Adding new UX_NOT_ALLOWED suberror under InteractionRequired error type (#7834)

lalimasharda · web-flow · commit 32c6a1bd1f2a · 2025-06-17T13:42:55.000-07:00
- UX_NOT_ALLOWED is a new sub_error in the platform auth flow that is
thrown when there was a token request made from a web page without user
interaction/presence on the page (Edge browser feature).
- This PR also updates some logger statements.
diff --git a/change/@azure-msal-browser-e0f47ef0-42cd-4dcc-b793-c6277389a1c2.json b/change/@azure-msal-browser-e0f47ef0-42cd-4dcc-b793-c6277389a1c2.json
@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "added UX_NOT_ALLOWED suberror to InteractionRequired error type #7834",
+  "packageName": "@azure/msal-browser",
+  "email": "lalimasharda@microsoft.com",
+  "dependentChangeType": "patch"
+}
diff --git a/change/@azure-msal-common-bcac2331-9139-41d4-8695-c1e99e1ed05e.json b/change/@azure-msal-common-bcac2331-9139-41d4-8695-c1e99e1ed05e.json
@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "added UX_NOT_ALLOWED suberror to InteractionRequired error type #7834",
+  "packageName": "@azure/msal-common",
+  "email": "lalimasharda@microsoft.com",
+  "dependentChangeType": "patch"
+}
diff --git a/lib/msal-browser/src/broker/nativeBroker/NativeStatusCodes.ts b/lib/msal-browser/src/broker/nativeBroker/NativeStatusCodes.ts
@@ -11,3 +11,4 @@ export const TRANSIENT_ERROR = "TRANSIENT_ERROR";
 export const PERSISTENT_ERROR = "PERSISTENT_ERROR";
 export const DISABLED = "DISABLED";
 export const ACCOUNT_UNAVAILABLE = "ACCOUNT_UNAVAILABLE";
+export const UX_NOT_ALLOWED = "UX_NOT_ALLOWED";
diff --git a/lib/msal-browser/src/broker/nativeBroker/PlatformAuthProvider.ts b/lib/msal-browser/src/broker/nativeBroker/PlatformAuthProvider.ts
@@ -128,18 +128,18 @@ export function isPlatformAuthAllowed(
     platformAuthProvider?: IPlatformAuthHandler,
     authenticationScheme?: AuthenticationScheme
 ): boolean {
-    logger.trace("isBrokerAvailable called");
+    logger.trace("isPlatformAuthAllowed called");
     if (!config.system.allowPlatformBroker) {
         logger.trace(
-            "isBrokerAvailable: allowPlatformBroker is not enabled, returning false"
+            "isPlatformAuthAllowed: allowPlatformBroker is not enabled, returning false"
         );
         // Developer disabled WAM
         return false;
     }
 
     if (!platformAuthProvider) {
         logger.trace(
-            "isBrokerAvailable: Platform auth provider is not initialized, returning false"
+            "isPlatformAuthAllowed: Platform auth provider is not initialized, returning false"
         );
         // Platform broker auth providers are not available
         return false;
@@ -150,12 +150,12 @@ export function isPlatformAuthAllowed(
             case AuthenticationScheme.BEARER:
             case AuthenticationScheme.POP:
                 logger.trace(
-                    "isBrokerAvailable: authenticationScheme is supported, returning true"
+                    "isPlatformAuthAllowed: authenticationScheme is supported, returning true"
                 );
                 return true;
             default:
                 logger.trace(
-                    "isBrokerAvailable: authenticationScheme is not supported, returning false"
+                    "isPlatformAuthAllowed: authenticationScheme is not supported, returning false"
                 );
                 return false;
         }
diff --git a/lib/msal-browser/src/error/NativeAuthError.ts b/lib/msal-browser/src/error/NativeAuthError.ts
@@ -102,6 +102,10 @@ export function createNativeAuthError(
                 return createBrowserAuthError(
                     BrowserAuthErrorCodes.noNetworkConnectivity
                 );
+            case NativeStatusCodes.UX_NOT_ALLOWED:
+                return createInteractionRequiredAuthError(
+                    InteractionRequiredAuthErrorCodes.uxNotAllowed
+                );
         }
     }
 
diff --git a/lib/msal-browser/test/broker/PlatformAuthDOMHandler.spec.ts b/lib/msal-browser/test/broker/PlatformAuthDOMHandler.spec.ts
@@ -16,7 +16,6 @@ import {
 } from "../utils/StringConstants.js";
 import { PlatformAuthRequest } from "../../src/broker/nativeBroker/PlatformAuthRequest.js";
 import { NativeAuthError } from "../../src/error/NativeAuthError.js";
-import { sign } from "crypto";
 
 describe("PlatformAuthDOMHandler tests", () => {
     let performanceClient: IPerformanceClient;
@@ -517,37 +516,38 @@ describe("PlatformAuthDOMHandler tests", () => {
         });
     });
 
-    describe("getDOMExtraParams tests", () => {});
-    it("should return a valid DOMExtraParameters object", async () => {
-        getSupportedContractsMock.mockResolvedValue([
-            PlatformAuthConstants.PLATFORM_DOM_APIS,
-        ]);
-        const platformAuthDOMHandler =
-            await PlatformAuthDOMHandler.createProvider(
-                logger,
-                performanceClient,
-                "test-correlation-id"
-            );
-        const testExtraParameters = {
-            prompt: PromptValue.NONE,
-            nonce: "test-nonce",
-            claims: "test-claims",
-            instanceAware: true,
-            windowTitleSubstring: "test-window-substring",
-            extendedExpiryToken: true,
-            signPopToken: true,
-        };
-        const domExtraParams =
-            //@ts-ignore
-            platformAuthDOMHandler.getDOMExtraParams(testExtraParameters);
-        expect(domExtraParams).toEqual({
-            prompt: "none",
-            nonce: "test-nonce",
-            claims: "test-claims",
-            instanceAware: "true",
-            windowTitleSubstring: "test-window-substring",
-            extendedExpiryToken: "true",
-            signPopToken: "true",
+    describe("getDOMExtraParams tests", () => {
+        it("should return a valid DOMExtraParameters object", async () => {
+            getSupportedContractsMock.mockResolvedValue([
+                PlatformAuthConstants.PLATFORM_DOM_APIS,
+            ]);
+            const platformAuthDOMHandler =
+                await PlatformAuthDOMHandler.createProvider(
+                    logger,
+                    performanceClient,
+                    "test-correlation-id"
+                );
+            const testExtraParameters = {
+                prompt: PromptValue.NONE,
+                nonce: "test-nonce",
+                claims: "test-claims",
+                instanceAware: true,
+                windowTitleSubstring: "test-window-substring",
+                extendedExpiryToken: true,
+                signPopToken: true,
+            };
+            const domExtraParams =
+                //@ts-ignore
+                platformAuthDOMHandler.getDOMExtraParams(testExtraParameters);
+            expect(domExtraParams).toEqual({
+                prompt: "none",
+                nonce: "test-nonce",
+                claims: "test-claims",
+                instanceAware: "true",
+                windowTitleSubstring: "test-window-substring",
+                extendedExpiryToken: "true",
+                signPopToken: "true",
+            });
         });
     });
 });
diff --git a/lib/msal-browser/test/error/NativeAuthError.spec.ts b/lib/msal-browser/test/error/NativeAuthError.spec.ts
@@ -6,6 +6,7 @@ import {
 } from "../../src/error/NativeAuthError";
 import {
     InteractionRequiredAuthError,
+    InteractionRequiredAuthErrorCodes,
     InteractionRequiredAuthErrorMessage,
 } from "@azure/msal-common";
 import {
@@ -119,6 +120,23 @@ describe("NativeAuthError Unit Tests", () => {
                 );
             });
 
+            it("translates UX_NOT_ALLOWED status into corresponding InteractionRequiredError", () => {
+                const error = createNativeAuthError(
+                    "interaction_required",
+                    "interaction is required",
+                    {
+                        error: 1,
+                        protocol_error: "testProtocolError",
+                        properties: {},
+                        status: NativeStatusCode.UX_NOT_ALLOWED,
+                    }
+                );
+                expect(error).toBeInstanceOf(InteractionRequiredAuthError);
+                expect(error.errorCode).toBe(
+                    InteractionRequiredAuthErrorCodes.uxNotAllowed
+                );
+            });
+
             it("translates USER_CANCEL status into corresponding BrowserAuthError", () => {
                 const error = createNativeAuthError(
                     "user_cancel",
diff --git a/lib/msal-common/apiReview/msal-common.api.md b/lib/msal-common/apiReview/msal-common.api.md
@@ -2603,6 +2603,7 @@ declare namespace InteractionRequiredAuthErrorCodes {
         noTokensFound,
         nativeAccountUnavailable,
         refreshTokenExpired,
+        uxNotAllowed,
         interactionRequired,
         consentRequired,
         loginRequired,
@@ -4481,6 +4482,11 @@ const userCanceled = "user_canceled";
 // @public (undocumented)
 const userTimeoutReached = "user_timeout_reached";
 
+// Warning: (ae-missing-release-tag) "uxNotAllowed" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
+//
+// @public (undocumented)
+const uxNotAllowed = "ux_not_allowed";
+
 // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // Warning: (tsdoc-param-tag-missing-hyphen) The @param block should be followed by a parameter name and then a hyphen
 // Warning: (ae-missing-release-tag) "validateAuthorizationResponse" is part of the package's API, but it is missing a release tag (@alpha, @beta, @public, or @internal)
diff --git a/lib/msal-common/src/error/InteractionRequiredAuthError.ts b/lib/msal-common/src/error/InteractionRequiredAuthError.ts
@@ -16,6 +16,7 @@ export const InteractionRequiredServerErrorMessage = [
     InteractionRequiredAuthErrorCodes.consentRequired,
     InteractionRequiredAuthErrorCodes.loginRequired,
     InteractionRequiredAuthErrorCodes.badToken,
+    InteractionRequiredAuthErrorCodes.uxNotAllowed,
 ];
 
 export const InteractionRequiredAuthSubErrorMessage = [
@@ -36,6 +37,8 @@ const InteractionRequiredAuthErrorMessages = {
         "Refresh token has expired.",
     [InteractionRequiredAuthErrorCodes.badToken]:
         "Identity provider returned bad_token due to an expired or invalid refresh token. Please invoke an interactive API to resolve.",
+    [InteractionRequiredAuthErrorCodes.uxNotAllowed]:
+        "`canShowUI` flag in Edge was set to false. User interaction required on web page. Please invoke an interactive API to resolve.",
 };
 
 /**
diff --git a/lib/msal-common/src/error/InteractionRequiredAuthErrorCodes.ts b/lib/msal-common/src/error/InteractionRequiredAuthErrorCodes.ts
@@ -7,6 +7,7 @@
 export const noTokensFound = "no_tokens_found";
 export const nativeAccountUnavailable = "native_account_unavailable";
 export const refreshTokenExpired = "refresh_token_expired";
+export const uxNotAllowed = "ux_not_allowed";
 
 // Codes potentially returned by server
 export const interactionRequired = "interaction_required";

Original file line number	Diff line number	Diff line change
`@@ -102,6 +102,10 @@ export function createNativeAuthError(`
`102`	`102`	`return createBrowserAuthError(`
`103`	`103`	`BrowserAuthErrorCodes.noNetworkConnectivity`
`104`	`104`	`);`
	`105`	`+ case NativeStatusCodes.UX_NOT_ALLOWED:`
	`106`	`+ return createInteractionRequiredAuthError(`
	`107`	`+ InteractionRequiredAuthErrorCodes.uxNotAllowed`
	`108`	`+ );`
`105`	`109`	`}`
`106`	`110`	`}`
`107`	`111`