Remove extraQueryParameters and extraParameters fields from Request types in msal-node (#8136)

Avery-Dunn · Copilot · web-flow · commit bb941e717609 · 2025-11-18T15:43:21.000-08:00
Removes the extraQueryParameters/extraParameters API according to KR [3310905](https://identitydivision.visualstudio.com/Engineering/_workitems/edit/3310905), similar to what is being done in MSAL.NET and MSAL Java: AzureAD/microsoft-authentication-library-for-dotnet#5536 AzureAD/microsoft-authentication-library-for-java#1001 This API was meant for niche scenarios which the library did not explicitly cover, and extensive usage could lead to bad caching behavior: these extra query parameters could affect the contents and validity of tokens but were not used in our caching scheme, so if they changed between requests we could return tokens that were not valid for the latest set of parameters. Therefore we are deprecating the current API and, if there is a need for it, may add a new API in the future to perform similar behavior in a more robust way (like was done in MSAL .NET due to requests from first-party customers). --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
diff --git a/change/@azure-msal-node-ad99a1d3-bdf2-499d-a4a2-7b4ef4153d6a.json b/change/@azure-msal-node-ad99a1d3-bdf2-499d-a4a2-7b4ef4153d6a.json
@@ -0,0 +1,7 @@
+{
+  "type": "major",
+  "comment": "Remove extraQueryParameters and extraParameters fields from Request types [#8136](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/8136)",
+  "packageName": "@azure/msal-node",
+  "email": "avdunn@microsoft.com",
+  "dependentChangeType": "patch"
+}
diff --git a/lib/msal-node/src/request/ClientCredentialRequest.ts b/lib/msal-node/src/request/ClientCredentialRequest.ts
@@ -13,8 +13,6 @@ import { CommonClientCredentialRequest } from "./CommonClientCredentialRequest.j
  * - correlationId           - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  * - skipCache               - Skip token cache lookup and force request to authority to get a a new token. Defaults to false.
  * - clientAssertion         - An assertion string or a callback function that returns an assertion string (both are Base64Url-encoded signed JWTs) used in the Client Credential flow
- * - extraQueryParameters    - String to string map of custom query parameters added to outgoing token service requests
- * - extraParameters         - String to string map of custom query parameters added to outgoing token service requests
  * @public
  */
 export type ClientCredentialRequest = Partial<
diff --git a/lib/msal-node/src/request/CommonClientCredentialRequest.ts b/lib/msal-node/src/request/CommonClientCredentialRequest.ts
@@ -18,10 +18,11 @@ import {
  * - preferredAzureRegionOptions        - Options of the user's preferred azure region
  * - clientAssertion                  - An assertion string or a callback function that returns an assertion string (both are Base64Url-encoded signed JWTs) used in the Client Credential flow
  * - azureRegion                       - Azure region to be used for regional authentication
- * - extraQueryParameters              - String to string map of custom query parameters added to outgoing token service requests
- * - extraParameters                   - String to string map of custom query parameters added to outgoing token service requests
  */
-export type CommonClientCredentialRequest = BaseAuthRequest & {
+export type CommonClientCredentialRequest = Omit<
+    BaseAuthRequest,
+    "extraQueryParameters" | "extraParameters"
+> & {
     skipCache?: boolean;
     azureRegion?: AzureRegion;
     clientAssertion?: ClientAssertion;
diff --git a/lib/msal-node/src/request/CommonOnBehalfOfRequest.ts b/lib/msal-node/src/request/CommonOnBehalfOfRequest.ts
@@ -11,10 +11,11 @@ import { BaseAuthRequest } from "@azure/msal-common/node";
  * - correlationId           - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  * - oboAssertion            - The access token that was sent to the middle-tier API. This token must have an audience of the app making this OBO request.
  * - skipCache               - Skip token cache lookup and force request to authority to get a a new token. Defaults to false.
- * - extraQueryParameters    - String to string map of custom query parameters added to outgoing token service requests
- * - extraParameters         - String to string map of custom query parameters added to outgoing token service requests
  */
-export type CommonOnBehalfOfRequest = BaseAuthRequest & {
+export type CommonOnBehalfOfRequest = Omit<
+    BaseAuthRequest,
+    "extraQueryParameters" | "extraParameters"
+> & {
     oboAssertion: string;
     skipCache?: boolean;
 };
diff --git a/lib/msal-node/src/request/OnBehalfOfRequest.ts b/lib/msal-node/src/request/OnBehalfOfRequest.ts
@@ -11,8 +11,6 @@ import { CommonOnBehalfOfRequest } from "./CommonOnBehalfOfRequest.js";
  * - correlationId           - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
  * - oboAssertion            - The access token that was sent to the middle-tier API. This token must have an audience of the app making this OBO request.
  * - skipCache               - Skip token cache lookup and force request to authority to get a a new token. Defaults to false.
- * - extraQueryParameters    - String to string map of custom query parameters added to outgoing token service requests
- * - extraParameters         - String to string map of custom query parameters added to outgoing token service requests
  * @public
  */
 export type OnBehalfOfRequest = Partial<
diff --git a/lib/msal-node/test/client/ClientCredentialClient.spec.ts b/lib/msal-node/test/client/ClientCredentialClient.spec.ts
@@ -119,45 +119,6 @@ describe("ClientCredentialClient unit tests", () => {
         checkMockedNetworkRequest(returnVal, checks);
     });
 
-    it("Adds extraQueryParameters to the /token request", async () => {
-        const badExecutePostToTokenEndpointMock = jest.spyOn(
-            ClientCredentialClient.prototype,
-            <any>"executePostToTokenEndpoint"
-        );
-        // no implementation has been mocked, the acquireToken call will fail
-
-        const fakeConfig: ClientConfiguration =
-            await ClientTestUtils.createTestClientConfiguration();
-        const client: ClientCredentialClient = new ClientCredentialClient(
-            fakeConfig
-        );
-
-        const clientCredentialRequest: CommonClientCredentialRequest = {
-            authority: TEST_CONFIG.validAuthority,
-            correlationId: TEST_CONFIG.CORRELATION_ID,
-            scopes: TEST_CONFIG.DEFAULT_GRAPH_SCOPE,
-            extraQueryParameters: {
-                testParam1: "testValue1",
-                testParam2: "",
-                testParam3: "testValue3",
-            },
-        };
-
-        await expect(
-            client.acquireToken(clientCredentialRequest)
-        ).rejects.toThrow();
-
-        if (!badExecutePostToTokenEndpointMock.mock.lastCall) {
-            fail("executePostToTokenEndpointMock was not called");
-        }
-        const url: string = badExecutePostToTokenEndpointMock.mock
-            .lastCall[0] as string;
-        expect(
-            url.includes("/token?testParam1=testValue1&testParam3=testValue3")
-        ).toBeTruthy();
-        expect(!url.includes("/token?testParam2=")).toBeTruthy();
-    });
-
     it("acquireToken's interactionRequiredAuthError error contains claims", async () => {
         const errorResponse = {
             error: "interaction_required",
diff --git a/lib/msal-node/test/client/OnBehalfOfClient.spec.ts b/lib/msal-node/test/client/OnBehalfOfClient.spec.ts
@@ -232,46 +232,6 @@ describe("OnBehalfOf unit tests", () => {
             );
         });
 
-        it("Adds extraQueryParameters to the /token request", async () => {
-            const badExecutePostToTokenEndpointMock = jest.spyOn(
-                OnBehalfOfClient.prototype,
-                <any>"executePostToTokenEndpoint"
-            );
-            // no implementation has been mocked, the acquireToken call will fail
-
-            const fakeConfig: ClientConfiguration =
-                await ClientTestUtils.createTestClientConfiguration();
-            const client: OnBehalfOfClient = new OnBehalfOfClient(fakeConfig);
-
-            const oboRequest: CommonOnBehalfOfRequest = {
-                scopes: [...TEST_CONFIG.DEFAULT_GRAPH_SCOPE],
-                authority: TEST_CONFIG.validAuthority,
-                correlationId: TEST_CONFIG.CORRELATION_ID,
-                oboAssertion: "user_assertion_hash",
-                skipCache: true,
-                claims: TEST_CONFIG.CLAIMS,
-                extraQueryParameters: {
-                    testParam1: "testValue1",
-                    testParam2: "",
-                    testParam3: "testValue3",
-                },
-            };
-
-            await expect(client.acquireToken(oboRequest)).rejects.toThrow();
-
-            if (!badExecutePostToTokenEndpointMock.mock.lastCall) {
-                fail("executePostToTokenEndpointMock was not called");
-            }
-            const url: string = badExecutePostToTokenEndpointMock.mock
-                .lastCall[0] as string;
-            expect(
-                url.includes(
-                    "/token?testParam1=testValue1&testParam3=testValue3"
-                )
-            ).toBeTruthy();
-            expect(!url.includes("/token?testParam2=")).toBeTruthy();
-        });
-
         it("Does not add claims when empty object provided", async () => {
             const client = new OnBehalfOfClient(config);
 
