npm - @cosmotech/core - Versions diffs - 3.0.0 → 3.0.2 - Mend

@cosmotech/core 3.0.0 → 3.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.esm.js CHANGED Viewed

@@ -42500,7 +42500,7 @@ var AuthDev = {
   acquireTokensByRequest
 };
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -42774,7 +42774,7 @@ const JsonWebTokenTypes = {
 // Token renewal offset default in seconds
 const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -42785,7 +42785,7 @@ const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
 const unexpectedError = "unexpected_error";
 const postRequestFailed$1 = "post_request_failed";
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -42820,7 +42820,7 @@ function createAuthError(code, additionalMessage) {
         : AuthErrorMessages[code]);
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -42871,7 +42871,7 @@ const methodNotImplemented = "method_not_implemented";
 const nestedAppAuthBridgeDisabled = "nested_app_auth_bridge_disabled";
 const platformBrokerError = "platform_broker_error";
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -42946,7 +42946,7 @@ function createClientAuthError(errorCode, additionalMessage) {
     return new ClientAuthError(errorCode, additionalMessage);
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -42985,7 +42985,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
     },
 };
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43176,12 +43176,12 @@ class Logger {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /* eslint-disable header/header */
 const name$2 = "@azure/msal-common";
-const version$1 = "15.14.1";
+const version$1 = "15.16.1";
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43190,7 +43190,7 @@ const AzureCloudInstance = {
     // AzureCloudInstance is not specified.
     None: "none"};
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43220,7 +43220,7 @@ const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
 const invalidAuthorizePostBodyParameters = "invalid_authorize_post_body_parameters";
 const invalidPlatformBrokerConfiguration = "invalid_platform_broker_configuration";
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43266,7 +43266,7 @@ function createClientConfigurationError(errorCode) {
     return new ClientConfigurationError(errorCode);
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43361,9 +43361,48 @@ class StringUtils {
             .replace(/\?/g, "\\?"));
         return regex.test(input);
     }
+    /**
+     * Tests if a given string matches a given pattern using stricter, anchored matching semantics.
+     *
+     * Differences from `matchPattern` (legacy):
+     * - All regex metacharacters (including `.`) in the pattern are treated as literals,
+     *   so `example.com` matches only `example.com` and not `exampleXcom`.
+     * - The generated regex is anchored with `^` and `$` so partial/substring matches
+     *   are not allowed.
+     * - `*` is the only supported wildcard. Its behaviour depends on the URL component:
+     *   - `host` component: `*` matches any sequence of characters that does NOT include
+     *     a dot (`.`), keeping wildcards within a single DNS label boundary.
+     *   - All other components: `*` matches any sequence of characters (including `/`).
+     *
+     * @param pattern - The `protectedResourceMap` key pattern to match against. `*` is a
+     *   multi-character wildcard; all other characters are treated as literals.
+     * @param input - The URL component value (e.g. host, pathname) extracted from the
+     *   outgoing request URL to test against the pattern.
+     * @param options - Optional. Provide `component` to enable component-aware wildcard
+     *   semantics. Accepted values: `"host"`, `"path"`, `"protocol"`, `"search"`,
+     *   `"hash"`. Defaults to path-style (permissive) matching when omitted.
+     * @returns `true` if the full input string matches the pattern; `false` otherwise.
+     */
+    static matchPatternStrict(pattern, input, options) {
+        const component = options?.component;
+        // Step 1: Escape all regex special characters so literals are matched literally.
+        let regexBody = pattern.replace(/[.+^${}()|[\]\\*?]/g, "\\$&");
+        // Step 2: Replace the escaped '*' with its component-aware regex equivalent.
+        if (component === "host") {
+            regexBody = regexBody.replace(/\\\*/g, "[^.]*");
+        }
+        else {
+            // PATH, PROTOCOL, SEARCH, HASH, or unspecified: '*' matches any characters.
+            regexBody = regexBody.replace(/\\\*/g, ".*");
+        }
+        // Step 3: Anchor for full-string matching.
+        // eslint-disable-next-line security/detect-non-literal-regexp
+        const regex = new RegExp(`^${regexBody}$`);
+        return regex.test(input);
+    }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43558,7 +43597,7 @@ class ScopeSet {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43598,7 +43637,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
     };
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43680,7 +43719,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
     return updatedAccountInfo;
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43695,7 +43734,7 @@ const AuthorityType = {
     Ciam: 3,
 };
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43717,7 +43756,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
     return null;
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43741,7 +43780,7 @@ const ProtocolMode = {
     EAR: "EAR",
 };
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43976,7 +44015,7 @@ class AccountEntity {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44057,7 +44096,7 @@ function checkMaxAge(authTime, maxAge) {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44173,7 +44212,7 @@ function normalizeUrlForComparison(url) {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44337,7 +44376,7 @@ class UrlString {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44366,6 +44405,27 @@ const rawMetdataJSON = {
             authorization_endpoint: "https://login.microsoftonline.us/{tenantid}/oauth2/v2.0/authorize",
             end_session_endpoint: "https://login.microsoftonline.us/{tenantid}/oauth2/v2.0/logout",
         },
+        "login.sovcloud-identity.fr": {
+            token_endpoint: "https://login.sovcloud-identity.fr/{tenantid}/oauth2/v2.0/token",
+            jwks_uri: "https://login.sovcloud-identity.fr/{tenantid}/discovery/v2.0/keys",
+            issuer: "https://login.sovcloud-identity.fr/{tenantid}/v2.0",
+            authorization_endpoint: "https://login.sovcloud-identity.fr/{tenantid}/oauth2/v2.0/authorize",
+            end_session_endpoint: "https://login.sovcloud-identity.fr/{tenantid}/oauth2/v2.0/logout",
+        },
+        "login.sovcloud-identity.de": {
+            token_endpoint: "https://login.sovcloud-identity.de/{tenantid}/oauth2/v2.0/token",
+            jwks_uri: "https://login.sovcloud-identity.de/{tenantid}/discovery/v2.0/keys",
+            issuer: "https://login.sovcloud-identity.de/{tenantid}/v2.0",
+            authorization_endpoint: "https://login.sovcloud-identity.de/{tenantid}/oauth2/v2.0/authorize",
+            end_session_endpoint: "https://login.sovcloud-identity.de/{tenantid}/oauth2/v2.0/logout",
+        },
+        "login.sovcloud-identity.sg": {
+            token_endpoint: "https://login.sovcloud-identity.sg/common/oauth2/v2.0/token",
+            jwks_uri: "https://login.sovcloud-identity.sg/common/discovery/v2.0/keys",
+            issuer: "https://login.sovcloud-identity.sg/{tenantid}/v2.0",
+            authorization_endpoint: "https://login.sovcloud-identity.sg/common/oauth2/v2.0/authorize",
+            end_session_endpoint: "https://login.sovcloud-identity.sg/common/oauth2/v2.0/logout",
+        },
     },
     instanceDiscoveryMetadata: {
         metadata: [
@@ -44405,6 +44465,21 @@ const rawMetdataJSON = {
                 preferred_cache: "login-us.microsoftonline.com",
                 aliases: ["login-us.microsoftonline.com"],
             },
+            {
+                preferred_network: "login.sovcloud-identity.fr",
+                preferred_cache: "login.sovcloud-identity.fr",
+                aliases: ["login.sovcloud-identity.fr"],
+            },
+            {
+                preferred_network: "login.sovcloud-identity.de",
+                preferred_cache: "login.sovcloud-identity.de",
+                aliases: ["login.sovcloud-identity.de"],
+            },
+            {
+                preferred_network: "login.sovcloud-identity.sg",
+                preferred_cache: "login.sovcloud-identity.sg",
+                aliases: ["login.sovcloud-identity.sg"],
+            },
         ],
     },
 };
@@ -44476,7 +44551,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
     return null;
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -44484,7 +44559,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
 const cacheQuotaExceeded = "cache_quota_exceeded";
 const cacheErrorUnknown = "cache_error_unknown";
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44529,7 +44604,7 @@ function createCacheError(e) {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -45639,7 +45714,7 @@ class DefaultStorageClass extends CacheManager {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -45901,6 +45976,11 @@ const PerformanceEvents = {
     LoadIdToken: "loadIdToken",
     LoadAccessToken: "loadAccessToken",
     LoadRefreshToken: "loadRefreshToken",
+    /**
+     * SSO capability verification call (msal-browser).
+     * Fire-and-forget SSO verification call made after interactive authentication completes.
+     */
+    SsoCapable: "ssoCapable",
 };
 /**
  * State of the performance event.
@@ -45911,7 +45991,7 @@ const PerformanceEvents = {
 const PerformanceEventStatus = {
     InProgress: 1};
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -45990,7 +46070,7 @@ class StubPerformanceClient {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -46090,7 +46170,7 @@ function isOidcProtocolMode(config) {
     return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46100,7 +46180,7 @@ const CcsCredentialType = {
     UPN: "UPN",
 };
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46150,7 +46230,7 @@ const INSTANCE_AWARE = "instance_aware";
 const EAR_JWK = "ear_jwk";
 const EAR_JWE_CRYPTO = "ear_jwe_crypto";
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -46530,7 +46610,7 @@ function addPostBodyParameters(parameters, bodyParameters) {
     });
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46542,7 +46622,7 @@ function isOpenIdConfigResponse(response) {
         response.hasOwnProperty("jwks_uri"));
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46552,7 +46632,7 @@ function isCloudInstanceDiscoveryResponse(response) {
         response.hasOwnProperty("metadata"));
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46562,7 +46642,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
         response.hasOwnProperty("error_description"));
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46658,7 +46738,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
     };
 };
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -46764,7 +46844,7 @@ RegionDiscovery.IMDS_OPTIONS = {
     },
 };
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46829,7 +46909,7 @@ function wasClockTurnedBack(cachedAt) {
     return cachedAtSec > nowSeconds();
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -47091,7 +47171,7 @@ function isAuthorityMetadataExpired(metadata) {
     return metadata.expiresAt <= nowSeconds();
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -47930,7 +48010,7 @@ function buildStaticAuthorityOptions(authOptions) {
     };
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -47961,7 +48041,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -47980,7 +48060,7 @@ class ServerError extends AuthError {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -48001,7 +48081,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
     };
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48088,7 +48168,7 @@ class ThrottlingUtils {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48119,7 +48199,7 @@ function createNetworkError(error, httpStatus, responseHeaders, additionalError)
     return new NetworkError(error, httpStatus, responseHeaders);
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48267,23 +48347,58 @@ class BaseClient {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
  */
-// Codes defined by MSAL
+/**
+ * MSAL-defined interaction required error code indicating no tokens are found in cache.
+ * @public
+ */
 const noTokensFound = "no_tokens_found";
+/**
+ * MSAL-defined error code indicating a native account is unavailable on the platform.
+ * @public
+ */
 const nativeAccountUnavailable = "native_account_unavailable";
+/**
+ * MSAL-defined error code indicating the refresh token has expired and user interaction is needed.
+ * @public
+ */
 const refreshTokenExpired = "refresh_token_expired";
+/**
+ * MSAL-defined error code indicating UI/UX is not allowed (e.g., blocked by policy), requiring alternate interaction.
+ * @public
+ */
 const uxNotAllowed = "ux_not_allowed";
-// Codes potentially returned by server
+/**
+ * Server-originated error code indicating interaction is required to complete the request.
+ * @public
+ */
 const interactionRequired = "interaction_required";
+/**
+ * Server-originated error code indicating user consent is required.
+ * @public
+ */
 const consentRequired = "consent_required";
+/**
+ * Server-originated error code indicating user login is required.
+ * @public
+ */
 const loginRequired = "login_required";
-const badToken = "bad_token";
+/**
+ * Server-originated error code indicating the token is invalid or corrupted.
+ * @public
+ */
+const badToken = "bad_token";
+/**
+ * Server-originated error code indicating the user was interrupted and must reattempt the flow.
+ * @public
+ */
+const interruptedUser = "interrupted_user";
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48298,6 +48413,7 @@ const InteractionRequiredServerErrorMessage = [
     loginRequired,
     badToken,
     uxNotAllowed,
+    interruptedUser,
 ];
 const InteractionRequiredAuthSubErrorMessage = [
     "message_only",
@@ -48306,6 +48422,7 @@ const InteractionRequiredAuthSubErrorMessage = [
     "user_password_expired",
     "consent_required",
     "bad_token",
+    "interrupted_user",
 ];
 const InteractionRequiredAuthErrorMessages = {
     [noTokensFound]: "No refresh token found in the cache. Please sign-in.",
@@ -48313,6 +48430,7 @@ const InteractionRequiredAuthErrorMessages = {
     [refreshTokenExpired]: "Refresh token has expired.",
     [badToken]: "Identity provider returned bad_token due to an expired or invalid refresh token. Please invoke an interactive API to resolve.",
     [uxNotAllowed]: "`canShowUI` flag in Edge was set to false. User interaction required on web page. Please invoke an interactive API to resolve.",
+    [interruptedUser]: "The user could not be authenticated due to an interrupted state. Please invoke an interactive API to resolve.",
 };
 /**
  * Error thrown when user interaction is required.
@@ -48355,7 +48473,7 @@ function createInteractionRequiredAuthError(errorCode) {
     return new InteractionRequiredAuthError(errorCode, InteractionRequiredAuthErrorMessages[errorCode]);
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48427,7 +48545,7 @@ class ProtocolUtils {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48509,7 +48627,7 @@ class PopTokenGenerator {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -48536,7 +48654,7 @@ class PopTokenGenerator {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48875,7 +48993,7 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
     return baseAccount;
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -48893,7 +49011,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49042,11 +49160,6 @@ class AuthorizationCodeClient extends BaseClient {
                 throw createClientConfigurationError(missingSshJwk);
             }
         }
-        if (!StringUtils.isEmptyObj(request.claims) ||
-            (this.config.authOptions.clientCapabilities &&
-                this.config.authOptions.clientCapabilities.length > 0)) {
-            addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
-        }
         let ccsCred = undefined;
         if (request.clientInfo) {
             try {
@@ -49096,6 +49209,15 @@ class AuthorizationCodeClient extends BaseClient {
             });
         }
         instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
+        // ignore config claims if skipBrokerClaims is set to true and this is a brokered authentication flow
+        const configClaims = request.skipBrokerClaims &&
+            parameters.has(BROKER_CLIENT_ID)
+            ? undefined
+            : this.config.authOptions.clientCapabilities;
+        if (!StringUtils.isEmptyObj(request.claims) ||
+            (configClaims && configClaims.length > 0)) {
+            addClaims(parameters, request.claims, configClaims);
+        }
         return mapToQueryString(parameters);
     }
     /**
@@ -49129,7 +49251,7 @@ class AuthorizationCodeClient extends BaseClient {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49307,11 +49429,6 @@ class RefreshTokenClient extends BaseClient {
                 throw createClientConfigurationError(missingSshJwk);
             }
         }
-        if (!StringUtils.isEmptyObj(request.claims) ||
-            (this.config.authOptions.clientCapabilities &&
-                this.config.authOptions.clientCapabilities.length > 0)) {
-            addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
-        }
         if (this.config.systemOptions.preventCorsPreflight &&
             request.ccsCredential) {
             switch (request.ccsCredential.type) {
@@ -49337,11 +49454,20 @@ class RefreshTokenClient extends BaseClient {
             addExtraQueryParameters(parameters, request.tokenBodyParameters);
         }
         instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
+        // ignore config claims if skipBrokerClaims is set to true and this is a brokered authentication flow
+        const configClaims = request.skipBrokerClaims &&
+            parameters.has(BROKER_CLIENT_ID)
+            ? undefined
+            : this.config.authOptions.clientCapabilities;
+        if (!StringUtils.isEmptyObj(request.claims) ||
+            (configClaims && configClaims.length > 0)) {
+            addClaims(parameters, request.claims, configClaims);
+        }
         return mapToQueryString(parameters);
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49439,7 +49565,7 @@ class SilentFlowClient extends BaseClient {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49454,7 +49580,7 @@ const StubbedNetworkModule = {
     },
 };
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49575,14 +49701,17 @@ function getStandardAuthorizeRequestParameters(authOptions, request, logger, per
     if (request.state) {
         addState(parameters, request.state);
     }
-    if (request.claims ||
-        (authOptions.clientCapabilities &&
-            authOptions.clientCapabilities.length > 0)) {
-        addClaims(parameters, request.claims, authOptions.clientCapabilities);
-    }
     if (request.embeddedClientId) {
         addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
     }
+    // ignore config claims if skipBrokerClaims is set to true and this is a brokered authentication flow
+    const configClaims = request.skipBrokerClaims &&
+        parameters.has(BROKER_CLIENT_ID)
+        ? undefined
+        : authOptions.clientCapabilities;
+    if (request.claims || (configClaims && configClaims.length > 0)) {
+        addClaims(parameters, request.claims, configClaims);
+    }
     // If extraQueryParameters includes instance_aware its value will be added when extraQueryParameters are added
     if (authOptions.instanceAware &&
         (!request.extraQueryParameters ||
@@ -49678,7 +49807,7 @@ function extractLoginHint(account) {
     return account.loginHint || account.idTokenClaims?.login_hint || null;
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49941,7 +50070,7 @@ class ServerTelemetryManager {
     }
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -49949,7 +50078,7 @@ class ServerTelemetryManager {
 const missingKidError = "missing_kid_error";
 const missingAlgError = "missing_alg_error";
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49974,7 +50103,7 @@ function createJoseHeaderError(code) {
     return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);
 }
-/*! @azure/msal-common v15.14.1 2026-01-17 */
+/*! @azure/msal-common v15.16.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50014,7 +50143,7 @@ class JoseHeader {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -50071,7 +50200,7 @@ const failedToParseHeaders = "failed_to_parse_headers";
 const failedToDecryptEarResponse = "failed_to_decrypt_ear_response";
 const timedOut = "timed_out";
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50148,7 +50277,7 @@ function createBrowserAuthError(errorCode, subError) {
     return new BrowserAuthError(errorCode, subError);
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50337,7 +50466,7 @@ const iFrameRenewalPolicies = [
     CacheLookupPolicy.RefreshTokenAndNetwork,
 ];
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -50382,7 +50511,7 @@ function base64EncArr(aBytes) {
     return btoa(binString);
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50421,7 +50550,7 @@ function base64DecToArr(base64String) {
     return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50720,7 +50849,7 @@ async function hashString(plainText) {
     return urlEncodeArr(hashBytes);
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -50729,7 +50858,7 @@ const storageNotSupported = "storage_not_supported";
 const stubbedPublicClientApplicationCalled = "stubbed_public_client_application_called";
 const inMemRedirectUnavailable = "in_mem_redirect_unavailable";
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50769,7 +50898,7 @@ function createBrowserConfigurationAuthError(errorCode) {
     return new BrowserConfigurationAuthError(errorCode, BrowserConfigurationAuthErrorMessages[errorCode]);
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50931,7 +51060,7 @@ function createGuid() {
     return createNewGuid();
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50974,7 +51103,7 @@ class NavigationClient {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51095,7 +51224,7 @@ function getHeaderDict(headers) {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51144,6 +51273,7 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
         supportsNestedAppAuth: false,
         instanceAware: false,
         encodeExtraQueryParams: false,
+        verifySSO: false,
     };
     // Default cache options for browser
     const DEFAULT_CACHE_OPTIONS = {
@@ -51230,12 +51360,12 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
     return overlayedConfig;
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /* eslint-disable header/header */
 const name$1 = "@azure/msal-browser";
-const version = "4.28.1";
+const version = "4.29.1";
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -51263,7 +51393,7 @@ function getTokenKeysCacheKey(clientId, schema = CREDENTIAL_SCHEMA_VERSION) {
     return `${PREFIX}.${schema}.${TOKEN_KEYS}.${clientId}`;
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51360,7 +51490,7 @@ class BaseOperatingContext {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51406,7 +51536,7 @@ StandardOperatingContext.MODULE_NAME = "";
  */
 StandardOperatingContext.ID = "StandardOperatingContext";
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51609,7 +51739,7 @@ class DatabaseStorage {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -51655,7 +51785,7 @@ class MemoryStorage {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51789,7 +51919,7 @@ class AsyncMemoryStorage {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51970,7 +52100,7 @@ function getSortedObjectString(obj) {
     return JSON.stringify(obj, Object.keys(obj).sort());
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -52048,7 +52178,7 @@ function getCookieExpirationTime(cookieLifeDays) {
     return expr.toUTCString();
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -52090,7 +52220,7 @@ function getTokenKeys(clientId, storage, schemaVersion) {
     };
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -52101,7 +52231,7 @@ function isEncrypted(data) {
         data.hasOwnProperty("data"));
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -52391,7 +52521,7 @@ class LocalStorage {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -52433,7 +52563,7 @@ class SessionStorage {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -52468,7 +52598,7 @@ const EventType = {
     BROKER_CONNECTION_ESTABLISHED: "msal:brokerConnectionEstablished",
 };
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -52485,7 +52615,7 @@ function removeElementFromArray(array, element) {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -53900,7 +54030,7 @@ const DEFAULT_BROWSER_CACHE_MANAGER = (clientId, logger, performanceClient, even
     return new BrowserCacheManager(clientId, cacheOptions, DEFAULT_CRYPTO_IMPLEMENTATION, logger, performanceClient, eventHandler);
 };
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -54025,7 +54155,7 @@ function getActiveAccount(browserStorage, correlationId) {
     return browserStorage.getActiveAccount(correlationId);
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54131,7 +54261,7 @@ class EventHandler {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54247,7 +54377,7 @@ class BaseInteractionClient {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54332,7 +54462,7 @@ function validateRequestMethod(interactionRequest, protocolMode) {
     return httpMethod;
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54504,6 +54634,10 @@ class StandardInteractionClient extends BaseInteractionClient {
     async initializeAuthorizationRequest(request, interactionType) {
         this.performanceClient.addQueueMeasurement(PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.correlationId);
         const redirectUri = this.getRedirectUri(request.redirectUri);
+        if (new URL(redirectUri).origin !== new URL(window.location.href).origin) {
+            this.logger.warning("The origin of the redirect URI does not match the origin of the current page. This is likely to cause issues with authentication.", this.correlationId);
+            this.performanceClient.addFields({ isRedirectUriCrossOrigin: true }, this.correlationId);
+        }
         const browserState = {
             interactionType: interactionType,
         };
@@ -54536,7 +54670,7 @@ class StandardInteractionClient extends BaseInteractionClient {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54560,7 +54694,7 @@ function extractBrowserRequestState(browserCrypto, state) {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54599,7 +54733,7 @@ function validateInteractionType(response, browserCrypto, interactionType) {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54695,7 +54829,7 @@ class InteractionHandler {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -54704,7 +54838,7 @@ const contentError = "ContentError";
 const pageException = "PageException";
 const userSwitch = "user_switch";
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -54717,7 +54851,7 @@ const DISABLED = "DISABLED";
 const ACCOUNT_UNAVAILABLE = "ACCOUNT_UNAVAILABLE";
 const UX_NOT_ALLOWED = "UX_NOT_ALLOWED";
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54782,7 +54916,7 @@ function createNativeAuthError(code, description, ext) {
     return new NativeAuthError(code, NativeAuthErrorMessages[code] || description, ext);
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54832,7 +54966,7 @@ class SilentCacheClient extends StandardInteractionClient {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -55459,7 +55593,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -55544,6 +55678,8 @@ async function getEARForm(frame, config, authority, request, logger, performance
     addCodeChallengeParams(parameters, request.codeChallenge, Constants.S256_CODE_CHALLENGE_METHOD);
     const queryParams = new Map();
     addExtraQueryParameters(queryParams, request.extraQueryParameters || {});
+    // Add correlationId to query params so gateway can propagate it to IDPs
+    addCorrelationId(queryParams, request.correlationId);
     const url = getAuthorizeUrl(authority, queryParams, config.auth.encodeExtraQueryParams, request.extraQueryParameters);
     return createForm(frame, url, parameters);
 }
@@ -55557,6 +55693,8 @@ async function getCodeForm(frame, config, authority, request, logger, performanc
     addPostBodyParameters(parameters, request.authorizePostBodyParameters || {});
     const queryParams = new Map();
     addExtraQueryParameters(queryParams, request.extraQueryParameters || {});
+    // Add correlationId to query params so gateway can propagate it to IDPs
+    addCorrelationId(queryParams, request.correlationId);
     const url = getAuthorizeUrl(authority, queryParams, config.auth.encodeExtraQueryParams, request.extraQueryParameters);
     return createForm(frame, url, parameters);
 }
@@ -55684,7 +55822,7 @@ async function handleResponseEAR(request, response, apiId, config, authority, br
     return (await invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, logger, performanceClient, request.correlationId)(decryptedData, authority, nowSeconds(), request, apiId, additionalData, undefined, undefined, undefined, undefined));
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -55741,7 +55879,7 @@ async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceCl
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -56006,7 +56144,7 @@ class PlatformAuthExtensionHandler {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -56132,18 +56270,32 @@ class PlatformAuthDOMHandler {
         return nativeResponse;
     }
     getDOMExtraParams(extraParameters) {
-        const stringifiedParams = Object.entries(extraParameters).reduce((record, [key, value]) => {
-            record[key] = String(value);
-            return record;
-        }, {});
-        const validExtraParams = {
-            ...stringifiedParams,
-        };
-        return validExtraParams;
+        try {
+            const stringifiedProperties = {};
+            for (const [key, value] of Object.entries(extraParameters)) {
+                if (!value) {
+                    continue;
+                }
+                if (typeof value === "object") {
+                    stringifiedProperties[key] = JSON.stringify(value);
+                }
+                else {
+                    stringifiedProperties[key] = String(value);
+                }
+            }
+            return stringifiedProperties;
+        }
+        catch (e) {
+            this.logger.error(this.platformAuthType + " - Error stringifying extra parameters");
+            this.logger.errorPii(this.platformAuthType +
+                " - Error stringifying extra parameters: " +
+                e);
+            return {};
+        }
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 async function getPlatformAuthProvider(logger, performanceClient, correlationId, nativeBrokerHandshakeTimeout, enablePlatformBrokerDOMSupport) {
     logger.trace("getPlatformAuthProvider called", correlationId);
     logger.trace("Has client allowed platform auth via DOM API: " +
@@ -56208,7 +56360,7 @@ function isPlatformAuthAllowed(config, logger, platformAuthProvider, authenticat
     return true;
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -56705,7 +56857,7 @@ class PopupClient extends StandardInteractionClient {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57145,7 +57297,7 @@ class RedirectClient extends StandardInteractionClient {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57193,6 +57345,12 @@ async function initiateEarRequest(config, authority, request, logger, performanc
  */
 async function monitorIframeForHash(iframe, timeout, pollIntervalMilliseconds, performanceClient, logger, correlationId, responseType) {
     performanceClient.addQueueMeasurement(PerformanceEvents.SilentHandlerMonitorIframeForHash, correlationId);
+    performanceClient.addFields({
+        iframePollIntervalMs: pollIntervalMilliseconds,
+        iframeTimeoutMs: timeout,
+    }, correlationId);
+    let totalTickCount = 0;
+    let crossOriginTickCount = 0;
     return new Promise((resolve, reject) => {
         if (timeout < DEFAULT_IFRAME_TIMEOUT_MS) {
             logger.warning(`system.loadFrameTimeout or system.iframeHashTimeout set to lower (${timeout}ms) than the default (${DEFAULT_IFRAME_TIMEOUT_MS}ms). This may result in timeouts.`);
@@ -57206,6 +57364,7 @@ async function monitorIframeForHash(iframe, timeout, pollIntervalMilliseconds, p
             reject(createBrowserAuthError(monitorWindowTimeout));
         }, timeout);
         const intervalId = window.setInterval(() => {
+            totalTickCount++;
             let href = "";
             const contentWindow = iframe.contentWindow;
             try {
@@ -57216,7 +57375,9 @@ async function monitorIframeForHash(iframe, timeout, pollIntervalMilliseconds, p
                  */
                 href = contentWindow ? contentWindow.location.href : "";
             }
-            catch (e) { }
+            catch (e) {
+                crossOriginTickCount++;
+            }
             if (!href || href === "about:blank") {
                 return;
             }
@@ -57234,6 +57395,10 @@ async function monitorIframeForHash(iframe, timeout, pollIntervalMilliseconds, p
             resolve(responseString);
         }, pollIntervalMilliseconds);
     }).finally(() => {
+        performanceClient.addFields({
+            iframeTickCount: totalTickCount,
+            crossOriginTickCount: crossOriginTickCount,
+        }, correlationId);
         invoke(removeHiddenIframe, PerformanceEvents.RemoveHiddenIframe, logger, performanceClient, correlationId)(iframe);
     });
 }
@@ -57301,7 +57466,7 @@ function removeHiddenIframe(iframe) {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57423,6 +57588,52 @@ class SilentIframeClient extends StandardInteractionClient {
             return invokeAsync(handleResponseEAR, PerformanceEvents.HandleResponseEar, this.logger, this.performanceClient, correlationId)(silentRequest, serverParams, this.apiId, this.config, discoveredAuthority, this.browserStorage, this.nativeStorage, this.eventHandler, this.logger, this.performanceClient, this.platformAuthProvider);
         }
     }
+    /**
+     * Verifies SSO capability by making an iframe request to /authorize without exchanging the code for tokens.
+     * This is useful for verifying SSO capability in the background without the overhead of a full token exchange.
+     * @param request - The SSO silent request
+     * @returns true if SSO verification was successful with a valid authorization code, false otherwise
+     */
+    async verifySso(request) {
+        this.performanceClient.addQueueMeasurement(PerformanceEvents.SilentIframeClientAcquireToken, request.correlationId);
+        const inputRequest = { ...request };
+        if (!inputRequest.prompt) {
+            inputRequest.prompt = PromptValue.NONE;
+        }
+        // Create silent request
+        const silentRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, request.correlationId)(inputRequest, InteractionType.Silent);
+        const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, request.correlationId)({
+            serverTelemetryManager: this.initializeServerTelemetryManager(this.apiId),
+            requestAuthority: silentRequest.authority,
+            requestAzureCloudOptions: silentRequest.azureCloudOptions,
+            requestExtraQueryParameters: silentRequest.extraQueryParameters,
+            account: silentRequest.account,
+        });
+        const correlationId = silentRequest.correlationId;
+        const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, correlationId)(this.performanceClient, this.logger, correlationId);
+        const requestWithPkce = {
+            ...silentRequest,
+            codeChallenge: pkceCodes.challenge,
+        };
+        // Create authorize request url
+        const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, requestWithPkce, this.logger, this.performanceClient);
+        // Get the frame handle for the silent request - this triggers the SSO verification
+        const msalFrame = await invokeAsync(initiateCodeRequest, PerformanceEvents.SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(navigateUrl, this.performanceClient, this.logger, correlationId, this.config.system.navigateFrameWait);
+        const responseType = this.config.auth.OIDCOptions.serverResponseType;
+        // Monitor the iframe for the response
+        const responseString = await invokeAsync(monitorIframeForHash, PerformanceEvents.SilentHandlerMonitorIframeForHash, this.logger, this.performanceClient, correlationId)(msalFrame, this.config.system.iframeHashTimeout, this.config.system.pollIntervalMilliseconds, this.performanceClient, this.logger, correlationId, responseType);
+        // Deserialize the response
+        const serverParams = invoke(deserializeResponse, PerformanceEvents.DeserializeResponse, this.logger, this.performanceClient, correlationId)(responseString, responseType, this.logger);
+        // Validate the response - this checks for errors and validates state
+        validateAuthorizationResponse(serverParams, silentRequest.state);
+        // Verify a valid authorization code is present
+        if (!serverParams.code) {
+            this.logger.warning("SSO verification response did not contain an authorization code", correlationId);
+            return false;
+        }
+        this.logger.verbose("SSO verification completed successfully with valid authorization code - skipped token exchange", correlationId);
+        return true;
+    }
     /**
      * Currently Unsupported
      */
@@ -57462,7 +57673,7 @@ class SilentIframeClient extends StandardInteractionClient {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57528,7 +57739,7 @@ class SilentRefreshClient extends StandardInteractionClient {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57742,7 +57953,7 @@ class TokenCache {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57755,7 +57966,7 @@ class HybridSpaAuthorizationCodeClient extends AuthorizationCodeClient {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57821,11 +58032,7 @@ class SilentAuthCodeClient extends StandardInteractionClient {
     }
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
-/*
- * Copyright (c) Microsoft Corporation. All rights reserved.
- * Licensed under the MIT License.
- */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 function collectInstanceStats(currentClientId, performanceEvent, logger) {
     const frameInstances =
     // @ts-ignore
@@ -57841,7 +58048,7 @@ function collectInstanceStats(currentClientId, performanceEvent, logger) {
     });
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57921,22 +58128,30 @@ class StandardController {
         this.tokenCache = new TokenCache(this.config, this.browserStorage, this.logger, this.browserCrypto, this.performanceClient);
         this.activeSilentTokenRequests = new Map();
         // Register listener functions
-        this.trackPageVisibility = this.trackPageVisibility.bind(this);
-        // Register listener functions
-        this.trackPageVisibilityWithMeasurement =
-            this.trackPageVisibilityWithMeasurement.bind(this);
+        this.trackStateChangeWithMeasurement =
+            this.trackStateChangeWithMeasurement.bind(this);
     }
     static async createController(operatingContext, request) {
         const controller = new StandardController(operatingContext);
         await controller.initialize(request);
         return controller;
     }
-    trackPageVisibility(correlationId) {
+    trackStateChange(correlationId, event) {
         if (!correlationId) {
             return;
         }
-        this.logger.info("Perf: Visibility change detected");
-        this.performanceClient.incrementFields({ visibilityChangeCount: 1 }, correlationId);
+        if (event.type === "visibilitychange") {
+            this.logger.info("Perf: Visibility change detected");
+            this.performanceClient.incrementFields({ visibilityChangeCount: 1 }, correlationId);
+        }
+        else if (event.type === "online") {
+            this.logger.info("Perf: Online status change detected");
+            this.performanceClient.incrementFields({ onlineStatusChangeCount: 1 }, correlationId);
+        }
+        else if (event.type === "offline") {
+            this.logger.info("Perf: Offline status change detected");
+            this.performanceClient.incrementFields({ onlineStatusChangeCount: 1 }, correlationId);
+        }
     }
     /**
      * Initializer function to perform async startup tasks such as connecting to WAM extension
@@ -58084,6 +58299,8 @@ class StandardController {
                 rootMeasurement.end({
                     success: true,
                 }, undefined, result.account);
+                // Fire-and-forget SSO capability verification in background
+                this.verifySsoCapability(result.account, InteractionType.Redirect);
             }
             else {
                 /*
@@ -58316,6 +58533,8 @@ class StandardController {
                 accessTokenSize: result.accessToken.length,
                 idTokenSize: result.idToken.length,
             }, undefined, result.account);
+            // SSO capability verification in background
+            this.verifySsoCapability(result.account, InteractionType.Popup);
             return result;
         })
             .catch((e) => {
@@ -58338,16 +58557,87 @@ class StandardController {
             }
         });
     }
-    trackPageVisibilityWithMeasurement() {
+    trackStateChangeWithMeasurement(event) {
         const measurement = this.ssoSilentMeasurement ||
             this.acquireTokenByCodeAsyncMeasurement;
         if (!measurement) {
             return;
         }
-        this.logger.info("Perf: Visibility change detected in ", measurement.event.name);
-        measurement.increment({
-            visibilityChangeCount: 1,
+        if (event.type === "visibilitychange") {
+            this.logger.info("Perf: Visibility change detected in ", measurement.event.name);
+            measurement.increment({
+                visibilityChangeCount: 1,
+            });
+        }
+        else if (event.type === "online") {
+            this.logger.info("Perf: Online status change detected in ", measurement.event.name);
+            measurement.increment({
+                onlineStatusChangeCount: 1,
+            });
+        }
+        else if (event.type === "offline") {
+            this.logger.info("Perf: Offline status change detected in ", measurement.event.name);
+            measurement.increment({
+                onlineStatusChangeCount: 1,
+            });
+        }
+    }
+    addStateChangeListeners(listener) {
+        document.addEventListener("visibilitychange", listener);
+        window.addEventListener("online", listener);
+        window.addEventListener("offline", listener);
+    }
+    removeStateChangeListeners(listener) {
+        document.removeEventListener("visibilitychange", listener);
+        window.removeEventListener("online", listener);
+        window.removeEventListener("offline", listener);
+    }
+    /**
+     * SSO capability verification in the background.
+     * This method makes an iframe request to /authorize to verify SSO capability without calling /token.
+     * This method does not block the caller and tracks telemetry for success/failure.
+     * This method only executes if verifySSO is set to true in the auth configuration.
+     * @param account - The account to use for the SSO verification
+     * @param parentApi - The API ID of the parent operation for logging purposes
+     */
+    verifySsoCapability(account, parentApi) {
+        // Check if SSO capability verification is enabled
+        if (!this.config.auth.verifySSO) {
+            return;
+        }
+        const correlationId = this.browserCrypto.createNewGuid();
+        const ssoCapableMeasurement = this.performanceClient.startMeasurement(PerformanceEvents.SsoCapable, correlationId);
+        ssoCapableMeasurement.add({
+            parentApi: parentApi,
         });
+        this.logger.verbose(`SSO capability verification initiated after ${parentApi}`, correlationId);
+        /*
+         * Use setTimeout to ensure this runs in a separate macrotask after the current call stack completes
+         * This ensures the result is returned to the caller before the SSO verification starts and doesn't affect performance
+         */
+        setTimeout(() => {
+            const ssoVerificationRequest = {
+                account: account,
+                correlationId: correlationId,
+            };
+            const silentIframeClient = this.createSilentIframeClient(correlationId);
+            silentIframeClient
+                .verifySso(ssoVerificationRequest)
+                .then((success) => {
+                this.logger.verbose(`SSO capability verification completed after ${parentApi}, success: ${success}`, correlationId);
+                ssoCapableMeasurement.end({
+                    fromCache: false,
+                    success: success,
+                }, undefined, account);
+            })
+                .catch((error) => {
+                this.logger.warning(`SSO capability verification failed after ${parentApi}: ${error.message}`, correlationId);
+                ssoCapableMeasurement.end({
+                    fromCache: false,
+                    success: false,
+                }, error, account);
+            });
+        }, 0);
     }
     // #endregion
     // #region Silent Flow
@@ -58381,8 +58671,9 @@ class StandardController {
         preflightCheck(this.initialized, this.ssoSilentMeasurement, request.account);
         this.ssoSilentMeasurement?.increment({
             visibilityChangeCount: 0,
+            onlineStatusChangeCount: 0,
         });
-        document.addEventListener("visibilitychange", this.trackPageVisibilityWithMeasurement);
+        this.addStateChangeListeners(this.trackStateChangeWithMeasurement);
         this.logger.verbose("ssoSilent called", correlationId);
         this.eventHandler.emitEvent(EventType.SSO_SILENT_START, InteractionType.Silent, validRequest);
         let result;
@@ -58426,7 +58717,7 @@ class StandardController {
             throw e;
         })
             .finally(() => {
-            document.removeEventListener("visibilitychange", this.trackPageVisibilityWithMeasurement);
+            this.removeStateChangeListeners(this.trackStateChangeWithMeasurement);
         });
     }
     /**
@@ -58538,8 +58829,9 @@ class StandardController {
             this.performanceClient.startMeasurement(PerformanceEvents.AcquireTokenByCodeAsync, request.correlationId);
         this.acquireTokenByCodeAsyncMeasurement?.increment({
             visibilityChangeCount: 0,
+            onlineStatusChangeCount: 0,
         });
-        document.addEventListener("visibilitychange", this.trackPageVisibilityWithMeasurement);
+        this.addStateChangeListeners(this.trackStateChangeWithMeasurement);
         const silentAuthCodeClient = this.createSilentAuthCodeClient(request.correlationId);
         const silentTokenResult = await silentAuthCodeClient
             .acquireToken(request)
@@ -58557,7 +58849,7 @@ class StandardController {
             throw tokenRenewalError;
         })
             .finally(() => {
-            document.removeEventListener("visibilitychange", this.trackPageVisibilityWithMeasurement);
+            this.removeStateChangeListeners(this.trackStateChangeWithMeasurement);
         });
         return silentTokenResult;
     }
@@ -59102,18 +59394,22 @@ class StandardController {
      * @returns {Promise.<AuthenticationResult>} - a promise that is fulfilled when this function has completed, or rejected if an error was raised. Returns the {@link AuthResponse}
      */
     async acquireTokenSilentAsync(request, account) {
-        const trackPageVisibility = () => this.trackPageVisibility(request.correlationId);
+        const trackStateChange = (event) => this.trackStateChange(request.correlationId, event);
         this.performanceClient.addQueueMeasurement(PerformanceEvents.AcquireTokenSilentAsync, request.correlationId);
         this.eventHandler.emitEvent(EventType.ACQUIRE_TOKEN_START, InteractionType.Silent, request);
         if (request.correlationId) {
-            this.performanceClient.incrementFields({ visibilityChangeCount: 0 }, request.correlationId);
+            this.performanceClient.incrementFields({ visibilityChangeCount: 0, onlineStatusChangeCount: 0 }, request.correlationId);
         }
-        document.addEventListener("visibilitychange", trackPageVisibility);
+        this.addStateChangeListeners(trackStateChange);
         const silentRequest = await invokeAsync(initializeSilentRequest, PerformanceEvents.InitializeSilentRequest, this.logger, this.performanceClient, request.correlationId)(request, account, this.config, this.performanceClient, this.logger);
         const cacheLookupPolicy = request.cacheLookupPolicy || CacheLookupPolicy.Default;
         const result = this.acquireTokenSilentNoIframe(silentRequest, cacheLookupPolicy).catch(async (refreshTokenError) => {
             const shouldTryToResolveSilently = checkIfRefreshTokenErrorCanBeResolvedSilently(refreshTokenError, cacheLookupPolicy);
             if (shouldTryToResolveSilently) {
+                const silentRefreshReason = `${refreshTokenError.errorCode}${refreshTokenError.subError
+                    ? `|${refreshTokenError.subError}`
+                    : ""}`;
+                this.performanceClient.addFields({ silentRefreshReason }, silentRequest.correlationId);
                 if (!this.activeIframeRequest) {
                     let _resolve;
                     // Always set the active request tracker immediately after checking it to prevent races
@@ -59183,7 +59479,7 @@ class StandardController {
             throw tokenRenewalError;
         })
             .finally(() => {
-            document.removeEventListener("visibilitychange", trackPageVisibility);
+            this.removeStateChangeListeners(trackStateChange);
         });
     }
     /**
@@ -59294,7 +59590,7 @@ function checkIfRefreshTokenErrorCanBeResolvedSilently(refreshTokenError, cacheL
     return isSilentlyResolvable && tryIframeRenewal;
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -59306,7 +59602,7 @@ async function createV3Controller(config, request) {
     return StandardController.createController(standard, request);
 }
-/*! @azure/msal-browser v4.28.1 2026-01-17 */
+/*! @azure/msal-browser v4.29.1 2026-03-13 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.