MSAL Browser 5.1.0 popup flow redirects instead of closing and never posts result back to opener causing timed_out and no-callback

[jplevene]

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

5.1.0

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Public

Description

Upgrading from MSAL Browser 4.27.0 → 5.1.0 breaks the popup login flow.

In 5.1.0:

• The popup redirects to my app URL instead of closing.
• The opener never receives the authentication result.
• After ~6 seconds MSAL throws BrowserAuthError: timed_out.
• Closing the popup manually does not trigger a callback.

This is a regression from 4.27.0, where the popup closes and the promise resolves correctly.

Error Message

BrowserAuthError: timed_out

Popup console also shows:

requestStorageAccess: Permission denied

MSAL Logs

[MSAL][Verbose] Initializing PublicClientApplication
[MSAL][Verbose] Initializing browser storage
[MSAL][Verbose] Event: msal:loginStart
[MSAL][Verbose] PopupHandler.openPopup called
[MSAL][Verbose] Popup opened successfully
[MSAL][Verbose] Navigating popup to https://login.microsoftonline.com/common/oauth2/v2.0/authorize...
[MSAL][Verbose] Monitoring popup for hash
[MSAL][Warning] requestStorageAccess: Permission denied
[MSAL][Verbose] No response from popup yet, continuing to wait...
[MSAL][Verbose] Still waiting for response from popup...
[MSAL][Error] BrowserAuthError: timed_out
    at PopupClient.monitorPopupForHash
    at PopupClient.initiateAuthRequest
    at PublicClientApplication.loginPopup

Popup window logs:

[MSAL][Verbose] Popup redirect detected
[MSAL][Verbose] Processing auth code...
(no postMessage sent)

Network Trace (Preferrably Fiddler)

• Sent
• Pending

MSAL Configuration

const msalConfig = {
  auth: {
    clientId: "my-client-id",
    authority: "https://login.microsoftonline.com/common"
  },
  cache: {
    cacheLocation: "localStorage",
    storeAuthStateInCookie: false
  }
};

Relevant Code Snippets

## **Minimal reproduction**
### Working (4.27.0)

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <title>MSAL 4.27.0 Popup Working Repro</title>

  <!-- MSAL 4.x (works) -->
  <script src="https://alcdn.msauth.net/browser/4.27.0/js/msal-browser.min.js"></script>

</head>

<body>
  <h2>MSAL 4.27.0 — Popup Works</h2>
  <button id="login">Sign in with Microsoft</button>

  <script>
    const msalConfig = {
      auth: {
        clientId: "my-client-id",
        authority: "https://login.microsoftonline.com/common"
      }
    };

    const msalInstance = new msal.PublicClientApplication(msalConfig);

    document.getElementById("login").onclick = () => {
      console.log("Opening popup…");

      msalInstance.loginPopup({
        scopes: ["User.Read", "openid", "profile", "offline_access"],
        prompt: "select_account"
      })
      .then(result => {
        console.log("Popup resolved:", result);
        alert("SUCCESS — Popup closed and returned account: " + result.account.username);
      })
      .catch(err => {
        console.error("Popup error:", err);
        alert("ERROR: " + (err.errorCode || err.message));
      });
    };
  </script>
</body>
</html>



### Broken (5.1.0)

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <title>MSAL 5.1.0 Popup Broken Repro</title>

  <!-- MSAL 5.x (broken popup behaviour) -->
  <script src="https://alcdn.msauth.net/browser/5.1.0/js/msal-browser.min.js"></script>

</head>

<body>
  <h2>MSAL 5.1.0 — Popup Redirects + No Callback</h2>
  <button id="login">Sign in with Microsoft</button>

  <script>
    const msalConfig = {
      auth: {
        clientId: "my-client-id",
        authority: "https://login.microsoftonline.com/common"
      }
    };

    const msalInstance = new msal.PublicClientApplication(msalConfig);

    // Required in 5.x
    msalInstance.initialize().then(() => {
      console.log("MSAL initialized");
    });

    document.getElementById("login").onclick = () => {
      console.log("Opening popup…");

      msalInstance.loginPopup({
        scopes: ["User.Read", "openid", "profile", "offline_access"],
        prompt: "select_account"
      })
      .then(result => {
        console.log("Popup resolved:", result);
        alert("SUCCESS — Popup closed and returned account: " + result.account.username);
      })
      .catch(err => {
        console.error("Popup error:", err);
        alert("ERROR: " + (err.errorCode || err.message));
      });
    };
  </script>
</body>
</html>

Reproduction Steps

1. Load the minimal repro HTML file (attached below).
2. Click “Sign in with Microsoft”.
3. Complete login in the popup.
4. Observe that the popup redirects to the app URL and stays open.
5. Opener never receives the result.
6. After timeout, MSAL throws timed_out.

Expected Behavior

Expected behavior

• Popup should close automatically.
• loginPopup() should resolve with an AuthenticationResult.
• Closing the popup manually should reject with popup_window_closed.

Actual behavior

• Popup redirects to the app URL.
• Popup stays open.
• No postMessage back to opener.
• Opener throws BrowserAuthError: timed_out.

Identity Provider

Other

Browsers Affected (Select all that apply)

Chrome

Regression

@azure/msal-browser@4.27.0

[github-actions]

Invalid Issue Template:
Please update the original issue and make sure to fill out the entire issue template so we can better assist you.

[jplevene]

Just regression tested on 4.28.1 and it works fine. Seems to be a v5 issue

[tnorling]

There are changes needed to support the popup flow in v5. Please see the migration guide for more details

[jplevene]

I have tried all of these in the migration and even resorted to copilot try and help. Close the bug report if you want, I am only trying to be helpful and report a bug that even after using the migration guide and all other suggestions is still there.

[tnorling]

Please show how you've implemented the redirect bridge (a sample repo would be helpful)