Verify SSO Capability (#8252)

This PR verfies if an app is capable of SSO after a successful
interactive authentication. When enabled via the new `verifySso`
configuration option, MSAL will fire a fire-and-forget `verifySso()`
call after handleRedirectPromise and acquireTokenPopup complete
successfully.

Changes:

- Added new `verifySso` configuration option (defaults to false)
- Implemented fire-and-forget background verifySso after interactive
authentication
- Added comprehensive telemetry tracking with new `SsoCapable`
performance event

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Konstantin <kshabelko@microsoft.com>

Author: 4 people

change/@azure-msal-browser-440d27b3-88ff-459d-883e-a675b66d7976.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Verify if an app is SSO Capable, [#8252](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/8252) ",
+  "packageName": "@azure/msal-browser",
+  "email": "sameera.gajjarapu@microsoft.com",
+  "dependentChangeType": "patch"
+}

change/@azure-msal-common-461989e8-10b5-48f1-91dd-836248c3fce6.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Verify if an app is SSO Capable, [#8252](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/8252)",
+  "packageName": "@azure/msal-common",
+  "email": "sameera.gajjarapu@microsoft.com",
+  "dependentChangeType": "patch"
+}

lib/msal-browser/apiReview/msal-browser.api.md

@@ -463,6 +463,7 @@ export type BrowserAuthOptions = {
     onRedirectNavigate?: (url: string) => boolean | void;
     instanceAware?: boolean;
     encodeExtraQueryParams?: boolean;
+    verifySSO?: boolean;
 };
 
 // Warning: (ae-missing-release-tag) "BrowserCacheLocation" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
@@ -1830,7 +1831,7 @@ export type WrapperSKU = (typeof WrapperSKU)[keyof typeof WrapperSKU];
 // src/cache/LocalStorage.ts:363:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/cache/LocalStorage.ts:426:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/cache/LocalStorage.ts:457:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
-// src/config/Configuration.ts:264:5 - (ae-forgotten-export) The symbol "InternalAuthOptions" needs to be exported by the entry point index.d.ts
+// src/config/Configuration.ts:271:5 - (ae-forgotten-export) The symbol "InternalAuthOptions" needs to be exported by the entry point index.d.ts
 // src/event/EventHandler.ts:113:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/event/EventHandler.ts:139:8 - (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // src/index.ts:8:12 - (tsdoc-characters-after-block-tag) The token "@azure" looks like a TSDoc tag but contains an invalid character "/"; if it is not a tag, use a backslash to escape the "@"

lib/msal-browser/src/config/Configuration.ts

@@ -113,6 +113,13 @@ export type BrowserAuthOptions = {
      * @deprecated This flag is deprecated and will be removed in the next major version where all extra query params will be encoded by default.
      */
     encodeExtraQueryParams?: boolean;
+    /**
+     * If set to true, MSAL will make a background SSO verification call after successful interactive authentication.
+     * COGS intensive, recommendation is to *NOT* set this flag to true unless your application has a specific need for it.
+     * This will trigger additional network calls after interactive authentication flows (acquireTokenPopup, handleRedirectPromise) calls.
+     * This is a boolean flag and defaults to false if not specified.
+     */
+    verifySSO?: boolean;
 };
 
 /** @internal */
@@ -314,6 +321,7 @@ export function buildConfiguration(
         supportsNestedAppAuth: false,
         instanceAware: false,
         encodeExtraQueryParams: false,
+        verifySSO: false,
     };
 
     // Default cache options for browser

lib/msal-browser/src/controllers/StandardController.ts

@@ -567,6 +567,12 @@ export class StandardController implements IController {
                         undefined,
                         result.account
                     );
+
+                    // Fire-and-forget SSO capability verification in background
+                    this.verifySsoCapability(
+                        result.account,
+                        InteractionType.Redirect
+                    );
                 } else {
                     /*
                      * Instrument an event only if an error code is set. Otherwise, discard it when the redirect response
@@ -930,6 +936,10 @@ export class StandardController implements IController {
                     undefined,
                     result.account
                 );
+
+                // SSO capability verification in background
+                this.verifySsoCapability(result.account, InteractionType.Popup);
+
                 return result;
             })
             .catch((e: Error) => {
@@ -984,6 +994,79 @@ export class StandardController implements IController {
             visibilityChangeCount: 1,
         });
     }
+
+    /**
+     * SSO capability verification in the background.
+     * This method makes an iframe request to /authorize to verify SSO capability without calling /token.
+     * This method does not block the caller and tracks telemetry for success/failure.
+     * This method only executes if verifySSO is set to true in the auth configuration.
+     * @param account - The account to use for the SSO verification
+     * @param parentApi - The API ID of the parent operation for logging purposes
+     */
+    private verifySsoCapability(account: AccountInfo, parentApi: string): void {
+        // Check if SSO capability verification is enabled
+        if (!this.config.auth.verifySSO) {
+            return;
+        }
+
+        const correlationId = this.browserCrypto.createNewGuid();
+        const ssoCapableMeasurement = this.performanceClient.startMeasurement(
+            PerformanceEvents.SsoCapable,
+            correlationId
+        );
+        ssoCapableMeasurement.add({
+            parentApi: parentApi,
+        });
+
+        this.logger.verbose(
+            `SSO capability verification initiated after ${parentApi}`,
+            correlationId
+        );
+
+        /*
+         * Use setTimeout to ensure this runs in a separate macrotask after the current call stack completes
+         * This ensures the result is returned to the caller before the SSO verification starts and doesn't affect performance
+         */
+        setTimeout(() => {
+            const ssoVerificationRequest: SsoSilentRequest = {
+                account: account,
+                correlationId: correlationId,
+            };
+
+            const silentIframeClient =
+                this.createSilentIframeClient(correlationId);
+            silentIframeClient
+                .verifySso(ssoVerificationRequest)
+                .then((success: boolean) => {
+                    this.logger.verbose(
+                        `SSO capability verification completed after ${parentApi}, success: ${success}`,
+                        correlationId
+                    );
+                    ssoCapableMeasurement.end(
+                        {
+                            fromCache: false,
+                            success: success,
+                        },
+                        undefined,
+                        account
+                    );
+                })
+                .catch((error: Error) => {
+                    this.logger.warning(
+                        `SSO capability verification failed after ${parentApi}: ${error.message}`,
+                        correlationId
+                    );
+                    ssoCapableMeasurement.end(
+                        {
+                            fromCache: false,
+                            success: false,
+                        },
+                        error,
+                        account
+                    );
+                });
+        }, 0);
+    }
     // #endregion
 
     // #region Silent Flow

lib/msal-browser/src/interaction_client/SilentIframeClient.ts

@@ -16,6 +16,7 @@ import {
     ProtocolMode,
     CommonAuthorizationUrlRequest,
     HttpMethod,
+    AuthorizeProtocol,
 } from "@azure/msal-common/browser";
 import { StandardInteractionClient } from "./StandardInteractionClient.js";
 import { BrowserConfiguration } from "../config/Configuration.js";
@@ -349,6 +350,141 @@ export class SilentIframeClient extends StandardInteractionClient {
         }
     }
 
+    /**
+     * Verifies SSO capability by making an iframe request to /authorize without exchanging the code for tokens.
+     * This is useful for verifying SSO capability in the background without the overhead of a full token exchange.
+     * @param request - The SSO silent request
+     * @returns true if SSO verification was successful with a valid authorization code, false otherwise
+     */
+    async verifySso(request: SsoSilentRequest): Promise<boolean> {
+        this.performanceClient.addQueueMeasurement(
+            PerformanceEvents.SilentIframeClientAcquireToken,
+            request.correlationId
+        );
+
+        const inputRequest = { ...request };
+        if (!inputRequest.prompt) {
+            inputRequest.prompt = PromptValue.NONE;
+        }
+
+        // Create silent request
+        const silentRequest: CommonAuthorizationUrlRequest = await invokeAsync(
+            this.initializeAuthorizationRequest.bind(this),
+            PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest,
+            this.logger,
+            this.performanceClient,
+            request.correlationId
+        )(inputRequest, InteractionType.Silent);
+
+        const authClient = await invokeAsync(
+            this.createAuthCodeClient.bind(this),
+            PerformanceEvents.StandardInteractionClientCreateAuthCodeClient,
+            this.logger,
+            this.performanceClient,
+            request.correlationId
+        )({
+            serverTelemetryManager: this.initializeServerTelemetryManager(
+                this.apiId
+            ),
+            requestAuthority: silentRequest.authority,
+            requestAzureCloudOptions: silentRequest.azureCloudOptions,
+            requestExtraQueryParameters: silentRequest.extraQueryParameters,
+            account: silentRequest.account,
+        });
+
+        const correlationId = silentRequest.correlationId;
+        const pkceCodes = await invokeAsync(
+            generatePkceCodes,
+            PerformanceEvents.GeneratePkceCodes,
+            this.logger,
+            this.performanceClient,
+            correlationId
+        )(this.performanceClient, this.logger, correlationId);
+
+        const requestWithPkce = {
+            ...silentRequest,
+            codeChallenge: pkceCodes.challenge,
+        };
+
+        // Create authorize request url
+        const navigateUrl = await invokeAsync(
+            Authorize.getAuthCodeRequestUrl,
+            PerformanceEvents.GetAuthCodeUrl,
+            this.logger,
+            this.performanceClient,
+            correlationId
+        )(
+            this.config,
+            authClient.authority,
+            requestWithPkce,
+            this.logger,
+            this.performanceClient
+        );
+
+        // Get the frame handle for the silent request - this triggers the SSO verification
+        const msalFrame = await invokeAsync(
+            initiateCodeRequest,
+            PerformanceEvents.SilentHandlerInitiateAuthRequest,
+            this.logger,
+            this.performanceClient,
+            correlationId
+        )(
+            navigateUrl,
+            this.performanceClient,
+            this.logger,
+            correlationId,
+            this.config.system.navigateFrameWait
+        );
+
+        const responseType = this.config.auth.OIDCOptions.serverResponseType;
+        // Monitor the iframe for the response
+        const responseString = await invokeAsync(
+            monitorIframeForHash,
+            PerformanceEvents.SilentHandlerMonitorIframeForHash,
+            this.logger,
+            this.performanceClient,
+            correlationId
+        )(
+            msalFrame,
+            this.config.system.iframeHashTimeout,
+            this.config.system.pollIntervalMilliseconds,
+            this.performanceClient,
+            this.logger,
+            correlationId,
+            responseType
+        );
+
+        // Deserialize the response
+        const serverParams = invoke(
+            ResponseHandler.deserializeResponse,
+            PerformanceEvents.DeserializeResponse,
+            this.logger,
+            this.performanceClient,
+            correlationId
+        )(responseString, responseType, this.logger);
+
+        // Validate the response - this checks for errors and validates state
+        AuthorizeProtocol.validateAuthorizationResponse(
+            serverParams,
+            silentRequest.state
+        );
+
+        // Verify a valid authorization code is present
+        if (!serverParams.code) {
+            this.logger.warning(
+                "SSO verification response did not contain an authorization code",
+                correlationId
+            );
+            return false;
+        }
+
+        this.logger.verbose(
+            "SSO verification completed successfully with valid authorization code - skipped token exchange",
+            correlationId
+        );
+        return true;
+    }
+
     /**
      * Currently Unsupported
      */