@azure/msal-browser package

Reference

Classes

ClientApplication
PublicClientApplication	The PublicClientApplication class is the object exposed by the library to perform authentication and authorization functions in Single Page Applications to obtain JWT tokens as described in the OAuth 2.0 Authorization Code Flow with PKCE specification.
NativeMessageHandler
AsyncMemoryStorage	This class allows MSAL to store artifacts asynchronously using the DatabaseStorage IndexedDB wrapper, backed up with the more volatile MemoryStorage object for cases in which IndexedDB may be unavailable.
BrowserCacheManager	This class implements the cache storage interface for MSAL through browser local or session storage. Cookies are only used if storeAuthStateInCookie is true, and are only used for parameters such as state and nonce, generally.
BrowserStorage
CryptoKeyStore	MSAL CryptoKeyStore DB Version 2
DatabaseStorage	Storage wrapper for IndexedDB storage in browsers: https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API
MemoryStorage
TokenCache	Token cache manager
BrowserCrypto	This class implements functions used by the browser library to perform cryptography operations such as hashing and encoding. It also has helper functions to validate the availability of specific APIs.
CryptoOps	This class implements MSAL's crypto interface, which allows it to perform base64 encoding and decoding, generating cryptographically random GUIDs and implementing Proof Key for Code Exchange specs for the OAuth Authorization Code Flow using PKCE (rfc here: https://tools.ietf.org/html/rfc7636).
GuidGenerator
ModernBrowserCrypto
MsBrowserCrypto
MsrBrowserCrypto
PkceGenerator	Class which exposes APIs to generate PKCE codes and code verifiers.
SignedHttpRequest
Base64Decode	Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details: https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/Base64_encoding_and_decoding#Solution_2_%E2%80%93_JavaScript's_UTF-16_%3E_UTF-8_%3E_base64
Base64Encode	Class which exposes APIs to encode plaintext to base64 encoded string. See here for implementation details: https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/Base64_encoding_and_decoding#Solution_2_%E2%80%93_JavaScript's_UTF-16_%3E_UTF-8_%3E_base64
BrowserAuthError	Browser library error class thrown by the MSAL.js library for SPAs
BrowserConfigurationAuthError	Browser library error class thrown by the MSAL.js library for SPAs
NativeAuthError
EventHandler
EventMessageUtils
BaseInteractionClient
HybridSpaAuthorizationCodeClient
NativeInteractionClient
PopupClient
RedirectClient
SilentAuthCodeClient
SilentCacheClient
SilentIframeClient
SilentRefreshClient
StandardInteractionClient	Defines the class structure and helper functions used by the "standard", non-brokered auth flows (popup, redirect, silent (RT), silent (iframe))
InteractionHandler	Abstract class which defines operations for a browser interaction handling class.
RedirectHandler
SilentHandler
NavigationClient
FetchClient	This class implements the Fetch API for GET and POST requests. See more here: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
XhrClient	This client implements the XMLHttpRequest class to send GET and POST requests.
BrowserPerformanceClient
BrowserPerformanceMeasurement
BrowserProtocolUtils
BrowserStringUtils	Utility functions for strings in a browser. See here for implementation details: https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/Base64_encoding_and_decoding#Solution_2_%E2%80%93_JavaScript's_UTF-16_%3E_UTF-8_%3E_base64
BrowserUtils	Utility class for browser specific functions
MathUtils	Utility class for math specific functions in browser.

Interfaces

IPublicClientApplication
IAsyncStorage
ITokenCache
IWindowStorage
ISubtleCrypto
INavigationClient

Type Aliases

NativeExtensionRequest	Browser extension request
NativeExtensionRequestBody	Request which will be forwarded to native broker by the browser extension
NativeTokenRequest	Token request which native broker will use to acquire tokens
MATS	The native token broker can optionally include additional information about operations it performs. If that data is returned, MSAL.js will include the following properties in the telemetry it collects.
NativeAccountInfo	Account properties returned by Native Platform e.g. WAM
NativeResponse	Token response returned by Native Platform e.g. WAM
NativeResponseProperties	Properties returned under "properties" of the NativeResponse
LoadTokenOptions
BrowserAuthOptions	Use this to configure the auth options in the Configuration object
BrowserConfiguration
BrowserSystemOptions
BrowserTelemetryOptions	Telemetry Options
CacheOptions	Use this to configure the below cache configuration options:
Configuration	This object allows you to configure important elements of MSAL functionality and is passed into the constructor of PublicClientApplication
CryptoOptions
CachedKeyPair
SignedHttpRequestOptions
OSError
EventCallbackFunction
EventError
EventMessage
EventPayload
PopupEvent
PopupParams
InteractionParams
RedirectParams
NavigationOptions	Additional information passed to the navigateInternal and navigateExternal functions
AuthorizationCodeRequest
AuthorizationUrlRequest	This type is deprecated and will be removed on the next major version update
EndSessionPopupRequest	EndSessionPopupRequest account - Account object that will be logged out of. All tokens tied to this account will be cleared. postLogoutRedirectUri - URI to navigate to after logout page inside the popup. Required to ensure popup can be closed. authority - Authority to send logout request to. correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. idTokenHint - ID Token used by B2C to validate logout if required by the policy mainWindowRedirectUri - URI to navigate the main window to after logout is complete popupWindowAttributes - Optional popup window attributes. popupSize with height and width, and popupPosition with top and left can be set. logoutHint - A string that specifies the account that is being logged out in order to skip the server account picker on logout
EndSessionRequest	EndSessionRequest account - Account object that will be logged out of. All tokens tied to this account will be cleared. postLogoutRedirectUri - URI to navigate to after logout page. authority - Authority to send logout request to. correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. idTokenHint - ID Token used by B2C to validate logout if required by the policy onRedirectNavigate - Callback that will be passed the url that MSAL will navigate to. Returning false in the callback will stop navigation. logoutHint - A string that specifies the account that is being logged out in order to skip the server account picker on logout
PopupRequest	PopupRequest: Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow) with a popup window. scopes - Array of scopes the application is requesting access to. authority - Url of the authority which the application acquires tokens from. correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. extraScopesToConsent - Scopes for a different resource when the user needs consent upfront. state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. prompt - Indicates the type of user interaction that is required. login: will force the user to enter their credentials on that request, negating single-sign on none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account create: will direct the user to the account creation experience instead of the log in experience no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY. loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the login_hint or preferred_username claim. sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens. domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant. extraQueryParameters - String to string map of custom query parameters added to the /authorize call tokenQueryParameters - String to string map of custom query parameters added to the /token call claims - In cases where Azure AD tenant admin has enabled conditional access policies, and the policy has not been met, exceptions will contain claims that need to be consented to. nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks. popupWindowAttributes - Optional popup window attributes. popupSize with height and width, and popupPosition with top and left can be set.
PopupPosition
PopupSize
PopupWindowAttributes	Popup configurations for setting dimensions and position of popup window
RedirectRequest	RedirectRequest: Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow) with a full page redirect. scopes - Array of scopes the application is requesting access to. authority - Url of the authority which the application acquires tokens from. correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. extraScopesToConsent - Scopes for a different resource when the user needs consent upfront. state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. prompt - Indicates the type of user interaction that is required. login: will force the user to enter their credentials on that request, negating single-sign on none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account create: will direct the user to the account creation experience instead of the log in experience no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY. loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the login_hint or preferred_username claim. sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens. domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant. extraQueryParameters - String to string map of custom query parameters added to the /authorize call tokenQueryParameters - String to string map of custom query parameters added to the /token call claims - In cases where Azure AD tenant admin has enabled conditional access policies, and the policy has not been met, exceptions will contain claims that need to be consented to. nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks. redirectStartPage - The page that should be returned to after loginRedirect or acquireTokenRedirect. This should only be used if this is different from the redirectUri and will default to the page that initiates the request. When the navigateToLoginRequestUrl config option is set to false this parameter will be ignored. onRedirectNavigate - Callback that will be passed the url that MSAL will navigate to. Returning false in the callback will stop navigation.
SilentRequest	SilentRequest: Request object passed by user to retrieve tokens from the cache, renew an expired token with a refresh token, or retrieve a code (first leg of authorization code grant flow) in a hidden iframe. scopes - Array of scopes the application is requesting access to. authority - Url of the authority which the application acquires tokens from. correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. account - Account entity to lookup the credentials. forceRefresh - Forces silent requests to make network calls if true. extraQueryParameters - String to string map of custom query parameters added to the /authorize call. Only used when renewing the refresh token. tokenQueryParameters - String to string map of custom query parameters added to the /token call. Only used when renewing access tokens. redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. Only used for cases where refresh token is expired. cacheLookupPolicy - Enum of different ways the silent token can be retrieved. prompt - Indicates the type of user interaction that is required. none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY.
SsoSilentRequest	Request object passed by user to ssoSilent to retrieve a Code from the server (first leg of authorization code grant flow) scopes - Array of scopes the application is requesting access to (optional for ssoSilent calls) claims - A stringified claims request which will be added to all /authorize and /token calls authority - Url of the authority which the application acquires tokens from. correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal. extraScopesToConsent - Scopes for a different resource when the user needs consent upfront. state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred. prompt - Indicates the type of user interaction that is required. login: will force the user to enter their credentials on that request, negating single-sign on none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error consent: will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account create: will direct the user to the account creation experience instead of the log in experience no_session: will not read existing session token when authenticating the user. Upon user being successfully authenticated, EVO won’t create a new session for the user. FOR INTERNAL USE ONLY. loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the login_hint or preferred_username claim. sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens. domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant. extraQueryParameters - String to string map of custom query parameters added to the /authorize call tokenQueryParameters - String to string map of custom query parameters added to the /token call nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
BrowserStateObject

Enums

CryptoKeyStoreNames
NativeStatusCode
EventType
ApiId	API Codes for Telemetry purposes. Before adding a new code you must claim it in the MSAL Telemetry tracker as these number spaces are shared across all MSALs 0-99 Silent Flow 800-899 Auth Code Flow
BrowserCacheLocation
CacheLookupPolicy
HTTP_REQUEST_TYPE	HTTP Request types supported by MSAL.
InMemoryCacheKeys	Cache keys stored in-memory
InteractionStatus	Types of interaction currently in progress. Used in events in wrapper libraries to invoke functions when certain interaction is in progress or all interactions are complete.
InteractionType
NativeExtensionMethod
TemporaryCacheKeys	Temporary cache keys for MSAL, deleted after any request.
WrapperSKU

Functions

buildConfiguration({ userInputAuth: { authority?: string, authorityMetadata?: string, azureCloudOptions?: AzureCloudOptions, clientCapabilities?: Array<string>, clientId: string, cloudDiscoveryMetadata?: string, knownAuthorities?: Array<string>, navigateToLoginRequestUrl?: boolean, postLogoutRedirectUri?: string | null, protocolMode?: ProtocolMode, redirectUri?: string, skipAuthorityMetadataCache?: boolean }, userInputCache: { cacheLocation?: BrowserCacheLocation | string, secureCookies?: boolean, storeAuthStateInCookie?: boolean }, userInputSystem: { preventCorsPreflight?: boolean, proxyUrl?: string, tokenRenewalOffsetSeconds?: number } & { allowNativeBroker?: boolean, allowRedirectInIframe?: boolean, asyncPopups?: boolean, cryptoOptions?: CryptoOptions, iframeHashTimeout?: number, loadFrameTimeout?: number, loggerOptions?: LoggerOptions, nativeBrokerHandshakeTimeout?: number, navigateFrameWait?: number, navigationClient?: INavigationClient, networkClient?: INetworkModule, pollIntervalMilliseconds?: number, redirectNavigationTimeout?: number, windowHashTimeout?: number }, userInputTelemetry: { application?: ApplicationTelemetry } }, boolean)

MSAL function that sets the default options when not explicitly configured from app developer

Function Details

buildConfiguration({ userInputAuth: { authority?: string, authorityMetadata?: string, azureCloudOptions?: AzureCloudOptions, clientCapabilities?: Array<string>, clientId: string, cloudDiscoveryMetadata?: string, knownAuthorities?: Array<string>, navigateToLoginRequestUrl?: boolean, postLogoutRedirectUri?: string | null, protocolMode?: ProtocolMode, redirectUri?: string, skipAuthorityMetadataCache?: boolean }, userInputCache: { cacheLocation?: BrowserCacheLocation | string, secureCookies?: boolean, storeAuthStateInCookie?: boolean }, userInputSystem: { preventCorsPreflight?: boolean, proxyUrl?: string, tokenRenewalOffsetSeconds?: number } & { allowNativeBroker?: boolean, allowRedirectInIframe?: boolean, asyncPopups?: boolean, cryptoOptions?: CryptoOptions, iframeHashTimeout?: number, loadFrameTimeout?: number, loggerOptions?: LoggerOptions, nativeBrokerHandshakeTimeout?: number, navigateFrameWait?: number, navigationClient?: INavigationClient, networkClient?: INetworkModule, pollIntervalMilliseconds?: number, redirectNavigationTimeout?: number, windowHashTimeout?: number }, userInputTelemetry: { application?: ApplicationTelemetry } }, boolean)

MSAL function that sets the default options when not explicitly configured from app developer

function buildConfiguration(__namedParameters: { userInputAuth: { authority?: string, authorityMetadata?: string, azureCloudOptions?: AzureCloudOptions, clientCapabilities?: Array<string>, clientId: string, cloudDiscoveryMetadata?: string, knownAuthorities?: Array<string>, navigateToLoginRequestUrl?: boolean, postLogoutRedirectUri?: string | null, protocolMode?: ProtocolMode, redirectUri?: string, skipAuthorityMetadataCache?: boolean }, userInputCache: { cacheLocation?: BrowserCacheLocation | string, secureCookies?: boolean, storeAuthStateInCookie?: boolean }, userInputSystem: { preventCorsPreflight?: boolean, proxyUrl?: string, tokenRenewalOffsetSeconds?: number } & { allowNativeBroker?: boolean, allowRedirectInIframe?: boolean, asyncPopups?: boolean, cryptoOptions?: CryptoOptions, iframeHashTimeout?: number, loadFrameTimeout?: number, loggerOptions?: LoggerOptions, nativeBrokerHandshakeTimeout?: number, navigateFrameWait?: number, navigationClient?: INavigationClient, networkClient?: INetworkModule, pollIntervalMilliseconds?: number, redirectNavigationTimeout?: number, windowHashTimeout?: number }, userInputTelemetry: { application?: ApplicationTelemetry } }, isBrowserEnvironment: boolean): BrowserConfiguration

Parameters

__namedParameters: { userInputAuth: { authority?: string, authorityMetadata?: string, azureCloudOptions?: AzureCloudOptions, clientCapabilities?: Array<string>, clientId: string, cloudDiscoveryMetadata?: string, knownAuthorities?: Array<string>, navigateToLoginRequestUrl?: boolean, postLogoutRedirectUri?: string | null, protocolMode?: ProtocolMode, redirectUri?: string, skipAuthorityMetadataCache?: boolean }, userInputCache: { cacheLocation?: BrowserCacheLocation | string, secureCookies?: boolean, storeAuthStateInCookie?: boolean }, userInputSystem: { preventCorsPreflight?: boolean, proxyUrl?: string, tokenRenewalOffsetSeconds?: number } & { allowNativeBroker?: boolean, allowRedirectInIframe?: boolean, asyncPopups?: boolean, cryptoOptions?: CryptoOptions, iframeHashTimeout?: number, loadFrameTimeout?: number, loggerOptions?: LoggerOptions, nativeBrokerHandshakeTimeout?: number, navigateFrameWait?: number, navigationClient?: INavigationClient, networkClient?: INetworkModule, pollIntervalMilliseconds?: number, redirectNavigationTimeout?: number, windowHashTimeout?: number }, userInputTelemetry: { application?: ApplicationTelemetry } }

isBrowserEnvironment: boolean

Returns

BrowserConfiguration

Configuration object