You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
On mobile, authentication providers that use app-switch (e.g. itsme in Belgium)
navigate the user away to a native app and then return to the browser via a deep-link.
Mobile browsers open this return link in a new tab instead of restoring the original tab.
This means the new tab has empty sessionStorage, and MSAL's temporary redirect state
(INTERACTION_STATUS, ORIGIN_URI, URL_HASH) is lost, causing authentication to fail silently.
Root cause
BrowserCacheManager hardcodes the temporary cache to sessionStorage, regardless of the
configured cacheLocation:
The redirect_bridge/index.ts also hardcodes window.sessionStorage reads directly,
so even the redirect bridge cannot recover these keys in the new tab.
History
This was fixed in v2 via PR #5725 we opened, which introduced temporaryCacheLocation in CacheOptions.
Setting temporaryCacheLocation: BrowserCacheLocation.LocalStorage allowed the temp state
to survive a cross-tab redirect.
Make redirect_bridge/index.ts automatically check localStorage as a fallback when the
sessionStorage keys are missing (since the redirect bridge already operates outside
BrowserCacheManager's abstraction), OR
Provide a supported hook/callback to allow apps to restore temporary state before the bridge runs
Core Library
MSAL.js (@azure/msal-browser)
Core Library Version
5.11.0
Wrapper Library
MSAL Angular (@azure/msal-angular)
Wrapper Library Version
5.2.5
Public or Confidential Client?
Public
Description
Description
On mobile, authentication providers that use app-switch (e.g. itsme in Belgium)
navigate the user away to a native app and then return to the browser via a deep-link.
Mobile browsers open this return link in a new tab instead of restoring the original tab.
This means the new tab has empty
sessionStorage, and MSAL's temporary redirect state(INTERACTION_STATUS, ORIGIN_URI, URL_HASH) is lost, causing authentication to fail silently.
Root cause
BrowserCacheManagerhardcodes the temporary cache tosessionStorage, regardless of theconfigured
cacheLocation:The redirect_bridge/index.ts also hardcodes window.sessionStorage reads directly,
so even the redirect bridge cannot recover these keys in the new tab.
History
This was fixed in v2 via PR #5725 we opened, which introduced
temporaryCacheLocationinCacheOptions.Setting
temporaryCacheLocation: BrowserCacheLocation.LocalStorageallowed the temp stateto survive a cross-tab redirect.
That option was removed without a replacement.
Error Message
No response
MSAL Logs
No response
Network Trace (Preferrably Fiddler)
MSAL Configuration
Relevant Code Snippets
Reproduction Steps
cacheLocation: BrowserCacheLocation.LocalStorage(the existing recommendation forcross-tab scenarios)
Expected Behavior
Either:
temporaryCacheLocationinCacheOptions(matching the v2 behavior from Add temporaryCacheLocation to Cache Options #5725), ORredirect_bridge/index.tsautomatically checklocalStorageas a fallback when thesessionStorage keys are missing (since the redirect bridge already operates outside
BrowserCacheManager's abstraction), OR
Identity Provider
Azure B2C Custom Policy
Browsers Affected (Select all that apply)
Chrome, Firefox, Edge, Safari
Regression
No response