fix(module-msal): avoid ~10-20s iframe timeout when refresh token is revoked (#4710)

* fix(module-msal): default cacheLookupPolicy to AccessTokenAndRefreshToken to avoid iframe timeout on revoked refresh token

When a refresh token is revoked, MSAL's default CacheLookupPolicy falls back to
a hidden iframe (SilentIframeClient) after receiving invalid_grant. The iframe
times out after ~10-20s (monitor_window_timeout) before the app eventually
triggers an interactive redirect — causing the visible iframe crash + page reload.

Set CacheLookupPolicy.AccessTokenAndRefreshToken as the default in MsalConfigurator
so revoked tokens immediately throw InteractionRequiredAuthError without the delay.

The policy is configurable via configurator.setCacheLookupPolicy() and can be
overridden per-request via SilentRequest.cacheLookupPolicy.

* fix(module-msal): use z.custom validator and add cacheLookupPolicy tests

- Replace z.nativeEnum (deprecated in Zod v4) with z.custom validator
  that checks Object.values(CacheLookupPolicy) for valid membership
- Add CacheLookupPolicy import to MsalConfigurator.test.ts
- Add tests: default resolves to AccessTokenAndRefreshToken,
  setCacheLookupPolicy(undefined) clears policy, override works
- Remove trailing whitespace flagged by Biome

* Update packages/modules/msal/src/MsalConfigurator.ts

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: odinr

.changeset/fusion-framework-module-msal_fix-cache-lookup-policy.md

@@ -0,0 +1,23 @@
+---
+"@equinor/fusion-framework-module-msal": patch
+---
+
+Fix silent token acquisition hanging ~10–20 s when refresh token is revoked.
+
+When a refresh token is revoked, MSAL's default cache lookup policy (`Default`) falls back to a hidden iframe (`SilentIframeClient`) after the token endpoint returns `invalid_grant`. The iframe loads the app URL, fails to authenticate (no valid session), and times out — throwing `monitor_window_timeout` before eventually triggering an interactive redirect. This causes the visible "iframe crash + page reload" symptom.
+
+The configurator now defaults `cacheLookupPolicy` to `CacheLookupPolicy.AccessTokenAndRefreshToken`, which skips the iframe step entirely. A revoked refresh token now immediately throws `InteractionRequiredAuthError`, and the app falls back to interactive login without the delay.
+
+**Configuration:**
+
+The policy is fully configurable via `MsalConfigurator.setCacheLookupPolicy`. To restore MSAL's original waterfall (cache → refresh token → iframe):
+
+```typescript
+import { CacheLookupPolicy } from '@azure/msal-browser';
+
+configurator.setCacheLookupPolicy(CacheLookupPolicy.Default);
+```
+
+Per-request `cacheLookupPolicy` on `SilentRequest` still takes precedence over the instance default.
+
+Fixes: https://github.com/equinor/fusion-core-tasks/issues/1234

packages/modules/msal/src/MsalClient.ts

@@ -1,5 +1,6 @@
 import {
   PublicClientApplication,
+  type CacheLookupPolicy,
   type SilentRequest,
   type Configuration,
   type EndSessionRequest,
@@ -40,6 +41,23 @@ export type MsalClientConfig = Configuration & {
     /** Optional tenant identifier for Azure AD tenant */
     tenantId?: string;
   };
+  /**
+   * Cache lookup policy applied to every `acquireTokenSilent` call.
+   *
+   * Controls whether MSAL falls back to a hidden iframe when the refresh token
+   * fails. When `undefined`, MSAL's built-in default applies (cache → refresh
+   * token → iframe). Set to `CacheLookupPolicy.AccessTokenAndRefreshToken` to
+   * skip the iframe step and fail immediately with `InteractionRequiredAuthError`
+   * when the refresh token is revoked — avoiding the ~10–20 s
+   * `monitor_window_timeout` delay.
+   *
+   * When using {@link MsalConfigurator}, this defaults to
+   * `CacheLookupPolicy.AccessTokenAndRefreshToken`. When constructing `MsalClient`
+   * directly, the field is optional and defaults to `undefined` (MSAL default).
+   *
+   * Per-request `cacheLookupPolicy` on `SilentRequest` takes precedence over this value.
+   */
+  cacheLookupPolicy?: CacheLookupPolicy;
 };
 
 /**
@@ -65,6 +83,7 @@ export type MsalClientConfig = Configuration & {
 export class MsalClient extends PublicClientApplication implements IMsalClient {
   #tenantId?: string;
   #clientId?: string;
+  #cacheLookupPolicy?: CacheLookupPolicy;
 
   /**
    * Creates a new MSAL client instance.
@@ -75,6 +94,7 @@ export class MsalClient extends PublicClientApplication implements IMsalClient {
     super(config);
     this.#tenantId = config.auth?.tenantId;
     this.#clientId = config.auth?.clientId;
+    this.#cacheLookupPolicy = config.cacheLookupPolicy;
   }
 
   /**
@@ -257,7 +277,11 @@ export class MsalClient extends PublicClientApplication implements IMsalClient {
             'Attempting to acquire token silently',
             request.correlationId || FUSION_CORRELATION_ID,
           );
-          return await this.acquireTokenSilent(request as SilentRequest);
+          return await this.acquireTokenSilent({
+            // Instance-level policy is the default; request-level cacheLookupPolicy takes precedence
+            cacheLookupPolicy: this.#cacheLookupPolicy,
+            ...(request as SilentRequest),
+          });
         } catch {
           // Silent acquisition failed - fall back to interactive
           this.getLogger().warning(

packages/modules/msal/src/MsalConfigurator.ts

@@ -8,7 +8,7 @@ import {
 } from '@equinor/fusion-framework-module-telemetry';
 import { MsalClient, type MsalClientConfig, type IMsalClient } from './MsalClient';
 import { createClientLogCallback } from './create-client-log-callback';
-import { LogLevel } from '@azure/msal-browser';
+import { CacheLookupPolicy, LogLevel } from '@azure/msal-browser';
 import { version } from './version';
 
 /**
@@ -45,6 +45,13 @@ const MsalConfigSchema = z.object({
   redirectUri: z.string().optional(),
   loginHint: z.string().optional(),
   authCode: z.string().optional(),
+  cacheLookupPolicy: z
+    .custom<CacheLookupPolicy>(
+      (val) =>
+        typeof val === 'number' &&
+        Object.values(CacheLookupPolicy).includes(val as CacheLookupPolicy),
+    )
+    .optional(),
   version: z.string().transform((x: string) => String(semver.coerce(x))),
   telemetry: TelemetryConfigSchema,
 });
@@ -98,6 +105,8 @@ export class MsalConfigurator extends BaseConfigBuilder<MsalConfig> {
         return telemetry;
       }
     });
+    // Default cache lookup policy to AccessTokenAndRefreshToken to avoid iframe fallback delays
+    this._set('cacheLookupPolicy', async () => CacheLookupPolicy.AccessTokenAndRefreshToken);
   }
 
   /**
@@ -125,6 +134,34 @@ export class MsalConfigurator extends BaseConfigBuilder<MsalConfig> {
     return this;
   }
 
+  /**
+   * Sets the cache lookup policy used for every silent token acquisition.
+   *
+   * Controls whether MSAL falls back to a hidden iframe when the refresh token
+   * fails. Defaults to `CacheLookupPolicy.AccessTokenAndRefreshToken`, which skips
+   * the iframe step and fails immediately with `InteractionRequiredAuthError` when
+   * the refresh token is revoked — avoiding the ~10–20 s `monitor_window_timeout`
+   * delay caused by MSAL's built-in iframe fallback.
+   *
+   * Set to `CacheLookupPolicy.Default` to restore MSAL's full waterfall:
+   * cache → refresh token → iframe.
+   *
+   * @param policy - Cache lookup policy to apply
+   * @returns The configurator instance for method chaining
+   *
+   * @example
+   * ```typescript
+   * import { CacheLookupPolicy } from '@azure/msal-browser';
+   *
+   * // Restore MSAL's built-in iframe fallback (not recommended for most apps)
+   * configurator.setCacheLookupPolicy(CacheLookupPolicy.Default);
+   * ```
+   */
+  setCacheLookupPolicy(policy: CacheLookupPolicy | undefined): this {
+    this._set('cacheLookupPolicy', async () => policy);
+    return this;
+  }
+
   /**
    * Sets a backend-issued authorization code for token exchange.
    *
@@ -346,6 +383,11 @@ export class MsalConfigurator extends BaseConfigBuilder<MsalConfig> {
           },
         };
       }
+      // Apply silent cache lookup policy if configured
+      if (config.cacheLookupPolicy !== undefined) {
+        clientConfig.cacheLookupPolicy = config.cacheLookupPolicy;
+      }
+
       // Instantiate MSAL client with fully configured options
       config.client = new MsalClient(clientConfig);
     }

packages/modules/msal/src/__tests__/MsalConfigurator.test.ts

@@ -1,4 +1,5 @@
 import type { ConfigBuilderCallbackArgs } from '@equinor/fusion-framework-module';
+import { CacheLookupPolicy } from '@azure/msal-browser';
 import { describe, expect, it, vi } from 'vitest';
 import type { IMsalClient } from '../MsalClient.interface';
 import { type MsalConfig, MsalConfigurator } from '../MsalConfigurator';
@@ -72,4 +73,44 @@ describe('MsalConfigurator', () => {
 
     expect(config.client).toBeUndefined();
   });
+
+  describe('cacheLookupPolicy', () => {
+    it('defaults to CacheLookupPolicy.AccessTokenAndRefreshToken', async () => {
+      const configurator = new MsalConfigurator();
+      configurator.setClient(createClient());
+
+      const config = await configurator.createConfigAsync(
+        createConfigCallbackArgs(),
+        createInitialConfig(),
+      );
+
+      expect(config.cacheLookupPolicy).toBe(CacheLookupPolicy.AccessTokenAndRefreshToken);
+    });
+
+    it('setCacheLookupPolicy(undefined) clears the policy so MSAL default applies', async () => {
+      const configurator = new MsalConfigurator();
+      configurator.setClient(createClient());
+      configurator.setCacheLookupPolicy(undefined);
+
+      const config = await configurator.createConfigAsync(
+        createConfigCallbackArgs(),
+        createInitialConfig(),
+      );
+
+      expect(config.cacheLookupPolicy).toBeUndefined();
+    });
+
+    it('setCacheLookupPolicy overrides the default', async () => {
+      const configurator = new MsalConfigurator();
+      configurator.setClient(createClient());
+      configurator.setCacheLookupPolicy(CacheLookupPolicy.Default);
+
+      const config = await configurator.createConfigAsync(
+        createConfigCallbackArgs(),
+        createInitialConfig(),
+      );
+
+      expect(config.cacheLookupPolicy).toBe(CacheLookupPolicy.Default);
+    });
+  });
 });