Skip to content

[v5] Add support for authorize call using method POST #7997

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 28 commits into
base: msal-v5
Choose a base branch
from
Open

[v5] Add support for authorize call using method POST #7997

wants to merge 28 commits into from

Conversation

@hectormmg
Copy link
Member

@hectormmg hectormmg commented Aug 13, 2025
edited
Loading

This PR:

  • Migrates usage of tokenBodyParameters and tokenQueryParameters to use extraParams instead
  • Updates extra param logic to properly set the extra params in request body params or URL query params depending on the HTTP method used
  • Adds httpMethod to request parameters
  • Adds implementation and tests for POST method on authorize calls

@hectormmg
Add support for authorize call using method POST (#7920)
e41e39a 
This PR:
- Adds the `httpMethod` and `authorizePostBodyParameters` options to
`BaseAuthRequest`
- Enables calls to the `/authorize` endpoint using HTTP method "POST"
using the `Redirect`, `Popup`, and `SilentIFrame` flows
- Ensures `extraQueryParameters` are still encoded into the request URL
in `POST` flow
- Ensures `httpMethod` cannot be set to 'GET' when using the EAR
protocol mode (throws when the request is validated)
- Ensures request validation to make sure the combinations of
`httpMethod` and `authorizePostBodyParameters` as well as `httpMethod`
and protocol mode happens before synchronous popup is opened.
Copilot AI review requested due to automatic review settings August 13, 2025 22:43
@github-actions github-actions bot added documentation Related to documentation. samples Related to the samples apps for the library. msal-browser Related to msal-browser package msal-common Related to msal-common package labels Aug 13, 2025
Copilot AI reviewed Aug 13, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for calling the /authorize endpoint using HTTP POST method across all browser authentication flows. The implementation includes new request validation logic that ensures proper combinations of HTTP method, protocol mode, and body parameters while maintaining backward compatibility with existing GET-based flows.

  • Adds httpMethod and authorizePostBodyParameters fields to the BaseAuthRequest interface
  • Implements POST flow support for Redirect, Popup, and SilentIFrame authentication flows
  • Ensures validation prevents invalid combinations like GET method with body parameters or GET method with EAR protocol mode

Reviewed Changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
lib/msal-common/src/utils/Constants.ts Adds HttpMethod enum with GET and POST values
lib/msal-common/src/request/BaseAuthRequest.ts Extends request interface with httpMethod and authorizePostBodyParameters fields
lib/msal-common/src/error/ClientConfigurationErrorCodes.ts Adds validation error codes for invalid request method configurations
lib/msal-common/src/request/RequestParameterBuilder.ts Adds utility function to handle POST body parameters
lib/msal-browser/src/request/RequestHelpers.ts Implements request validation logic for HTTP method combinations
lib/msal-browser/src/protocol/Authorize.ts Adds getCodeForm function for creating POST forms
lib/msal-browser/src/interaction_handler/SilentHandler.ts Implements POST flow support for silent iframe requests
lib/msal-browser/src/interaction_client/StandardInteractionClient.ts Integrates request validation into authorization request initialization
lib/msal-browser/src/interaction_client/SilentIframeClient.ts Adds POST method support to silent iframe flow
lib/msal-browser/src/interaction_client/RedirectClient.ts Implements POST flow execution for redirect authentication
lib/msal-browser/src/interaction_client/PopupClient.ts Adds POST method support to popup authentication flow
Sample files Updates test app to demonstrate POST method usage
Test files Adds comprehensive test coverage for new functionality
Change files Documents API changes for both msal-common and msal-browser packages

You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.

@hectormmg hectormmg marked this pull request as draft August 14, 2025 16:40
@hectormmg hectormmg marked this pull request as ready for review October 28, 2025 16:38
@hectormmg hectormmg requested review from a team as code owners October 28, 2025 16:38
tnorling
tnorling reviewed Oct 28, 2025
View reviewed changes
tnorling
tnorling reviewed Oct 28, 2025
View reviewed changes
tnorling
tnorling reviewed Oct 28, 2025
View reviewed changes
tnorling
tnorling reviewed Oct 28, 2025
View reviewed changes
tnorling
tnorling reviewed Oct 28, 2025
View reviewed changes
tnorling
tnorling reviewed Oct 28, 2025
View reviewed changes
@hectormmg hectormmg requested a review from tnorling October 30, 2025 18:02
sameerag
sameerag reviewed Oct 30, 2025
View reviewed changes
sameerag
sameerag reviewed Oct 30, 2025
View reviewed changes
lib/msal-browser/docs/v4-migration.md

### Consolidation of extra request parameters

The following request parameters have been removed:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above. I would move this to PS as a note and highlight the PS with a removal notice as needed.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, not sure I understand. I think the above comment you're referring to did not get submitted?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant can we mention the new support first and then follow up with removed params. Better for readability.

@hectormmg @sameerag
Update docs/errors.md
8a15a85 
Co-authored-by: Sameera Gajjarapu <[email protected]>
@hectormmg hectormmg requested a review from sameerag October 30, 2025 20:19
sameerag
sameerag reviewed Oct 31, 2025
View reviewed changes
Copy link
Member

@sameerag sameerag left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed, lets track and add NAA as a special case, and a follow up. Approving.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@sameerag sameerag sameerag approved these changes

@jo-arroyo jo-arroyo Awaiting requested review from jo-arroyo

@peterzenz peterzenz Awaiting requested review from peterzenz

@Robbie-Microsoft Robbie-Microsoft Awaiting requested review from Robbie-Microsoft

@konstantin-msft konstantin-msft Awaiting requested review from konstantin-msft

@lalimasharda lalimasharda Awaiting requested review from lalimasharda

@shylasummers shylasummers Awaiting requested review from shylasummers

@tnorling tnorling Awaiting requested review from tnorling

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

documentation Related to documentation. msal-browser Related to msal-browser package msal-common Related to msal-common package samples Related to the samples apps for the library.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@hectormmg @tnorling @sameerag