AzureAD · hectormmg · Jun 5, 2025 · Jun 5, 2025 · Jun 5, 2025 · Jun 6, 2025
diff --git a/change/@azure-msal-browser-cfc942e4-b61f-4c9d-b4af-ed9cb7636840.json b/change/@azure-msal-browser-cfc942e4-b61f-4c9d-b4af-ed9cb7636840.json
@@ -0,0 +1,7 @@
+{
+  "type": "major",
+  "comment": "Move navigateToLoginRequestUrl to request config",
+  "packageName": "@azure/msal-browser",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
@@ -171,7 +171,7 @@ For a full implementation, please refer to the app creation scripts in the [Vani
 
 The redirect flow can be confusing, as redirecting away from the page means you are creating a whole new instance of the application when you return. This means that calling a redirect method cannot return anything. Rather, what happens is that the page is redirected away, you enter your credentials, and you are redirected back to your application with the response in the url hash.
 
-If `navigateToLoginRequestUrl` property in MSAL configuration parameters is set to **true**, you will be redirected again to the page you were on when you called `loginRedirect`, unless that page was also set as your `redirectUri`. On the final page your application must call `handleRedirectPromise()` in order to process the hash and cache tokens in local/session storage.
+If `navigateToLoginRequestUrl` property is passed in as an option to `handleRedirectPromise` and set to **true**, you will be redirected again to the page you were on when you called `loginRedirect`, unless that page was also set as your `redirectUri`. On the final page your application must call `handleRedirectPromise()` in order to process the hash and cache tokens in local/session storage.
 
 As this function returns a promise you can call `.then` and `.catch`, similar to `loginPopup`.
 

@@ -281,7 +281,6 @@ export type BrowserAuthOptions = {
     authorityMetadata?: string;
     redirectUri?: string;
     postLogoutRedirectUri?: string | null;
-    navigateToLoginRequestUrl?: boolean;
     clientCapabilities?: Array<string>;
     OIDCOptions?: OIDCOptions;
     azureCloudOptions?: AzureCloudOptions;
@@ -731,7 +730,9 @@ export interface IController {
     // @internal (undocumented)
     getPerformanceClient(): IPerformanceClient;
     // (undocumented)
-    handleRedirectPromise(hash?: string): Promise<AuthenticationResult | null>;
+    handleRedirectPromise(hash?: string, options?: {
+        navigateToLoginRequestUrl?: boolean;
+    }): Promise<AuthenticationResult | null>;
     // (undocumented)
     hydrateCache(result: AuthenticationResult, request: SilentRequest | SsoSilentRequest | RedirectRequest | PopupRequest): Promise<void>;
     // (undocumented)
@@ -1257,7 +1258,10 @@ export class PublicClientApplication implements IPublicClientApplication {
     getConfiguration(): BrowserConfiguration;
     getLogger(): Logger;
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
-    handleRedirectPromise(hash?: string | undefined): Promise<AuthenticationResult | null>;
+    // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
+    handleRedirectPromise(hash?: string | undefined, options?: {
+        navigateToLoginRequestUrl?: boolean;
+    }): Promise<AuthenticationResult | null>;
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
     hydrateCache(result: AuthenticationResult, request: SilentRequest | SsoSilentRequest | RedirectRequest | PopupRequest): Promise<void>;
     // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
@@ -1382,6 +1386,7 @@ function redirectPreflightCheck(initialized: boolean, config: BrowserConfigurati
 export type RedirectRequest = Partial<Omit<CommonAuthorizationUrlRequest, "responseMode" | "scopes" | "earJwk" | "codeChallenge" | "codeChallengeMethod" | "requestedClaimsHash" | "platformBroker">> & {
     scopes: Array<string>;
     redirectStartPage?: string;
+    navigateToLoginRequestUrl?: boolean;
 };
 
 // Warning: (ae-missing-release-tag) "replaceHash" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
@@ -1569,7 +1574,7 @@ export type WrapperSKU = (typeof WrapperSKU)[keyof typeof WrapperSKU];
 // src/cache/LocalStorage.ts:297:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/cache/LocalStorage.ts:355:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/cache/LocalStorage.ts:386:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
-// src/config/Configuration.ts:210:5 - (ae-forgotten-export) The symbol "InternalAuthOptions" needs to be exported by the entry point index.d.ts
+// src/config/Configuration.ts:207:5 - (ae-forgotten-export) The symbol "InternalAuthOptions" needs to be exported by the entry point index.d.ts
 // src/event/EventHandler.ts:113:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/event/EventHandler.ts:139:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/index.ts:8:12 - (tsdoc-characters-after-block-tag) The token "@azure" looks like a TSDoc tag but contains an invalid character "/"; if it is not a tag, use a backslash to escape the "@"

@@ -65,6 +65,13 @@ await loadExternalTokens(
 1. The `skipAuthorityMetadataCache` parameter has been removed from BrowserAuthOptions in Configuration.
 1. The `protocolMode` parameter has been moved to SystemOptions instead of BrowserAuthOptions in Configuration.
 1. The `supportsNestedAppAuth` parameter has been removed. Use the `createNestablePublicClientApplication` API for Nested Apps instead. Read more about Nested Apps [here](./initialization.md#nested-app-configuration).
+1. The `navigateTologinRequestUrl` parameter has been removed from BrowserAuthOptions in Configuration. Default behavior remains the same (set to true), in order to maintain custom configuration:
+    1. For APIs that take a `RedirectRequest` object, the type now has a `navigateToLoginRequestUrl` parameter
+    1. For `handleRedirectPromise`, `navigateToLoginRequestUrl` has to be passed in as an option as follows:
+
+    ```typescript
+      pca.handleRedirectPromise(hash, { navigateToLoginRequestUrl: false })
+    ```
 
 ### CacheOptions changes
 

@@ -212,12 +212,16 @@ export class PublicClientApplication implements IPublicClientApplication {
      * has loaded during redirect flows. This should be invoked on all page loads involved in redirect
      * auth flows.
      * @param hash Hash to process. Defaults to the current value of window.location.hash. Only needs to be provided explicitly if the response to be handled is not contained in the current value.
+     * @param options Object containing optional configuration for redirect promise handling.
      * @returns Token response or null. If the return value is null, then no auth redirect was detected.
      */
     handleRedirectPromise(
-        hash?: string | undefined
+        hash?: string | undefined,
+        options?: {
+            navigateToLoginRequestUrl?: boolean;
+        }
     ): Promise<AuthenticationResult | null> {
-        return this.controller.handleRedirectPromise(hash);
+        return this.controller.handleRedirectPromise(hash, options);
     }
 
     /**

@@ -69,10 +69,7 @@ export type BrowserAuthOptions = {
      * The redirect URI where the window navigates after a successful logout.
      */
     postLogoutRedirectUri?: string | null;
-    /**
-     * Boolean indicating whether to navigate to the original request URL after the auth server navigates to the redirect URL.
-     */
-    navigateToLoginRequestUrl?: boolean;
+
     /**
      * Array of capabilities which will be added to the claims.access_token.xms_cc request property on every network request.
      */
@@ -241,7 +238,6 @@ export function buildConfiguration(
         redirectUri:
             typeof window !== "undefined" ? BrowserUtils.getCurrentUri() : "",
         postLogoutRedirectUri: "",
-        navigateToLoginRequestUrl: true,
         clientCapabilities: [],
         OIDCOptions: {
             responseMode: Constants.ResponseMode.FRAGMENT,

@@ -72,7 +72,10 @@ export interface IController {
 
     getAllAccounts(accountFilter?: AccountFilter): AccountInfo[];
 
-    handleRedirectPromise(hash?: string): Promise<AuthenticationResult | null>;
+    handleRedirectPromise(
+        hash?: string,
+        options?: { navigateToLoginRequestUrl?: boolean }
+    ): Promise<AuthenticationResult | null>;
 
     loginPopup(request?: PopupRequest): Promise<AuthenticationResult>;
 

@@ -392,10 +392,14 @@ export class StandardController implements IController {
      * has loaded during redirect flows. This should be invoked on all page loads involved in redirect
      * auth flows.
      * @param hash Hash to process. Defaults to the current value of window.location.hash. Only needs to be provided explicitly if the response to be handled is not contained in the current value.
+     * @param options Object containing optional configuration for redirect promise handling.
      * @returns Token response or null. If the return value is null, then no auth redirect was detected.
      */
     async handleRedirectPromise(
-        hash?: string
+        hash?: string,
+        options?: {
+            navigateToLoginRequestUrl?: boolean;
+        }
     ): Promise<AuthenticationResult | null> {
         this.logger.verbose("handleRedirectPromise called");
         // Block token acquisition before initialize has been called
@@ -410,7 +414,7 @@ export class StandardController implements IController {
             const redirectResponseKey = hash || "";
             let response = this.redirectResponse.get(redirectResponseKey);
             if (typeof response === "undefined") {
-                response = this.handleRedirectPromiseInternal(hash);
+                response = this.handleRedirectPromiseInternal(hash, options);
                 this.redirectResponse.set(redirectResponseKey, response);
                 this.logger.verbose(
                     "handleRedirectPromise has been called for the first time, storing the promise"
@@ -435,7 +439,10 @@ export class StandardController implements IController {
      * @returns
      */
     private async handleRedirectPromiseInternal(
-        hash?: string
+        hash?: string,
+        options?: {
+            navigateToLoginRequestUrl?: boolean;
+        }
     ): Promise<AuthenticationResult | null> {
         if (!this.browserStorage.isInteractionInProgress(true)) {
             this.logger.info(
@@ -518,7 +525,13 @@ export class StandardController implements IController {
                     this.logger,
                     this.performanceClient,
                     rootMeasurement.event.correlationId
-                )(hash, standardRequest, codeVerifier, rootMeasurement);
+                )(
+                    hash,
+                    standardRequest,
+                    codeVerifier,
+                    rootMeasurement,
+                    options
+                );
             }
         } catch (e) {
             this.browserStorage.resetRequestCache();

@@ -311,6 +311,8 @@ export class PlatformAuthInteractionClient extends BaseInteractionClient {
         );
 
         const nativeRequest = await this.initializeNativeRequest(request);
+        const navigateToLoginRequestUrl =
+            request.navigateToLoginRequestUrl ?? true;
 
         try {
             await this.platformAuthProvider.sendMessage(nativeRequest);
@@ -336,7 +338,7 @@ export class PlatformAuthInteractionClient extends BaseInteractionClient {
             timeout: this.config.system.redirectNavigationTimeout,
             noHistory: false,
         };
-        const redirectUri = this.config.auth.navigateToLoginRequestUrl
+        const redirectUri = navigateToLoginRequestUrl
             ? window.location.href
             : this.getRedirectUri(request.redirectUri);
         rootMeasurement.end({ success: true });

@@ -288,12 +288,18 @@ export class RedirectClient extends StandardInteractionClient {
         hash: string = "",
         request: CommonAuthorizationUrlRequest,
         pkceVerifier: string,
-        parentMeasurement: InProgressPerformanceEvent
+        parentMeasurement: InProgressPerformanceEvent,
+        options?: {
+            navigateToLoginRequestUrl?: boolean;
+        }
     ): Promise<AuthenticationResult | null> {
         const serverTelemetryManager = this.initializeServerTelemetryManager(
             ApiId.handleRedirectPromise
         );
 
+        const navigateToLoginRequestUrl =
+            options?.navigateToLoginRequestUrl ?? true;
+
         try {
             const [serverParams, responseString] = this.getRedirectResponse(
                 hash || ""
@@ -330,7 +336,7 @@ export class RedirectClient extends StandardInteractionClient {
 
             if (
                 loginRequestUrlNormalized === currentUrlNormalized &&
-                this.config.auth.navigateToLoginRequestUrl
+                navigateToLoginRequestUrl
             ) {
                 // We are on the page we need to navigate to - handle hash
                 this.logger.verbose(
@@ -350,7 +356,7 @@ export class RedirectClient extends StandardInteractionClient {
                 );
 
                 return handleHashResult;
-            } else if (!this.config.auth.navigateToLoginRequestUrl) {
+            } else if (!navigateToLoginRequestUrl) {
                 this.logger.verbose(
                     "NavigateToLoginRequestUrl set to false, handling response"
                 );

@@ -31,6 +31,7 @@ import { CommonAuthorizationUrlRequest } from "@azure/msal-common/browser";
  * - claims                     - In cases where Azure AD tenant admin has enabled conditional access policies, and the policy has not been met, exceptions will contain claims that need to be consented to.
  * - nonce                      - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
  * - redirectStartPage          - The page that should be returned to after loginRedirect or acquireTokenRedirect. This should only be used if this is different from the redirectUri and will default to the page that initiates the request. When the navigateToLoginRequestUrl config option is set to false this parameter will be ignored.
+ * - navigateToLoginRequestUrl - If true, the browser will navigate to the login request URL after the redirect response is received. If false, the response will be returned to the calling code and the browser will not navigate to the login request URL.
  */
 export type RedirectRequest = Partial<
     Omit<
@@ -46,4 +47,5 @@ export type RedirectRequest = Partial<
 > & {
     scopes: Array<string>;
     redirectStartPage?: string;
+    navigateToLoginRequestUrl?: boolean;
 };
@@ -42,7 +42,6 @@ describe("Configuration.ts Class Unit Tests", () => {
         );
         expect(emptyConfig.auth.redirectUri).toBeDefined();
         expect(emptyConfig.auth.postLogoutRedirectUri).toBe("");
-        expect(emptyConfig.auth.navigateToLoginRequestUrl).toBe(true);
         expect(emptyConfig.auth?.azureCloudOptions?.azureCloudInstance).toBe(
             AzureCloudInstance.None
         );
@@ -234,7 +233,6 @@ describe("Configuration.ts Class Unit Tests", () => {
                     authority: TEST_CONFIG.validAuthority,
                     redirectUri: TEST_URIS.TEST_ALTERNATE_REDIR_URI,
                     postLogoutRedirectUri: TEST_URIS.TEST_LOGOUT_URI,
-                    navigateToLoginRequestUrl: false,
                 },
                 cache: {
                     cacheLocation: BrowserCacheLocation.LocalStorage,
@@ -261,7 +259,6 @@ describe("Configuration.ts Class Unit Tests", () => {
         expect(newConfig.auth.postLogoutRedirectUri).toBe(
             TEST_URIS.TEST_LOGOUT_URI
         );
-        expect(newConfig.auth.navigateToLoginRequestUrl).toBe(false);
         // Cache config checks
         expect(newConfig.cache).not.toBeNull();
         expect(newConfig.cache?.cacheLocation).not.toBeNull();

@@ -346,7 +346,6 @@ describe("RedirectClient", () => {
                         auth: {
                             // @ts-ignore
                             ...pca.config.auth,
-                            navigateToLoginRequestUrl: false,
                         },
                     },
                     browserStorage,
@@ -368,7 +367,10 @@ describe("RedirectClient", () => {
                     TEST_HASHES.TEST_SUCCESS_CODE_HASH_REDIRECT,
                     testRequest,
                     TEST_CONFIG.TEST_VERIFIER,
-                    rootMeasurement
+                    rootMeasurement,
+                    {
+                        navigateToLoginRequestUrl: false,
+                    }
                 )
                 .catch((e) => {
                     expect(e).toEqual("Error in handleResponse");
@@ -850,7 +852,6 @@ describe("RedirectClient", () => {
             let pca = new PublicClientApplication({
                 auth: {
                     clientId: TEST_CONFIG.MSAL_CLIENT_ID,
-                    navigateToLoginRequestUrl: false,
                 },
             });
 
@@ -883,7 +884,10 @@ describe("RedirectClient", () => {
                 "",
                 testRequest,
                 TEST_CONFIG.TEST_VERIFIER,
-                rootMeasurement
+                rootMeasurement,
+                {
+                    navigateToLoginRequestUrl: false,
+                }
             );
             expect(tokenResponse?.uniqueId).toEqual(testTokenResponse.uniqueId);
             expect(tokenResponse?.tenantId).toEqual(testTokenResponse.tenantId);
@@ -1147,7 +1151,6 @@ describe("RedirectClient", () => {
             let pca = new PublicClientApplication({
                 auth: {
                     clientId: TEST_CONFIG.MSAL_CLIENT_ID,
-                    navigateToLoginRequestUrl: false,
                 },
             });
 
@@ -1180,7 +1183,10 @@ describe("RedirectClient", () => {
                 "",
                 testRequest,
                 TEST_CONFIG.TEST_VERIFIER,
-                rootMeasurement
+                rootMeasurement,
+                {
+                    navigateToLoginRequestUrl: false,
+                }
             );
             expect(tokenResponse?.uniqueId).toEqual(testTokenResponse.uniqueId);
             expect(tokenResponse?.tenantId).toEqual(testTokenResponse.tenantId);
@@ -1667,7 +1673,6 @@ describe("RedirectClient", () => {
             let pca = new PublicClientApplication({
                 auth: {
                     clientId: TEST_CONFIG.MSAL_CLIENT_ID,
-                    navigateToLoginRequestUrl: false,
                 },
             });
 
@@ -1717,7 +1722,10 @@ describe("RedirectClient", () => {
                 "",
                 testRequest,
                 TEST_CONFIG.TEST_VERIFIER,
-                rootMeasurement
+                rootMeasurement,
+                {
+                    navigateToLoginRequestUrl: false,
+                }
             );
         });