AzureAD · jo-arroyo · Apr 16, 2025 · Apr 9, 2025 · Apr 9, 2025 · Apr 11, 2025
diff --git a/change/@azure-msal-browser-47a421a0-b795-4c4d-81b2-3f1ba6db85a9.json b/change/@azure-msal-browser-47a421a0-b795-4c4d-81b2-3f1ba6db85a9.json
@@ -0,0 +1,7 @@
+{
+  "type": "major",
+  "comment": "Configuration changes to BrowserAuthOptions #7695",
+  "packageName": "@azure/msal-browser",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/change/@azure-msal-common-e34a2020-1a97-410d-963b-08e910174a0d.json b/change/@azure-msal-common-e34a2020-1a97-410d-963b-08e910174a0d.json
@@ -0,0 +1,7 @@
+{
+  "type": "major",
+  "comment": "Configuration changes to AuthOptions #7695",
+  "packageName": "@azure/msal-common",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/change/@azure-msal-node-485c21d3-c772-49f5-9425-10a96df9e76e.json b/change/@azure-msal-node-485c21d3-c772-49f5-9425-10a96df9e76e.json
@@ -0,0 +1,7 @@
+{
+  "type": "major",
+  "comment": "Configuration changes to NodeAuthOptions #7695",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
@@ -250,10 +250,8 @@ export type BrowserAuthOptions = {
     postLogoutRedirectUri?: string | null;
     navigateToLoginRequestUrl?: boolean;
     clientCapabilities?: Array<string>;
-    protocolMode?: ProtocolMode;
     OIDCOptions?: OIDCOptions;
     azureCloudOptions?: AzureCloudOptions;
-    skipAuthorityMetadataCache?: boolean;
     onRedirectNavigate?: (url: string) => boolean | void;
     instanceAware?: boolean;
 };
@@ -355,6 +353,7 @@ export type BrowserSystemOptions = SystemOptions & {
     allowPlatformBroker?: boolean;
     nativeBrokerHandshakeTimeout?: number;
     pollIntervalMilliseconds?: number;
+    protocolMode?: ProtocolMode;
 };
 
 // Warning: (ae-missing-release-tag) "BrowserTelemetryOptions" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
@@ -1492,7 +1491,7 @@ export type WrapperSKU = (typeof WrapperSKU)[keyof typeof WrapperSKU];
 // src/cache/LocalStorage.ts:296:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/cache/LocalStorage.ts:354:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/cache/LocalStorage.ts:385:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
-// src/config/Configuration.ts:231:5 - (ae-forgotten-export) The symbol "InternalAuthOptions" needs to be exported by the entry point index.d.ts
+// src/config/Configuration.ts:227:5 - (ae-forgotten-export) The symbol "InternalAuthOptions" needs to be exported by the entry point index.d.ts
 // src/event/EventHandler.ts:113:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/event/EventHandler.ts:139:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/index.ts:8:12 - (tsdoc-characters-after-block-tag) The token "@azure" looks like a TSDoc tag but contains an invalid character "/"; if it is not a tag, use a backslash to escape the "@"

@@ -19,7 +19,6 @@ const msalConfig = {
         postLogoutRedirectUri: "enter_postlogout_uri_here",
         navigateToLoginRequestUrl: true,
         clientCapabilities: ["CP1"],
-        protocolMode: "AAD"
     },
     cache: {
         cacheLocation: "sessionStorage",
@@ -59,6 +58,7 @@ const msalConfig = {
         iframeHashTimeout: 6000,
         loadFrameTimeout: 0,
         asyncPopups: false,
+        protocolMode: "AAD"
     },
     telemetry: {
         application: {
@@ -85,10 +85,8 @@ const msalInstance = new PublicClientApplication(msalConfig);
 | `redirectUri`                | URI where the authorization code response is sent back to. Whatever location is specified here must have the MSAL library available to handle the response.                                                                                                             | String in absolute or relative URI format                                                                                                    | Login request page (`window.location.href` of page which made auth request) |
 | `postLogoutRedirectUri`      | URI that is redirected to after a logout() call is made.                                                                                                                                                                                                                | String in absolute or relative URI format. Pass `null` to disable post logout redirect.                                                      | Login request page (`window.location.href` of page which made auth request) |
 | `navigateToLoginRequestUrl`  | If `true`, will navigate back to the original request location before processing the authorization code response. If the `redirectUri` is the same as the original request location, this flag should be set to false.                                                  | boolean                                                                                                                                      | `true`                                                                      |
-| `clientCapabilities`         | Array of capabilities to be added to all network requests as part of the `xms_cc` claims request (see: [Client capability in MSAL](../../msal-common/docs/client-capability.md))                                                                                        | Array of strings                                                                                                                             | []                                                                          |
-| `protocolMode`               | Enum representing the protocol mode to use. If `"AAD"`, will function on the OIDC-compliant AAD v2 endpoints; if `"OIDC"`, will function on other OIDC-compliant endpoints.                                                                                             | string                                                                                                                                       | `"AAD"`                                                                     |
+| `clientCapabilities`         | Array of capabilities to be added to all network requests as part of the `xms_cc` claims request (see: [Client capability in MSAL](../../msal-common/docs/client-capability.md))                                                                                        | Array of strings                                                                                                                             | []                                                                          |                                                                                          | string                                                                                                                                       | `"AAD"`                                                                     |
 | `azureCloudOptions`          | A defined set of azure cloud options for developers to default to their specific cloud authorities, for specific clouds supported please refer to the [AzureCloudInstance](https://aka.ms/msaljs/azure_cloud_instance)                                                  | [AzureCloudOptions](https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_common.html#azurecloudoptions) | [AzureCloudInstance.None](msaljs/azure_cloud_instance)                      |
-| `skipAuthorityMetadataCache` | A flag to choose whether to use the local metadata cache during authority initialization. Metadata cache would be used if no authority metadata is provided and before a network call for metadata has been made (see [Authority](../../msal-common/docs/authority.md)) | boolean                                                                                                                                      | `false`                                                                     |
 | `onRedirectNavigate`         | A callback that will be passed the url that MSAL will navigate to in redirect flows. Returning false in the callback will stop navigation.
 | `instanceAware`              | A flag of whether the STS will send back additional parameters to specify where the tokens should be retrieved from. | boolean | `false` |
 
@@ -118,6 +116,7 @@ See [Caching in MSAL](./caching.md) for more.
 | `allowRedirectInIframe`    | By default, MSAL will not allow redirect operations to be initiated when the application is inside an iframe. Set this flag to `true` to remove this check.                                                                                                                                                   | boolean                              | `false`                                          |
 | `cryptoOptions`            | Config object for crypto operations in the browser.                                                                                                                                                                                                                                                           | See [below](#crypto-config-options.) | See [below](#crypto-config-options.)             |
 | `pollIntervalMilliseconds` | Interval of time in milliseconds between polls of popup URL hash during authenticaiton.                                                                                                                                                                                                                       | integer (milliseconds)               | `30`                                             |
+| `protocolMode`               | Enum representing the protocol mode to use. If `"AAD"`, will function on the OIDC-compliant AAD v2 endpoints; if `"OIDC"`, will function on other OIDC-compliant endpoints.   
 
 #### Logger Config Options
 

@@ -53,7 +53,6 @@ const nestablePca = msal.createNestablePublicClientApplication({
 
 Please note the below guidance before opting in for Nested app authentication:
 
--   `supportsNestedAppAuth` in MSAL Browser configuration will be deprecated in the next major version. Please use `createNestablePublicClientApplication` instead.
 -   `createNestablePublicClientApplication` will fall back to `createStandardPublicClientApplication` if nested app bridge is unavailable or the Hub is not configured to support nested app authentication.
 -   If an application does not want to be Nested App, it should use `createStandardPublicClientApplication` instead.
 -   Certain account lookup APIs are not supported in NAA apps, please refer to [active accounts](./accounts.md#active-account-apis).
@@ -128,8 +127,10 @@ const msalConfig = {
         clientId: "your_client_id",
         authority: "https://login.live.com",
         knownAuthorities: ["login.live.com"],
-        protocolMode: "OIDC",
     },
+    system: {
+        protocolMode: "OIDC",
+    }
 };
 ```
 

@@ -96,12 +96,10 @@ export class TokenCache implements ITokenCache {
             : undefined;
 
         const authorityOptions: AuthorityOptions = {
-            protocolMode: this.config.auth.protocolMode,
+            protocolMode: this.config.system.protocolMode,
             knownAuthorities: this.config.auth.knownAuthorities,
             cloudDiscoveryMetadata: this.config.auth.cloudDiscoveryMetadata,
             authorityMetadata: this.config.auth.authorityMetadata,
-            skipAuthorityMetadataCache:
-                this.config.auth.skipAuthorityMetadataCache,
         };
         const authority = request.authority
             ? new Authority(

@@ -78,10 +78,6 @@ export type BrowserAuthOptions = {
      * Array of capabilities which will be added to the claims.access_token.xms_cc request property on every network request.
      */
     clientCapabilities?: Array<string>;
-    /**
-     * Enum that represents the protocol that msal follows. Used for configuring proper endpoints.
-     */
-    protocolMode?: ProtocolMode;
     /**
      * Enum that configures options for the OIDC protocol mode.
      */
@@ -90,10 +86,6 @@ export type BrowserAuthOptions = {
      * Enum that represents the Azure Cloud to use.
      */
     azureCloudOptions?: AzureCloudOptions;
-    /**
-     * Flag of whether to use the local metadata cache
-     */
-    skipAuthorityMetadataCache?: boolean;
     /**
      * Callback that will be passed the url that MSAL will navigate to in redirect flows. Returning false in the callback will stop navigation.
      */
@@ -188,6 +180,10 @@ export type BrowserSystemOptions = SystemOptions & {
      * Sets the interval length in milliseconds for polling the location attribute in popup windows (default is 30ms)
      */
     pollIntervalMilliseconds?: number;
+    /**
+     * Enum that represents the protocol that msal follows. Used for configuring proper endpoints.
+     */
+    protocolMode?: ProtocolMode;
 };
 
 /**
@@ -264,7 +260,6 @@ export function buildConfiguration(
         postLogoutRedirectUri: Constants.EMPTY_STRING,
         navigateToLoginRequestUrl: true,
         clientCapabilities: [],
-        protocolMode: ProtocolMode.AAD,
         OIDCOptions: {
             responseMode: ResponseMode.FRAGMENT,
             defaultScopes: [
@@ -277,7 +272,6 @@ export function buildConfiguration(
             azureCloudInstance: AzureCloudInstance.None,
             tenant: Constants.EMPTY_STRING,
         },
-        skipAuthorityMetadataCache: false,
         instanceAware: false,
     };
 
@@ -327,6 +321,7 @@ export function buildConfiguration(
             userInputSystem?.nativeBrokerHandshakeTimeout ||
             DEFAULT_NATIVE_BROKER_HANDSHAKE_TIMEOUT_MS,
         pollIntervalMilliseconds: BrowserConstants.DEFAULT_POLL_INTERVAL_MS,
+        protocolMode: ProtocolMode.AAD,
     };
 
     const providedSystemOptions: Required<BrowserSystemOptions> = {
@@ -345,7 +340,7 @@ export function buildConfiguration(
 
     // Throw an error if user has set OIDCOptions without being in OIDC protocol mode
     if (
-        userInputAuth?.protocolMode !== ProtocolMode.OIDC &&
+        userInputSystem?.protocolMode !== ProtocolMode.OIDC &&
         userInputAuth?.OIDCOptions
     ) {
         const logger = new Logger(providedSystemOptions.loggerOptions);
@@ -360,8 +355,8 @@ export function buildConfiguration(
 
     // Throw an error if user has set allowPlatformBroker to true with OIDC protocol mode
     if (
-        userInputAuth?.protocolMode &&
-        userInputAuth.protocolMode === ProtocolMode.OIDC &&
+        userInputSystem?.protocolMode &&
+        userInputSystem.protocolMode === ProtocolMode.OIDC &&
         providedSystemOptions?.allowPlatformBroker
     ) {
         throw createClientConfigurationError(

@@ -200,13 +200,11 @@ export abstract class BaseInteractionClient {
             this.correlationId
         );
         const authorityOptions: AuthorityOptions = {
-            protocolMode: this.config.auth.protocolMode,
+            protocolMode: this.config.system.protocolMode,
             OIDCOptions: this.config.auth.OIDCOptions,
             knownAuthorities: this.config.auth.knownAuthorities,
             cloudDiscoveryMetadata: this.config.auth.cloudDiscoveryMetadata,
             authorityMetadata: this.config.auth.authorityMetadata,
-            skipAuthorityMetadataCache:
-                this.config.auth.skipAuthorityMetadataCache,
         };
 
         // build authority string based on auth params, precedence - azureCloudInstance + tenant >> authority

@@ -230,7 +230,7 @@ export class PopupClient extends StandardInteractionClient {
         );
         validRequest.platformBroker = isPlatformBroker;
 
-        if (this.config.auth.protocolMode === ProtocolMode.EAR) {
+        if (this.config.system.protocolMode === ProtocolMode.EAR) {
             return this.executeEarFlow(validRequest, popupParams);
         } else {
             return this.executeCodeFlow(validRequest, popupParams, pkceCodes);

@@ -144,7 +144,7 @@ export class RedirectClient extends StandardInteractionClient {
         window.addEventListener("pageshow", handleBackButton);
 
         try {
-            if (this.config.auth.protocolMode === ProtocolMode.EAR) {
+            if (this.config.system.protocolMode === ProtocolMode.EAR) {
                 await this.executeEarFlow(validRequest);
             } else {
                 await this.executeCodeFlow(validRequest);

@@ -131,7 +131,7 @@ export class SilentIframeClient extends StandardInteractionClient {
             );
         BrowserUtils.preconnect(silentRequest.authority);
 
-        if (this.config.auth.protocolMode === ProtocolMode.EAR) {
+        if (this.config.system.protocolMode === ProtocolMode.EAR) {
             return this.executeEarFlow(silentRequest);
         } else {
             return this.executeCodeFlow(silentRequest);

@@ -73,7 +73,7 @@ async function getStandardParameters(
         os: "",
         cpu: "",
     });
-    if (config.auth.protocolMode !== ProtocolMode.OIDC) {
+    if (config.system.protocolMode !== ProtocolMode.OIDC) {
         RequestParameterBuilder.addApplicationTelemetry(
             parameters,
             config.telemetry.application

@@ -1340,7 +1340,6 @@ describe("PublicClientApplication.ts Class Unit Tests", () => {
             pca = new PublicClientApplication({
                 auth: {
                     clientId: TEST_CONFIG.MSAL_CLIENT_ID,
-                    protocolMode: ProtocolMode.OIDC,
                     OIDCOptions: {
                         responseMode: ResponseMode.QUERY,
                     },
@@ -1353,6 +1352,7 @@ describe("PublicClientApplication.ts Class Unit Tests", () => {
                 },
                 system: {
                     allowPlatformBroker: false,
+                    protocolMode: ProtocolMode.OIDC,
                 },
             });
 

@@ -295,11 +295,13 @@ describe("Configuration.ts Class Unit Tests", () => {
                 auth: {
                     clientId: TEST_CONFIG.MSAL_CLIENT_ID,
                     authority: TEST_CONFIG.validAuthority,
-                    protocolMode: ProtocolMode.AAD,
                     OIDCOptions: {
                         responseMode: ResponseMode.QUERY,
                     },
                 },
+                system: {
+                    protocolMode: ProtocolMode.AAD,
+                },
             },
             true
         );

@@ -845,6 +845,8 @@ describe("PopupClient", () => {
                 pca = new PublicClientApplication({
                     auth: {
                         clientId: TEST_CONFIG.MSAL_CLIENT_ID,
+                    },
+                    system: {
                         protocolMode: ProtocolMode.EAR,
                     },
                 });
@@ -1910,9 +1912,11 @@ describe("PopupClient", () => {
             pca = new PublicClientApplication({
                 auth: {
                     clientId: TEST_CONFIG.MSAL_CLIENT_ID,
-                    protocolMode: ProtocolMode.OIDC,
                     OIDCOptions: { responseMode: "query" },
                 },
+                system: {
+                    protocolMode: ProtocolMode.OIDC,
+                },
             });
 
             await pca.initialize();

@@ -3008,6 +3008,8 @@ describe("RedirectClient", () => {
             pca = new PublicClientApplication({
                 auth: {
                     clientId: TEST_CONFIG.MSAL_CLIENT_ID,
+                },
+                system: {
                     protocolMode: ProtocolMode.EAR,
                 },
             });

@@ -1256,6 +1256,8 @@ describe("SilentIframeClient", () => {
                 pca = new PublicClientApplication({
                     auth: {
                         clientId: TEST_CONFIG.MSAL_CLIENT_ID,
+                    },
+                    system: {
                         protocolMode: ProtocolMode.EAR,
                     },
                 });

@@ -306,9 +306,11 @@ describe("StandardInteractionClient OIDCOptions Tests", () => {
         pca = new PublicClientApplication({
             auth: {
                 clientId: TEST_CONFIG.MSAL_CLIENT_ID,
-                protocolMode: ProtocolMode.OIDC,
                 OIDCOptions: { responseMode: ResponseMode.QUERY },
             },
+            system: {
+                protocolMode: ProtocolMode.OIDC,
+            },
         });
 
         //Implementation of PCA was moved to controller.