@equinor/fusion-framework-vite-plugin-spa 4.0.6 → 4.0.8

package/dist/html/bootstrap.js

@@ -25062,7 +25062,7 @@ configurator, options) => {
     });
 };
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -25289,7 +25289,7 @@ const JsonWebTokenTypes = {
 // Token renewal offset default in seconds
 const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -25341,7 +25341,7 @@ const EAR_JWE_CRYPTO = "ear_jwe_crypto";
 const RESOURCE = "resource";
 const CLI_DATA = "clidata";
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -25372,7 +25372,7 @@ function createAuthError(code, additionalMessage) {
     return new AuthError(code, additionalMessage || getDefaultErrorMessage$1(code));
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -25392,7 +25392,7 @@ function createClientConfigurationError(errorCode) {
     return new ClientConfigurationError(errorCode);
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -25472,7 +25472,7 @@ class StringUtils {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -25495,7 +25495,7 @@ function createClientAuthError(errorCode, additionalMessage) {
     return new ClientAuthError(errorCode, additionalMessage);
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -25517,9 +25517,10 @@ const missingSshKid = "missing_ssh_kid";
 const cannotSetOIDCOptions = "cannot_set_OIDCOptions";
 const cannotAllowPlatformBroker = "cannot_allow_platform_broker";
 const authorityMismatch = "authority_mismatch";
-const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
+const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
+const issuerValidationFailed = "issuer_validation_failed";
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -25558,7 +25559,7 @@ const methodNotImplemented = "method_not_implemented";
 const resourceParameterRequired = "resource_parameter_required";
 const misplacedResourceParam = "misplaced_resource_parameter";
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -25753,7 +25754,7 @@ class ScopeSet {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -26142,7 +26143,7 @@ function addResource(parameters, resource) {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -26251,7 +26252,7 @@ function normalizeUrlForComparison(url) {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -26290,7 +26291,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
     },
 };
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -26551,12 +26552,12 @@ class Logger {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /* eslint-disable header/header */
 const name$1 = "@azure/msal-common";
-const version$4 = "16.5.2";
+const version$4 = "16.6.1";
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -26565,7 +26566,7 @@ const AzureCloudInstance = {
     // AzureCloudInstance is not specified.
     None: "none"};
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -26648,7 +26649,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
     return updatedAccountInfo;
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -26728,7 +26729,7 @@ function checkMaxAge(authTime, maxAge) {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -26885,7 +26886,7 @@ class UrlString {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -26971,6 +26972,15 @@ const rawMetdataJSON = {
                 preferred_cache: "login.sovcloud-identity.sg",
                 aliases: ["login.sovcloud-identity.sg"],
             },
+            {
+                preferred_network: "login.windows-ppe.net",
+                preferred_cache: "login.windows-ppe.net",
+                aliases: [
+                    "login.windows-ppe.net",
+                    "sts.windows-ppe.net",
+                    "login.microsoft-ppe.com",
+                ],
+            },
         ],
     },
 };
@@ -27042,7 +27052,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
     return null;
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -27050,7 +27060,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
 const cacheQuotaExceeded = "cache_quota_exceeded";
 const cacheErrorUnknown = "cache_error_unknown";
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -27088,7 +27098,7 @@ function createCacheError(e) {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -27126,7 +27136,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
     };
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -27141,7 +27151,7 @@ const AuthorityType = {
     Ciam: 3,
 };
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -27163,7 +27173,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
     return null;
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -27187,7 +27197,7 @@ const ProtocolMode = {
     EAR: "EAR",
 };
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /**
  * Returns the AccountInfo interface for this account.
  */
@@ -27362,7 +27372,7 @@ function isAccountEntity(entity) {
         entity.hasOwnProperty("authorityType"));
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -28493,7 +28503,7 @@ class DefaultStorageClass extends CacheManager {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -28507,7 +28517,7 @@ class DefaultStorageClass extends CacheManager {
 const PerformanceEventStatus = {
     InProgress: 1};
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -28562,7 +28572,7 @@ class StubPerformanceClient {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -28657,7 +28667,7 @@ function isOidcProtocolMode(config) {
     return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -28684,7 +28694,7 @@ function isOidcProtocolMode(config) {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -28749,7 +28759,7 @@ function wasClockTurnedBack(cachedAt) {
     return cachedAtSec > nowSeconds();
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -29008,7 +29018,7 @@ function isAuthorityMetadataExpired(metadata) {
     return metadata.expiresAt <= nowSeconds();
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -29079,7 +29089,7 @@ const RegionDiscoveryGetCurrentVersion = "regionDiscoveryGetCurrentVersion";
 const CacheManagerGetRefreshToken = "cacheManagerGetRefreshToken";
 const SetUserData = "setUserData";
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -29172,7 +29182,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
     };
 };
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -29252,7 +29262,7 @@ class PopTokenGenerator {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -29303,7 +29313,7 @@ const badToken = "bad_token";
  */
 const interruptedUser = "interrupted_user";
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -29371,7 +29381,7 @@ function createInteractionRequiredAuthError(errorCode, errorMessage) {
     return new InteractionRequiredAuthError(errorCode, errorMessage);
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -29390,7 +29400,7 @@ class ServerError extends AuthError {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -29458,7 +29468,7 @@ function parseRequestState(base64Decode, state) {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -29806,7 +29816,7 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
     return baseAccount;
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -29816,7 +29826,7 @@ const CcsCredentialType = {
     UPN: "UPN",
 };
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -29834,7 +29844,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -29855,7 +29865,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
     };
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -29941,7 +29951,7 @@ class ThrottlingUtils {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -29972,7 +29982,7 @@ function createNetworkError(error, httpStatus, responseHeaders, additionalError)
     return new NetworkError(error, httpStatus, responseHeaders);
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -30086,7 +30096,7 @@ async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId
     return response;
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -30098,7 +30108,7 @@ function isOpenIdConfigResponse(response) {
         response.hasOwnProperty("jwks_uri"));
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -30108,7 +30118,7 @@ function isCloudInstanceDiscoveryResponse(response) {
         response.hasOwnProperty("metadata"));
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -30118,7 +30128,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
         response.hasOwnProperty("error_description"));
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -30223,7 +30233,7 @@ RegionDiscovery.IMDS_OPTIONS = {
     },
 };
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -30478,7 +30488,7 @@ class Authority {
         }, this.correlationId);
     }
     /**
-     * Returns metadata entity from cache if it exists, otherwiser returns a new metadata entity built
+     * Returns metadata entity from cache if it exists, otherwise returns a new metadata entity built
      * from the configured canonical authority
      * @returns
      */
@@ -30547,6 +30557,8 @@ class Authority {
         // Get metadata from network if local sources aren't available
         let metadata = await invokeAsync(this.getEndpointMetadataFromNetwork.bind(this), AuthorityGetEndpointMetadataFromNetwork, this.logger, this.performanceClient, this.correlationId)();
         if (metadata) {
+            // Validate the issuer returned by the OIDC discovery document.
+            this.validateIssuer(metadata.issuer);
             // If the user prefers to use an azure region replace the global endpoints with regional information.
             if (this.authorityOptions.azureRegionConfiguration?.azureRegion) {
                 metadata = await invokeAsync(this.updateMetadataWithRegionalInformation.bind(this), AuthorityUpdateMetadataWithRegionalInformation, this.logger, this.performanceClient, this.correlationId)(metadata);
@@ -30715,7 +30727,7 @@ class Authority {
         throw createClientConfigurationError(untrustedAuthority);
     }
     updateCloudDiscoveryMetadataFromLocalSources(metadataEntity) {
-        this.logger.verbose("0jhlgt", this.correlationId);
+        this.logger.verbose("1tpqlr", this.correlationId);
         this.logger.verbosePii("1fy7uz", this.correlationId);
         this.logger.verbosePii("08zabj", this.correlationId);
         this.logger.verbosePii("1o1kv3", this.correlationId);
@@ -30912,6 +30924,139 @@ class Authority {
     isAliasOfKnownMicrosoftAuthority(host) {
         return InstanceDiscoveryMetadataAliases.has(host);
     }
+    /**
+     * Validates the `issuer` returned by an OIDC discovery document against
+     * this authority, per
+     * https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation
+     *
+     * The issuer is accepted when ANY of the following holds:
+     *  1. The issuer scheme + host + port match the authority's (path may
+     *     differ). Applies to all authorities.
+     *  2. The authority is a Microsoft cloud authority (public, sovereign,
+     *     or CIAM), the issuer is HTTPS, and the issuer host is in the known
+     *     Microsoft authority host set.
+     *  3. Same as (2), but the issuer host is a single-label regional variant
+     *     of a known Microsoft host (e.g. `westus.login.microsoftonline.com`).
+     *  4. Same as (2), but the issuer host matches the CIAM tenant pattern
+     *     `{tenant}.ciamlogin.com` with an optional `/{tenant}[.onmicrosoft.com][/v2.0]`
+     *     path.
+     *
+     * @param issuer The `issuer` value returned in the OIDC discovery document.
+     * @throws ClientConfigurationError("issuer_validation_failed") on failure.
+     */
+    validateIssuer(issuer) {
+        if (!issuer) {
+            throw createClientConfigurationError(issuerValidationFailed);
+        }
+        // Parse with the WHATWG URL API. URL normalizes scheme + host to lowercase per RFC 3986.
+        let issuerUrl;
+        try {
+            issuerUrl = new URL(issuer);
+        }
+        catch {
+            throw createClientConfigurationError(issuerValidationFailed);
+        }
+        const issuerScheme = issuerUrl.protocol;
+        const issuerHost = issuerUrl.host;
+        const authorityScheme = (this.canonicalAuthorityUrlComponents.Protocol || "").toLowerCase();
+        const authorityHost = (this.canonicalAuthorityUrlComponents.HostNameAndPort || "").toLowerCase();
+        // Rule 1: Same scheme and host
+        const matchesAuthorityOrigin = this.matchesAuthorityOrigin(issuerScheme, issuerHost, authorityScheme, authorityHost);
+        // Rule 2: The issuer host is a well-known Microsoft authority host (HTTPS only)
+        const matchesKnownMicrosoftHost = issuerScheme === "https:" &&
+            this.isAliasOfKnownMicrosoftAuthority(issuerHost);
+        /*
+         * Rule 3: The issuer host is a regional variant ({region}.{host}) of a well-known host
+         * (HTTPS only). E.g. westus2.login.microsoft.com
+         */
+        const matchesRegionalMicrosoftHost = issuerScheme === "https:" &&
+            this.matchesRegionalMicrosoftHost(issuerHost);
+        /*
+         * Rule 4: CIAM-specific validation. In a CIAM scenario the issuer is expected to
+         * have "{tenant}.ciamlogin.com" as the host, even when using a custom domain.
+         */
+        const matchesCiamTenantPattern = this.matchesCiamTenantPattern(issuerUrl, authorityHost, this.canonicalAuthorityUrlComponents.PathSegments);
+        // Each rule is an independent boolean; the issuer is valid if ANY rule matches.
+        if (matchesAuthorityOrigin ||
+            matchesKnownMicrosoftHost ||
+            matchesRegionalMicrosoftHost ||
+            matchesCiamTenantPattern) {
+            return;
+        }
+        // issuer validation fails if none of the above rules are satisfied
+        throw createClientConfigurationError(issuerValidationFailed);
+    }
+    /**
+     * Rule 1: The issuer scheme + host (and port) match the authority's. Path
+     * may differ. Applies to all authorities.
+     */
+    matchesAuthorityOrigin(issuerScheme, issuerHost, authorityScheme, authorityHost) {
+        return issuerScheme === authorityScheme && issuerHost === authorityHost;
+    }
+    /**
+     * Rule 3: The issuer host is a regional variant
+     * (`{region}.{host}`) of a known Microsoft authority host.
+     * E.g. `westus2.login.microsoft.com`.
+     */
+    matchesRegionalMicrosoftHost(issuerHost) {
+        const firstDot = issuerHost.indexOf(".");
+        if (firstDot > 0 && firstDot < issuerHost.length - 1) {
+            const hostWithoutRegion = issuerHost.substring(firstDot + 1);
+            return this.isAliasOfKnownMicrosoftAuthority(hostWithoutRegion);
+        }
+        return false;
+    }
+    /**
+     * Rule 4: The issuer matches one of the well-known CIAM tenant patterns
+     * (`https://{tenant}.ciamlogin.com[/{tenant}[.onmicrosoft.com][/v2.0]]`).
+     *
+     * The bare tenant name is extracted from the authority's first path segment
+     * when available (stripping the `.onmicrosoft.com` suffix that
+     * `transformCIAMAuthority` adds), or otherwise from the leftmost label of
+     * the authority host (to support CIAM custom domain scenarios).
+     *
+     * Both `/{tenant}` and `/{tenant}.onmicrosoft.com` path forms are accepted
+     * because the OIDC issuer may use either form depending on the authority URL
+     * that was used to trigger discovery.
+     */
+    matchesCiamTenantPattern(issuerUrl, authorityHost, authorityPathSegments) {
+        /*
+         * authorityPathSegments[0] is the first path segment of the *authority
+         * URL* after transformCIAMAuthority runs (e.g. "contoso.onmicrosoft.com").
+         * Additional CIAM issuer path segments such as "/v2.0" are part of the
+         * issuer string, not the authority URL's PathSegments.
+         */
+        const pathSegment = authorityPathSegments[0];
+        /*
+         * Extract the bare tenant name: strip the .onmicrosoft.com suffix when
+         * present (introduced by transformCIAMAuthority), or fall back to the
+         * first label of the authority hostname for non-transformed/custom-domain
+         * CIAM authorities.
+         */
+        const tenantName = pathSegment
+            ? pathSegment.endsWith(AAD_TENANT_DOMAIN_SUFFIX)
+                ? pathSegment.slice(0, -AAD_TENANT_DOMAIN_SUFFIX.length)
+                : pathSegment
+            : authorityHost.split(".")[0];
+        if (!tenantName) {
+            return false;
+        }
+        const ciamBaseURL = `https://${tenantName}${CIAM_AUTH_URL}`;
+        const validCiamPatterns = [
+            ciamBaseURL,
+            `${ciamBaseURL}/${tenantName}`,
+            `${ciamBaseURL}/${tenantName}/v2.0`,
+            `${ciamBaseURL}/${tenantName}${AAD_TENANT_DOMAIN_SUFFIX}`,
+            `${ciamBaseURL}/${tenantName}${AAD_TENANT_DOMAIN_SUFFIX}/v2.0`, // https://{tenant}.ciamlogin.com/{tenant}.onmicrosoft.com/v2.0
+        ];
+        /*
+         * Compose the canonical issuer string from URL components and strip any
+         * trailing slashes from the path so it can be compared to the pattern set.
+         */
+        const issuerPath = issuerUrl.pathname.replace(/\/+$/, "");
+        const normalizedIssuer = `${issuerUrl.protocol}//${issuerUrl.host}${issuerPath}`;
+        return validCiamPatterns.some((pattern) => pattern === normalizedIssuer);
+    }
     /**
      * Checks whether the provided host is that of a public cloud authority
      *
@@ -31043,7 +31188,7 @@ function buildStaticAuthorityOptions(authOptions) {
     };
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -31077,7 +31222,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -31334,7 +31479,7 @@ class AuthorizationCodeClient {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -31555,7 +31700,7 @@ class RefreshTokenClient {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -31671,7 +31816,7 @@ class SilentFlowClient {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -31686,7 +31831,7 @@ const StubbedNetworkModule = {
     },
 };
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -31909,7 +32054,7 @@ function extractLoginHint(account) {
     return account.loginHint || account.idTokenClaims?.login_hint || null;
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -31942,7 +32087,7 @@ function containsResourceParam(params) {
     return Object.prototype.hasOwnProperty.call(params, "resource");
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -31952,7 +32097,7 @@ function containsResourceParam(params) {
  */
 const unexpectedError = "unexpected_error";
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -32213,7 +32358,7 @@ class ServerTelemetryManager {
     }
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -32234,7 +32379,7 @@ function createJoseHeaderError(code) {
     return new JoseHeaderError(code);
 }
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -32242,7 +32387,7 @@ function createJoseHeaderError(code) {
 const missingKidError = "missing_kid_error";
 const missingAlgError = "missing_alg_error";
 
-/*! @azure/msal-common v16.5.2 2026-04-28 */
+/*! @azure/msal-common v16.6.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -32282,7 +32427,7 @@ class JoseHeader {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -32410,7 +32555,7 @@ const DecryptEarResponse = "decryptEarResponse";
  */
 const WaitForBridgeLateResponse = "waitForBridgeLateResponse";
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -32433,7 +32578,7 @@ function createBrowserAuthError(errorCode, subError) {
     return new BrowserAuthError(errorCode, subError);
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -32619,7 +32764,7 @@ const iFrameRenewalPolicies = [
     CacheLookupPolicy.RefreshTokenAndNetwork,
 ];
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -32664,7 +32809,7 @@ function base64EncArr(aBytes) {
     return btoa(binString);
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -32717,7 +32862,7 @@ const failedToDecryptEarResponse = "failed_to_decrypt_ear_response";
 const timedOut = "timed_out";
 const emptyResponse = "empty_response";
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -32756,7 +32901,7 @@ function base64DecToArr(base64String) {
     return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -33054,7 +33199,7 @@ async function hashString(plainText) {
     return urlEncodeArr(hashBytes);
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -33074,7 +33219,7 @@ function createBrowserConfigurationAuthError(errorCode) {
     return new BrowserConfigurationAuthError(errorCode, getDefaultErrorMessage(errorCode));
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -33082,7 +33227,7 @@ function createBrowserConfigurationAuthError(errorCode) {
 const storageNotSupported = "storage_not_supported";
 const inMemRedirectUnavailable = "in_mem_redirect_unavailable";
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -33417,7 +33562,7 @@ function createGuid() {
     return createNewGuid();
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -33620,7 +33765,7 @@ class DatabaseStorage {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -33666,7 +33811,7 @@ class MemoryStorage {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -33807,7 +33952,7 @@ class AsyncMemoryStorage {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -33990,7 +34135,7 @@ function getSortedObjectString(obj) {
     return JSON.stringify(obj, Object.keys(obj).sort());
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -34037,7 +34182,7 @@ const LocalStorageUpdated = "localStorageUpdated";
  */
 const SsoCapable = "ssoCapable";
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -34067,7 +34212,7 @@ function getTokenKeysCacheKey(clientId, schema = CREDENTIAL_SCHEMA_VERSION) {
     return `${PREFIX}.${schema}.${TOKEN_KEYS}.${clientId}`;
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -34158,7 +34303,7 @@ function getCookieExpirationTime(cookieLifeDays) {
     return expr.toUTCString();
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -34200,7 +34345,7 @@ function getTokenKeys(clientId, storage, schemaVersion) {
     };
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -34211,7 +34356,7 @@ function isEncrypted(data) {
         data.hasOwnProperty("data"));
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -34503,7 +34648,7 @@ class LocalStorage {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -34545,7 +34690,7 @@ class SessionStorage {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -34573,12 +34718,12 @@ const EventType = {
     BROKER_CONNECTION_ESTABLISHED: "msal:brokerConnectionEstablished",
 };
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /* eslint-disable header/header */
 const name = "@azure/msal-browser";
-const version$3 = "5.9.0";
+const version$3 = "5.10.1";
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -34595,7 +34740,7 @@ function removeElementFromArray(array, element) {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -35632,22 +35777,9 @@ class BrowserCacheManager extends CacheManager {
      * @param generateKey
      */
     getTemporaryCache(cacheKey, correlationId, generateKey) {
+        this.logger.trace("1ordf8", correlationId);
         const key = generateKey ? this.generateCacheKey(cacheKey) : cacheKey;
-        const value = this.temporaryCacheStorage.getItem(key);
-        if (!value) {
-            // If temp cache item not found in session/memory, check local storage for items set by old versions
-            if (this.cacheConfig.cacheLocation ===
-                BrowserCacheLocation.LocalStorage) {
-                const item = this.browserStorage.getItem(key);
-                if (item) {
-                    this.logger.trace("1yt61y", correlationId);
-                    return item;
-                }
-            }
-            this.logger.trace("1qhy81", correlationId);
-            return null;
-        }
-        return value;
+        return this.temporaryCacheStorage.getItem(key);
     }
     /**
      * Sets the cache item with the key and value given.
@@ -35960,7 +36092,7 @@ const DEFAULT_BROWSER_CACHE_MANAGER = (clientId, logger, performanceClient, even
     return new BrowserCacheManager(clientId, cacheOptions, DEFAULT_CRYPTO_IMPLEMENTATION, logger, performanceClient, eventHandler);
 };
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -36007,7 +36139,7 @@ function getActiveAccount(browserStorage, correlationId) {
     return browserStorage.getActiveAccount(correlationId);
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -36111,7 +36243,7 @@ class EventHandler {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -36246,7 +36378,7 @@ async function clearCacheOnLogout(browserStorage, browserCrypto, logger, correla
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -36324,7 +36456,7 @@ function validateRequestMethod(interactionRequest, protocolMode) {
     return httpMethod;
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -36528,7 +36660,7 @@ async function initializeAuthorizationRequest(request, interactionType, config,
     return validatedRequest;
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -36552,7 +36684,7 @@ function extractBrowserRequestState(browserCrypto, state) {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -36591,7 +36723,7 @@ function validateInteractionType(response, browserCrypto, interactionType) {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -36680,7 +36812,7 @@ class InteractionHandler {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -36689,7 +36821,7 @@ const contentError = "ContentError";
 const pageException = "PageException";
 const userSwitch = "user_switch";
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -36702,7 +36834,7 @@ const DISABLED = "DISABLED";
 const ACCOUNT_UNAVAILABLE = "ACCOUNT_UNAVAILABLE";
 const UX_NOT_ALLOWED = "UX_NOT_ALLOWED";
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -36764,7 +36896,7 @@ function createNativeAuthError(code, description, ext) {
     return new NativeAuthError(code, description, ext);
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -36813,7 +36945,7 @@ class SilentCacheClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -37444,7 +37576,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -37744,7 +37876,7 @@ async function handleResponseEAR(request, response, apiId, config, authority, br
     return (await invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), HandleServerTokenResponse, logger, performanceClient, request.correlationId)(decryptedData, authority, nowSeconds(), request, apiId, additionalData, undefined, undefined, undefined, undefined));
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -37799,7 +37931,7 @@ async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceCl
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -37842,7 +37974,7 @@ class NavigationClient {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -37963,7 +38095,7 @@ function getHeaderDict(headers) {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -38091,7 +38223,7 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
     return overlayedConfig;
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -38352,7 +38484,7 @@ class PlatformAuthExtensionHandler {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -38502,7 +38634,7 @@ class PlatformAuthDOMHandler {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 async function getPlatformAuthProvider(logger, performanceClient, correlationId, nativeBrokerHandshakeTimeout) {
     logger.trace("134j0v", correlationId);
     const enablePlatformBrokerDOMSupport = isDomEnabledForPlatformAuth();
@@ -38579,7 +38711,7 @@ function isPlatformAuthAllowed(config, logger, correlationId, platformAuthProvid
     return true;
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -38999,7 +39131,7 @@ class PopupClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -39434,7 +39566,7 @@ class RedirectClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -39511,7 +39643,7 @@ function removeHiddenIframe(iframe) {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -39718,7 +39850,7 @@ class SilentIframeClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -39783,7 +39915,7 @@ class SilentRefreshClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -39796,7 +39928,7 @@ class HybridSpaAuthorizationCodeClient extends AuthorizationCodeClient {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -39867,7 +39999,7 @@ class SilentAuthCodeClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 function collectInstanceStats(currentClientId, performanceEvent, logger, correlationId) {
     const frameInstances = 
     // @ts-ignore
@@ -39883,7 +40015,7 @@ function collectInstanceStats(currentClientId, performanceEvent, logger, correla
     });
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -41370,7 +41502,7 @@ function checkIfRefreshTokenErrorCanBeResolvedSilently(refreshTokenError, cacheL
     return isSilentlyResolvable && tryIframeRenewal;
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -41467,7 +41599,7 @@ class BaseOperatingContext {
     }
 }
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -41514,7 +41646,7 @@ StandardOperatingContext.MODULE_NAME = "";
  */
 StandardOperatingContext.ID = "StandardOperatingContext";
 
-/*! @azure/msal-browser v5.9.0 2026-04-28 */
+/*! @azure/msal-browser v5.10.1 2026-05-11 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -41812,6 +41944,7 @@ const FUSION_CORRELATION_ID = '';
 class MsalClient extends PublicClientApplication {
     #tenantId;
     #clientId;
+    #cacheLookupPolicy;
     /**
      * Creates a new MSAL client instance.
      *
@@ -41821,6 +41954,7 @@ class MsalClient extends PublicClientApplication {
         super(config);
         this.#tenantId = config.auth?.tenantId;
         this.#clientId = config.auth?.clientId;
+        this.#cacheLookupPolicy = config.cacheLookupPolicy;
     }
     /**
      * Tenant identifier for the configured Azure AD tenant.
@@ -41975,7 +42109,11 @@ class MsalClient extends PublicClientApplication {
             if (request.account) {
                 try {
                     this.getLogger().verbose('Attempting to acquire token silently', request.correlationId || FUSION_CORRELATION_ID);
-                    return await this.acquireTokenSilent(request);
+                    return await this.acquireTokenSilent({
+                        // Instance-level policy is the default; request-level cacheLookupPolicy takes precedence
+                        cacheLookupPolicy: this.#cacheLookupPolicy,
+                        ...request,
+                    });
                 }
                 catch {
                     // Silent acquisition failed - fall back to interactive
@@ -42089,7 +42227,7 @@ const createClientLogCallback = (provider, metadata, scope) => {
 };
 
 // Generated by genversion.
-const version$2 = '8.0.4';
+const version$2 = '8.0.5';
 
 /**
  * Zod schema for telemetry configuration validation.
@@ -42116,6 +42254,10 @@ const MsalConfigSchema = z.object({
     redirectUri: z.string().optional(),
     loginHint: z.string().optional(),
     authCode: z.string().optional(),
+    cacheLookupPolicy: z
+        .custom((val) => typeof val === 'number' &&
+        Object.values(CacheLookupPolicy).includes(val))
+        .optional(),
     version: z.string().transform((x) => String(semver.coerce(x))),
     telemetry: TelemetryConfigSchema,
 });
@@ -42158,6 +42300,8 @@ class MsalConfigurator extends BaseConfigBuilder {
                 return telemetry;
             }
         });
+        // Default cache lookup policy to AccessTokenAndRefreshToken to avoid iframe fallback delays
+        this._set('cacheLookupPolicy', async () => CacheLookupPolicy.AccessTokenAndRefreshToken);
     }
     /**
      * Sets the MSAL client configuration for authentication.
@@ -42183,6 +42327,33 @@ class MsalConfigurator extends BaseConfigBuilder {
         this.#msalConfig = config;
         return this;
     }
+    /**
+     * Sets the cache lookup policy used for every silent token acquisition.
+     *
+     * Controls whether MSAL falls back to a hidden iframe when the refresh token
+     * fails. Defaults to `CacheLookupPolicy.AccessTokenAndRefreshToken`, which skips
+     * the iframe step and fails immediately with `InteractionRequiredAuthError` when
+     * the refresh token is revoked — avoiding the ~10–20 s `monitor_window_timeout`
+     * delay caused by MSAL's built-in iframe fallback.
+     *
+     * Set to `CacheLookupPolicy.Default` to restore MSAL's full waterfall:
+     * cache → refresh token → iframe.
+     *
+     * @param policy - Cache lookup policy to apply
+     * @returns The configurator instance for method chaining
+     *
+     * @example
+     * ```typescript
+     * import { CacheLookupPolicy } from '@azure/msal-browser';
+     *
+     * // Restore MSAL's built-in iframe fallback (not recommended for most apps)
+     * configurator.setCacheLookupPolicy(CacheLookupPolicy.Default);
+     * ```
+     */
+    setCacheLookupPolicy(policy) {
+        this._set('cacheLookupPolicy', async () => policy);
+        return this;
+    }
     /**
      * Sets a backend-issued authorization code for token exchange.
      *
@@ -42389,6 +42560,10 @@ class MsalConfigurator extends BaseConfigBuilder {
                     },
                 };
             }
+            // Apply silent cache lookup policy if configured
+            if (config.cacheLookupPolicy !== undefined) {
+                clientConfig.cacheLookupPolicy = config.cacheLookupPolicy;
+            }
             // Instantiate MSAL client with fully configured options
             config.client = new MsalClient(clientConfig);
         }
@@ -46869,7 +47044,7 @@ async function registerServiceWorker(framework) {
 }
 
 // Generated by genversion.
-const version = '4.0.6';
+const version = '4.0.8';
 
 // Allow dynamic import without vite
 const importWithoutVite = (path) => import(/* @vite-ignore */ path);