Gathering detailed insights and metrics for @azure/msal-browser
Gathering detailed insights and metrics for @azure/msal-browser
Microsoft Authentication Library (MSAL) for JS
Installations
npm install @azure/msal-browserDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Min. Node Version
>=0.8.0
Node Version
18.20.6
NPM Version
10.8.2
Releases
684
@azure/msal-angular v4.0.15
msal-angular-v4.0.15
Updated on Jul 08, 2025
@azure/msal-react v3.0.15
msal-react-v3.0.15
Updated on Jul 08, 2025
@azure/msal-common v15.8.1
msal-common-v15.8.1
Updated on Jul 08, 2025
@azure/msal-browser v4.15.0
msal-browser-v4.15.0
Updated on Jul 08, 2025
@azure/msal-node-extensions v1.5.17
msal-node-extensions-v1.5.17
Updated on Jul 08, 2025
@azure/msal-node v3.6.3
msal-node-v3.6.3
Updated on Jul 08, 2025
Languages
8
TypeScript
JavaScript
C++
PowerShell
HTML
Shell
C
SCSS
TypeScript (98.73%)
JavaScript (1.1%)
C++ (0.08%)
PowerShell (0.05%)
HTML (0.04%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
3,900 Stars
13,455 Commits
2,694 Forks
124 Watchers
192 Branches
1,162 Contributors
Updated on Jul 12, 2025
Maintainers
3
Package Meta Information
Latest Version
4.15.0
Package Id
@azure/msal-browser@4.15.0
Unpacked Size
10.52 MB
Size
1.55 MB
File Count
2,340
NPM Version
10.8.2
Node Version
18.20.6
Published on
Jul 08, 2025
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
1
Dev Dependencies
29
@azure/storage-blob@babel/core@babel/plugin-proposal-class-properties@babel/plugin-proposal-object-rest-spread@babel/preset-env@babel/preset-typescript@microsoft/api-extractor@rollup/plugin-node-resolve@rollup/plugin-terser@rollup/plugin-typescript@types/jest@types/nodedotenveslint-config-msalfake-indexeddbjestjest-environment-jsdomjest-junitmsal-test-utilsprettierrimrafrolluprollup-msalshxssrits-jestts-jest-resolvertslibtypescript
Microsoft Authentication Library for JavaScript (MSAL.js) for Browser-Based Single-Page Applications
| Getting Started | AAD Docs | Library Reference |
|---|
- About
- FAQ
- Changelog
- Roadmap
- Prerequisites
- Installation
- Usage
- Samples
- Build and Test
- Authorization Code vs Implicit
- Framework Wrappers
- Security Reporting
- License
- Code of Conduct
About
The MSAL library for JavaScript enables client-side JavaScript applications to authenticate users using Azure AD work and school accounts (AAD), Microsoft personal accounts (MSA) and social identity providers like Facebook, Google, LinkedIn, Microsoft accounts, etc. through Azure AD B2C service. It also enables your app to get tokens to access Microsoft Cloud services such as Microsoft Graph.
The @azure/msal-browser package described by the code in this folder uses the @azure/msal-common package as a dependency to enable authentication in JavaScript Single-Page Applications without backend servers. This version of the library uses the OAuth 2.0 Authorization Code Flow with PKCE. To read more about this protocol, as well as the differences between implicit flow and authorization code flow, see the section below.
This is an improvement upon the previous @azure/msal library which will utilize the authorization code flow in the browser. Most features available in the old library will be available in this one, but there are nuances to the authentication flow in both. The @azure/msal-browser package does NOT support the implicit flow.
FAQ
See here.
Roadmap
See here.
Prerequisites
-
@azure/msal-browseris meant to be used in Single-Page Application scenarios. -
Before using
@azure/msal-browseryou will need to register a Single Page Application in Azure AD to get a validclientIdfor configuration, and to register the routes that your app will accept redirect traffic on.
Installation
Via NPM
1npm install @azure/msal-browser
Usage
Migrating from Previous MSAL Versions
MSAL Basics
- Initialization
- Logging in a User
- Acquiring and Using an Access Token
- Managing Token Lifetimes
- Managing Accounts
- Logging Out a User
Advanced Topics
- Configuration Options
- Request and Response Details
- Cache Storage
- Performance Enhancements
- Instance Aware Flow
Samples
The msal-browser-samples folder contains sample applications for our libraries.
More instructions to run the samples can be found in the README.md file of the VanillaJSTestApp2.0 folder.
More advanced samples backed with a tutorial can be found in the Azure Samples space on GitHub:
- JavaScript SPA calling Express.js web API
- JavaScript SPA calling Microsoft Graph via Express.js web API using on-behalf-of flow
- Deployment tutorial for Azure App Service and Azure Storage
We also provide samples for addin/plugin scenarios:
Build and Test
See the contributing.md file for more information.
Building the package
To build the @azure/msal-browser library, you can do the following:
1// Change to the msal-browser package directory 2cd lib/msal-browser/ 3// To run build only for browser package 4npm run build
To build both the @azure/msal-browser library and @azure/msal-common libraries, you can do the following:
1// Change to the msal-browser package directory 2cd lib/msal-browser/ 3// To run build for both browser and common packages 4npm run build:all
Running Tests
@azure/msal-browser uses jest to run unit tests.
1// To run tests 2npm test 3// To run tests with code coverage 4npm run test:coverage
Framework Wrappers
If you are using a framework such as Angular or React you may be interested in using one of our wrapper libraries:
- Angular: @azure/msal-angular v2
- React: @azure/msal-react
Security Reporting
If you find a security issue with our libraries or services please report it to secure@microsoft.com with as much detail as possible. Your submission may be eligible for a bounty through the Microsoft Bounty program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting this page and subscribing to Security Advisory Alerts.
License
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT License.
We Value and Adhere to the Microsoft Open Source Code of Conduct
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
no binaries found in the repo
Reason
Found 21/23 approved changesets -- score normalized to 9
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'dev'
- Info: 'force pushes' disabled on branch 'dev'
- Warn: 'branch protection settings apply to administrators' is disabled on branch 'dev'
- Info: 'stale review dismissal' is required to merge on branch 'dev'
- Info: required approving review count is 2 on branch 'dev'
- Info: codeowner review is required on branch 'dev'
- Info: 'last push approval' is required to merge on branch 'dev'
- Info: 'up-to-date branches' is required to merge on branch 'dev'
- Info: status check found to merge onto on branch 'dev'
- Info: PRs are required in order to make changes on branch 'dev'
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/beachball-bump.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/beachball-bump.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/beachball-bump.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/beachball-bump.yml/dev?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/beachball-bump.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/beachball-bump.yml/dev?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/beachball-check.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/beachball-check.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/beachball-check.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/beachball-check.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/beachball-check.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/beachball-check.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/client-credential-benchmark.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/client-credential-benchmark.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/client-credential-benchmark.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/client-credential-benchmark.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/client-credential-benchmark.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/client-credential-benchmark.yml/dev?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/client-credential-benchmark.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/client-credential-benchmark.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue-template-bot.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/issue-template-bot.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/label.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/label.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/metadata-check.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/metadata-check.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/metadata-check.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/metadata-check.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/msal-node-confidential-client-benchmarks.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/msal-node-confidential-client-benchmarks.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/msal-node-confidential-client-benchmarks.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/msal-node-confidential-client-benchmarks.yml/dev?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/msal-node-confidential-client-benchmarks.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/msal-node-confidential-client-benchmarks.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-audit.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/npm-audit.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-audit.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/npm-audit.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/typedoc.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/typedoc.yml/dev?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/typedoc.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/typedoc.yml/dev?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/typedoc.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/AzureAD/microsoft-authentication-library-for-js/typedoc.yml/dev?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/client-credential-benchmark.yml:28
- Warn: npmCommand not pinned by hash: .github/workflows/client-credential-benchmark.yml:34
- Warn: npmCommand not pinned by hash: .github/workflows/msal-node-confidential-client-benchmarks.yml:23
- Warn: npmCommand not pinned by hash: .github/workflows/msal-node-confidential-client-benchmarks.yml:29
- Info: 0 out of 17 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 5 third-party GitHubAction dependencies pinned
- Info: 4 out of 8 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/beachball-bump.yml:20
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/beachball-check.yml:20
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/beachball-check.yml:21
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/issue-template-bot.yml:12
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/label.yml:22
- Info: topLevel 'contents' permission set to 'read': .github/workflows/beachball-bump.yml:15
- Info: topLevel 'contents' permission set to 'read': .github/workflows/beachball-check.yml:15
- Warn: no topLevel permission defined: .github/workflows/client-credential-benchmark.yml:1
- Info: found token with 'none' permissions: .github/workflows/issue-template-bot.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/label.yml:17
- Warn: no topLevel permission defined: .github/workflows/metadata-check.yml:1
- Warn: topLevel 'deployments' permission set to 'write': .github/workflows/msal-node-confidential-client-benchmarks.yml:9
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/msal-node-confidential-client-benchmarks.yml:11
- Info: topLevel 'contents' permission set to 'read': .github/workflows/npm-audit.yml:24
- Warn: no topLevel permission defined: .github/workflows/typedoc.yml:1
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 30 are checked with a SAST tool
Reason
26 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-m5vv-6r4h-3vj9
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-6r2x-8pq8-9489
- Warn: Project is vulnerable to: MAL-2022-2692
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh
- Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42
- Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-vg6x-rcgg-rjx6
- Warn: Project is vulnerable to: GHSA-x574-m823-4x7w
- Warn: Project is vulnerable to: GHSA-4r4m-qw57-chr8
- Warn: Project is vulnerable to: GHSA-xcj6-pq6g-qj4x
- Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4
- Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
- Warn: Project is vulnerable to: GHSA-g3ch-rx76-35fx
- Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
- Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v
- Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h
Score
5.9
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More