Introducing MSAL.Browser v3: What developers need to know

Emily Lauber

We’re excited to announce the latest versions of the Microsoft Authentication Library (MSAL) for JavaScript are now Generally Available with improved performance and updated framework support. This update, informed by feedback from the development community, is lighter for faster page loads, has optimized caching, and contains many small performance improvements—all while providing minimal breaking code changes for developers.

You can explore the library source code on GitHub, where you can also suggest features and improvements.

A primer on MSAL.js

The MSAL.js library is a cornerstone open-source SDK which supports both internal (Microsoft) and external customers’ browser authentication needs within Microsoft Entra. It supports enterprise, consumer, and B2C scenarios for web development. MSAL.js is an umbrella term that includes multiple libraries within the JavaScript ecosystem:

  • MSAL.Browser for single-page applications (SPA)
  • MSAL.Angular, an MSAL.Browser wrapper for Angular
  • MSAL.React, an MSAL.Browser wrapper for React
  • MSAL.Node for public and confidential client applications
  • MSAL.Node.Extensions for extending MSAL.Node – includes features such as cross-platform token cache persistence and native brokering

What’s new in MSAL.Browser version 3

Based on feedback we received, the latest version of MSAL.Browser benefits developers in several ways.

Reduction in size

The package size is smaller, leading to better performance. This was done by dropping support for legacy software like Internet Explorer and migrating to the latest standards (from ES6/ES5 to ES2020).

Upgraded framework support

The MSAL.Browser-supported wrappers, React and Angular, have been updated to match version support from the frameworks themselves.

  • MSAL.Angular v3 supports Angular 15 and 16 and drops support for prior versions.
  • MSAL.React v2 supports React 16, 17, and 18, same as MSAL.React v1.

MSAL.Node v2 now supports Node.js 20 and drops support for Node.js 16 and below.

These changes aim to keep MSAL.js aligned with the larger browser development ecosystem.

Minor breaking code change

MSAL.Browser and MSAL.Angular now require the Initialize call before acquiring any tokens.
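One way to enforce the initialize-before-use requirement in application code, as an added example that is not from the MSAL.js project: `withInitialization` is a hypothetical helper, and the wrapped object is assumed to be a `PublicClientApplication` from `@azure/msal-browser`. Concurrent callers share one initialization, and a failed initialization blocks token calls until a later call retries it.

```javascript
// Added example. `withInitialization` is a hypothetical helper, not an MSAL.js API.
// It assumes `client` is a PublicClientApplication from @azure/msal-browser.
const GATED = new Set([
  "handleRedirectPromise", "loginPopup", "loginRedirect", "ssoSilent",
  "acquireTokenSilent", "acquireTokenPopup", "acquireTokenRedirect",
]);

function withInitialization(client) {
  let ready = null; // memoized so initialize() runs once, even under concurrent calls

  const ensureReady = () => {
    if (ready === null) {
      ready = Promise.resolve()
        .then(() => client.initialize())
        .catch((err) => {
          ready = null; // fail closed for this call, allow a later call to retry
          throw err;
        });
    }
    return ready;
  };

  return new Proxy(client, {
    get(target, prop) {
      if (prop === "initialize") return ensureReady;
      const value = target[prop];
      if (typeof value !== "function") return value;
      // Synchronous helpers (for example getAllAccounts) pass through unchanged.
      if (!GATED.has(prop)) return value.bind(target);
      // Interactive and token APIs wait for initialization before running.
      return async (...args) => {
        await ensureReady();
        return value.apply(target, args);
      };
    },
  });
}

// Wiring in an app (placeholder client ID; `account` comes from your sign-in flow):
//
//   import { PublicClientApplication } from "@azure/msal-browser";
//   const pca = withInitialization(new PublicClientApplication({
//     auth: { clientId: "<your-client-id>" },
//   }));
//   await pca.handleRedirectPromise();
//   const result = await pca.acquireTokenSilent({ scopes: ["User.Read"], account });
```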

MSAL.Browser v3 introduces new default behavior for claims-based caching. The default behavior in the new library version is to refresh the token every time claims are requested. The received token overwrites the cached token for silent requests without claims. This update requires no action from developers. If you would like to revert to the legacy behavior, you can read how here.

The latest MSAL.js releases are no longer available on Microsoft-hosted Content Delivery Networks (CDN). The libraries continue to be available on npm.

Your next steps

As a developer using MSAL.Browser, here’s your playbook to benefit from the latest library changes:

  • Update to the now generally available latest major versions.
  • To upgrade, you’ll need to update your MSAL.Browser code to make the now-required Initialize call. Please see the migration guide for the appropriate MSAL.js library.
  • Plan for monthly minor version updates to keep your app up-to-date with the latest features.
  • Subscribe to the GitHub pre-release channel and provide feedback early and often via GitHub Issues.

Looking ahead to v4

The team is already planning for what we can improve next in v4. Our aim is to add more secure-by-default configuration options and continue with the ongoing performance improvements. If you have any suggestions or feedback on what could be improved in our next major release, please reach out. The MSAL.js team is working towards a model where we can release major versions of the library more frequently, all while continuing to offer stability and reliability to developers who use it.

Major versions will be made available as a pre-release for the community to test. The timeline of a major version going from pre-release to general availability will depend on the specific changes within that release and the feedback gathered from the community during the pre-release stage.

Once a new major version is generally available, the previous version will enter Long-Term Support (LTS) and receive security updates for one year after it is superseded by the latest major version. LTS versions will only receive security updates. New features and bug fixes will go into the latest major version.

Thank you and we’ll see you on the authenticated side!

To get started with MSAL.js, explore our documentation and samples.
