Skip to content

[v5] Add skipBrokerClaims parameter for brokered authentication flows#8419

Open
Copilot wants to merge 10 commits intodevfrom
copilot/migrate-pr-8409-to-dev-again
Open

[v5] Add skipBrokerClaims parameter for brokered authentication flows#8419
Copilot wants to merge 10 commits intodevfrom
copilot/migrate-pr-8409-to-dev-again

Conversation

Copy link
Contributor

Copilot AI commented Mar 12, 2026
edited
Loading

Migrates PR #8409 from v4-lts to dev. Adds skipBrokerClaims request parameter to exclude broker's clientCapabilities from claims in brokered authentication flows—embedded apps should not inherit parent app capabilities.

Changes

  • BaseAuthRequest: Add skipBrokerClaims?: boolean property
  • RequestParameterBuilder.addClaims(): Extended with optional skipBrokerClaims parameter to skip clientCapabilities only when both skipBrokerClaims=true AND BROKER_CLIENT_ID is present
  • Authorize.ts, AuthorizationCodeClient.ts, RefreshTokenClient.ts: Move claims handling after broker params are set; pass skipBrokerClaims to addClaims() function
  • Tests: 18 new test cases (12 across the three caller files + 6 for the addClaims skipBrokerClaims behavior) covering all behavior combinations
  • Docs: Update request-response-object.md with parameter documentation

Usage

const request = {
    scopes: ["User.Read"],
    embeddedClientId: "child-app-client-id",
    skipBrokerClaims: true, // Excludes broker's clientCapabilities from claims
};

const response = await msalInstance.acquireTokenSilent(request);

Behavior Matrix

skipBrokerClaims embeddedClientId set clientCapabilities in claims
false/unset Yes ✅ Included
false/unset No ✅ Included
true No ✅ Included
true Yes ❌ Excluded

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 3 commits March 12, 2026 17:12
Initial plan
fd36c8b
@sameerag
Add skipBrokerClaims parameter for brokered authentication flows
f9e4721 
Co-authored-by: sameerag <21958742+sameerag@users.noreply.github.com>
@sameerag
Fix changefile comment format with proper PR link
65d88bf 
Co-authored-by: sameerag <21958742+sameerag@users.noreply.github.com>
@sameerag sameerag marked this pull request as ready for review March 12, 2026 17:28
@sameerag sameerag requested a review from a team as a code owner March 12, 2026 17:28
Copilot AI review requested due to automatic review settings March 12, 2026 17:28
@sameerag sameerag changed the title Add skipBrokerClaims parameter for brokered authentication flows [v5] Add skipBrokerClaims parameter for brokered authentication flows Mar 12, 2026
Copilot AI reviewed Mar 12, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new skipBrokerClaims request flag to support embedded/brokered scenarios where the child app should not inherit the broker (parent) app’s configured clientCapabilities in outgoing claims.

Changes:

  • Add skipBrokerClaims?: boolean to BaseAuthRequest and update the API review file.
  • Update /authorize and /token request-building logic to conditionally omit config-driven clientCapabilities from claims when broker params are present.
  • Add unit tests covering the 4 combinations of {skipBrokerClaims} x {brokered flow} and document the new request parameter in msal-browser docs.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
package-lock.json Large lockfile regeneration/churn included alongside the feature work.
lib/msal-common/test/protocol/Authorize.spec.ts Adds tests validating claims behavior for brokered vs non-brokered authorize requests.
lib/msal-common/test/client/RefreshTokenClient.spec.ts Adds tests validating token request body claims behavior for refresh token flow.
lib/msal-common/test/client/AuthorizationCodeClient.spec.ts Adds tests validating token request body claims behavior for auth code flow.
lib/msal-common/src/request/BaseAuthRequest.ts Introduces skipBrokerClaims on the common request shape.
lib/msal-common/src/protocol/Authorize.ts Moves/adjusts claims building to happen after broker params are applied and conditionally omits config capabilities.
lib/msal-common/src/client/RefreshTokenClient.ts Adjusts token request parameter construction to conditionally omit config capabilities in brokered flows.
lib/msal-common/src/client/AuthorizationCodeClient.ts Adjusts token request parameter construction to conditionally omit config capabilities in brokered flows.
lib/msal-common/apiReview/msal-common.api.md Updates the public API surface snapshot to include skipBrokerClaims.
lib/msal-browser/docs/request-response-object.md Documents skipBrokerClaims and its behavior matrix for brokered requests.
change/@azure-msal-common-1773335883.json Adds the Beachball changefile for the msal-common change.

konstantin-msft
konstantin-msft reviewed Mar 12, 2026
View reviewed changes
@sameerag
Extract duplicated claims handling into reusable addClaimsWithBrokerS…
e9edd33 
…upport function

Co-authored-by: sameerag <21958742+sameerag@users.noreply.github.com>
Copilot AI requested a review from sameerag March 12, 2026 21:23
@sameerag
Merge addClaimsWithBrokerSupport logic into addClaims function
b6758c2 
Co-authored-by: sameerag <21958742+sameerag@users.noreply.github.com>
@sameerag
Update changefile comment to use standard Beachball format with PR link
4f2e1bf 
Co-authored-by: sameerag <21958742+sameerag@users.noreply.github.com>
@sameerag
Copy link
Member

sameerag commented Mar 12, 2026

@copilot update apiExtractor for msal-common

@sameerag
Update msal-common API review file with addClaims signature change
01d7abf 
Co-authored-by: sameerag <21958742+sameerag@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Mar 12, 2026

@copilot update apiExtractor for msal-common

Updated the msal-common API review file with the new addClaims signature that includes the skipBrokerClaims parameter. (01d7abf)

@sameerag
Copy link
Member

sameerag commented Mar 12, 2026

@copilot format check is failing for msal-common, Can you please fix it? Please also run unit tests before checking in.

@sameerag
Fix formatting issues in RequestParameterBuilder.spec.ts
e59fc82 
Co-authored-by: sameerag <21958742+sameerag@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Mar 12, 2026

@copilot format check is failing for msal-common, Can you please fix it? Please also run unit tests before checking in.

Fixed the formatting issue in RequestParameterBuilder.spec.ts and verified all 944 unit tests pass. (e59fc82)

sameerag
sameerag reviewed Mar 20, 2026
View reviewed changes
@sameerag
Copy link
Member

sameerag commented Mar 20, 2026

@copilot regenerate package-lock.json and run the checks again.

Copy link
Contributor Author

Copilot AI commented Mar 20, 2026

@copilot regenerate package-lock.json and run the checks again.

Regenerated package-lock.json and verified all checks pass: format check ✅, lint ✅, all 944 unit tests pass ✅ (68ec561)

Copilot AI requested a review from sameerag March 20, 2026 19:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@konstantin-msft konstantin-msft konstantin-msft left review comments

Copilot code review Copilot Copilot left review comments

@sameerag sameerag Awaiting requested review from sameerag

At least 2 approving reviews are required to merge this pull request.

Assignees

@sameerag sameerag

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sameerag @konstantin-msft