feat: add default idToken claims (signin_state, login_hint) and kmsi on AccountInfo#8656
Open
tnorling wants to merge 8 commits into
Conversation
b46cc3e to 8bd619d
Contributor
Pull request overview
This PR enhances MSAL request-claims handling by automatically injecting default optional id_token claims (signin_state, login_hint) into all auth requests (at wire-serialization time), and by surfacing Keep Me Signed In (KMSI) state as an optional kmsi boolean on AccountInfo. It also replaces the prior “add client capabilities to claims” helper with a new single-pass buildMergedClaims merger.
Changes:
- Add `buildMergedClaims` to merge caller claims + default optional `id_token` claims + `xms_cc` client capabilities, and update callers to use it.
- Add `AccountInfo.kmsi` derived from the `signin_state` claim using the existing `isKmsi` helper.
- Update unit tests and API review output, and add Beachball changefiles for msal-common/msal-browser.
Reviewed changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| lib/msal-common/src/request/RequestParameterBuilder.ts | Introduces buildMergedClaims and makes addClaims always set the claims param. |
| lib/msal-common/src/utils/Constants.ts | Adds ClaimsRequestKeys constants for id_token, signin_state, and login_hint. |
| lib/msal-common/src/account/AccountInfo.ts | Adds kmsi?: boolean to AccountInfo and populates it from signin_state. |
| lib/msal-common/apiReview/msal-common.api.md | Updates extracted public API for new kmsi and buildMergedClaims. |
| lib/msal-common/test/request/RequestParameterBuilder.spec.ts | Updates/expands unit tests for merged-claims behavior and default claims injection. |
| lib/msal-common/test/protocol/Authorize.spec.ts | Adjusts expected encoded claims query parameter. |
| lib/msal-common/test/client/RefreshTokenClient.spec.ts | Adjusts expected encoded claims parameter for token requests. |
| lib/msal-common/test/client/AuthorizationCodeClient.spec.ts | Adjusts expected encoded claims parameter for token requests. |
| lib/msal-browser/src/utils/BrowserUtils.ts | Switches exported helper from addClientCapabilitiesToClaims to buildMergedClaims. |
| lib/msal-browser/src/naa/mapping/NestedAppAuthAdapter.ts | Updates NAA claims construction to use buildMergedClaims. |
| lib/msal-browser/src/interaction_client/PlatformAuthInteractionClient.ts | Updates platform request initialization to use buildMergedClaims. |
| lib/msal-browser/test/naa/JSRuntime.spec.ts | Updates assertions to validate default id_token claims are added in NAA flow. |
| lib/msal-browser/test/interaction_client/PlatformAuthInteractionClient.spec.ts | Updates expectations to account for injected default id_token claims. |
| lib/msal-browser/test/interaction_client/SilentIframeClient.spec.ts | Updates test AccountInfo objects with new optional fields. |
| lib/msal-browser/test/utils/StringConstants.ts | Updates shared test AccountInfo fixture with new optional fields. |
| change/@azure-msal-common-1d98c12e-3b9f-4969-a710-fa8e2bf5a287.json | Beachball changefile for msal-common minor change. |
| change/@azure-msal-browser-b1b2fad5-8b32-43bd-9659-38cdc37ce382.json | Beachball changefile for msal-browser minor change. |
Comments suppressed due to low confidence (1)
lib/msal-common/src/request/RequestParameterBuilder.ts:533
- Same `hasOwnProperty` shadowing concern applies to the access_token check. Use `Object.prototype.hasOwnProperty.call(...)` to avoid a caller-provided `hasOwnProperty` key breaking this logic.

```ts
if (
    !mergedClaims.hasOwnProperty(
        Constants.ClaimsRequestKeys.ACCESS_TOKEN
    )
) {
```
0c55300 to 43ca3df
…on AccountInfo
- Add buildMergedClaims to RequestParameterBuilder that combines default optional idToken claims and client capabilities in a single pass
- Add signin_state and login_hint as default optional idToken claims on all auth requests (injected at wire-serialization time only)
- Add kmsi boolean to AccountInfo populated from signin_state claim
- Remove addClientCapabilitiesToClaims, replaced by buildMergedClaims
- Update all callers and tests
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
f2c6fe2 to 4a8290d
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Update msal-node test constants and utilities for default claims
- Remove login_hint optional claim opt-in language from logout docs since MSAL now requests it by default
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
lalimasharda approved these changes Jun 18, 2026
Description
Adds two features to msal-common and msal-browser:

1. Default optional idToken claims on all auth requests

Automatically includes `signin_state` and `login_hint` as optional idToken claims on every auth request. These are injected at wire-serialization time in `RequestParameterBuilder.addClaims()`, so `request.claims` remains unchanged and `SilentFlowClient` cache-skip logic is unaffected. When no user-specified claims or client capabilities are present, the claims parameter will be:

```json
{"id_token":{"signin_state":{"essential":false},"login_hint":{"essential":false}}}
```

Caller-specified idToken claims are preserved and not overwritten.

2. `kmsi` boolean on `AccountInfo`

A new optional `kmsi` field on `AccountInfo` indicates whether the Keep Me Signed In flag is set. It is populated from the `signin_state` claim using the existing `isKmsi()` helper in `AuthToken.ts`.

Implementation details

- `buildMergedClaims`: New function in `RequestParameterBuilder` that parses claims JSON, merges default optional idToken claims, and appends client capabilities (`xms_cc`) in a single parse/stringify pass.
- `addClientCapabilitiesToClaims` removed: Replaced by `buildMergedClaims`. All callers updated (`NestedAppAuthAdapter`, `PlatformAuthInteractionClient`, `BrowserUtils`).
- `ClaimsRequestKeys`: Added `ID_TOKEN`, `SIGNIN_STATE`, and `LOGIN_HINT` constants.
- `addClaims` always sets the CLAIMS parameter: Since `buildMergedClaims` always produces a non-empty result, the previous conditional guard was removed.

Changed packages

- `@azure/msal-common` (minor)
- `@azure/msal-browser` (minor)

Companion PR

IDDP/msal-javascript-1p PR #24680
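The following is an added example, not code from this PR or from MSAL.js. It models two points made on this page in one runnable unit: the merge semantics the description gives for `buildMergedClaims` (default `signin_state`/`login_hint` under `id_token` with `{"essential": false}`, caller-specified idToken claims preserved, client capabilities appended as `xms_cc`, one parse/stringify pass), and the `hasOwnProperty` shadowing concern from the Copilot review comment, which a caller's claims JSON can trigger by containing a key literally named `hasOwnProperty`. Everything the PR does not state is an assumption: the `isPlainObject` guard, placing capabilities at `access_token.xms_cc.values`, the `kmsiFromClaims` helper (which stands in for, and is not, MSAL's `isKmsi`), and the assumed shape of `signin_state` as an array of strings containing `"kmsi"`.

```typescript
// Added example, not MSAL's own code. Models buildMergedClaims as described in
// the PR plus the prototype-based own-property check the review asked for.
// Assumptions (not stated by the PR): the isPlainObject guard, the
// access_token.xms_cc.values placement, and signin_state being an array of
// strings that contains "kmsi" when Keep Me Signed In is on.

type ClaimsObject = Record<string, unknown>;

const ID_TOKEN = "id_token";
const ACCESS_TOKEN = "access_token";
const XMS_CC = "xms_cc";
const DEFAULT_ID_TOKEN_CLAIMS = ["signin_state", "login_hint"] as const;

// Own-property check that keeps working when the caller's claims JSON contains
// a key literally named "hasOwnProperty" (the shadowing the review flagged).
function hasOwn(obj: object, key: string): boolean {
    return Object.prototype.hasOwnProperty.call(obj, key);
}

function isPlainObject(v: unknown): v is ClaimsObject {
    return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Parses the caller's claims JSON (if any), adds the default optional id_token
// claims without overwriting caller-specified ones, appends client
// capabilities, and serializes once. Always returns a non-empty JSON object.
function buildMergedClaims(claims?: string, clientCapabilities?: string[]): string {
    let merged: ClaimsObject = {};
    if (claims) {
        const parsed: unknown = JSON.parse(claims); // malformed JSON throws here
        if (!isPlainObject(parsed)) {
            throw new Error("claims must be a JSON object");
        }
        merged = parsed;
    }

    const existingIdToken = merged[ID_TOKEN];
    const idToken: ClaimsObject = isPlainObject(existingIdToken) ? existingIdToken : {};
    for (const claim of DEFAULT_ID_TOKEN_CLAIMS) {
        if (!hasOwn(idToken, claim)) {
            idToken[claim] = { essential: false }; // default only where the caller set nothing
        }
    }
    merged[ID_TOKEN] = idToken;

    if (clientCapabilities && clientCapabilities.length > 0) {
        const existingAccessToken = merged[ACCESS_TOKEN];
        const accessToken: ClaimsObject = isPlainObject(existingAccessToken) ? existingAccessToken : {};
        accessToken[XMS_CC] = { values: clientCapabilities }; // assumed placement
        merged[ACCESS_TOKEN] = accessToken;
    }

    return JSON.stringify(merged);
}

// The failure mode the review describes: calling hasOwnProperty as a method on
// parsed JSON breaks when the input shadows it; the prototype call above does not.
function shadowedMethodCheckThrows(): boolean {
    const hostile = JSON.parse('{"hasOwnProperty":1,"access_token":{}}');
    try {
        hostile.hasOwnProperty(ACCESS_TOKEN);
        return false;
    } catch {
        return true; // TypeError: hostile.hasOwnProperty is not a function
    }
}

// Derives a kmsi flag from id_token claims. Assumed claim shape; the PR only
// says AccountInfo.kmsi comes from signin_state via the existing isKmsi helper.
function kmsiFromClaims(idTokenClaims: { signin_state?: unknown }): boolean {
    const state = idTokenClaims.signin_state;
    return Array.isArray(state) && state.includes("kmsi");
}

// Constructed sample input: the caller marks login_hint essential and shadows
// hasOwnProperty; the defaults fill in signin_state only.
const sample = buildMergedClaims(
    '{"hasOwnProperty":1,"id_token":{"login_hint":{"essential":true}}}',
    ["cp1"]
);
console.log(sample);
```

The string this returns is what a builder would URL-encode into the `claims` request parameter; as the description notes, doing the merge at that point leaves `request.claims` untouched for cache-skip decisions. With no input, the output is exactly the default payload quoted in the description.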