AzureAD · shylasummers · Apr 11, 2025 · Apr 11, 2025 · Apr 11, 2025 · Apr 11, 2025
diff --git a/change/@azure-msal-browser-e8d3cc67-0e49-4dfc-9d6b-fe1e3f0060b6.json b/change/@azure-msal-browser-e8d3cc67-0e49-4dfc-9d6b-fe1e3f0060b6.json
@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Add config option to not encode extra params",
+  "packageName": "@azure/msal-browser",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/change/@azure-msal-common-6bcb71b8-7cc2-4044-ad9b-3aa8ac0be8d9.json b/change/@azure-msal-common-6bcb71b8-7cc2-4044-ad9b-3aa8ac0be8d9.json
@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Add config option to not encode extra params",
+  "packageName": "@azure/msal-common",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/change/@azure-msal-node-ce9f6cb7-c0a0-4379-a8f8-b975b6e9f8b8.json b/change/@azure-msal-node-ce9f6cb7-c0a0-4379-a8f8-b975b6e9f8b8.json
@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Add config option to not encode extra params",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
@@ -446,6 +446,7 @@ export type BrowserAuthOptions = {
     supportsNestedAppAuth?: boolean;
     onRedirectNavigate?: (url: string) => boolean | void;
     instanceAware?: boolean;
+    encodeExtraQueryParams?: boolean;
 };
 
 // Warning: (ae-missing-release-tag) "BrowserCacheLocation" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
@@ -1785,7 +1786,7 @@ export type WrapperSKU = (typeof WrapperSKU)[keyof typeof WrapperSKU];
 // src/cache/LocalStorage.ts:296:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/cache/LocalStorage.ts:354:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/cache/LocalStorage.ts:385:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
-// src/config/Configuration.ts:247:5 - (ae-forgotten-export) The symbol "InternalAuthOptions" needs to be exported by the entry point index.d.ts
+// src/config/Configuration.ts:252:5 - (ae-forgotten-export) The symbol "InternalAuthOptions" needs to be exported by the entry point index.d.ts
 // src/event/EventHandler.ts:113:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/event/EventHandler.ts:139:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/index.ts:8:12 - (tsdoc-characters-after-block-tag) The token "@azure" looks like a TSDoc tag but contains an invalid character "/"; if it is not a tag, use a backslash to escape the "@"

@@ -108,6 +108,11 @@ export type BrowserAuthOptions = {
      * Flag of whether the STS will send back additional parameters to specify where the tokens should be retrieved from.
      */
     instanceAware?: boolean;
+    /**
+     * Flag of whether to encode query parameters
+     * @deprecated This flag is deprecated and will be removed in the next major version where all extra query params will be encoded by default.
+     */
+    encodeExtraQueryParams?: boolean;
 };
 
 /** @internal */
@@ -296,6 +301,7 @@ export function buildConfiguration(
         skipAuthorityMetadataCache: false,
         supportsNestedAppAuth: false,
         instanceAware: false,
+        encodeExtraQueryParams: false,
     };
 
     // Default cache options for browser

@@ -158,7 +158,12 @@ export async function getAuthCodeRequestUrl(
         request.extraQueryParameters || {}
     );
 
-    return AuthorizeProtocol.getAuthorizeUrl(authority, parameters);
+    return AuthorizeProtocol.getAuthorizeUrl(
+        authority,
+        parameters,
+        config.auth.encodeExtraQueryParams,
+        request.extraQueryParameters
+    );
 }
 
 /**
@@ -195,7 +200,12 @@ export async function getEARForm(
         queryParams,
         request.extraQueryParameters || {}
     );
-    const url = AuthorizeProtocol.getAuthorizeUrl(authority, queryParams);
+    const url = AuthorizeProtocol.getAuthorizeUrl(
+        authority,
+        queryParams,
+        config.auth.encodeExtraQueryParams,
+        request.extraQueryParameters
+    );
 
     return createForm(frame, url, parameters);
 }

@@ -628,6 +628,7 @@ export type AuthOptions = {
     azureCloudOptions?: AzureCloudOptions;
     skipAuthorityMetadataCache?: boolean;
     instanceAware?: boolean;
+    encodeExtraQueryParams?: boolean;
 };
 
 // Warning: (ae-internal-missing-underscore) The name "Authority" should be prefixed with an underscore because the declaration is marked as @internal
@@ -2312,7 +2313,7 @@ function getAuthorizationCodePayload(serverParams: AuthorizeResponse, cachedStat
 // Warning: (ae-missing-release-tag) "getAuthorizeUrl" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
 // @public
-function getAuthorizeUrl(authority: Authority, requestParameters: Map<string, string>): string;
+function getAuthorizeUrl(authority: Authority, requestParameters: Map<string, string>, encodeParams?: boolean, extraQueryParameters?: StringDict | undefined): string;
 
 // Warning: (ae-missing-release-tag) "getClientAssertion" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
@@ -2949,7 +2950,7 @@ const logoutRequestEmpty = "logout_request_empty";
 // Warning: (ae-missing-release-tag) "mapToQueryString" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
 // @public
-function mapToQueryString(parameters: Map<string, string>): string;
+function mapToQueryString(parameters: Map<string, string>, encodeExtraParams?: boolean, extraQueryParameters?: StringDict): string;
 
 // Warning: (ae-missing-release-tag) "maxAgeTranspired" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //

@@ -507,6 +507,10 @@ export class AuthorizationCodeClient extends BaseClient {
             RequestParameterBuilder.addInstanceAware(parameters);
         }
 
-        return UrlUtils.mapToQueryString(parameters);
+        return UrlUtils.mapToQueryString(
+            parameters,
+            this.config.authOptions.encodeExtraQueryParams,
+            request.extraQueryParameters
+        );
     }
 }
@@ -83,6 +83,7 @@ export type CommonClientConfiguration = {
  * - skipAuthorityMetadataCache  - A flag to choose whether to use or not use the local metadata cache during authority initialization. Defaults to false.
  * - instanceAware               - A flag of whether the STS will send back additional parameters to specify where the tokens should be retrieved from.
  * - redirectUri                 - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
+ * - encodeExtraQueryParams      - A flag to choose whether to encode the extra query parameters or not. Defaults to false.
  * @internal
  */
 export type AuthOptions = {
@@ -93,6 +94,10 @@ export type AuthOptions = {
     azureCloudOptions?: AzureCloudOptions;
     skipAuthorityMetadataCache?: boolean;
     instanceAware?: boolean;
+    /**
+     * @deprecated This flag is deprecated and will be removed in the next major version where all extra query params will be encoded by default.
+     */
+    encodeExtraQueryParams?: boolean;
 };
 
 /**
@@ -276,6 +281,7 @@ function buildAuthOptions(authOptions: AuthOptions): Required<AuthOptions> {
         azureCloudOptions: DEFAULT_AZURE_CLOUD_OPTIONS,
         skipAuthorityMetadataCache: false,
         instanceAware: false,
+        encodeExtraQueryParams: false,
         ...authOptions,
     };
 }

@@ -26,6 +26,7 @@ import {
     isInteractionRequiredError,
 } from "../error/InteractionRequiredAuthError.js";
 import { ServerError } from "../error/ServerError.js";
+import { StringDict } from "../utils/MsalTypes.js";
 
 /**
  * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
@@ -264,10 +265,15 @@ export function getStandardAuthorizeRequestParameters(
  */
 export function getAuthorizeUrl(
     authority: Authority,
-    requestParameters: Map<string, string>
+    requestParameters: Map<string, string>,
+    encodeParams?: boolean,
+    extraQueryParameters?: StringDict | undefined
 ): string {
-    const queryString = mapToQueryString(requestParameters);
-
+    const queryString = mapToQueryString(
+        requestParameters,
+        encodeParams,
+        extraQueryParameters
+    );
     return UrlString.appendQueryString(
         authority.authorizationEndpoint,
         queryString

@@ -8,6 +8,7 @@ import {
     ClientAuthErrorCodes,
     createClientAuthError,
 } from "../error/ClientAuthError.js";
+import { StringDict } from "./MsalTypes.js";
 
 /**
  * Parses hash string from given string. Returns empty string if no hash symbol is found.
@@ -64,11 +65,23 @@ export function getDeserializedResponse(
 /**
  * Utility to create a URL from the params map
  */
-export function mapToQueryString(parameters: Map<string, string>): string {
+export function mapToQueryString(
+    parameters: Map<string, string>,
+    encodeExtraParams: boolean = true,
+    extraQueryParameters?: StringDict
+): string {
     const queryParameterArray: Array<string> = new Array<string>();
 
     parameters.forEach((value, key) => {
-        queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
+        if (
+            !encodeExtraParams &&
+            extraQueryParameters &&
+            key in extraQueryParameters
+        ) {
+            queryParameterArray.push(`${key}=${value}`);
+        } else {
+            queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
+        }
     });
 
     return queryParameterArray.join("&");