Skip to content

temporaryCacheLocation removed in v5 breaks mobile app-switch redirects (e.g. itsme) that return in a new tab #8667

Description

@nicolaszawada

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

5.11.0

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

5.2.5

Public or Confidential Client?

Public

Description

Description

On mobile, authentication providers that use app-switch (e.g. itsme in Belgium)
navigate the user away to a native app and then return to the browser via a deep-link.
Mobile browsers open this return link in a new tab instead of restoring the original tab.

This means the new tab has empty sessionStorage, and MSAL's temporary redirect state
(INTERACTION_STATUS, ORIGIN_URI, URL_HASH) is lost, causing authentication to fail silently.

Root cause

BrowserCacheManager hardcodes the temporary cache to sessionStorage, regardless of the
configured cacheLocation:

// BrowserCacheManager.ts (v5)
this.browserStorage = getStorageImplementation(clientId, cacheConfig.cacheLocation, ...);

// HARDCODED — ignores cacheLocation
this.temporaryCacheStorage = getStorageImplementation(
    clientId, BrowserCacheLocation.SessionStorage, ...
);

The redirect_bridge/index.ts also hardcodes window.sessionStorage reads directly,
so even the redirect bridge cannot recover these keys in the new tab.

History

This was fixed in v2 via PR #5725 we opened, which introduced temporaryCacheLocation in CacheOptions.
Setting temporaryCacheLocation: BrowserCacheLocation.LocalStorage allowed the temp state
to survive a cross-tab redirect.

That option was removed without a replacement.

Error Message

No response

MSAL Logs

No response

Network Trace (Preferrably Fiddler)

  • Sent
  • Pending

MSAL Configuration

{
  "auth": {
    "clientId": "<redacted>",
    "authority": "https://<b2c-tenant>.b2clogin.com/<b2c-tenant>.onmicrosoft.com/<policy>/",
    "redirectUri": "https://<app>/redirect",
    "postLogoutRedirectUri": "https://<app>",
    "knownAuthorities": ["<b2c-tenant>.b2clogin.com"]
  },
  "cache": {
    "cacheLocation": "localStorage"
  }
}

Relevant Code Snippets

// MSAL instance factory
new PublicClientApplication({
    auth: {
        clientId: config.clientId,
        authority: `${config.instance}/${config.tenant}/${config.policy}/`,
        redirectUri: `${config.appUri}/redirect`,
        postLogoutRedirectUri: config.appUri,
        knownAuthorities: [new URL(config.instance).hostname]
    },
    cache: {
        cacheLocation: BrowserCacheLocation.LocalStorage
    }
});

// Triggering the redirect (Angular / @azure/msal-angular)
this.msalService.loginRedirect({
    scopes: [],
    redirectStartPage
});

Reproduction Steps

  1. Use Azure AD B2C with an identity provider that performs app-switch on mobile (e.g. itsme)
  2. Configure cacheLocation: BrowserCacheLocation.LocalStorage (the existing recommendation for
    cross-tab scenarios)
  3. On a mobile browser, start the auth flow and select the app-switch provider
  4. After authenticating in the native app, observe the browser opens a new tab with the redirect URI
  5. MSAL fails to process the auth response: the state keys are not in the new tab's sessionStorage

Expected Behavior

Either:

  • Re-introduce temporaryCacheLocation in CacheOptions (matching the v2 behavior from Add temporaryCacheLocation to Cache Options #5725), OR
  • Make redirect_bridge/index.ts automatically check localStorage as a fallback when the
    sessionStorage keys are missing (since the redirect bridge already operates outside
    BrowserCacheManager's abstraction), OR
  • Provide a supported hook/callback to allow apps to restore temporary state before the bridge runs

Identity Provider

Azure B2C Custom Policy

Browsers Affected (Select all that apply)

Chrome, Firefox, Edge, Safari

Regression

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    Needs: Attention 👋Awaiting response from the MSAL.js teamb2cRelated to Azure B2C library-specific issuesbug-unconfirmedA reported bug that needs to be investigated and confirmedmsal-angularRelated to @azure/msal-angular packagemsal-browserRelated to msal-browser packagepublic-clientIssues regarding PublicClientApplicationsquestionCustomer is asking for a clarification, use case or information.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions