MSAL 5.1.x: LoginPopup within iframe no longer works

[Finrod24]

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

5.4.0

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

5.1.1

Public or Confidential Client?

Public

Description

The standard configuration used in the sample found here works as long as the app is rendered in a top level Window:
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/msal-angular-v5.1.1/samples/msal-angular-samples/angular-standalone-sample

Aso soon as i render this app in my parent window as iframe the loginPopup no longer works.
The behavior is as follows:

1. The login window opens in a popup
2. I login with the credential
3. The popup closes
4. The authentication response never returns to my app → broken

It seems that the broadcastResponseToMainFrame(...) does not find the main application, when it is hosted in an iframe.

Btw. i tried with relative and absolute URI in the redirectUri config parameter.

Error Message

No response

MSAL Logs

No response

Network Trace (Preferrably Fiddler)

• Sent
• Pending

MSAL Configuration

{
      auth: {
        clientId: config.openIdConfig.clientId,
        authority: `https://login.microsoftonline.com/${config.openIdConfig.tenantId}`,
        redirectUri: 'https://localhost:4203/redirect',
        postLogoutRedirectUri: '/login',
      },
      cache: {
        cacheLocation: BrowserCacheLocation.LocalStorage,
      },
      system: {
        allowRedirectInIframe: true,
      },
    };

Relevant Code Snippets

Sample: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/msal-angular-v5.1.1/samples/msal-angular-samples/angular-standalone-sample

Embedded in iframe

Reproduction Steps

1. Use loginPupup
2. The login window opens in a popup
3. I login with the credential
4. The popup closes
5. The authentication response never returns to my app → broken

Expected Behavior

The authentication result is returned to the main app

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome

Regression

No response

[evristk]

We are experiencing the same issue.
We are using loginPopup inside an Azure DevOps iframe. The app is built with React and bundled using webpack.
The popup flow appears to complete successfully. Our redirect.html executes broadcastResponseToMainFrame, and the popup closes as expected. However, the parent iframe never receives the message.
After a short delay, the flow fails with the following error:

BrowserAuthError: timed_out

This suggests that the popup-to-parent communication channel is being broken, even though the redirect page logic runs successfully.

[stefanvettiger]

We are encountering a similar issue. Our application runs in a iframe within the main application and uses the loginPopup method. The app itself is built with Angular.

During authentication, the popup flow seems to complete successfully. The redirect-component.ts page runs broadcastResponseToMainFrame, and the popup window closes as expected, but the iframe does not receive the broadcasted message.

We use the same msal lib versions as mentioned by @Finrod24

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

5.4.0

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

5.1.1

[lucassouza1]

Let's consider this scenario: your app runs inside an iframe hosted on a different top‑level site (e.g., hostplatform.com) while the iframe origin is mainapp.com.
The iframe is loaded in a third‑party context. When MSAL performs interactive authentication, it opens a popup window where mainapp.com becomes the top‑level browsing context.
In modern Chromium browsers (Chrome 115+), third‑party storage partitioning is enforced. Storage APIs, including BroadcastChannel, are partitioned by top‑level site, not just origin:

Main frame partition key: hostplatform.com
Popup partition key: mainapp.com

Although both frames share the same origin, they live in different storage partitions, so their BroadcastChannels cannot communicate.
MSAL’s popup flow relies on broadcastResponseToMainFrame, which uses BroadcastChannel to send the authentication response from the popup back to the main frame. Due to partitioning, this message never reaches the listener, causing the login flow to stall.

[Finrod24]

Yes, this seems to be the current behavior.

But instead of the popup communicating to the main frame (hostplatform.com) i would expect it to communicate with the origin of the popup which was the iframe (mainapp.com).
Since the recommendation's in the MSAL documentation is to use loginPopup() in iframe scenarios.