@equinor/fusion-framework-module-msal 8.0.4 → 8.0.5

package/dist/types/MsalClient.d.ts

@@ -1,4 +1,4 @@
-import { PublicClientApplication, type Configuration } from '@azure/msal-browser';
+import { PublicClientApplication, type CacheLookupPolicy, type Configuration } from '@azure/msal-browser';
 import type { IMsalClient, AcquireTokenResult, LoginOptions, LogoutOptions, LoginResult, AcquireTokenOptions } from './MsalClient.interface';
 export type { IMsalClient };
 /**
@@ -17,6 +17,23 @@ export type MsalClientConfig = Configuration & {
         /** Optional tenant identifier for Azure AD tenant */
         tenantId?: string;
     };
+    /**
+     * Cache lookup policy applied to every `acquireTokenSilent` call.
+     *
+     * Controls whether MSAL falls back to a hidden iframe when the refresh token
+     * fails. When `undefined`, MSAL's built-in default applies (cache → refresh
+     * token → iframe). Set to `CacheLookupPolicy.AccessTokenAndRefreshToken` to
+     * skip the iframe step and fail immediately with `InteractionRequiredAuthError`
+     * when the refresh token is revoked — avoiding the ~10–20 s
+     * `monitor_window_timeout` delay.
+     *
+     * When using {@link MsalConfigurator}, this defaults to
+     * `CacheLookupPolicy.AccessTokenAndRefreshToken`. When constructing `MsalClient`
+     * directly, the field is optional and defaults to `undefined` (MSAL default).
+     *
+     * Per-request `cacheLookupPolicy` on `SilentRequest` takes precedence over this value.
+     */
+    cacheLookupPolicy?: CacheLookupPolicy;
 };
 /**
  * MSAL v4 client implementation with extended properties and methods.

package/dist/types/MsalConfigurator.d.ts

@@ -3,6 +3,7 @@ import { BaseConfigBuilder } from '@equinor/fusion-framework-module';
 import type { IMsalProvider } from './MsalProvider.interface';
 import { type ITelemetryProvider } from '@equinor/fusion-framework-module-telemetry';
 import { type MsalClientConfig, type IMsalClient } from './MsalClient';
+import { CacheLookupPolicy } from '@azure/msal-browser';
 /**
  * Telemetry configuration for MSAL module.
  *
@@ -65,6 +66,30 @@ export declare class MsalConfigurator extends BaseConfigBuilder<MsalConfig> {
      * ```
      */
     setClientConfig(config?: MsalClientConfig): this;
+    /**
+     * Sets the cache lookup policy used for every silent token acquisition.
+     *
+     * Controls whether MSAL falls back to a hidden iframe when the refresh token
+     * fails. Defaults to `CacheLookupPolicy.AccessTokenAndRefreshToken`, which skips
+     * the iframe step and fails immediately with `InteractionRequiredAuthError` when
+     * the refresh token is revoked — avoiding the ~10–20 s `monitor_window_timeout`
+     * delay caused by MSAL's built-in iframe fallback.
+     *
+     * Set to `CacheLookupPolicy.Default` to restore MSAL's full waterfall:
+     * cache → refresh token → iframe.
+     *
+     * @param policy - Cache lookup policy to apply
+     * @returns The configurator instance for method chaining
+     *
+     * @example
+     * ```typescript
+     * import { CacheLookupPolicy } from '@azure/msal-browser';
+     *
+     * // Restore MSAL's built-in iframe fallback (not recommended for most apps)
+     * configurator.setCacheLookupPolicy(CacheLookupPolicy.Default);
+     * ```
+     */
+    setCacheLookupPolicy(policy: CacheLookupPolicy | undefined): this;
     /**
      * Sets a backend-issued authorization code for token exchange.
      *

package/dist/types/version.d.ts

@@ -1 +1 @@
-export declare const version = "8.0.4";
+export declare const version = "8.0.5";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@equinor/fusion-framework-module-msal",
-  "version": "8.0.4",
+  "version": "8.0.5",
   "description": "Microsoft Authentication Library (MSAL) integration module for Fusion Framework",
   "main": "dist/esm/index.js",
   "types": "dist/types/index.d.ts",

package/src/MsalClient.ts

@@ -1,5 +1,6 @@
 import {
   PublicClientApplication,
+  type CacheLookupPolicy,
   type SilentRequest,
   type Configuration,
   type EndSessionRequest,
@@ -40,6 +41,23 @@ export type MsalClientConfig = Configuration & {
     /** Optional tenant identifier for Azure AD tenant */
     tenantId?: string;
   };
+  /**
+   * Cache lookup policy applied to every `acquireTokenSilent` call.
+   *
+   * Controls whether MSAL falls back to a hidden iframe when the refresh token
+   * fails. When `undefined`, MSAL's built-in default applies (cache → refresh
+   * token → iframe). Set to `CacheLookupPolicy.AccessTokenAndRefreshToken` to
+   * skip the iframe step and fail immediately with `InteractionRequiredAuthError`
+   * when the refresh token is revoked — avoiding the ~10–20 s
+   * `monitor_window_timeout` delay.
+   *
+   * When using {@link MsalConfigurator}, this defaults to
+   * `CacheLookupPolicy.AccessTokenAndRefreshToken`. When constructing `MsalClient`
+   * directly, the field is optional and defaults to `undefined` (MSAL default).
+   *
+   * Per-request `cacheLookupPolicy` on `SilentRequest` takes precedence over this value.
+   */
+  cacheLookupPolicy?: CacheLookupPolicy;
 };
 
 /**
@@ -65,6 +83,7 @@ export type MsalClientConfig = Configuration & {
 export class MsalClient extends PublicClientApplication implements IMsalClient {
   #tenantId?: string;
   #clientId?: string;
+  #cacheLookupPolicy?: CacheLookupPolicy;
 
   /**
    * Creates a new MSAL client instance.
@@ -75,6 +94,7 @@ export class MsalClient extends PublicClientApplication implements IMsalClient {
     super(config);
     this.#tenantId = config.auth?.tenantId;
     this.#clientId = config.auth?.clientId;
+    this.#cacheLookupPolicy = config.cacheLookupPolicy;
   }
 
   /**
@@ -257,7 +277,11 @@ export class MsalClient extends PublicClientApplication implements IMsalClient {
             'Attempting to acquire token silently',
             request.correlationId || FUSION_CORRELATION_ID,
           );
-          return await this.acquireTokenSilent(request as SilentRequest);
+          return await this.acquireTokenSilent({
+            // Instance-level policy is the default; request-level cacheLookupPolicy takes precedence
+            cacheLookupPolicy: this.#cacheLookupPolicy,
+            ...(request as SilentRequest),
+          });
         } catch {
           // Silent acquisition failed - fall back to interactive
           this.getLogger().warning(

package/src/MsalConfigurator.ts

@@ -8,7 +8,7 @@ import {
 } from '@equinor/fusion-framework-module-telemetry';
 import { MsalClient, type MsalClientConfig, type IMsalClient } from './MsalClient';
 import { createClientLogCallback } from './create-client-log-callback';
-import { LogLevel } from '@azure/msal-browser';
+import { CacheLookupPolicy, LogLevel } from '@azure/msal-browser';
 import { version } from './version';
 
 /**
@@ -45,6 +45,13 @@ const MsalConfigSchema = z.object({
   redirectUri: z.string().optional(),
   loginHint: z.string().optional(),
   authCode: z.string().optional(),
+  cacheLookupPolicy: z
+    .custom<CacheLookupPolicy>(
+      (val) =>
+        typeof val === 'number' &&
+        Object.values(CacheLookupPolicy).includes(val as CacheLookupPolicy),
+    )
+    .optional(),
   version: z.string().transform((x: string) => String(semver.coerce(x))),
   telemetry: TelemetryConfigSchema,
 });
@@ -98,6 +105,8 @@ export class MsalConfigurator extends BaseConfigBuilder<MsalConfig> {
         return telemetry;
       }
     });
+    // Default cache lookup policy to AccessTokenAndRefreshToken to avoid iframe fallback delays
+    this._set('cacheLookupPolicy', async () => CacheLookupPolicy.AccessTokenAndRefreshToken);
   }
 
   /**
@@ -125,6 +134,34 @@ export class MsalConfigurator extends BaseConfigBuilder<MsalConfig> {
     return this;
   }
 
+  /**
+   * Sets the cache lookup policy used for every silent token acquisition.
+   *
+   * Controls whether MSAL falls back to a hidden iframe when the refresh token
+   * fails. Defaults to `CacheLookupPolicy.AccessTokenAndRefreshToken`, which skips
+   * the iframe step and fails immediately with `InteractionRequiredAuthError` when
+   * the refresh token is revoked — avoiding the ~10–20 s `monitor_window_timeout`
+   * delay caused by MSAL's built-in iframe fallback.
+   *
+   * Set to `CacheLookupPolicy.Default` to restore MSAL's full waterfall:
+   * cache → refresh token → iframe.
+   *
+   * @param policy - Cache lookup policy to apply
+   * @returns The configurator instance for method chaining
+   *
+   * @example
+   * ```typescript
+   * import { CacheLookupPolicy } from '@azure/msal-browser';
+   *
+   * // Restore MSAL's built-in iframe fallback (not recommended for most apps)
+   * configurator.setCacheLookupPolicy(CacheLookupPolicy.Default);
+   * ```
+   */
+  setCacheLookupPolicy(policy: CacheLookupPolicy | undefined): this {
+    this._set('cacheLookupPolicy', async () => policy);
+    return this;
+  }
+
   /**
    * Sets a backend-issued authorization code for token exchange.
    *
@@ -346,6 +383,11 @@ export class MsalConfigurator extends BaseConfigBuilder<MsalConfig> {
           },
         };
       }
+      // Apply silent cache lookup policy if configured
+      if (config.cacheLookupPolicy !== undefined) {
+        clientConfig.cacheLookupPolicy = config.cacheLookupPolicy;
+      }
+
       // Instantiate MSAL client with fully configured options
       config.client = new MsalClient(clientConfig);
     }

package/src/__tests__/MsalConfigurator.test.ts

@@ -1,4 +1,5 @@
 import type { ConfigBuilderCallbackArgs } from '@equinor/fusion-framework-module';
+import { CacheLookupPolicy } from '@azure/msal-browser';
 import { describe, expect, it, vi } from 'vitest';
 import type { IMsalClient } from '../MsalClient.interface';
 import { type MsalConfig, MsalConfigurator } from '../MsalConfigurator';
@@ -72,4 +73,44 @@ describe('MsalConfigurator', () => {
 
     expect(config.client).toBeUndefined();
   });
+
+  describe('cacheLookupPolicy', () => {
+    it('defaults to CacheLookupPolicy.AccessTokenAndRefreshToken', async () => {
+      const configurator = new MsalConfigurator();
+      configurator.setClient(createClient());
+
+      const config = await configurator.createConfigAsync(
+        createConfigCallbackArgs(),
+        createInitialConfig(),
+      );
+
+      expect(config.cacheLookupPolicy).toBe(CacheLookupPolicy.AccessTokenAndRefreshToken);
+    });
+
+    it('setCacheLookupPolicy(undefined) clears the policy so MSAL default applies', async () => {
+      const configurator = new MsalConfigurator();
+      configurator.setClient(createClient());
+      configurator.setCacheLookupPolicy(undefined);
+
+      const config = await configurator.createConfigAsync(
+        createConfigCallbackArgs(),
+        createInitialConfig(),
+      );
+
+      expect(config.cacheLookupPolicy).toBeUndefined();
+    });
+
+    it('setCacheLookupPolicy overrides the default', async () => {
+      const configurator = new MsalConfigurator();
+      configurator.setClient(createClient());
+      configurator.setCacheLookupPolicy(CacheLookupPolicy.Default);
+
+      const config = await configurator.createConfigAsync(
+        createConfigCallbackArgs(),
+        createInitialConfig(),
+      );
+
+      expect(config.cacheLookupPolicy).toBe(CacheLookupPolicy.Default);
+    });
+  });
 });

package/src/version.ts

@@ -1,2 +1,2 @@
 // Generated by genversion.
-export const version = '8.0.4';
+export const version = '8.0.5';