From ed5c2f1959adffba760fc8f6aaca2a97433cbae2 Mon Sep 17 00:00:00 2001 From: avdunn Date: Thu, 6 Nov 2025 14:47:56 -0800 Subject: [PATCH 1/4] Deprecate tokenQueryParameters in msal-node --- .../src/request/AuthorizationCodeRequest.ts | 12 +++++++++++- .../src/request/AuthorizationUrlRequest.ts | 12 +++++++++++- .../src/request/ClientCredentialRequest.ts | 8 ++++++++ lib/msal-node/src/request/InteractiveRequest.ts | 16 ++++++++++++++-- lib/msal-node/src/request/OnBehalfOfRequest.ts | 12 +++++++++++- lib/msal-node/src/request/RefreshTokenRequest.ts | 11 +++++++++-- lib/msal-node/src/request/SilentFlowRequest.ts | 10 ++++++++-- .../src/request/UsernamePasswordRequest.ts | 14 ++++++++++++-- 8 files changed, 84 insertions(+), 11 deletions(-) diff --git a/lib/msal-node/src/request/AuthorizationCodeRequest.ts b/lib/msal-node/src/request/AuthorizationCodeRequest.ts index 2e7f28b1a6..0042be33a1 100644 --- a/lib/msal-node/src/request/AuthorizationCodeRequest.ts +++ b/lib/msal-node/src/request/AuthorizationCodeRequest.ts @@ -3,7 +3,10 @@ * Licensed under the MIT License. */ -import { CommonAuthorizationCodeRequest } from "@azure/msal-common/node"; +import { + CommonAuthorizationCodeRequest, + StringDict, +} from "@azure/msal-common/node"; /** * Request object passed by user to acquire a token from the server exchanging a valid authorization code (second leg of OAuth2.0 Authorization Code flow) @@ -30,10 +33,17 @@ export type AuthorizationCodeRequest = Partial< | "resourceRequestUri" | "requestedClaimsHash" | "storeInCache" + | "tokenQueryParameters" > > & { scopes: Array; redirectUri: string; code: string; state?: string; + /** + * @deprecated String to string map of custom query parameters added to the /token call. + * This feature is being deprecated and not recommended for production scenarios. + * It will be removed in a future release, and the behavior may be replaced by a new API. + */ + tokenQueryParameters?: StringDict; }; 
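Review bot: The `@deprecated` comment added on `tokenQueryParameters` in the `@@ -30,10 +33,17 @@` hunk of AuthorizationCodeRequest.ts calls the field "not recommended for production scenarios" but gives neither the reason nor what a caller should do until the replacement API exists. Anyone auditing an application that passes extra parameters to the /token call cannot tell from this text what risk motivates the deprecation, so I would add one line along the lines of `* Reason: <why this is discouraged>. Until the replacement ships, <what callers should do instead>.` with the placeholders filled in by the author. The same Omit-and-re-add block with identical wording is repeated in the other seven request files of this patch. Declaring it once, for example `type DeprecatedTokenQueryParameters = { tokenQueryParameters?: StringDict };` with the comment on that property, and intersecting it into each request type would keep the eight copies from drifting. The type declaration begins above the hunk.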
diff --git a/lib/msal-node/src/request/AuthorizationUrlRequest.ts b/lib/msal-node/src/request/AuthorizationUrlRequest.ts index 43274501e8..5d78306dd8 100644 --- a/lib/msal-node/src/request/AuthorizationUrlRequest.ts +++ b/lib/msal-node/src/request/AuthorizationUrlRequest.ts @@ -3,7 +3,10 @@ * Licensed under the MIT License. */ -import { CommonAuthorizationUrlRequest } from "@azure/msal-common/node"; +import { + CommonAuthorizationUrlRequest, + StringDict, +} from "@azure/msal-common/node"; /** * Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow) @@ -43,8 +46,15 @@ export type AuthorizationUrlRequest = Partial< | "authenticationScheme" | "requestedClaimsHash" | "storeInCache" + | "tokenQueryParameters" > > & { scopes: Array; redirectUri: string; + /** + * @deprecated String to string map of custom query parameters added to the /token call. + * This feature is being deprecated and not recommended for production scenarios. + * It will be removed in a future release, and the behavior may be replaced by a new API. + */ + tokenQueryParameters?: StringDict; }; diff --git a/lib/msal-node/src/request/ClientCredentialRequest.ts b/lib/msal-node/src/request/ClientCredentialRequest.ts index 6908dcded7..a1537eba33 100644 --- a/lib/msal-node/src/request/ClientCredentialRequest.ts +++ b/lib/msal-node/src/request/ClientCredentialRequest.ts @@ -6,6 +6,7 @@ import { ClientAssertionCallback, CommonClientCredentialRequest, + StringDict, } from "@azure/msal-common/node"; /** 
@@ -26,7 +27,14 @@ export type ClientCredentialRequest = Partial< | "requestedClaimsHash" | "clientAssertion" | "storeInCache" + | "tokenQueryParameters" > > & { clientAssertion?: string | ClientAssertionCallback; + /** + * @deprecated String to string map of custom query parameters added to the /token call. + * This feature is being deprecated and not recommended for production scenarios. + * It will be removed in a future release, and the behavior may be replaced by a new API. + */ + tokenQueryParameters?: StringDict; }; diff --git a/lib/msal-node/src/request/InteractiveRequest.ts b/lib/msal-node/src/request/InteractiveRequest.ts index 70123ef71c..96efd3dc7d 100644 --- a/lib/msal-node/src/request/InteractiveRequest.ts +++ b/lib/msal-node/src/request/InteractiveRequest.ts @@ -3,7 +3,10 @@ * Licensed under the MIT License. */ -import { CommonAuthorizationUrlRequest } from "@azure/msal-common/node"; +import { + CommonAuthorizationUrlRequest, + StringDict, +} from "@azure/msal-common/node"; import { ILoopbackClient } from "../network/ILoopbackClient.js"; /** @@ -20,7 +23,10 @@ import { ILoopbackClient } from "../network/ILoopbackClient.js"; export type InteractiveRequest = Partial< Omit< CommonAuthorizationUrlRequest, - "scopes" | "requestedClaimsHash" | "storeInCache" + | "scopes" + | "requestedClaimsHash" + | "storeInCache" + | "tokenQueryParameters" > > & { openBrowser: (url: string) => Promise; @@ -29,4 +35,10 @@ export type InteractiveRequest = Partial< errorTemplate?: string; windowHandle?: Buffer; // Relevant only to brokered requests loopbackClient?: ILoopbackClient; + /** + * @deprecated String to string map of custom query parameters added to the /token call. + * This feature is being deprecated and not recommended for production scenarios. + * It will be removed in a future release, and the behavior may be replaced by a new API. + */ + tokenQueryParameters?: StringDict; }; 
diff --git a/lib/msal-node/src/request/OnBehalfOfRequest.ts b/lib/msal-node/src/request/OnBehalfOfRequest.ts index 6fe0572b71..a0fee3aed4 100644 --- a/lib/msal-node/src/request/OnBehalfOfRequest.ts +++ b/lib/msal-node/src/request/OnBehalfOfRequest.ts @@ -3,7 +3,10 @@ * Licensed under the MIT License. */ -import { CommonOnBehalfOfRequest } from "@azure/msal-common/node"; +import { + CommonOnBehalfOfRequest, + StringDict, +} from "@azure/msal-common/node"; /** * - scopes - Array of scopes the application is requesting access to. @@ -23,8 +26,15 @@ export type OnBehalfOfRequest = Partial< | "resourceRequestUri" | "requestedClaimsHash" | "storeInCache" + | "tokenQueryParameters" > > & { oboAssertion: string; scopes: Array; + /** + * @deprecated String to string map of custom query parameters added to the /token call. + * This feature is being deprecated and not recommended for production scenarios. + * It will be removed in a future release, and the behavior may be replaced by a new API. + */ + tokenQueryParameters?: StringDict; }; diff --git a/lib/msal-node/src/request/RefreshTokenRequest.ts b/lib/msal-node/src/request/RefreshTokenRequest.ts index 8a2472b9e4..ab08548b76 100644 --- a/lib/msal-node/src/request/RefreshTokenRequest.ts +++ b/lib/msal-node/src/request/RefreshTokenRequest.ts @@ -3,7 +3,7 @@ * Licensed under the MIT License. */ -import { CommonRefreshTokenRequest } from "@azure/msal-common/node"; +import { CommonRefreshTokenRequest, StringDict } from "@azure/msal-common/node"; /** * CommonRefreshTokenRequest 
@@ -12,7 +12,7 @@ import { CommonRefreshTokenRequest } from "@azure/msal-common/node"; * - authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. * - refreshToken - A refresh token returned from a previous request to the Identity provider. - * - tokenQueryParameters - String to string map of custom query parameters added to the /token call + * - tokenQueryParameters - @deprecated String to string map of custom query parameters added to the /token call. This feature is being deprecated and not recommended for production scenarios. It will be removed in a future release, and the behavior may be replaced by a new API. * - forceCache - Force MSAL to cache a refresh token flow response when there is no account in the cache. Used for migration scenarios. * @public */ @@ -26,9 +26,16 @@ export type RefreshTokenRequest = Partial< | "resourceRequestUri" | "requestedClaimsHash" | "storeInCache" + | "tokenQueryParameters" > > & { scopes: Array; refreshToken: string; forceCache?: boolean; + /** + * @deprecated String to string map of custom query parameters added to the /token call. + * This feature is being deprecated and not recommended for production scenarios. + * It will be removed in a future release, and the behavior may be replaced by a new API. + */ + tokenQueryParameters?: StringDict; }; diff --git a/lib/msal-node/src/request/SilentFlowRequest.ts b/lib/msal-node/src/request/SilentFlowRequest.ts index aef948cfd6..8fd811bf70 100644 --- a/lib/msal-node/src/request/SilentFlowRequest.ts +++ b/lib/msal-node/src/request/SilentFlowRequest.ts 
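Review bot: In the `@@ -12,7 +12,7 @@` hunk of RefreshTokenRequest.ts the `@deprecated` tag is written inside the type-level doc comment, so it deprecates `RefreshTokenRequest` itself rather than the one field. The API Extractor report in patch 4/4 confirms this: the header above `export type RefreshTokenRequest` changes from `// @public` to `// @public @deprecated`. The `@@ -15,7 +18,7 @@` hunk of UsernamePasswordRequest.ts does the same thing to `UsernamePasswordRequest`. Editors and linters that honour the tag will probably flag every use of these two request types, and the `forceCache` bullet that follows the tag probably becomes part of the deprecation message. The property-level `@deprecated` added in the next hunk already covers the field, so the bullet only needs plain wording such as `* - tokenQueryParameters - (Deprecated) String to string map of custom query parameters added to the /token call.`, after which the API report should be regenerated. The doc comment starts above the hunk.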
@@ -3,7 +3,7 @@ * Licensed under the MIT License. */ -import { AccountInfo, CommonSilentFlowRequest } from "@azure/msal-common/node"; +import { AccountInfo, CommonSilentFlowRequest, StringDict } from "@azure/msal-common/node"; /** * SilentFlow parameters passed by the user to retrieve credentials silently @@ -19,9 +19,15 @@ import { AccountInfo, CommonSilentFlowRequest } from "@azure/msal-common/node"; export type SilentFlowRequest = Partial< Omit< CommonSilentFlowRequest, - "account" | "scopes" | "requestedClaimsHash" | "storeInCache" + "account" | "scopes" | "requestedClaimsHash" | "storeInCache" | "tokenQueryParameters" > > & { account: AccountInfo; scopes: Array; + /** + * @deprecated String to string map of custom query parameters added to the /token call. + * This feature is being deprecated and not recommended for production scenarios. + * It will be removed in a future release, and the behavior may be replaced by a new API. + */ + tokenQueryParameters?: StringDict; }; diff --git a/lib/msal-node/src/request/UsernamePasswordRequest.ts b/lib/msal-node/src/request/UsernamePasswordRequest.ts index 2296fec556..0f4f0bc0ed 100644 --- a/lib/msal-node/src/request/UsernamePasswordRequest.ts +++ b/lib/msal-node/src/request/UsernamePasswordRequest.ts @@ -3,7 +3,10 @@ * Licensed under the MIT License. */ -import { CommonUsernamePasswordRequest } from "@azure/msal-common/node"; +import { + CommonUsernamePasswordRequest, + StringDict, +} from "@azure/msal-common/node"; /** * UsernamePassword parameters passed by the user to retrieve credentials 
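Review bot: Both SilentFlowRequest.ts hunks add lines well over 80 columns, unlike every other file in this patch, where the same additions are wrapped one item per line; it looks as if the formatter was not run on this file. The import in `@@ -3,7 +3,7 @@` would normally be split as `import {` / `AccountInfo,` / `CommonSilentFlowRequest,` / `StringDict,` / `} from "@azure/msal-common/node";`. The Omit key list in `@@ -19,9 +19,15 @@` would likewise become one `| "..."` entry per line, as in InteractiveRequest.ts. Running the repository's formatter over the file before merge keeps the request types visually parallel and avoids a formatting-only follow-up diff.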
@@ -15,7 +18,7 @@ import { CommonUsernamePasswordRequest } from "@azure/msal-common/node"; * - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes. * - username - username of the client * - password - credentials - * - tokenQueryParameters - String to string map of custom query parameters added to the /token call + * - tokenQueryParameters - @deprecated String to string map of custom query parameters added to the /token call. This feature is being deprecated and not recommended for production scenarios. It will be removed in a future release, and the behavior may be replaced by a new API. * @public */ export type UsernamePasswordRequest = Partial< @@ -28,9 +31,16 @@ export type UsernamePasswordRequest = Partial< | "password" | "requestedClaimsHash" | "storeInCache" + | "tokenQueryParameters" > > & { scopes: Array; username: string; password: string; + /** + * @deprecated String to string map of custom query parameters added to the /token call. + * This feature is being deprecated and not recommended for production scenarios. + * It will be removed in a future release, and the behavior may be replaced by a new API. + */ + tokenQueryParameters?: StringDict; }; From 71041b315cccf58a49b5c4fb39669a16e8ad93e3 Mon Sep 17 00:00:00 2001 From: avdunn Date: Fri, 7 Nov 2025 10:49:01 -0800 Subject: [PATCH 2/4] Change files --- ...ure-msal-node-9c8208b9-9c5c-453a-b8df-227bc52e8acf.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 change/@azure-msal-node-9c8208b9-9c5c-453a-b8df-227bc52e8acf.json diff --git a/change/@azure-msal-node-9c8208b9-9c5c-453a-b8df-227bc52e8acf.json b/change/@azure-msal-node-9c8208b9-9c5c-453a-b8df-227bc52e8acf.json new file mode 100644 index 0000000000..c9b26d0141 --- /dev/null +++ b/change/@azure-msal-node-9c8208b9-9c5c-453a-b8df-227bc52e8acf.json 
@@ -0,0 +1,7 @@ +{ + "type": "patch", + "comment": "Deprecate tokenQueryParameters in msal-node", + "packageName": "@azure/msal-node", + "email": "avdunn@microsoft.com", + "dependentChangeType": "patch" +} From cb2d6b6832d73208e1e4a3abc88abc724a1a3b2a Mon Sep 17 00:00:00 2001 From: avdunn Date: Fri, 7 Nov 2025 10:53:12 -0800 Subject: [PATCH 3/4] Change files --- ... @azure-msal-node-1d9af4a3-fa9f-4d52-922b-4722009998f2.json} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename change/{@azure-msal-node-9c8208b9-9c5c-453a-b8df-227bc52e8acf.json => @azure-msal-node-1d9af4a3-fa9f-4d52-922b-4722009998f2.json} (65%) diff --git a/change/@azure-msal-node-9c8208b9-9c5c-453a-b8df-227bc52e8acf.json b/change/@azure-msal-node-1d9af4a3-fa9f-4d52-922b-4722009998f2.json similarity index 65% rename from change/@azure-msal-node-9c8208b9-9c5c-453a-b8df-227bc52e8acf.json rename to change/@azure-msal-node-1d9af4a3-fa9f-4d52-922b-4722009998f2.json index c9b26d0141..1f26d49db2 100644 --- a/change/@azure-msal-node-9c8208b9-9c5c-453a-b8df-227bc52e8acf.json +++ b/change/@azure-msal-node-1d9af4a3-fa9f-4d52-922b-4722009998f2.json @@ -1,6 +1,6 @@ { "type": "patch", - "comment": "Deprecate tokenQueryParameters in msal-node", + "comment": "Deprecate tokenQueryParameters in msal-node (#8134)", "packageName": "@azure/msal-node", "email": "avdunn@microsoft.com", "dependentChangeType": "patch" From a704ddc5c2253fd03c7e0204148660cf0d32354c Mon Sep 17 00:00:00 2001 From: avdunn Date: Fri, 7 Nov 2025 10:56:50 -0800 Subject: [PATCH 4/4] API extractor report --- lib/msal-node/apiReview/msal-node.api.md | 29 ++++++++++++++++-------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/lib/msal-node/apiReview/msal-node.api.md b/lib/msal-node/apiReview/msal-node.api.md index c633de1c7a..4c1fba1f29 100644 --- a/lib/msal-node/apiReview/msal-node.api.md +++ b/lib/msal-node/apiReview/msal-node.api.md 
@@ -78,6 +78,7 @@ import { ServerError } from '@azure/msal-common/node'; import { ServerTelemetryEntity } from '@azure/msal-common/node'; import { ServerTelemetryManager } from '@azure/msal-common/node'; import { StaticAuthorityOptions } from '@azure/msal-common/node'; +import { StringDict } from '@azure/msal-common/node'; import { ThrottlingEntity } from '@azure/msal-common/node'; import { TokenCacheContext } from '@azure/msal-common/node'; import { TokenKeys } from '@azure/msal-common/node'; @@ -101,17 +102,19 @@ export { AuthErrorMessage } export { AuthorizationCodePayload } // @public -export type AuthorizationCodeRequest = Partial> & { +export type AuthorizationCodeRequest = Partial> & { scopes: Array; redirectUri: string; code: string; state?: string; + tokenQueryParameters?: StringDict; }; // @public -export type AuthorizationUrlRequest = Partial> & { +export type AuthorizationUrlRequest = Partial> & { scopes: Array; redirectUri: string; + tokenQueryParameters?: StringDict; }; export { AuthorizeResponse } @@ -198,8 +201,9 @@ export class ClientCredentialClient extends BaseClient { } // @public -export type ClientCredentialRequest = Partial> & { +export type ClientCredentialRequest = Partial> & { clientAssertion?: string | ClientAssertionCallback; + tokenQueryParameters?: StringDict; }; // @public @@ -325,13 +329,14 @@ export { InteractionRequiredAuthErrorCodes } export { InteractionRequiredAuthErrorMessage } // @public -export type InteractiveRequest = Partial> & { +export type InteractiveRequest = Partial> & { openBrowser: (url: string) => Promise; scopes?: Array; successTemplate?: string; errorTemplate?: string; windowHandle?: Buffer; loopbackClient?: ILoopbackClient; + tokenQueryParameters?: StringDict; }; declare namespace internals { 
@@ -478,9 +483,10 @@ export class OnBehalfOfClient extends BaseClient { } // @public -export type OnBehalfOfRequest = Partial> & { +export type OnBehalfOfRequest = Partial> & { oboAssertion: string; scopes: Array; + tokenQueryParameters?: StringDict; }; export { PromptValue } @@ -497,11 +503,12 @@ export class PublicClientApplication extends ClientApplication implements IPubli signOut(request: SignOutRequest): Promise; } -// @public -export type RefreshTokenRequest = Partial> & { +// @public @deprecated +export type RefreshTokenRequest = Partial> & { scopes: Array; refreshToken: string; forceCache?: boolean; + tokenQueryParameters?: StringDict; }; export { ResponseMode } @@ -590,9 +597,10 @@ export type SignOutRequest = { }; // @public -export type SilentFlowRequest = Partial> & { +export type SilentFlowRequest = Partial> & { account: AccountInfo; scopes: Array; + tokenQueryParameters?: StringDict; }; // @public @@ -620,11 +628,12 @@ export class UsernamePasswordClient extends BaseClient { acquireToken(request: CommonUsernamePasswordRequest): Promise; } -// @public -export type UsernamePasswordRequest = Partial> & { +// @public @deprecated +export type UsernamePasswordRequest = Partial> & { scopes: Array; username: string; password: string; + tokenQueryParameters?: StringDict; }; export { ValidCacheType }