Merge remote-tracking branch 'origin/enable_1p_naa' into enable_1p_naa

Author: konstantin-msft

change/@azure-msal-browser-0edfea56-535d-4b51-9035-1773e5f6a743.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Minify logging strings with rollup plugin #8000",
+  "packageName": "@azure/msal-browser",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

change/@azure-msal-browser-88e0dc39-07d7-4080-a5bb-96379561a4ff.json

@@ -0,0 +1,7 @@
+{
+  "type": "major",
+  "comment": "Remove onRedirectNavigate from endSessionRequest #8066",
+  "packageName": "@azure/msal-browser",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

change/@azure-msal-common-e0257c81-21e7-4658-a73e-2c2119abb8f0.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Minify logging strings with rollup plugin #8000",
+  "packageName": "@azure/msal-common",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

lib/msal-browser/apiReview/msal-browser.api.md

@@ -563,7 +563,6 @@ export type EndSessionPopupRequest = Partial<Omit<CommonEndSessionRequest, "toke
 // @public
 export type EndSessionRequest = Partial<Omit<CommonEndSessionRequest, "tokenQueryParameters">> & {
     authority?: string;
-    onRedirectNavigate?: (url: string) => boolean | void;
 };
 
 // Warning: (ae-missing-release-tag) "EventCallbackFunction" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)

lib/msal-browser/docs/logout.md

@@ -60,18 +60,25 @@ await msalInstance.logoutRedirect({
 ```
 
 ### Skipping the server sign-out
-
 **WARNING:** Skipping the server sign-out means the user's session will remain active on the server and can be signed back into your application without providing credentials again.
 
-If you want your application to only perform local logout you can provide a callback to the `onRedirectNavigate` parameter on the request and have the callback return false.
+If you want your application to only perform local logout you can provide a callback to the `onRedirectNavigate` parameter in the configuration and have the callback return false.
 
 ```javascript
-msalInstance.logoutRedirect({
-    onRedirectNavigate: (url) => {
-        // Return false if you would like to stop navigation after local logout
-        return false;
+const msalConfig = {
+    auth: {
+        clientId: 'your_client_id',
+        authority: 'https://login.microsoftonline.con/{your_tenant_id}',
+        redirectUri: 'https://contoso.com',
+        postLogoutRedirectUri: 'https://contoso.com/homepage',
+        onRedirectNavigate: (url) => {
+            // Return false if you would like to stop navigation after local logout
+            return false;
+        }
     }
-});
+};
+const msalInstance = new PublicClientApplication(msalConfig);
+msalInstance.logoutRedirect();
 ```
 
 ## logoutPopup
@@ -151,30 +158,26 @@ Example:
 ```typescript
 const msal = new PublicClientApplication({
     auth: {
-        clientId: "my-client-id"
+        clientId: "my-client-id",
+        onRedirectNavigate: (url) => {
+            return false;
+        }
     },
     system: {
         allowRedirectInIframe: true
     }
 })
 
 // Automatically on page load
-msal.logoutRedirect({
-    onRedirectNavigate: () => {
-        // Return false to stop navigation after local logout
-        return false;
-    }
-});
+msal.logoutRedirect();
 ```
 
-Now when a user logouts out of another application, your application's front-channel logout url will be loaded in a hidden iframe, and MSAL.js will clear its cache to complete single-sign out.
-
+Please note that front-channel logout is not always supported across browsers. Chromium enabled [Storage Partitioning](https://privacysandbox.google.com/cookies/storage-partitioning) and Firefox supports [similar standard](https://developer.mozilla.org/en-US/docs/Web/Privacy/Guides/State_Partitioning) limiting applications to execute front-channel logout. For official Entra documentation on this topic,  see [here](https://learn.microsoft.com/en-us/entra/identity-platform/reference-third-party-cookies-spas#limitations-on-front-channel-logout-without-third-party-cookies).
 
 ### Front-channel logout samples
 
 The following samples demonstrate how to implement front-channel logout using MSAL.js:
 
-- MSAL Angular v2: [Angular 11 sample](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-angular-v2-samples/angular11-sample-app)
 - MSAL React: [React Router sample](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-react-samples/react-router-sample)
 
 ## Events

lib/msal-browser/docs/v4-migration.md

@@ -159,7 +159,7 @@ See the [Configuration doc](./configuration.md#system-config-options) for more d
 
 ### Removal of `onRedirectNavigate` parameter
 
-The `onRedirectNavigate` parameter has been removed from the `RedirectRequest` object. It has *not* been removed from the `Configuration` object and can continue to be set there.
+The `onRedirectNavigate` parameter will *only be supported* from `Configuration` object going forward and is removed from `RedirectRequest` and `EndSessionRequest` objects. Please ensure to set it in msal config if you need to use it.
 
 ## Behavioral Breaking Changes
 

lib/msal-browser/package.json

@@ -72,9 +72,12 @@
     "test:coverage": "jest --coverage",
     "test:coverage:only": "npm run clean:coverage && npm run test:coverage",
     "build:all": "cd ../.. && npm run build --workspace=@azure/msal-common --workspace=@azure/msal-browser",
+    "build:all:debug": "cd ../.. && MSAL_MINIFY_LOGS=false npm run build --workspace=@azure/msal-common --workspace=@azure/msal-browser",
     "build:modules": "rollup -c --strictDeprecations --bundleConfigAsCjs",
     "build:modules:watch": "rollup -cw --bundleConfigAsCjs",
     "build": "npm run clean && npm run build:modules",
+    "build:debug": "npm run clean && MSAL_MINIFY_LOGS=false npm run build:modules",
+    "decode-logs": "node scripts/decode-logs.cjs",
     "prepack": "npm run build:all",
     "format:check": "prettier --ignore-path .gitignore --check src test",
     "format:fix": "prettier --ignore-path .gitignore --write src test",
@@ -114,4 +117,4 @@
   "dependencies": {
     "@azure/msal-common": "15.7.0"
   }
-}
+}

lib/msal-browser/rollup.config.js

@@ -7,13 +7,15 @@ import { nodeResolve } from "@rollup/plugin-node-resolve";
 import typescript from "@rollup/plugin-typescript";
 import terser from "@rollup/plugin-terser";
 import pkg from "./package.json";
-import { createPackageJson } from "rollup-msal";
+import { createPackageJson, loggerMinifyPlugin } from "rollup-msal";
+import path from "path";
 
 const libraryHeader = `/*! ${pkg.name} v${pkg.version} ${
     new Date().toISOString().split("T")[0]
 } */`;
 const useStrictHeader = "'use strict';";
 const fileHeader = `${libraryHeader}\n${useStrictHeader}`;
+const minifyLogs = process.env.MSAL_MINIFY_LOGS !== 'false';
 
 export default [
     {
@@ -38,6 +40,11 @@ export default [
                 typescript: require("typescript"),
                 tsconfig: "tsconfig.build.json",
             }),
+            ...(minifyLogs === true ? [loggerMinifyPlugin({
+                verbose: true,
+                outputFile: path.resolve(__dirname, "./dist/log-strings-mapping.json"),
+                packageJsonPath: path.resolve(__dirname, "./package.json"),
+            })] : []),
         ],
     },
     {
@@ -65,6 +72,11 @@ export default [
                 compilerOptions: { outDir: "lib/types" },
             }),
             createPackageJson({ libPath: __dirname }),
+            ...(minifyLogs === true ? [loggerMinifyPlugin({
+                outputFile: path.resolve(__dirname, "./lib/log-strings-mapping.json"),
+                packageJsonPath: path.resolve(__dirname, "./package.json"),
+                verbose: true
+            })] : []),
         ],
     },
     {
@@ -96,6 +108,9 @@ export default [
                     declarationMap: false,
                 },
             }),
+            ...(minifyLogs === true ? [loggerMinifyPlugin({
+                verbose: true
+            })] : []),
         ],
     },
     {
@@ -127,9 +142,13 @@ export default [
                     declarationMap: false,
                 },
             }),
+            loggerMinifyPlugin({
+                verbose: true
+            }),
             terser({
                 output: {
                     preamble: libraryHeader,
+                    comments: false,
                 },
             }),
         ],
@@ -156,6 +175,11 @@ export default [
                 typescript: require("typescript"),
                 tsconfig: "tsconfig.custom-auth.build.json",
             }),
+            ...(minifyLogs === true ? [loggerMinifyPlugin({
+                verbose: true,
+                outputFile: path.resolve(__dirname, "./dist/custom-auth-path/log-strings-mapping.json"),
+                packageJsonPath: path.resolve(__dirname, "./package.json"),
+            })] : []),
         ],
     },
     {
@@ -180,6 +204,11 @@ export default [
                 sourceMap: true,
                 compilerOptions: { outDir: "lib/custom-auth-path/types" },
             }),
+            ...(minifyLogs === true ? [loggerMinifyPlugin({
+                outputFile: path.resolve(__dirname, "./lib/custom-auth-path/log-strings-mapping.json"),
+                packageJsonPath: path.resolve(__dirname, "./package.json"),
+                verbose: true
+            })] : []),
         ],
     },
 ];

lib/msal-browser/scripts/README.md

@@ -0,0 +1,97 @@
+# MSAL Browser Log Decoder
+
+This script decodes hashed logging strings from browser console logs back to their original messages.
+
+## Overview
+
+The MSAL Browser library hashes logging strings to reduce bundle size. When running in a browser, console logs display these hashes instead of full messages. This decoder script transforms those hashed logs back into readable messages and saves them to a new file.
+
+## Log Format
+
+The script expects log files where each MSAL log entry follows this format:
+```
+[timestamp] : [correlation-id] : @azure/[module]@[version] : [LogLevel] - [hash]
+```
+
+Example:
+```
+[Tue, 07 Oct 2025 16:50:29 GMT] : [] : @azure/[email protected] : Verbose - 0hoqeo
+[Tue, 07 Oct 2025 16:50:30 GMT] : [abc-123] : @azure/[email protected] : Info - 1atvtd
+```
+
+Non-MSAL log lines are preserved unchanged in the output.
+
+## Usage
+
+### Basic Usage
+```bash
+node scripts/decode-logs.cjs <path-to-log-file>
+```
+
+### With NPM Script
+```bash
+npm run decode-logs -- <path-to-log-file>
+```
+
+### Verbose Mode
+Add `--verbose` or `-V` flag for detailed debugging information:
+```bash
+node scripts/decode-logs.cjs --verbose <path-to-log-file>
+npm run decode-logs -- --verbose /path/to/console.log
+```
+
+### Examples
+```bash
+# Decode logs from a file
+node scripts/decode-logs.cjs ./console-logs.txt
+# Output: ./console-logs-decoded.txt
+
+# Decode with verbose output
+node scripts/decode-logs.cjs --verbose /Users/user/Downloads/browser-console.log
+# Output: /Users/user/Downloads/browser-console-decoded.log
+
+# Using npm script
+npm run decode-logs -- ./logs/debug.log
+# Output: ./logs/debug-decoded.log
+```
+
+## Output
+
+The script creates a new file with the decoded logs in the same directory as the input file, adding a `-decoded` suffix before the file extension:
+
+- Input: `/path/to/debug.log` → Output: `/path/to/debug-decoded.log`
+
+## Features
+
+- **Automatic Version Detection**: Extracts module@version from each log entry and fetches appropriate mappings
+- **Multi-Module Support**: Handles logs from multiple MSAL packages (msal-browser, msal-common, etc.)
+- **Multiple Versions Support**: Can handle multiple versions of the same module in a single file
+- **Efficient Mapping Download**: Downloads each unique module@version combination only once
+- **Local Fallback**: Automatically falls back to local mapping files when remote fetching fails
+- **Non-MSAL Log Preservation**: Leaves non-MSAL log lines unchanged
+- **File Output**: Saves decoded logs to a new file with `-decoded` suffix
+- **Remote Mapping Fetching**: Automatically downloads mappings from npm registry
+- **Caching**: Caches downloaded mappings for 24 hours to improve performance
+- **Verbose Mode**: Detailed debugging information with `--verbose` flag
+
+## How It Works
+
+1. **Scans the entire log file** to identify all unique module@version combinations
+2. **Downloads mappings once** for each unique module@version combination
+3. **Falls back to local mappings** if remote download fails (for local development)
+4. **Identifies MSAL log entries** by pattern matching for `@azure/[module]@[version]`
+5. **Decodes hashes** back to original messages using the appropriate mappings
+6. **Preserves non-MSAL lines** unchanged
+7. **Saves decoded output** to a new file with `-decoded` suffix
+
+## Mapping File Locations
+
+The script looks for mapping files in the following locations within each package:
+- **@azure/msal-browser**: `dist/log-strings-mapping.json`, `dist/custom-auth-path/log-strings-mapping.json`
+- **@azure/msal-common**: `dist-browser/log-strings-mapping.json`
+
+## Cache Location
+
+Downloaded mappings are cached in: `temp/log-mappings/`
+
+Cache files are valid for 24 hours.