[v5] Add skipBrokerClaims parameter for brokered authentication flows #8419
Co-authored-by: sameerag <21958742+sameerag@users.noreply.github.com>
Pull request overview
Adds a new skipBrokerClaims request flag to support embedded/brokered scenarios where the child app should not inherit the broker (parent) app’s configured clientCapabilities in outgoing claims.
Changes:
- Add `skipBrokerClaims?: boolean` to `BaseAuthRequest` and update the API review file.
- Update `/authorize` and `/token` request-building logic to conditionally omit config-driven `clientCapabilities` from `claims` when broker params are present.
- Add unit tests covering the 4 combinations of `{skipBrokerClaims} x {brokered flow}` and document the new request parameter in msal-browser docs.
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package-lock.json | Large lockfile regeneration/churn included alongside the feature work. |
| lib/msal-common/test/protocol/Authorize.spec.ts | Adds tests validating claims behavior for brokered vs non-brokered authorize requests. |
| lib/msal-common/test/client/RefreshTokenClient.spec.ts | Adds tests validating token request body claims behavior for refresh token flow. |
| lib/msal-common/test/client/AuthorizationCodeClient.spec.ts | Adds tests validating token request body claims behavior for auth code flow. |
| lib/msal-common/src/request/BaseAuthRequest.ts | Introduces skipBrokerClaims on the common request shape. |
| lib/msal-common/src/protocol/Authorize.ts | Moves/adjusts claims building to happen after broker params are applied and conditionally omits config capabilities. |
| lib/msal-common/src/client/RefreshTokenClient.ts | Adjusts token request parameter construction to conditionally omit config capabilities in brokered flows. |
| lib/msal-common/src/client/AuthorizationCodeClient.ts | Adjusts token request parameter construction to conditionally omit config capabilities in brokered flows. |
| lib/msal-common/apiReview/msal-common.api.md | Updates the public API surface snapshot to include skipBrokerClaims. |
| lib/msal-browser/docs/request-response-object.md | Documents skipBrokerClaims and its behavior matrix for brokered requests. |
| change/@azure-msal-common-1773335883.json | Adds the Beachball changefile for the msal-common change. |
| "type": "patch", | ||
| "comment": "Add skipBrokerClaims parameter for brokered authentication flows (migrate <a href=\"https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/8409\">#8409</a> to dev)", | ||
| "packageName": "@azure/msal-common", | ||
| "email": "AzureADGitHubBot@users.noreply.github.com", | ||
| "dependentChangeType": "patch" |
This PR’s changefile comment does not follow the repo’s Beachball template (Markdown link to the PR, e.g. ... [#XXXX](https://github.com/.../pull/XXXX)). Please update the comment field to use the standard format so changelogs are consistent.
Updated the changefile comment to follow the standard Beachball template format with the PR link at the end: Add skipBrokerClaims parameter for brokered authentication flows [#8419](...) (4f2e1bf)
…upport function Co-authored-by: sameerag <21958742+sameerag@users.noreply.github.com>
@copilot update apiExtractor for msal-common
@copilot format check is failing for msal-common, can you please fix it? Please also run unit tests before checking in.
Migrates PR #8409 from v4-lts to dev. Adds `skipBrokerClaims` request parameter to exclude broker's `clientCapabilities` from claims in brokered authentication flows—embedded apps should not inherit parent app capabilities.

Changes
- `BaseAuthRequest`: Add `skipBrokerClaims?: boolean` property
- `RequestParameterBuilder.addClaims()`: Extended with optional `skipBrokerClaims` parameter to skip `clientCapabilities` only when both `skipBrokerClaims=true` AND `BROKER_CLIENT_ID` is present
- `Authorize.ts`, `AuthorizationCodeClient.ts`, `RefreshTokenClient.ts`: Move claims handling after broker params are set; pass `skipBrokerClaims` to `addClaims()` function
- Tests: `addClaims` (skipBrokerClaims behavior) covering all behavior combinations
- `request-response-object.md`: updated with parameter documentation

Usage

Behavior Matrix

| skipBrokerClaims | embeddedClientId set | clientCapabilities in claims |
|---|---|---|
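The decision rule from the description (drop the configured `clientCapabilities` only when `skipBrokerClaims` is true AND a broker client id is present) worked through as an added TypeScript example. This is not MSAL's own code: the request shape, the placeholder broker id and the simplified `access_token.xms_cc` merge are assumptions made for the illustration.

```typescript
// Added example modelling the skipBrokerClaims rule described in the PR.
// Not MSAL's code: the option shape and the claims merge below are simplified assumptions.

type Claims = Record<string, unknown>;

interface ClaimsRequestOptions {
  claims?: string;               // caller-supplied claims JSON, if any
  clientCapabilities: string[];  // capabilities configured on the (broker) app
  brokerClientId?: string;       // set only when broker params were added to the request
  skipBrokerClaims?: boolean;    // the new request flag
}

// Returns the claims JSON to put on the request, or undefined when nothing should be sent.
function buildClaimsParam(opts: ClaimsRequestOptions): string | undefined {
  const brokered = opts.brokerClientId !== undefined && opts.brokerClientId !== "";
  // Capabilities are omitted only when BOTH conditions hold; every other combination keeps them.
  const includeCapabilities =
    opts.clientCapabilities.length > 0 && !(opts.skipBrokerClaims === true && brokered);

  const merged: Claims = opts.claims ? (JSON.parse(opts.claims) as Claims) : {};
  if (includeCapabilities) {
    // Assumption: capabilities are carried under access_token.xms_cc.values, as MSAL does.
    const accessToken = (merged.access_token as Claims | undefined) ?? {};
    accessToken.xms_cc = { values: opts.clientCapabilities };
    merged.access_token = accessToken;
  }
  return Object.keys(merged).length === 0 ? undefined : JSON.stringify(merged);
}

// Evaluates one cell of the behavior matrix: {skipBrokerClaims} x {brokered flow}.
function capabilitiesInClaims(skip: boolean, brokered: boolean): boolean {
  const out = buildClaimsParam({
    clientCapabilities: ["CP1"],                              // constructed sample capability
    brokerClientId: brokered ? "broker-client-id-placeholder" : undefined,
    skipBrokerClaims: skip,
  });
  return out !== undefined && JSON.parse(out).access_token?.xms_cc !== undefined;
}
```

Only the `skipBrokerClaims=true` plus brokered cell drops the capabilities; caller-supplied claims are passed through untouched in every case.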