Skip to content

loadExternalTokens bug fixes #8242

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tnorling merged 11 commits into from
Jan 16, 2026
Merged

loadExternalTokens bug fixes #8242

tnorling merged 11 commits into from
Jan 16, 2026

Conversation

@tnorling
Copy link
Collaborator

@tnorling tnorling commented Jan 16, 2026

This pull request introduces several important improvements and bug fixes to token caching and authority handling in the browser library. The main changes include more robust handling of authority discovery and preferred cache environments, correct calculation and caching of refresh token expiration, and enhanced test coverage for these scenarios. Additionally, the AccountEntity conversion now ensures tenant profiles are always present, and telemetry fields have been updated to capture new metrics.

Authority and Token Caching Improvements:

  • The TokenCache now uses AuthorityFactory.createDiscoveredInstance to resolve the authority and its preferred cache environment, ensuring tokens are always cached under the correct environment. This fixes issues with mismatched environments when using authorities like login.microsoftonline.com, which should use login.windows.net for caching. (lib/msal-browser/src/cache/TokenCache.ts, [1] [2]
  • Updated the logic so that when caching tokens, the environment is always taken from the authority's preferred cache, not directly from the request or account. (lib/msal-browser/src/cache/BrowserCacheManager.ts, [1] [2]

Refresh Token Expiration Handling:

  • Added logic to calculate and cache the refresh token expiration (expiresOn) based on refresh_token_expires_in from the token response. This value is now passed to the credential and recorded in telemetry. (lib/msal-browser/src/cache/TokenCache.ts, [1] [2]; lib/msal-common/apiReview/msal-common.api.md, [3]

Account Entity Conversion Robustness:

  • The AccountEntity.getAccountInfo method now ensures that at least the home tenant profile is present when converting to AccountInfo, preventing missing tenant profile issues. (lib/msal-common/src/cache/entities/AccountEntity.ts, [1] [2]

Test Coverage and Reliability Enhancements:

  • Added and updated tests to verify correct refresh token expiration handling, preferred cache environment usage, and tenant profile population. Also removed obsolete tests that no longer match the new authority handling logic. (lib/msal-browser/test/cache/TokenCache.spec.ts, [1] [2] [3]; lib/msal-browser/test/custom_auth/test_resources/TestConstants.ts, [4]
  • Improved test setup for account retrieval and coverage of multiple account scenarios. (lib/msal-browser/test/interaction_client/SilentRefreshClient.spec.ts, lib/msal-browser/test/interaction_client/SilentRefreshClient.spec.tsR235-R238)

Telemetry and Miscellaneous:

These changes collectively improve the reliability, correctness, and observability of token caching and authority resolution in the browser library.

Copilot AI review requested due to automatic review settings January 16, 2026 00:34
@tnorling
Copy link
Collaborator Author

tnorling commented Jan 16, 2026

@copilot Please generate changefiles for this PR

Copilot AI mentioned this pull request Jan 16, 2026
Merged
5 tasks
Copy link
Contributor

Copilot AI commented Jan 16, 2026

@tnorling I've opened a new pull request, #8243, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI reviewed Jan 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes critical bugs in token caching and authority handling, particularly addressing environment mismatches when using authority aliases (e.g., login.microsoftonline.com vs login.windows.net). The changes ensure tokens are always cached under the correct preferred cache environment and properly handle refresh token expiration.

Changes:

  • Authority resolution now uses AuthorityFactory.createDiscoveredInstance to determine the preferred cache environment before caching tokens
  • Refresh token expiration is now calculated from refresh_token_expires_in and stored with the credential, with telemetry support via new extRtExpiresOnSeconds field
  • AccountEntity conversion ensures home tenant profiles are always present to prevent missing tenant profile issues
  • Account lookup in ResponseHandler uses getAllAccounts to find accounts across authority aliases

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
lib/msal-browser/src/cache/TokenCache.ts Uses AuthorityFactory.createDiscoveredInstance for authority resolution and preferred cache environment; calculates refresh token expiration from response
lib/msal-browser/src/cache/BrowserCacheManager.ts Removes optional chaining on result.account properties (now guaranteed non-null)
lib/msal-common/src/response/ResponseHandler.ts Changes account lookup from getAccount to getAllAccounts to find accounts across authority aliases
lib/msal-common/src/cache/entities/AccountEntity.ts Ensures home tenant profile exists in both getAccountInfo and createFromAccountInfo methods
lib/msal-common/src/telemetry/performance/PerformanceEvent.ts Adds extRtExpiresOnSeconds telemetry field
lib/msal-browser/test/cache/TokenCache.spec.ts Adds tests for refresh token expiration, preferred cache environment, and removes obsolete test
lib/msal-common/test/cache/entities/AccountEntity.spec.ts Updates test to verify home tenant profile creation
lib/msal-common/test/response/ResponseHandler.spec.ts Adds tests for account lookup with authority aliases
lib/msal-browser/test/interaction_client/SilentRefreshClient.spec.ts Adds mock for getAllAccounts
lib/msal-browser/test/custom_auth/test_resources/TestConstants.ts Fixes test account IDs to match CLIENT_INFO
lib/msal-common/apiReview/msal-common.api.md Updates API surface with new telemetry field and TSDoc line numbers
Comments suppressed due to low confidence (1)

lib/msal-common/test/response/ResponseHandler.spec.ts:1

  • The test manually creates a tenant profile array but doesn't verify that AccountEntity.getAccountInfo correctly creates this profile when it's missing. Consider adding a test case where the account entity has no tenant profiles to ensure the new logic in getAccountInfo is tested.
import { ServerAuthorizationTokenResponse } from "../../src/response/ServerAuthorizationTokenResponse.js";

Copilot AI added a commit that referenced this pull request Jan 16, 2026
@tnorling
Generate beachball changefiles for PR #8242
170d562 
Co-authored-by: tnorling <[email protected]>
Copilot AI and others added 2 commits January 15, 2026 16:51
@tnorling
Add beachball changefiles for loadExternalTokens bug fixes (#8243)
ae8a98a 
- [x] Generate beachball changefiles for @azure/msal-browser and
@azure/msal-common
- [x] Set change type to "patch" for both packages (bug fixes)
- [x] Update change messages to include PR #8242
- [x] Validate changefiles with beachball:check
- [x] Convert HTML anchor tags to markdown-style links

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: tnorling <[email protected]>
Co-authored-by: Thomas Norling <[email protected]>
@tnorling
fix test
75ea1d8
@tnorling tnorling requested a review from a team as a code owner January 16, 2026 01:27
github-code-quality[bot]
github-code-quality bot found potential problems Jan 16, 2026
View reviewed changes
tnorling and others added 4 commits January 16, 2026 12:17
@tnorling @github-code-quality
Potential fix for pull request finding 'Semicolon insertion'
b3170a5 
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
@tnorling
fix formatting
5d63df6
@tnorling
apiExtractor
b128c0a
@tnorling
apiExtractor
947e40b
@tnorling tnorling enabled auto-merge (squash) January 16, 2026 21:39
sameerag
sameerag reviewed Jan 16, 2026
View reviewed changes
@tnorling tnorling merged commit efc1ae6 into dev Jan 16, 2026
8 checks passed
@tnorling tnorling deleted the fix-loadExternalTokens-RT branch January 16, 2026 23:54
Copilot AI mentioned this pull request Jan 20, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@hectormmg hectormmg hectormmg approved these changes

@sameerag sameerag sameerag approved these changes

@konstantin-msft konstantin-msft konstantin-msft approved these changes

@shenj shenj Awaiting requested review from shenj

@yongdiw yongdiw Awaiting requested review from yongdiw

@nilo-ms nilo-ms Awaiting requested review from nilo-ms

@spetrescu84 spetrescu84 Awaiting requested review from spetrescu84

@mustafamizrak mustafamizrak Awaiting requested review from mustafamizrak

+1 more reviewer

@github-code-quality github-code-quality[bot] github-code-quality[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@tnorling @hectormmg @sameerag @konstantin-msft