COOP requirement clarification

[h3rmanj]

Core Library

MSAL.js (@azure/msal-browser)

Wrapper Library

Not Applicable

Public or Confidential Client?

Public

Documentation Location

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/v4-migration.md#cross-origin-opener-policy-coop-support

Description

I'm a bit unsure whether returning COOP headers for my application is required for upgrading to MSAL v5.

The upgrade docs states:

When the authentication service (Microsoft Entra ID or Azure AD B2C) returns COOP headers, traditional popup and silent iframe authentication flows are restricted.

and

Microsoft Entra ID (formerly Azure AD) has COOP enabled by default.

This makes it seem it is required to return the COOP headers for your application to work.

However, when testing, it only seems that the redirect bridge itself is required. Checking your samples, the default react sample also doesn't do anything specific to return COOP headers, only implementing a redirect bridge.

Are COOP headers required in MSAL v5? Or is the redirect bridge pattern only implemented to optionally support it if you return the header from your own application?

[peterzenz]

This is to support a COOP signal from the login server itself. The redirect bridge is to support this server change.

[h3rmanj]

The migration guide got upgraded today, which seems less ambiguous as it doesn't talk as much about the COOP header.
Just to be 100% clear though, when you have examples saying you need to set the COOP header for your application, is it to:

1. To showcase that if you have COOP headers, your redirect bridge MUST NOT have it

or

2. To showcase that every other than the redirect page NEEDS the COOP header set

Because the previous version of the document made it seem like it was 2.

[konstantin-msft]

Hi @h3rmanj. The redirect bridge is mandatory in v5 to support COOP header. It is required even if server does not set COOP - it broadcasts auth code back to the app frame. The updated migration guide showcases that page that implements the redirect bridge must not have COOP header set.

[h3rmanj]

Thanks for the clarifications @konstantin-msft & @peterzenz!

I guess the earlier migration guide confused me by giving me the impression that you needed to add COOP headers for the rest of your app, when in reality it was only for those already using the COOP header for their app.