Port PR #8378: Add support for client data telemetry with CLI_DATA parameter (#8427)

## Summary

Ports
#8378
to `dev`.

## Changes

**Client Data Parsing and Instrumentation (msal-browser):**
- Added `parseClientData` function to extract structured information
(account type, error, sub-error, cloud instance, caller data boundary)
from the `clientdata` response parameter returned by the `/authorize`
endpoint
- Added `instrumentClientData` function that processes parsed clientdata
and instruments telemetry fields (`accountType`, `serverErrorNo`,
`serverSubErrorNo`) via `performanceClient`
- Called `instrumentClientData` in both `handleResponseCode` and
`handleResponseEAR` flows for early telemetry capture

**API and Telemetry Updates (msal-common):**
- Added `CLI_DATA = "clidata"` constant to `AADServerParamKeys`
- Added `addCliData` function to `RequestParameterBuilder` to include
`clidata=1` in authorize requests
- Called `addCliData` in `getStandardAuthorizeRequestParameters`
- Added `clientdata?: string` property to `AuthorizeResponse`
- Added `serverSubErrorNo?: string` field to `PerformanceEvent`
- Updated `addError` in `PerformanceClient` to not overwrite
`serverErrorNo` when it was already set via `addFields` (from clientdata
instrumentation)
- Updated `msal-common.api.md` API review file

**Testing:**
- Added test for `CLI_DATA=1` in msal-common `Authorize.spec.ts`
- Added tests for `serverErrorNo` non-overwrite behavior in
`PerformanceClient.spec.ts`
- Added tests for `accountType` addFields preservation/overwrite
behavior
- Updated browser `Authorize.spec.ts` with clidata=1 checks and
`instrumentClientData` integration tests
- Created new `ClientDataParser.spec.ts` with comprehensive unit tests
for `parseClientData`

**Change Files:**
- Added beachball change files for `@azure/msal-browser` and
`@azure/msal-common` (type: minor)

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: konstantin-msft <119362382+konstantin-msft@users.noreply.github.com>
Co-authored-by: Konstantin <kshabelko@microsoft.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: 3 people

change/@azure-msal-browser-7b41d23d-898b-4f41-b815-fbdc56503858.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Add support for client data telemetry with CLI_DATA parameter [#8378](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/8378)",
+  "packageName": "@azure/msal-browser",
+  "email": "kshabelko@microsoft.com",
+  "dependentChangeType": "patch"
+}

change/@azure-msal-common-efa161ad-2d6d-49ae-ab7c-2d12057eafb0.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Add support for client data telemetry with CLI_DATA parameter [#8378](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/8378)",
+  "packageName": "@azure/msal-common",
+  "email": "kshabelko@microsoft.com",
+  "dependentChangeType": "patch"
+}

lib/msal-browser/src/protocol/Authorize.ts

@@ -44,6 +44,99 @@ import { EventHandler } from "../event/EventHandler.js";
 import { decryptEarResponse } from "../crypto/BrowserCrypto.js";
 import { IPlatformAuthHandler } from "../broker/nativeBroker/IPlatformAuthHandler.js";
 
+/**
+ * Parsed representation of the clientdata response parameter from the /authorize endpoint.
+ *
+ * Format: urlencoded(account_type|error|sub_error|cloud_instance|caller_data_boundary)
+ */
+type ClientData = {
+    /** Account type: MSA, AAD */
+    accountType: string;
+    /** Error code string (e.g. "0x8004345C" for MSA) */
+    error: string;
+    /** Sub-error code string (e.g. "0x80043588" for MSA) */
+    subError: string;
+    /** Cloud instance hostname (e.g. "login.microsoftonline.com") */
+    cloudInstance: string;
+    /** Caller data boundary (e.g. "none" for MSA) */
+    callerDataBoundary: string;
+};
+
+const clientDataAccountTypeMapping = new Map([
+    ["e", "AAD"],
+    ["m", "MSA"],
+]);
+
+/**
+ * Parses the clientdata response parameter from the /authorize endpoint.
+ *
+ * Logically, the clientdata value is URL-encoded and pipe-delimited:
+ *   urlencoded(account_type | error | sub_error | cloud_instance | caller_data_boundary)
+ *
+ * In normal browser flows, this value may already have been URL-decoded
+ * (e.g. by URLSearchParams). This function will only apply decodeURIComponent
+ * when the string appears to contain percent-encoded sequences to avoid
+ * double-decoding.
+ *
+ * @param clientdata - The raw clientdata string from the authorize response
+ * @returns Parsed ClientData object, or null if the input is empty/invalid
+ */
+export function parseClientData(clientdata?: string): ClientData | null {
+    if (!clientdata) {
+        return null;
+    }
+
+    try {
+        // Only decode when the string appears to contain percent-encoded sequences
+        const shouldDecode = /%(?:[0-9A-Fa-f]{2})/.test(clientdata);
+        const decoded = shouldDecode
+            ? decodeURIComponent(clientdata)
+            : clientdata;
+        const parts = decoded.split("|");
+
+        if (parts.length < 5) {
+            return null;
+        }
+
+        return {
+            accountType:
+                clientDataAccountTypeMapping.get(parts[0]?.trim() || "") || "",
+            error: parts[1]?.trim() || "",
+            subError: parts[2]?.trim() || "",
+            cloudInstance: parts[3]?.trim() || "",
+            callerDataBoundary: parts[4]?.trim() || "",
+        };
+    } catch {
+        return null;
+    }
+}
+
+/**
+ * Instruments account type, error, and suberror from clientdata
+ */
+function instrumentClientData(
+    response: AuthorizeResponse,
+    correlationId: string,
+    performanceClient: IPerformanceClient
+): void {
+    const parsed = parseClientData(response.clientdata);
+    parsed?.accountType &&
+        performanceClient.addFields(
+            { accountType: parsed.accountType },
+            correlationId
+        );
+    parsed?.error &&
+        performanceClient.addFields(
+            { serverErrorNo: parsed.error },
+            correlationId
+        );
+    parsed?.subError &&
+        performanceClient.addFields(
+            { serverSubErrorNo: parsed.subError },
+            correlationId
+        );
+}
+
 /**
  * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
  * @param config
@@ -407,6 +500,10 @@ export async function handleResponseCode(
         config.auth.clientId,
         request
     );
+
+    // Instrument clientdata telemetry fields from the authorize response
+    instrumentClientData(response, request.correlationId, performanceClient);
+
     if (response.accountId) {
         return invokeAsync(
             handleResponsePlatformBroker,
@@ -487,6 +584,9 @@ export async function handleResponseEAR(
         request
     );
 
+    // Instrument clientdata telemetry fields from the authorize response
+    instrumentClientData(response, request.correlationId, performanceClient);
+
     // Validate state & check response for errors
     AuthorizeProtocol.validateAuthorizationResponse(response, request.state);
 

lib/msal-browser/test/protocol/Authorize.spec.ts

@@ -193,6 +193,7 @@ describe("Authorize Protocol Tests", () => {
                     BrowserConstants.MSAL_SKU
                 );
                 checkInputProperties(AADServerParamKeys.X_CLIENT_VER, version);
+                checkInputProperties(AADServerParamKeys.CLI_DATA, "1");
 
                 // Verify correlationId is present in authorize URL query params
                 const actionUrl = new URL(form.action);
@@ -466,5 +467,252 @@ describe("Authorize Protocol Tests", () => {
                 actionUrl.searchParams.get(AADServerParamKeys.CLIENT_REQUEST_ID)
             ).toEqual(validRequest.correlationId);
         });
+
+        it("Includes clidata=1 in form post body", async () => {
+            const form = await Authorize.getCodeForm(
+                document,
+                config,
+                authority,
+                validRequest,
+                logger,
+                performanceClient
+            );
+
+            const cliDataInput = form.elements.namedItem(
+                AADServerParamKeys.CLI_DATA
+            ) as HTMLInputElement;
+            expect(cliDataInput).toBeTruthy();
+            expect(cliDataInput.value).toEqual("1");
+        });
+    });
+
+    describe("instrumentClientData Tests", () => {
+        const config = buildConfiguration(
+            { auth: { clientId: TEST_CONFIG.MSAL_CLIENT_ID } },
+            true
+        );
+        const logger = new Logger({});
+        const performanceClient = new StubPerformanceClient();
+        const authorityOptions: AuthorityOptions = {
+            protocolMode: ProtocolMode.EAR,
+            knownAuthorities: [],
+            cloudDiscoveryMetadata: "",
+            authorityMetadata: "",
+        };
+        const eventHandler = new EventHandler();
+        const cacheManager = new BrowserCacheManager(
+            TEST_CONFIG.MSAL_CLIENT_ID,
+            config.cache,
+            new CryptoOps(logger, performanceClient),
+            logger,
+            performanceClient,
+            eventHandler
+        );
+        let authority: Authority;
+        const validRequest: CommonAuthorizationUrlRequest = {
+            authority: TEST_CONFIG.validAuthority,
+            scopes: ["openid", "profile"],
+            correlationId: TEST_CONFIG.CORRELATION_ID,
+            redirectUri: window.location.href,
+            state: TEST_STATE_VALUES.TEST_STATE_REDIRECT,
+            nonce: ID_TOKEN_CLAIMS.nonce,
+            responseMode: Constants.ResponseMode.FRAGMENT,
+            codeChallenge: "code-challenge",
+            earJwk: validEarJWK,
+        };
+
+        beforeAll(async () => {
+            jest.useFakeTimers();
+            authority = await AuthorityFactory.createDiscoveredInstance(
+                TEST_CONFIG.validAuthority,
+                config.system.networkClient,
+                cacheManager,
+                authorityOptions,
+                logger,
+                TEST_CONFIG.CORRELATION_ID,
+                performanceClient
+            );
+        });
+
+        afterAll(() => {
+            jest.useRealTimers();
+        });
+
+        it("handleResponseEAR instruments clientdata telemetry when clientdata is present", async () => {
+            const addFieldsSpy = jest.spyOn(performanceClient, "addFields");
+            // clientdata: m|0x8004345C|0x80047857|none|login.microsoftonline.com
+            const clientdata =
+                "m%7C0x8004345C%7C0x80047857%7Cnone%7Clogin.microsoftonline.com";
+            const response = {
+                ear_jwe: validEarJWE,
+                state: validRequest.state,
+                clientdata,
+            };
+
+            await Authorize.handleResponseEAR(
+                validRequest,
+                response,
+                ApiId.acquireTokenPopup,
+                config,
+                authority,
+                cacheManager,
+                cacheManager,
+                eventHandler,
+                logger,
+                performanceClient
+            );
+
+            expect(addFieldsSpy).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    accountType: "MSA",
+                }),
+                validRequest.correlationId
+            );
+            expect(addFieldsSpy).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    serverErrorNo: "0x8004345C",
+                }),
+                validRequest.correlationId
+            );
+            expect(addFieldsSpy).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    serverSubErrorNo: "0x80047857",
+                }),
+                validRequest.correlationId
+            );
+            addFieldsSpy.mockRestore();
+        });
+
+        it("handleResponseEAR does not instrument clientdata when clientdata is absent", async () => {
+            const addFieldsSpy = jest.spyOn(performanceClient, "addFields");
+            addFieldsSpy.mockClear();
+            const response = {
+                ear_jwe: validEarJWE,
+                state: validRequest.state,
+            };
+
+            await Authorize.handleResponseEAR(
+                validRequest,
+                response,
+                ApiId.acquireTokenPopup,
+                config,
+                authority,
+                cacheManager,
+                cacheManager,
+                eventHandler,
+                logger,
+                performanceClient
+            );
+
+            // addFields may be called for other reasons, but NOT with clientData fields
+            const clientDataCalls = addFieldsSpy.mock.calls.filter(
+                (call: unknown[]) => {
+                    const fields = call[0] as
+                        | Record<string, unknown>
+                        | undefined;
+                    return fields && "serverErrorNo" in fields;
+                }
+            );
+            expect(clientDataCalls).toHaveLength(0);
+            addFieldsSpy.mockRestore();
+        });
+
+        it("handleResponseEAR instruments Entra (AAD) account type from clientdata", async () => {
+            const addFieldsSpy = jest.spyOn(performanceClient, "addFields");
+            // clientdata: e|AADSTS50076|basic_action|login.microsoftonline.com|none
+            const clientdata =
+                "e%7CAADSTS50076%7Cbasic_action%7Clogin.microsoftonline.com%7Cnone";
+            const response = {
+                ear_jwe: validEarJWE,
+                state: validRequest.state,
+                clientdata,
+            };
+
+            await Authorize.handleResponseEAR(
+                validRequest,
+                response,
+                ApiId.acquireTokenPopup,
+                config,
+                authority,
+                cacheManager,
+                cacheManager,
+                eventHandler,
+                logger,
+                performanceClient
+            );
+
+            expect(addFieldsSpy).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    accountType: "AAD",
+                }),
+                validRequest.correlationId
+            );
+            expect(addFieldsSpy).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    serverErrorNo: "AADSTS50076",
+                }),
+                validRequest.correlationId
+            );
+            expect(addFieldsSpy).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    serverSubErrorNo: "basic_action",
+                }),
+                validRequest.correlationId
+            );
+            addFieldsSpy.mockRestore();
+        });
+
+        it("handleResponseCode instruments clientdata telemetry before processing response", async () => {
+            const addFieldsSpy = jest.spyOn(performanceClient, "addFields");
+            // clientdata: e|AADSTS65001|consent_required|login.microsoftonline.com|none
+            const clientdata =
+                "e%7CAADSTS65001%7Cconsent_required%7Clogin.microsoftonline.com%7Cnone";
+            const response = {
+                // Use accountId so it hits the platformBroker path, which throws without a provider
+                accountId: "test-account-id",
+                state: validRequest.state,
+                clientdata,
+            };
+
+            try {
+                await Authorize.handleResponseCode(
+                    validRequest,
+                    response,
+                    "code-verifier",
+                    ApiId.acquireTokenPopup,
+                    config,
+                    {} as any, // authClient not needed — accountId path is taken
+                    cacheManager,
+                    cacheManager,
+                    eventHandler,
+                    logger,
+                    performanceClient
+                    // no platformAuthProvider → throws nativeConnectionNotEstablished
+                );
+            } catch {
+                // Expected: nativeConnectionNotEstablished
+            }
+
+            // instrumentClientData ran before the throw
+            expect(addFieldsSpy).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    accountType: "AAD",
+                }),
+                validRequest.correlationId
+            );
+            expect(addFieldsSpy).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    serverErrorNo: "AADSTS65001",
+                }),
+                validRequest.correlationId
+            );
+            expect(addFieldsSpy).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    serverSubErrorNo: "consent_required",
+                }),
+                validRequest.correlationId
+            );
+            addFieldsSpy.mockRestore();
+        });
     });
 });