@tnorling (Collaborator)

This pull request introduces support for handling the "Keep Me Signed In" (KMSI) option in MSAL's browser cache logic. It updates both documentation and core caching code to ensure authentication artifacts are stored unencrypted in localStorage when KMSI is selected, and encrypted otherwise. The changes also propagate the KMSI flag through account and token storage APIs, update cache key formats and schema versions, and improve documentation to clarify new behaviors.

KMSI-aware cache storage and artifact handling:

  • Updated the cache storage logic in LocalStorage so that authentication artifacts are stored unencrypted in localStorage when the KMSI flag is set, and encrypted otherwise. This is handled via the new kmsi boolean parameter in relevant storage methods. (lib/msal-browser/src/cache/LocalStorage.ts)

  • Propagated the KMSI flag through the token and account loading and storage APIs, including updates to function signatures and calls in TokenCache, PlatformAuthInteractionClient, StandardController, and NestedAppAuthController. (lib/msal-browser/src/cache/TokenCache.ts, lib/msal-browser/src/interaction_client/PlatformAuthInteractionClient.ts, lib/msal-browser/src/controllers/StandardController.ts, lib/msal-browser/src/controllers/NestedAppAuthController.ts)

Documentation and developer clarity:

  • Improved documentation in caching.md to clarify how KMSI affects cache persistence and encryption. The docs now explain that localStorage persists across browser sessions only for users who select KMSI, and that encryption is skipped for those users. (lib/msal-browser/docs/caching.md)

Cache key format and schema versioning:

  • Changed the cache key separator from - to |, and incremented both credential and account schema versions to 2 to reflect the new format and logic. (lib/msal-browser/src/cache/CacheKeys.ts)

API surface and type updates:

  • Updated interfaces and method signatures to accept and handle the new kmsi boolean parameter for cache operations. (lib/msal-browser/src/cache/IWindowStorage.ts)

Common library exports:

  • Added the isKmsi utility to the AuthToken namespace for consistent KMSI flag extraction from token claims. (lib/msal-common/apiReview/msal-common.api.md)
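The KMSI-gated storage path described in this PR, as an added illustration that is not MSAL's own code: `isKmsi` reads the `signin_state` claim (assumed to contain `"kmsi"` when the user chose Keep Me Signed In), `accountKey` builds a schema-v2 key with the `|` separator, and a hypothetical `setUserData`/`getUserData` pair writes plaintext only when the `kmsi` flag is true. Node's `crypto` module stands in for the browser's Web Crypto so the example runs offline, `Map` stands in for `localStorage`, and the per-session key is constructed.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Assumed claim shape: an Entra ID ID token may carry a `signin_state` array
// containing "kmsi" when the user chose Keep Me Signed In.
export interface Claims { signin_state?: string[]; [claim: string]: unknown }

export function isKmsi(claims: Claims): boolean {
  return Array.isArray(claims.signin_state) && claims.signin_state.includes("kmsi");
}

// Schema v2 (per the PR) joins key parts with "|" instead of "-".
export const ACCOUNT_SCHEMA_VERSION = 2;
export function accountKey(homeAccountId: string, environment: string, tenantId: string): string {
  return [homeAccountId, environment, tenantId].join("|");
}

// Map stands in for window.localStorage so the example runs under Node.
export type Store = Map<string, string>;

// Hypothetical setUserData: the kmsi flag decides whether the artifact is written
// as plaintext (KMSI user) or as AES-256-GCM ciphertext under a per-session key.
export function setUserData(store: Store, key: string, value: string, kmsi: boolean, sessionKey: Buffer): void {
  if (kmsi) {
    store.set(key, JSON.stringify({ enc: false, data: value }));
    return;
  }
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", sessionKey, iv);
  const ct = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
  store.set(key, JSON.stringify({
    enc: true, iv: iv.toString("hex"), tag: cipher.getAuthTag().toString("hex"), ct: ct.toString("hex"),
  }));
}

// Reads back either form; without the session key (a new browser session) only
// the plaintext KMSI entries are recoverable, which is the persistence the PR describes.
export function getUserData(store: Store, key: string, sessionKey?: Buffer): string | undefined {
  const raw = store.get(key);
  if (raw === undefined) return undefined;
  const env = JSON.parse(raw);
  if (!env.enc) return env.data;
  if (!sessionKey) return undefined;
  const decipher = createDecipheriv("aes-256-gcm", sessionKey, Buffer.from(env.iv, "hex"));
  decipher.setAuthTag(Buffer.from(env.tag, "hex"));
  return Buffer.concat([decipher.update(Buffer.from(env.ct, "hex")), decipher.final()]).toString("utf8");
}
```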

@tnorling tnorling marked this pull request as ready for review October 31, 2025 23:27
Copilot AI review requested due to automatic review settings October 31, 2025 23:27
@tnorling tnorling requested review from a team and mustafamizrak as code owners October 31, 2025 23:27
Copilot AI (Contributor) left a comment

Pull Request Overview

This pull request implements "Keep Me Signed In" (KMSI) support for MSAL Browser, which significantly changes how tokens are stored in localStorage. The main goal is to conditionally skip encryption of tokens when users explicitly opt to stay signed in, while maintaining encryption by default for better security.

Key Changes:

  • Added KMSI detection based on signin_state claim in ID tokens
  • Updated cache schema version from v1 to v2 with a new key separator ("|" instead of "-")
  • Modified token storage to conditionally encrypt based on KMSI status
  • Enhanced cache migration logic to handle schema version upgrades while preserving KMSI information
  • Added comprehensive test coverage for KMSI scenarios and migration paths

Reviewed Changes

Copilot reviewed 30 out of 31 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| lib/msal-common/src/account/AuthToken.ts | Added isKmsi() function to detect KMSI from signin_state claim |
| lib/msal-common/src/account/TokenClaims.ts | Added signin_state property to TokenClaims type |
| lib/msal-common/src/cache/interface/ICacheManager.ts | Added kmsi parameter to all cache setter methods |
| lib/msal-common/src/cache/CacheManager.ts | Updated abstract methods and saveCacheRecord to pass kmsi flag |
| lib/msal-common/src/response/ResponseHandler.ts | Integrated KMSI detection when saving cache records |
| lib/msal-browser/src/cache/CacheKeys.ts | Updated schema versions to 2 and changed separator to "\|" |
| lib/msal-browser/src/cache/BrowserCacheManager.ts | Major refactor of migration logic and storage methods to support KMSI |
| lib/msal-browser/src/cache/LocalStorage.ts | Conditional encryption based on kmsi flag |
| lib/msal-browser/src/cache/IWindowStorage.ts | Added kmsi parameter to setUserData interface |
| lib/msal-browser/src/controllers/* | Updated controllers to pass KMSI status when caching accounts |
| lib/msal-browser/src/cache/TokenCache.ts | Updated loadExternalTokens to detect and pass KMSI |
| samples/msal-browser-samples/ExpressSample/test/upgrade-downgrade.spec.ts | Updated schema version constants and added v4.25.0 test cases |
| samples/e2eTestUtils/src/BrowserCacheTestUtils.ts | Updated account key to use v2 schema |
| lib/msal-browser/docs/caching.md | Updated documentation to explain KMSI behavior |
| Various test files | Added kmsi parameter to all cache operation test calls |

@tnorling tnorling merged commit 8c1fed9 into msal-v5 Nov 4, 2025
7 checks passed
@tnorling tnorling deleted the v5-kmsi branch November 4, 2025 22:36