options, performanc
18327
18612
  * @param requestHomeAccountId
18328
18613
  * @returns `AccountEntity`
18329
18614
  */
18330
- async function loadAccount(request, clientInfo, correlationId, storage, logger, cryptoObj, authority, idTokenClaims) {
18615
+ async function loadAccount(request, clientInfo, correlationId, storage, logger, cryptoObj, authority, idTokenClaims, performanceClient) {
18331
18616
  logger.verbose("0ke46k", correlationId);
18332
18617
  if (request.account) {
18333
18618
  const accountEntity = createAccountEntityFromAccountInfo(request.account);
@@ -18342,7 +18627,7 @@ async function loadAccount(request, clientInfo, correlationId, storage, logger,
18342
18627
  const claimsTenantId = idTokenClaims?.tid;
18343
18628
  const cachedAccount = buildAccountToCache(storage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, authority.getPreferredCache(), claimsTenantId, undefined, // authCodePayload
18344
18629
  undefined, // nativeAccountId
18345
- logger);
18630
+ logger, performanceClient);
18346
18631
  await storage.setAccount(cachedAccount, correlationId, isKmsi(idTokenClaims || {}), ApiId.loadExternalTokens);
18347
18632
  return cachedAccount;
18348
18633
  }
@@ -18614,6 +18899,9 @@ class BrowserPerformanceClient extends PerformanceClient {
18614
18899
  getPageVisibility() {
18615
18900
  return document.visibilityState?.toString() || null;
18616
18901
  }
18902
+ getOnlineStatus() {
18903
+ return typeof navigator !== "undefined" ? navigator.onLine : null;
18904
+ }
18617
18905
  deleteIncompleteSubMeasurements(inProgressEvent) {
18618
18906
  void getPerfMeasurementModule()?.then((module) => {
18619
18907
  const rootEvent = this.eventsByCorrelationId.get(inProgressEvent.event.correlationId);
@@ -18640,6 +18928,7 @@ class BrowserPerformanceClient extends PerformanceClient {
18640
18928
  startMeasurement(measureName, correlationId) {
18641
18929
  // Capture page visibilityState and then invoke start/end measurement
18642
18930
  const startPageVisibility = this.getPageVisibility();
18931
+ const startOnlineStatus = this.getOnlineStatus();
18643
18932
  const inProgressEvent = super.startMeasurement(measureName, correlationId);
18644
18933
  const startTime = supportsBrowserPerformanceNow()
18645
18934
  ? window.performance.now()
@@ -18655,6 +18944,7 @@ class BrowserPerformanceClient extends PerformanceClient {
18655
18944
  const res = inProgressEvent.end({
18656
18945
  ...event,
18657
18946
  startPageVisibility,
18947
+ startOnlineStatus,
18658
18948
  endPageVisibility: this.getPageVisibility(),
18659
18949
  durationMs: getPerfDurationMs(startTime),
18660
18950
  networkEffectiveType: networkInfo.effectiveType,