Add support for authorize call using method POST #7920
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
msal-browser
…rizationRequest instead of baseAuthRequest
github-actions
bot
added
the
samples
hectormmg
requested review from
sameerag,
tnorling,
jo-arroyo,
peterzenz,
Robbie-Microsoft,
konstantin-msft,
lalimasharda and
shylasummers
as code owners
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for sending authorize requests using the HTTP POST method in addition to the existing GET method. The feature enables passing parameters in the request body through the new authorizePostBodyParameters property.
- Introduces new
httpMethodandauthorizePostBodyParametersoptions to auth requests - Adds validation logic to ensure proper method/parameter combinations
- Implements POST-based authorization flows for both redirect and popup clients
Reviewed Changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| samples/msal-browser-samples/VanillaJSTestApp2.0/app/default/authConfig.js | Updates sample configuration to demonstrate POST method usage with body parameters |
| samples/msal-browser-samples/VanillaJSTestApp2.0/app/default/auth.js | Minor cleanup removing unused redirectUri parameter |
| lib/msal-common/src/utils/Constants.ts | Defines HttpMethod constants for GET and POST |
| lib/msal-common/src/request/RequestParameterBuilder.ts | Adds utility function for handling POST body parameters |
| lib/msal-common/src/request/BaseAuthRequest.ts | Extends request interface with httpMethod and authorizePostBodyParameters |
| lib/msal-common/src/exports-common.ts | Exports the new HttpMethod constant |
| lib/msal-common/src/error/ClientConfigurationErrorCodes.ts | Adds error codes for invalid request configurations |
| lib/msal-common/src/error/ClientConfigurationError.ts | Defines error messages for new validation scenarios |
| lib/msal-browser/test/utils/StringConstants.ts | Adds test constants for authorize body parameters |
| lib/msal-browser/test/interaction_client/*.spec.ts | Comprehensive test coverage for new POST method functionality |
| lib/msal-browser/src/request/RequestHelpers.ts | Implements request validation logic for method/parameter combinations |
| lib/msal-browser/src/protocol/Authorize.ts | Adds getCodeForm function for POST-based authorization |
| lib/msal-browser/src/interaction_client/StandardInteractionClient.ts | Integrates request method validation into client initialization |
| lib/msal-browser/src/interaction_client/RedirectClient.ts | Implements executeCodeFlowWithPost method for redirect scenarios |
| lib/msal-browser/src/interaction_client/PopupClient.ts | Implements executeCodeFlowWithPost method for popup scenarios |
Comments suppressed due to low confidence (1)
lib/msal-browser/test/interaction_client/RedirectClient.spec.ts:26
- The imported testNavUrl constant appears to be used in tests but its definition is not shown in the diff. Ensure this constant is properly defined and exported from the StringConstants file.
testNavUrl,
lib/msal-browser/src/interaction_client/StandardInteractionClient.ts
Outdated
Show resolved
Hide resolved
github-actions
bot
removed
the
samples
github-actions
bot
added
the
samples
konstantin-msft
approved these changes
Jul 22, 2025
shylasummers
approved these changes
Jul 22, 2025
hectormmg
added a commit
that referenced
this pull request
Aug 13, 2025
This PR: - Adds the `httpMethod` and `authorizePostBodyParameters` options to `BaseAuthRequest` - Enables calls to the `/authorize` endpoint using HTTP method "POST" using the `Redirect`, `Popup`, and `SilentIFrame` flows - Ensures `extraQueryParameters` are still encoded into the request URL in `POST` flow - Ensures `httpMethod` cannot be set to 'GET' when using the EAR protocol mode (throws when the request is validated) - Ensures request validation to make sure the combinations of `httpMethod` and `authorizePostBodyParameters` as well as `httpMethod` and protocol mode happens before synchronous popup is opened.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR:
httpMethodandauthorizePostBodyParametersoptions toBaseAuthRequest/authorizeendpoint using HTTP method "POST" using theRedirect,Popup, andSilentIFrameflowsextraQueryParametersare still encoded into the request URL inPOSTflowhttpMethodcannot be set to 'GET' when using the EAR protocol mode (throws when the request is validated)httpMethodandauthorizePostBodyParametersas well ashttpMethodand protocol mode happens before synchronous popup is opened.