Regression in MSAL Browser 4.8.0 (query param value handling) #7688

Closed
Devvox93 opened this issue Apr 9, 2025 · 1 comment
Labels
b2c Related to Azure B2C library-specific issues bug-unconfirmed A reported bug that needs to be investigated and confirmed msal-angular Related to @azure/msal-angular package msal-browser Related to msal-browser package public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.


Devvox93 commented Apr 9, 2025

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

4.10.0

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

4.0.9

Public or Confidential Client?

Public

Description

A regression has been introduced in #7621 (released as part of 4.8.0), causing (extra) query parameter values now to be encoded, where that previously wasn't the case.
As such, it's a breaking change, but the version/changelog did not indicate that.
Please either fix this or provide (documentation for) a workaround to keep the same output, since migrating all apps that are using the policy at the same time is impossible. We force teams to stay on 4.7.0 for the time being.

See more detailed info in the other boxes.

Error Message

Punctuation, like commas, is now being encoded in the (extra) query param values, where previously this was not the case.

Erroneous URL:
https://REDACTED/REDACTED/REDACTED/oauth2/v2.0/authorize?client_id=REDACTED&scope=openid%20profile%20offline_access&redirect_uri=https%3A%2F%2Flocalhost%3A4300%2F&client-request-id=REDACTED&response_mode=fragment&client_info=1&nonce=01961b18-693a-7858-83d6-f010c9b0b996&state=REDACTED&x-client-SKU=msal.js.browser&x-client-VER=4.10.0&response_type=code&code_challenge=REDACTED&code_challenge_method=S256&idps=local%2Cotheridp&ui_locales=nl

MSAL Logs

[Wed, 09 Apr 2025 15:08:26 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Verbose - Found cloud discovery metadata in authority configuration main.js:276:23
[Wed, 09 Apr 2025 15:08:26 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Returning result from authorityUpdateCloudDiscoveryMetadata main.js:282:23
[Wed, 09 Apr 2025 15:08:26 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Executing function authorityUpdateEndpointMetadata main.js:282:23
[Wed, 09 Apr 2025 15:08:26 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Verbose - Attempting to get endpoint metadata from authority configuration main.js:276:23
[Wed, 09 Apr 2025 15:08:26 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values. main.js:276:23
[Wed, 09 Apr 2025 15:08:26 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Verbose - Did not find endpoint metadata in hardcoded values... Attempting to get endpoint metadata from the network metadata cache. main.js:276:23
[Wed, 09 Apr 2025 15:08:26 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Executing function authorityGetEndpointMetadataFromNetwork main.js:282:23
[Wed, 09 Apr 2025 15:08:26 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Verbose - Authority.getEndpointMetadataFromNetwork: attempting to retrieve OAuth endpoints from https://REDACTED/REDACTED/REDACTED/v2.0/.well-known/openid-configuration main.js:276:23
Navigated to https://REDACTED/REDACTED/REDACTED/oauth2/v2.0/authorize?client_id=REDACTED&scope=openid%20profile%20offline_access&redirect_uri=https%3A%2F%2Flocalhost%3A4300%2F&client-request-id=REDACTED&response_mode=fragment&client_info=1&nonce=01961b18-693a-7858-83d6-f010c9b0b996&state=REDACTED&x-client-SKU=msal.js.browser&x-client-VER=4.10.0&response_type=code&code_challenge=REDACTED&code_challenge_method=S256&idps=local%2Cotheridp&ui_locales=nl
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Returning result from authorityGetEndpointMetadataFromNetwork main.js:282:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Returning result from authorityUpdateEndpointMetadata main.js:282:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [] : @azure/[email protected] : Trace - BrowserCacheManager.setAuthorityMetadata called main.js:282:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Returning result from authorityResolveEndpointsAsync main.js:282:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Returning result from authorityFactoryCreateDiscoveredInstance main.js:282:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Returning result from standardInteractionClientGetDiscoveredAuthority main.js:282:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Returning result from standardInteractionClientGetClientConfiguration main.js:282:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Returning result from standardInteractionClientCreateAuthCodeClient main.js:282:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Executing function getAuthCodeUrl main.js:282:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Executing function getStandardParams main.js:282:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Returning result from getStandardParams main.js:282:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Trace - Returning result from getAuthCodeUrl main.js:282:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Verbose - RedirectHandler.initiateAuthRequest called main.js:276:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Verbose - RedirectHandler.initiateAuthRequest: Invoking onRedirectNavigate callback main.js:276:23
[Wed, 09 Apr 2025 15:08:27 GMT] : [01961b18-693a-7a4f-8910-9cb17625a5b4] : [email protected] : Verbose - RedirectHandler.initiateAuthRequest: onRedirectNavigate did not return false, navigating main.js:276:23

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

{
    auth: {
        clientId: environment.authenticationServer.clientId,
        authority: environment.authenticationServer.authority,
        knownAuthorities: environment.authenticationServer.knownAuthorities, // array of URIs that are known to be valid
        redirectUri: environment.authenticationServer.redirectUri,
        postLogoutRedirectUri: environment.authenticationServer.postLogoutRedirectUri,
        navigateToLoginRequestUrl: true
    },
    cache: {
        cacheLocation: BrowserCacheLocation.SessionStorage,
        storeAuthStateInCookie: isIE, // set to true for IE 11
    },
    system: {
        loggerOptions: {
            logLevel: LogLevel.Trace,
            // Drop messages flagged as containing PII; route the rest by level.
            loggerCallback: (level, message, containsPii) => {
                if (containsPii) {
                    return;
                }
                switch (level) {
                    case LogLevel.Error:
                        console.error(message);
                        return;
                    case LogLevel.Info:
                        console.info(message);
                        return;
                    case LogLevel.Verbose:
                        console.debug(message);
                        return;
                    case LogLevel.Warning:
                        console.warn(message);
                        return;
                    default:
                        console.log(message);
                        return;
                }
            }
        }
    }
}

Relevant Code Snippets

export function MSALGuardConfigFactory(languageService: LanguageService): MsalGuardConfiguration {
    return {
        interactionType: InteractionType.Redirect,
        authRequest: {
            extraQueryParameters: {
                "idps": environment.authenticationServer.idpFilter.join(","),
                "ui_locales": languageService.currentLanguage
            }
        }
    };
}

Reproduction Steps

  1. Have MSAL Browser 4.7.0 and MSAL Angular 4.0.6 with (at least) the extraQueryParameters as described, with a comma (,) in it.
  2. Update to MSAL Browser 4.8.0 or later

Expected Behavior

Working URL (from v4.7.0):
https://REDACTED/REDACTED/REDACTED/oauth2/v2.0/authorize?client_id=REDACTED&scope=openid%20profile%20offline_access&redirect_uri=https%3A%2F%2Flocalhost%3A4300%2F&client-request-id=REDACTED&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=4.7.0&client_info=1&code_challenge=REDACTED&code_challenge_method=S256&nonce=01961b22-3e4d-7f6e-a42c-460fb1144986&state=REDACTED&idps=local,otheridp&ui_locales=nl

Or similar. At least without the encoding of the parameters.

Identity Provider

Azure B2C Custom Policy

Browsers Affected (Select all that apply)

Firefox, Chrome, Edge

Regression

@azure/msal-browser 4.7.0

shylasummers added a commit that referenced this issue Apr 14, 2025
This PR adds a config parameter `encodeExtraQueryParams` (defaults to
`false`) to fix the regression noted in
[#7688](#7688).
Setting it to `true` will encode extra query parameters in the URL. This
parameter is deprecated and will be removed in a future version.
@shylasummers
Contributor

Hi there, thank you for reporting this. The next version of MSAL.js will fix this regression. It will include an optional config parameter called encodeExtraQueryParams that will be set by default to false (i.e. old behavior). Setting it to true will encode the extra query parameters.
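Added example (not part of the issue thread and not MSAL.js code): a small check that compares the authorize URL produced before and after a library upgrade and reports parameters whose wire encoding changed while the decoded value stayed the same, which is the `idps=local,otheridp` versus `idps=local%2Cotheridp` difference reported above. The function names and the `login.example.test` URL are assumptions made for illustration.

```javascript
// Added example, not MSAL.js source; every function name here is hypothetical.

// Append extra query parameters raw (the 4.7.0 output in the issue) or
// percent-encoded (the output reported for 4.8.0 and later).
function appendExtraParams(baseUrl, extraParams, encode) {
  const enc = encode ? encodeURIComponent : (s) => String(s);
  const pairs = Object.entries(extraParams).map(([k, v]) => `${enc(k)}=${enc(v)}`);
  return baseUrl + (baseUrl.includes("?") ? "&" : "?") + pairs.join("&");
}

// Split the query string without decoding, so wire-level differences survive.
function rawQueryPairs(url) {
  const query = url.split("#")[0].split("?")[1] || "";
  return query.split("&").filter(Boolean).map((pair) => {
    const eq = pair.indexOf("=");
    return eq === -1 ? [pair, ""] : [pair.slice(0, eq), pair.slice(eq + 1)];
  });
}

// Parameters whose raw value differs between two URLs although the decoded
// value is identical: the signature of an encoding-only change.
function encodingOnlyChanges(oldUrl, newUrl) {
  const oldRaw = new Map(rawQueryPairs(oldUrl));
  return rawQueryPairs(newUrl)
    .filter(([key, raw]) => oldRaw.has(key) && oldRaw.get(key) !== raw &&
      decodeURIComponent(oldRaw.get(key)) === decodeURIComponent(raw))
    .map(([key, raw]) => ({ key, before: oldRaw.get(key), after: raw }));
}

// With raw appending, a value containing "&", "=", "#" or whitespace changes
// the query structure; list those keys so the caller can reject them.
function unsafeRawValues(extraParams) {
  return Object.entries(extraParams)
    .filter(([, value]) => /[&=#\s]/.test(String(value)))
    .map(([key]) => key);
}

// Constructed sample input mirroring the issue's extraQueryParameters.
const base = "https://login.example.test/tenant/policy/oauth2/v2.0/authorize?client_id=app";
const extra = { idps: ["local", "otheridp"].join(","), ui_locales: "nl" };
const changes = encodingOnlyChanges(
  appendExtraParams(base, extra, false),
  appendExtraParams(base, extra, true)
);
console.log(changes, unsafeRawValues(extra));
```

Running `encodingOnlyChanges` over authorize URLs captured in an integration test makes this kind of change visible at upgrade time, before an identity provider policy that parses the raw value rejects the request.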
