AzureAD
diff --git a/‎.gitignore
+1 b/‎.gitignore
+1
diff --git a/‎README.md
+6 b/‎README.md
+6
diff --git a/‎lerna.json
+1-1 b/‎lerna.json
+1-1
diff --git a/‎lib/msal-browser/README.md
+6-4 b/‎lib/msal-browser/README.md
+6-4
diff --git a/‎lib/msal-browser/changelog.md
+23-1 b/‎lib/msal-browser/changelog.md
+23-1
diff --git a/‎lib/msal-browser/docs/acquire-token.md
+1-1 b/‎lib/msal-browser/docs/acquire-token.md
+1-1
diff --git a/‎lib/msal-browser/docs/configuration.md
+2 b/‎lib/msal-browser/docs/configuration.md
+2
diff --git a/‎lib/msal-browser/docs/performance.md
+30 b/‎lib/msal-browser/docs/performance.md
+30
diff --git a/‎lib/msal-browser/docs/request-response-object.md
+1 b/‎lib/msal-browser/docs/request-response-object.md
+1
diff --git a/‎lib/msal-browser/docs/token-lifetimes.md
+1-1 b/‎lib/msal-browser/docs/token-lifetimes.md
+1-1
diff --git a/‎lib/msal-browser/docs/v1-migration.md
+33-21 b/‎lib/msal-browser/docs/v1-migration.md
+33-21
diff --git a/‎lib/msal-browser/package-lock.json
+1-1 b/‎lib/msal-browser/package-lock.json
+1-1
@@ -266,3 +266,4 @@ lib/msal-core/lib-es6
 *.tgz
 *.zip
 samples/**/test/screenshots
+samples/**/data/cache.json
@@ -8,6 +8,12 @@ The Microsoft Authentication Library for JavaScript enables client-side JavaScri
 
 The [`lib`](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib) folder contains the source code for all of our libraries. You will also find all the details about **installing the libraries**, in their respective README.md.
 
+- [Microsoft Authentication Library for Node.js v1.x (Alpha)](lib/msal-node/): A [Node.js](https://nodejs.org/en/) library that enables authentication and token acquisition with the Microsoft Identity platform in JavaScript applications. Implements the following OAuth 2.0 protocols and is [OpenID-compliant](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc):
+    - [Authorization Code Grant](https://oauth.net/2/grant-types/authorization-code/) with [PKCE](https://oauth.net/2/pkce/)
+    - [Device Code Grant](https://oauth.net/2/grant-types/device-code/)
+    - [Refresh Token Grant](https://oauth.net/2/grant-types/refresh-token/)
+    - [Client Credential Grant](https://oauth.net/2/grant-types/client-credentials/) (Coming soon)
+
 - [Microsoft Authentication Library for JavaScript v2.x (Preview)](lib/msal-browser/): A browser-based, framework-agnostic browser library that enables authentication and token acquisition with the Microsoft Identity platform in JavaScript applications. Implements the OAuth 2.0 [Authorization Code Flow with PKCE](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow), and is [OpenID-compliant](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc).
 
 - [Microsoft Authentication Library for JavaScript v1.x](lib/msal-core/): A browser-based, framework-agnostic core library that enables authentication and token acquisition with the Microsoft Identity platform in JavaScript applications. Implements the OAuth 2.0 [Implicit Grant Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow), and is [OpenID-compliant](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc).
 
@@ -15,7 +15,7 @@
   },
   "packages": [
     "lib/*",
-    "samples/*"
+    "samples/**/*"
   ],
   "version": "independent",
   "concurrency": 2
 
@@ -44,7 +44,7 @@ See [here](https://github.com/AzureAD/microsoft-authentication-library-for-js/bl
 
 | Date | Release | Announcement | Main features |
 | ------| ------- | ---------| --------- |
-| July 6th, 2020 (Tentative) | @azure/msal-browser v2.0.0 | No release notes yet | Full version of the `@azure/msal-browser` package; relies on `@azure/msal-common` v1.0.0 |
+| July 13th, 2020 (Tentative) | @azure/msal-browser v2.0.0 | No release notes yet | Full version of the `@azure/msal-browser` package; relies on `@azure/msal-common` v1.0.0 |
 | May 11, 2020 | @azure/msal-browser v2.0.0-beta | No release notes yet | Beta version of the `@azure/msal-browser` package; relies on `@azure/msal-common` v1.0.0-beta |
 | January 17, 2020 | @azure/msal-browser v2.0.0-alpha | No release notes yet | Alpha version of the `@azure/msal-browser` package with authorization code flow for SPAs working in dev; relies on msal-common v1.0.0-alpha |
 
@@ -74,17 +74,19 @@ If you have MSAL v1.x currently running in your application, you can follow the
 2. [Logging in a User](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/login-user.md)
 3. [Acquiring and Using an Access Token](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/acquire-token.md)
 4. [Managing Token Lifetimes](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/token-lifetimes.md)
-5. [Logging Out a User](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md)
+5. [Managing Accounts](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md)
+6. [Logging Out a User](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md)
 
 ### Advanced Topics
 
 - [Configuration Options](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md)
 - [Request and Response Details](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md)
 - [Cache Storage](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/caching.md)
+- [Performance Enhancements](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/performance.md)
 
 ## Samples
 
-The [`VanillaJSTestApp2.0` folder](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples) contains sample applications for our libraries. You can run any sample by changing the `authConfig.js` file in the respective folder to match your app registration and running the `npm` command `npm start -- -s <sample-name> -p <port>`. 
+The [`VanillaJSTestApp2.0` folder](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples) contains sample applications for our libraries. You can run any sample by changing the `authConfig.js` file in the respective folder to match your app registration and running the `npm` command `npm start -- -s <sample-name> -p <port>`.
 
 Here is a complete list of samples for the MSAL.js 2.x library:
 
@@ -142,7 +144,7 @@ MSAL.js 1.x implemented the [Implicit Grant Flow](https://docs.microsoft.com/azu
 
 Our goal is that the library abstracts enough of the protocol away so that you can get plug and play authentication, but it is important to know and understand the implicit flow from a security perspective. The MSAL 1.x client for single-page applications runs in the context of a web browser which cannot manage client secrets securely. It uses the implicit flow, which optimized for single page apps and has one less hop between client and server so tokens are returned directly to the browser. These aspects make it naturally less secure. These security concerns are mitigated per standard practices such as- use of short lived tokens (and so no refresh tokens are returned), the library requiring a registered redirect URI for the app, library matching the request and response with a unique nonce and state parameter. You can read more about the [disadvantages of the implicit flow here](https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-04#section-9.8.6).
 
-The MSAL library will now support the Authorization Code Flow with PKCE for Browser-Based Applications without a backend web server. 
+The MSAL library will now support the Authorization Code Flow with PKCE for Browser-Based Applications without a backend web server.
 We plan to continue support for the implicit flow in the `msal-core` library.
 
 You can learn further details about `@azure/msal-browser` functionality documented in our [docs folder](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser/docs) and find complete [code samples](#samples).
 
@@ -1,8 +1,30 @@
+# 2.0.0-beta.4
+## Breaking Changes
+* Updated all APIs to send `openid` and `profile` by default in all requests (#1868)
+
+## Features and Fixes
+* add interface for PublicClientApplication (#1870)
+* Update `monitorIframeForHash` to be purely time-based (#1873)
+* Instantiate Logger instance for PublicClientApplication (#1882)
+* Fix an issue with encoding in cookies and state values (#1852)
+* Fix issue where cache isn't being cleaned correctly (#1856)
+* Fix issue where expiration isn't calculated correctly (#1860)
+* Fix an issue where the crypto APIs were not truly random (#1872)
+* Remove all non-application specific initialization from PublicClientApplication constructor (#1885, #1886)
+* Added support for IE11 (#1883, #1884)
+* Added support for redirection to pages with custom hashes or query params (#1862)
+* Remove deprecated `handleRedirectCallback()` API (#1863)
+* Remove function typings for `redirectUri` and `postLogoutRedirectUri` (#1861).
+* Add support for Instance Discovery, combine all authority classes into a single generic class (#1811)
+
 # 2.0.0-beta.3
-* add `setKnownAuthorities` to constructor call for B2C Authority scenarios (#1646)
+## Breaking Changes
 * `@azure/msal-browser` now follows a unified cache schema similar to other MSAL libraries (#1624, #1655, #1680, #1711, #1762, #1771)
 * Updated browser library to follow common format for request, response, and client configurations (#1682, #1711, #1762, #1770, #1771, #1793)
 * Account interface updated to AccountInfo.ts (#1789)
+
+## Features and Fixes
+* add `setKnownAuthorities` to constructor call for B2C Authority scenarios (#1646)
 * Library state is now sent as a encoded JSON object (#1790)
 * Added a request object for logout APIs, made logout async (#1802)
 
 
@@ -39,7 +39,7 @@ msalInstance.acquireTokenSilent(request).then(tokenResponse => {
         return myMSALObj.acquireTokenPopup(request);
     }
 }).catch(error => {
-    console.log(error);
+    handleError(error);
 });
 ```
 
 
@@ -14,6 +14,7 @@ const msalConfig = {
         clientId: "enter_client_id_here",
         authority: "https://login.microsoftonline.com/common",
         knownAuthorities: [],
+        cloudDiscoveryMetadata: "",
         redirectUri: "enter_redirect_uri_here",
         postLogoutRedirectUri: "enter_postlogout_uri_here",
         navigateToLoginRequestUrl: true
@@ -62,6 +63,7 @@ const msalInstance = new PublicClientApplication(msalConfig);
 | `clientId` | App ID of your application. Can be found in your [portal registration](../README#prerequisites). | UUID/GUID | None. This parameter is required in order for MSAL to perform any actions. |
 | `authority` | URI of the tenant to authenticate and authorize with. Usually takes the form of `https://{uri}/{tenantid}`. | String in URI format with tenant - `https://{uri}/{tenantid}` | `https://login.microsoftonline.com/common` |
 | `knownAuthorities` | An array of URIs that are known to be valid. Used in B2C scenarios. | Array of strings in URI format | Empty array `[]` |
+| `cloudDiscoveryMetadata` | A string containing the cloud discovery response. Used in AAD scenarios. See performance.md for more info | string | Empty string `""` |
 | `redirectUri` | URI where the authorization code response is sent back to. Whatever location is specified here must have the MSAL library available to handle the response. | String in URI format | Login request page (`window.location.href` of page which made auth request) |
 | `postLogoutRedirectUri` | URI that is redirected to after a logout() call is made. | String in URI format | Login request page (`window.location.href` of page which made auth request) |
 | `navigateToLoginRequestUrl` | If `true`, will navigate back to the original request location before processing the authorization code response. If the `redirectUri` is the same as the original request location, this flag should be set to false. | boolean | `true` |
 
@@ -0,0 +1,30 @@
+# Performance
+
+This document will outline techniques your application can use to improve the performance of acquire tokens using MSAL.js.
+
+## Bypass cloud instance discovery resolution
+
+By default, during the process of retrieving a token, MSAL.js will make a network request to retrieve metadata associated with the various Azure clouds. If you would like to skip this network request, you can provide the required metadata in the configuration of `PublicClientApplication`.
+
+**Important:** It is your application's responsibility to ensure it is using correct, up-to-date cloud instance metadata. Failure to do so may result in your application not working correctly.
+
+**Note:** If you are using B2C or ADFS authorities this document is not applicable. You will need to provide your authority domains to the `auth.knownAuthorities` property instead.
+
+Instructions (AAD Scenarios):
+
+Instance Discovery Endpoint: `https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize`
+
+1. Make a request to the instance discovery endpoint above
+2. Provide the **entire** JSON response to the `auth.cloudDiscoveryMetadata` property.
+
+**Note** If none of the aliases listed in the response match your authority you should pass your authority domain in `auth.knownAuthorities` instead. 
+
+Example:
+
+```js
+const msalInstance = new msal.PublicClientApplication({
+    auth: {
+        cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}'
+    }
+});
+```
@@ -174,6 +174,7 @@ All descriptions of silent request options can be found above except for:
 When you login a user, you can pass in scopes that the user can pre-consent to on login. However, this is not required. Please note that consenting to scopes on login, does not return an access_token for these scopes, but gives you the opportunity to obtain a token silently with these scopes passed in, with no further interaction from the user.
 
 In our examples, we use the MS Graph scopes `user.read` and `mail.read`, so your scopes may look a little different.
+MSAL.js v2 no longer supports translation of `clientId` to `openid` and `profile` when provided in the scope list. If you need an idToken please pass `openid` and `profile`
 
 It is best practice to only request scopes you need when you need them, a concept called dynamic consent. While this can create more interactive consent for users in your application, it also reduces drop-off from users that may be uneasy granting a large list of permissions for features they are not yet using.
 
 
@@ -53,7 +53,7 @@ const tokenResponse = await msalInstance.acquireTokenSilent(silentRequest).catch
     if (error instanceof InteractionRequiredAuthError) {
         // fallback to interaction when silent call fails
         return await myMSALObj.acquireTokenPopup(request).catch(error => {
-            console.log(error);
+            handleError(error);
         });
     }
 });
 
@@ -39,41 +39,47 @@ Most APIs from MSAL 1.x have been carried forward to MSAL 2.x without change. So
 - `urlContainsHash`
 - `getCurrentConfiguration`
 - `getLoginInProgress`
-- `getAllAccounts`
+- `getAccount`
 - `getAccountState`
 - `isCallback`
 
-In MSAL 2.x, handling the response from the hash is an asynchronous operation, as MSAL will perform a token exchange as soon as it parses the authorization code from the response. Because of this, when performing redirect calls, MSAL provides the `handleRedirectPromise` function which will return a promise that resolves when the redirect has been fully handled by MSAL.
+In MSAL 2.x, handling the response from the hash is an asynchronous operation, as MSAL will perform a token exchange as soon as it parses the authorization code from the response. Because of this, when performing redirect calls, MSAL provides the `handleRedirectPromise` function which will return a promise that resolves when the redirect has been fully handled by MSAL. When using a redirect method, the page used as the `redirectUri` must implement  `handleRedirectPromise` to ensure the response is handled and tokens are cached when returning from the redirect.
 
 ```javascript
 const myMSALObj = new msal.PublicClientApplication(msalConfig); 
 
 // Register Callbacks for Redirect flow
 myMSALObj.handleRedirectPromise().then((tokenResponse) => {
-    const accountObj = tokenResponse ? tokenResponse.account : myMSALObj.getAccount();
-    if (accountObj) {
-        // Account object was retrieved, continue with app progress
-        console.log('id_token acquired at: ' + new Date().toString());
-    } else if (tokenResponse && tokenResponse.tokenType === "Bearer") {
-        // No account object available, but access token was retrieved
-        console.log('access_token acquired at: ' + new Date().toString());
-    } else if (tokenResponse === null) {
-        // tokenResponse was null, attempt sign in or enter unauthenticated state for app
-        signIn();
+    let accountObj = null;
+    if (tokenResponse !== null) {
+        accountObj = tokenResponse.account;
+        const id_token = tokenResponse.idToken;
+        const access_token = tokenResponse.accessToken;
     } else {
-        console.log("tokenResponse was not null but did not have any tokens: " + tokenResponse);
+        const currentAccounts = myMSALObj.getAllAccounts();
+        if (currentAccounts === null) {
+            // No user signed in
+            return;
+        } else if (currentAccounts.length > 1) {
+            // More than one user signed in, find desired user with getAccountByUsername(username)
+        } else {
+            accountObj = currentAccounts[0];
+        }
     }
+    
+    const username = accountObj.username;
+   
 }).catch((error) => {
-    console.log(error);
+    handleError(error);
 });
 
-async function signIn() {
+function signIn() {
     myMSALObj.loginRedirect(loginRequest);
 }
 
 async function getTokenRedirect(request) {
     return await myMSALObj.acquireTokenSilent(request).catch(error => {
-        console.log("silent token acquisition fails. acquiring token using redirect");
+        this.logger.info("silent token acquisition fails. acquiring token using redirect");
         // fallback to interaction when silent call fails
         return myMSALObj.acquireTokenRedirect(request)
     });
@@ -89,20 +95,26 @@ async function signIn(method) {
     try {
         const loginResponse = await myMSALObj.loginPopup(loginRequest);
     } catch (err) {
-        console.log(error);
+        handleError(error);
     }
 
-    if (myMSALObj.getAccount()) {
-        showWelcomeMessage(myMSALObj.getAccount());
+    const currentAccounts = myMSALObj.getAllAccounts();
+    if (currentAccounts === null) {
+        // No user signed in
+        return;
+    } else if (currentAccounts.length > 1) {
+        // More than one user signed in, find desired user with getAccountByUsername(username)
+    } else {
+        accountObj = currentAccounts[0];
     }
 }
 
 async function getTokenPopup(request) {
     return await myMSALObj.acquireTokenSilent(request).catch(async (error) => {
-        console.log("silent token acquisition fails. acquiring token using popup");
+        this.logger.info("silent token acquisition fails. acquiring token using popup");
         // fallback to interaction when silent call fails
         return await myMSALObj.acquireTokenPopup(request).catch(error => {
-            console.log(error);
+            handleError(error);
         });
     });
 }
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ msalInstance.acquireTokenSilent(request).then(tokenResponse => {`
`39`	`39`	`return myMSALObj.acquireTokenPopup(request);`
`40`	`40`	`}`
`41`	`41`	`}).catch(error => {`
`42`		`- console.log(error);`
	`42`	`+ handleError(error);`
`43`	`43`	`});`
`44`	`44`	```
`45`	`45`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ const tokenResponse = await msalInstance.acquireTokenSilent(silentRequest).catch`
`53`	`53`	`if (error instanceof InteractionRequiredAuthError) {`
`54`	`54`	`// fallback to interaction when silent call fails`
`55`	`55`	`return await myMSALObj.acquireTokenPopup(request).catch(error => {`
`56`		`- console.log(error);`
	`56`	`+ handleError(error);`
`57`	`57`	`});`
`58`	`58`	`}`
`59`	`59`	`});`