Skip to content

EAR auth code fallback #8111

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: dev
Choose a base branch
from
Open

EAR auth code fallback #8111

wants to merge 4 commits into from
+288 −53

Conversation

@tnorling
Copy link
Collaborator

@tnorling tnorling commented Oct 23, 2025

This pull request introduces enhancements to the authentication flow to support fallback from Encrypted Authorize Response (EAR) to standard authorization code flow, working around lack of support for symmetric EAR in MSA.

Authentication flow fallback and PKCE improvements:

  • Updated PopupClient and SilentIframeClient to detect when the server does not support EAR and automatically fallback to the authorization code flow, passing the PKCE verifier as needed. This ensures authentication succeeds even if EAR is unsupported. [1] [2]
  • Refactored PKCE code generation and propagation: PKCE codes are now generated and passed through the EAR flow across all clients (PopupClient, RedirectClient, SilentIframeClient). The code challenge is included in requests and cached with the verifier for later use. [1] [2] [3] [4]

Protocol and test updates:

  • Modified the protocol logic in Authorize.ts to always include the PKCE code challenge in EAR requests as a backup, improving compatibility with servers that may not support EAR.
  • Updated protocol tests to verify that the code challenge and method are correctly included in authorization requests, ensuring test coverage for the new fallback and PKCE logic. [1] [2]

@tnorling tnorling marked this pull request as ready for review November 17, 2025 21:13
@tnorling tnorling requested a review from a team as a code owner November 17, 2025 21:13
Copilot AI review requested due to automatic review settings November 17, 2025 21:13
Copilot finished reviewing on behalf of tnorling November 17, 2025 21:18
Copilot AI reviewed Nov 17, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request implements automatic fallback from Encrypted Authorize Response (EAR) to standard authorization code flow when the server does not support EAR, ensuring authentication succeeds even with MSA which lacks symmetric EAR support.

Key Changes

  • Added PKCE code generation and propagation through the EAR flow across all interactive clients (PopupClient, RedirectClient, SilentIframeClient)
  • Implemented fallback logic to detect when server returns code instead of ear_jwe and automatically switch to authorization code flow
  • Optimized authority discovery in StandardInteractionClient by allowing reuse of already-discovered authority instances

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
lib/msal-browser/src/protocol/Authorize.ts Added PKCE code challenge as backup parameter in EAR requests to support fallback to auth code flow
lib/msal-browser/src/interaction_client/PopupClient.ts Added PKCE code generation to EAR flow and implemented fallback logic to handle auth code response
lib/msal-browser/src/interaction_client/RedirectClient.ts Added PKCE code generation and caching for EAR flow to support fallback on redirect
lib/msal-browser/src/interaction_client/SilentIframeClient.ts Added PKCE code generation to EAR flow and implemented fallback logic for silent iframe flows
lib/msal-browser/src/interaction_client/StandardInteractionClient.ts Added optional authority parameter to avoid redundant authority discovery when already available
lib/msal-browser/test/protocol/Authorize.spec.ts Updated tests to verify code challenge and method are included in EAR authorization requests
lib/msal-browser/test/interaction_client/PopupClient.spec.ts Added test case to verify EAR flow successfully falls back to auth code when server returns code
lib/msal-browser/test/interaction_client/RedirectClient.spec.ts Added test case to verify EAR flow fallback behavior in redirect scenarios
lib/msal-browser/test/interaction_client/SilentIframeClient.spec.ts Added test case to verify EAR flow fallback behavior in silent iframe flows
change/@azure-msal-browser-4584bec2-2724-4645-aac5-73cf620cedd7.json Beachball change file documenting the patch-level change for EAR fallback support

change/@azure-msal-browser-4584bec2-2724-4645-aac5-73cf620cedd7.json
@@ -0,0 +1,7 @@
{
"type": "patch",
"comment": "EAR flow falls back to auth code when /authorize returns code #8111",
Copy link

Copilot AI Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change message should include a link to the PR according to the beachball guidelines. The expected format is: Brief description of change [#XXXX](PR_URL).

For example: EAR flow falls back to auth code when /authorize returns code [#8111](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/8111)

Copilot generated this review using guidance from repository custom instructions.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tnorling