@azure/msal-browser package

Classes

AuthError

General error class thrown by the MSAL.js library.

AuthenticationHeaderParser

This is a helper class that parses supported HTTP response authentication headers to extract and return header challenge values that can be used outside the basic authorization flows.

BrowserAuthError

Browser library error class thrown by the MSAL.js library for SPAs

BrowserConfigurationAuthError

Browser library error class thrown by the MSAL.js library for SPAs

BrowserPerformanceClient
BrowserPerformanceMeasurement
ClientAuthError

Error thrown when there is an error in the client code running on the browser.

ClientConfigurationError

Error thrown when there is an error in configuration of the MSAL.js library.

EventHandler
EventMessageUtils
InteractionRequiredAuthError

Error thrown when user interaction is required.

LocalStorage
Logger

Class which facilitates logging of messages to a specific place.

MemoryStorage
NavigationClient
PublicClientApplication

The PublicClientApplication class is the object exposed by the library to perform authentication and authorization functions in Single Page Applications to obtain JWT tokens as described in the OAuth 2.0 Authorization Code Flow with PKCE specification.

PublicClientNext

PublicClientNext is an early look at the planned implementation of PublicClientApplication in the next major version of MSAL.js. It contains support for multiple API implementations based on the runtime environment that it is running in.

The goals of these changes are to provide a clean separation of behavior between different operating contexts (Nested App Auth, Platform Brokers, Plain old Browser, etc.) while still providing a consistent API surface for developers.

Please use PublicClientApplication for any prod/real-world scenarios. Note: PublicClientNext is experimental and subject to breaking changes without following semver.

ServerError

Error thrown when there is an error with the server code, for example, unavailability.

SessionStorage
SignedHttpRequest
StubPerformanceClient
UrlString

Url object class which can perform various transformations on url strings.

AuthFlowActionRequiredStateBase

Base class for the action required state in an authentication flow.

AuthFlowStateBase

Base class for the state of an authentication flow.

CustomAuthAccountData
CustomAuthApiError

Custom Auth API error.

CustomAuthError
CustomAuthPublicClientApplication
GetAccessTokenResult
GetAccountError

The error class for get account errors.

GetAccountResult
GetCurrentAccountAccessTokenError

The error class for getting the current account access token errors.

HttpError
InvalidArgumentError
InvalidConfigurationError
MethodNotImplementedError
MsalCustomAuthError
NoCachedAccountFoundError
ParsedUrlError
ResetPasswordCodeRequiredState

Base class for the action required state in an authentication flow.

ResetPasswordCompletedState

Represents the state that indicates the successful completion of a password reset operation.

ResetPasswordError
ResetPasswordFailedState

State of a reset password operation that has failed.

ResetPasswordPasswordRequiredState

Base class for the action required state in an authentication flow.

ResetPasswordResendCodeError
ResetPasswordResendCodeResult
ResetPasswordStartResult
ResetPasswordState

Base class for the action required state in an authentication flow.

ResetPasswordSubmitCodeError
ResetPasswordSubmitCodeResult
ResetPasswordSubmitPasswordError
ResetPasswordSubmitPasswordResult
SignInCodeRequiredState

Base class for the action required state in an authentication flow.

SignInCompletedState

Represents the completed state of the sign-in operation. This state indicates that the sign-in process has finished successfully.

SignInContinuationState

Base class for the action required state in an authentication flow.

SignInError
SignInFailedState

Represents the state of a sign-in operation that has failed.

SignInPasswordRequiredState

Base class for the action required state in an authentication flow.

SignInResendCodeError
SignInResendCodeResult
SignInResult
SignInState

Base class for the action required state in an authentication flow.

SignInSubmitCodeError
SignInSubmitCodeResult
SignInSubmitPasswordError
SignInSubmitPasswordResult
SignOutError

The error class for sign-out errors.

SignOutResult
SignUpAttributesRequiredState

Base class for the action required state in an authentication flow.

SignUpCodeRequiredState

Base class for the action required state in an authentication flow.

SignUpCompletedState

Represents the state of a sign-up operation that has been completed successfully.

SignUpError
SignUpFailedState

Represents the state of a sign-up operation that has failed.

SignUpPasswordRequiredState

Base class for the action required state in an authentication flow.

SignUpResendCodeError
SignUpResendCodeResult
SignUpResult
SignUpState

Base class for the action required state in an authentication flow.

SignUpSubmitAttributesError
SignUpSubmitAttributesResult
SignUpSubmitCodeError
SignUpSubmitCodeResult
SignUpSubmitPasswordError
SignUpSubmitPasswordResult
UnexpectedError
UnsupportedEnvironmentError
UserAccountAttributeError
UserAlreadySignedInError

Interfaces

IController
ILoggerCallback
INavigationClient
INetworkModule

Client network interface to send backend requests.

IPerformanceClient
IPublicClientApplication
ITokenCache
IWindowStorage
ICustomAuthPublicClientApplication

Type Aliases

AccountInfo

Account object with the following signature:

  • homeAccountId - Home account identifier for this account object
  • environment - Entity which issued the token represented by the domain of the issuer (e.g. login.microsoftonline.com)
  • tenantId - Full tenant or organizational id that this account belongs to
  • username - preferred_username claim of the id_token that represents this account
  • localAccountId - Local, tenant-specific account identifier for this account object, usually used in legacy cases
  • name - Full name for the account, including given name and family name
  • idToken - raw ID token
  • idTokenClaims - Object containing claims from the ID token
  • nativeAccountId - The user's native account ID
  • tenantProfiles - Map of tenant profile objects for each tenant that the account has authenticated with in the browser
ApiId
AuthenticationResult
AuthenticationScheme
AuthorizationCodeRequest
AuthorizationUrlRequest

This type is deprecated and will be removed on the next major version update

AzureCloudInstance
AzureCloudOptions

AzureCloudInstance specific options

  • azureCloudInstance - string enum providing short notation for sovereign and public cloud authorities
  • tenant - provision to provide the tenant info
BrokerConnectionEvent

Payload for the BrokerConnectionEstablished event

BrowserAuthOptions

Use this to configure the auth options in the Configuration object

BrowserCacheLocation
BrowserSystemOptions
BrowserTelemetryOptions

Telemetry Options

CacheLookupPolicy
CacheOptions

Use this to configure the below cache configuration options:

ClearCacheRequest

ClearCacheRequest

  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • account - Account object that will be logged out of. All tokens tied to this account will be cleared.
Configuration

This object allows you to configure important elements of MSAL functionality and is passed into the constructor of PublicClientApplication

EndSessionPopupRequest

EndSessionPopupRequest

  • account - Account object that will be logged out of. All tokens tied to this account will be cleared.
  • postLogoutRedirectUri - URI to navigate to after logout page inside the popup. Required to ensure popup can be closed.
  • authority - Authority to send logout request to.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • idTokenHint - ID Token used by B2C to validate logout if required by the policy
  • mainWindowRedirectUri - URI to navigate the main window to after logout is complete
  • popupWindowAttributes - Optional popup window attributes. popupSize with height and width, and popupPosition with top and left can be set.
  • logoutHint - A string that specifies the account that is being logged out in order to skip the server account picker on logout
  • popupWindowParent - Optional window object to use as the parent when opening popup windows. Uses global window if not given.
EndSessionRequest

EndSessionRequest

  • account - Account object that will be logged out of. All tokens tied to this account will be cleared.
  • postLogoutRedirectUri - URI to navigate to after logout page.
  • authority - Authority to send logout request to.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • idTokenHint - ID Token used by B2C to validate logout if required by the policy
  • onRedirectNavigate - Callback that will be passed the url that MSAL will navigate to. Returning false in the callback will stop navigation.
  • logoutHint - A string that specifies the account that is being logged out in order to skip the server account picker on logout
EventCallbackFunction
EventError
EventMessage
EventPayload
EventType
ExternalTokenResponse

Response object used for loading external tokens to cache.

  • token_type: Indicates the token type value. The only type that Azure AD supports is Bearer.
  • scope: The scopes that the access_token is valid for.
  • expires_in: How long the access token is valid (in seconds).
  • id_token: A JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in.
  • refresh_token: An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens after the current access token expires.
  • access_token: The requested access token. The app can use this token to authenticate to the secured resource, such as a web API.
  • client_info: Client info object
IdTokenClaims

Type which describes Id Token claims known by MSAL.

InProgressPerformanceEvent
InitializeApplicationRequest

InitializeApplicationRequest: Request object passed by user to initialize application

  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
InteractionStatus
JsonWebTokenTypes
LoadTokenOptions
NavigationOptions

Additional information passed to the navigateInternal and navigateExternal functions

NetworkRequestOptions

Options allowed by network request APIs.

NetworkResponse
PerformanceCallbackFunction
PerformanceEvent

Performance measurement taken by the library, including metadata about the request and application.

PopupEvent
PopupPosition
PopupRequest

PopupRequest: Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow) with a popup window.

  • scopes - Array of scopes the application is requesting access to.
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
  • extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
  • state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
  • prompt - Indicates the type of user interaction that is required.
      • login: will force the user to enter their credentials on that request, negating single sign-on
      • none: will ensure that the user isn't presented with any interactive prompt. If the request can't be completed via single sign-on, the endpoint will return an interaction_required error
      • consent: will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
      • select_account: will interrupt single sign-on, providing an account selection experience listing all the accounts in session or any remembered accounts, or an option to choose to use a different account
      • create: will direct the user to the account creation experience instead of the log in experience
      • no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY.
  • loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the login_hint or preferred_username claim.
  • sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
  • domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
  • extraQueryParameters - String to string map of custom query parameters added to the /authorize call
  • tokenBodyParameters - String to string map of custom token request body parameters added to the /token call. Only used when renewing access tokens.
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
  • claims - In cases where Azure AD tenant admin has enabled conditional access policies, and the policy has not been met, exceptions will contain claims that need to be consented to.
  • nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
  • popupWindowAttributes - Optional popup window attributes. popupSize with height and width, and popupPosition with top and left can be set.
  • popupWindowParent - Optional window object to use as the parent when opening popup windows. Uses global window if not given.
PopupSize
PopupWindowAttributes

Popup configurations for setting dimensions and position of popup window

ProtocolMode
RedirectRequest

RedirectRequest: Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow) with a full page redirect.

  • scopes - Array of scopes the application is requesting access to.
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
  • extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
  • state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
  • prompt - Indicates the type of user interaction that is required.
      • login: will force the user to enter their credentials on that request, negating single sign-on
      • none: will ensure that the user isn't presented with any interactive prompt. If the request can't be completed via single sign-on, the endpoint will return an interaction_required error
      • consent: will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
      • select_account: will interrupt single sign-on, providing an account selection experience listing all the accounts in session or any remembered accounts, or an option to choose to use a different account
      • create: will direct the user to the account creation experience instead of the log in experience
      • no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY.
  • loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the login_hint or preferred_username claim.
  • sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
  • domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
  • extraQueryParameters - String to string map of custom query parameters added to the /authorize call
  • tokenBodyParameters - String to string map of custom token request body parameters added to the /token call. Only used when renewing access tokens.
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
  • claims - In cases where Azure AD tenant admin has enabled conditional access policies, and the policy has not been met, exceptions will contain claims that need to be consented to.
  • nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
  • redirectStartPage - The page that should be returned to after loginRedirect or acquireTokenRedirect. This should only be used if this is different from the redirectUri and will default to the page that initiates the request. When the navigateToLoginRequestUrl config option is set to false this parameter will be ignored.
  • onRedirectNavigate - Callback that will be passed the url that MSAL will navigate to. Returning false in the callback will stop navigation.
ServerResponseType
SignedHttpRequestOptions
SilentRequest

SilentRequest: Request object passed by user to retrieve tokens from the cache, renew an expired token with a refresh token, or retrieve a code (first leg of authorization code grant flow) in a hidden iframe.

  • scopes - Array of scopes the application is requesting access to.
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • account - Account entity to lookup the credentials.
  • forceRefresh - Forces silent requests to make network calls if true.
  • extraQueryParameters - String to string map of custom query parameters added to the /authorize call. Only used when renewing the refresh token.
  • tokenBodyParameters - String to string map of custom token request body parameters added to the /token call. Only used when renewing access tokens.
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call. Only used when renewing access tokens.
  • redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. Only used for cases where refresh token is expired.
  • cacheLookupPolicy - Enum of different ways the silent token can be retrieved.
  • prompt - Indicates the type of user interaction that is required.
      • none: will ensure that the user isn't presented with any interactive prompt. If the request can't be completed via single sign-on, the endpoint will return an interaction_required error
      • no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY.
SsoSilentRequest

Request object passed by user to ssoSilent to retrieve a Code from the server (first leg of authorization code grant flow)

  • scopes - Array of scopes the application is requesting access to (optional for ssoSilent calls)
  • claims - A stringified claims request which will be added to all /authorize and /token calls
  • authority - Url of the authority which the application acquires tokens from.
  • correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  • redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
  • extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
  • state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
  • prompt - Indicates the type of user interaction that is required.
      • login: will force the user to enter their credentials on that request, negating single sign-on
      • none: will ensure that the user isn't presented with any interactive prompt. If the request can't be completed via single sign-on, the endpoint will return an interaction_required error
      • consent: will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
      • select_account: will interrupt single sign-on, providing an account selection experience listing all the accounts in session or any remembered accounts, or an option to choose to use a different account
      • create: will direct the user to the account creation experience instead of the log in experience
      • no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY.
  • loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the login_hint or preferred_username claim.
  • sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
  • domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
  • extraQueryParameters - String to string map of custom query parameters added to the /authorize call
  • tokenBodyParameters - String to string map of custom token request body parameters added to the /token call. Only used when renewing access tokens.
  • tokenQueryParameters - String to string map of custom query parameters added to the /token call
  • nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
TenantProfile

Account details that vary across tenants for the same user

WrapperSKU
AccessTokenRetrievalInputs
AccountRetrievalInputs
CustomAuthConfiguration
GetAccessTokenResultState

The possible states for the GetAccessTokenResult. This includes:

  • GetAccessTokenCompletedState: The access token was successfully retrieved.
  • GetAccessTokenFailedState: The access token retrieval failed.
GetAccountResultState

The possible states for the GetAccountResult. This includes:

  • GetAccountCompletedState: The account was successfully retrieved.
  • GetAccountFailedState: The account retrieval failed.
ResetPasswordInputs
ResetPasswordResendCodeResultState

The possible states for the ResetPasswordResendCodeResult. This includes:

  • ResetPasswordCodeRequiredState: The reset password process requires a code.
  • ResetPasswordFailedState: The reset password process has failed.
ResetPasswordStartResultState

The possible states for the ResetPasswordStartResult. This includes:

  • ResetPasswordCodeRequiredState: The reset password process requires a code.
  • ResetPasswordFailedState: The reset password process has failed.
ResetPasswordSubmitCodeResultState

The possible states for the ResetPasswordSubmitCodeResult. This includes:

  • ResetPasswordPasswordRequiredState: The reset password process requires a password.
  • ResetPasswordFailedState: The reset password process has failed.
ResetPasswordSubmitPasswordResultState

The possible states for the ResetPasswordSubmitPasswordResult. This includes:

  • ResetPasswordCompletedState: The reset password process has completed successfully.
  • ResetPasswordFailedState: The reset password process has failed.
SignInInputs
SignInResendCodeResultState

The possible states for the SignInResendCodeResult. This includes:

  • SignInCodeRequiredState: The sign-in process requires a code.
  • SignInFailedState: The sign-in process has failed.
SignInResultState

The possible states for the SignInResult. This includes:

  • SignInCodeRequiredState: The sign-in process requires a code.
  • SignInPasswordRequiredState: The sign-in process requires a password.
  • SignInFailedState: The sign-in process has failed.
  • SignInCompletedState: The sign-in process is completed.
SignInSubmitCredentialResultState

The possible states of the SignInSubmitCredentialResult. This includes:

  • SignInCompletedState: The sign-in process has completed successfully.
  • SignInFailedState: The sign-in process has failed.
SignInWithContinuationTokenInputs
SignOutResultState

The possible states for the SignOutResult. This includes:

  • SignOutCompletedState: The sign-out operation was successful.
  • SignOutFailedState: The sign-out operation failed.
SignUpInputs
SignUpResendCodeResultState

The possible states for the SignUpResendCodeResult. This includes:

  • SignUpCodeRequiredState: The sign-up process requires a code.
  • SignUpFailedState: The sign-up process has failed.
SignUpResultState

The possible states for the SignUpResult. This includes:

  • SignUpCodeRequiredState: The sign-up process requires a code.
  • SignUpPasswordRequiredState: The sign-up process requires a password.
  • SignUpAttributesRequiredState: The sign-up process requires additional attributes.
  • SignUpFailedState: The sign-up process has failed.
SignUpSubmitAttributesResultState

The possible states for the SignUpSubmitAttributesResult. This includes:

  • SignUpCompletedState: The sign-up process has completed successfully.
  • SignUpFailedState: The sign-up process has failed.
SignUpSubmitCodeResultState

The possible states for the SignUpSubmitCodeResult. This includes:

  • SignUpPasswordRequiredState: The sign-up process requires a password.
  • SignUpAttributesRequiredState: The sign-up process requires additional attributes.
  • SignUpCompletedState: The sign-up process has completed successfully.
  • SignUpFailedState: The sign-up process has failed.
SignUpSubmitPasswordResultState

The possible states for the SignUpSubmitPasswordResult. This includes:

  • SignUpAttributesRequiredState: The sign-up process requires additional attributes.
  • SignUpCompletedState: The sign-up process has completed successfully.
  • SignUpFailedState: The sign-up process has failed.
UserAccountAttributes

Enums

InteractionType
PerformanceEvents

Enumeration of operations that are instrumented to have their performance measured by the PerformanceClient.

LogLevel

Log message level.

Functions

createNestablePublicClientApplication(Configuration)

creates NestedAppAuthController and passes it to the PublicClientApplication, falls back to StandardController if NestedAppAuthController is not available

createStandardPublicClientApplication(Configuration)

creates PublicClientApplication using StandardController

isPlatformBrokerAvailable(LoggerOptions, IPerformanceClient, string)

Checks if the platform broker is available in the current environment.

Function Details

createNestablePublicClientApplication(Configuration)

creates NestedAppAuthController and passes it to the PublicClientApplication, falls back to StandardController if NestedAppAuthController is not available

function createNestablePublicClientApplication(configuration: Configuration): Promise<IPublicClientApplication>

Parameters

configuration
Configuration

Returns

Promise<IPublicClientApplication>

createStandardPublicClientApplication(Configuration)

creates PublicClientApplication using StandardController

function createStandardPublicClientApplication(configuration: Configuration): Promise<IPublicClientApplication>

Parameters

configuration
Configuration

Returns

Promise<IPublicClientApplication>

isPlatformBrokerAvailable(LoggerOptions, IPerformanceClient, string)

Checks if the platform broker is available in the current environment.

function isPlatformBrokerAvailable(loggerOptions?: LoggerOptions, perfClient?: IPerformanceClient, correlationId?: string): Promise<boolean>

Parameters

loggerOptions
@azure/msal-common.LoggerOptions
perfClient
IPerformanceClient
correlationId
string

Returns

Promise<boolean>