AzureAD · jo-arroyo · May 21, 2025 · Apr 12, 2025 · Apr 12, 2025 · Apr 12, 2025
@@ -109,7 +109,6 @@ body:
                 },
                 cache: {
                   cacheLocation: "sessionStorage"
-                  storeAuthStateInCookie: false
                 }
               }
       validations:

diff --git a/change/@azure-msal-browser-6f00d163-ea6e-4461-8d64-f654afaa2e5c.json b/change/@azure-msal-browser-6f00d163-ea6e-4461-8d64-f654afaa2e5c.json
@@ -0,0 +1,7 @@
+{
+  "type": "major",
+  "comment": "Configuration changes to CacheOptions #7697",
+  "packageName": "@azure/msal-browser",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/change/@azure-msal-common-c037e1e0-4f7a-49c5-912a-ce0ea99fcf1e.json b/change/@azure-msal-common-c037e1e0-4f7a-49c5-912a-ce0ea99fcf1e.json
@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Deprecate claimsBasedCachingEnabled as part of Configuration change #7697",
+  "packageName": "@azure/msal-common",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
@@ -58,7 +58,6 @@ import { PublicClientApplication, InteractionType, BrowserCacheLocation } from "
         },
         cache: {
           cacheLocation: BrowserCacheLocation.LocalStorage,
-          storeAuthStateInCookie: true, // set to true for IE 11
         },
         system: {
           loggerOptions: {
@@ -261,7 +260,6 @@ fetch("/assets/configuration.json")
     },
     "cache": {
       "cacheLocation": "localStorage",
-      "storeAuthStateInCookie": true
     }
   },
   "guard": {
@@ -471,7 +469,6 @@ export class AppModule {}
     },
     "cache": {
       "cacheLocation": "localStorage",
-      "storeAuthStateInCookie": true
     }
   },
   "guard": {

@@ -222,7 +222,6 @@ import { PublicClientApplication, InteractionType, BrowserCacheLocation } from "
             },
             cache: {
                 cacheLocation : BrowserCacheLocation.LocalStorage,
-                storeAuthStateInCookie: true, // set to true for IE 11
             },
             system: {
                 loggerOptions: {

@@ -31,7 +31,6 @@ import { PublicClientApplication, InteractionType, BrowserCacheLocation } from "
             },
             cache: {
                 cacheLocation : BrowserCacheLocation.LocalStorage,
-                storeAuthStateInCookie: true, // set to true for IE 11
             },
             system: {
                 loggerOptions: {
@@ -115,7 +114,6 @@ import { PublicClientApplication, InteractionType, BrowserCacheLocation } from "
             },
             cache: {
                 cacheLocation : BrowserCacheLocation.LocalStorage,
-                storeAuthStateInCookie: true, // set to true for IE 11
             },
             system: {
                 loggerOptions: {

@@ -409,8 +409,6 @@ export type CacheLookupPolicy = (typeof CacheLookupPolicy)[keyof typeof CacheLoo
 export type CacheOptions = {
     cacheLocation?: BrowserCacheLocation | string;
     temporaryCacheLocation?: BrowserCacheLocation | string;
-    storeAuthStateInCookie?: boolean;
-    cacheMigrationEnabled?: boolean;
     claimsBasedCachingEnabled?: boolean;
 };
 

@@ -71,6 +71,9 @@ To faciliate efficient token acquisition while maintaining a good UX, MSAL cache
 > :bulb: The authorization code is only stored in memory and will be discarded after redeeming it for tokens.
 
 ## Warning :warning:
+
+**NOTE: `temporaryCacheLocation` is deprecated as of MSAL v5 and will be removed in a future release.**
+
 Overriding `temporaryCacheLocation` should be done with caution. Specifically when choosing `localStorage`. Interaction in more than one tab/window will not be supported and you may receive `interaction_in_progress` errors unexpectedly. This is an escape hatch, not a fully supported feature.
 
 When using MSAL.js with the default configuration in a scenario where the user is redirected after successful authentication in a new window or tab, the OAuth 2.0 Authorization Code with PKCE flow will be interrupted. In this case, the original window or tab where the authentication state (code verifier and challenge) are stored, will be lost, and the authentication flow will fail.

@@ -23,8 +23,6 @@ const msalConfig = {
     cache: {
         cacheLocation: "sessionStorage",
         temporaryCacheLocation: "sessionStorage",
-        storeAuthStateInCookie: false,
-        secureCookies: false,
         claimsBasedCachingEnabled: true,
     },
     system: {
@@ -95,11 +93,8 @@ const msalInstance = new PublicClientApplication(msalConfig);
 | Option                      | Description                                                                                                                                                                                                                                                                                                                                                                                                                     | Format                                                                                                  | Default Value                                       |
 | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | --------------------------------------------------- |
 | `cacheLocation`             | Location of token cache in browser.                                                                                                                                                                                                                                                                                                                                                                                             | String value that must be one of the following: `"sessionStorage"`, `"localStorage"`, `"memoryStorage"` | `sessionStorage`                                    |
-| `temporaryCacheLocation`    | Location of temporary cache in browser. This option should only be changed for specific edge cases. Please refer to [caching](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/caching.md#cached-artifacts) for more.                                                                                                                                                          | String value that must be one of the following: `"sessionStorage"`, `"localStorage"`, `"memoryStorage"` | `sessionStorage`                                    |
-| `storeAuthStateInCookie`    | If true, stores cache items in cookies as well as browser cache. Should be set to true for use cases using IE.                                                                                                                                                                                                                                                                                                                  | boolean                                                                                                 | `false`                                             |
-| `secureCookies`             | If true and `storeAuthStateInCookies` is also enabled, MSAL adds the `Secure` flag to the browser cookie so it can only be sent over HTTPS.                                                                                                                                                                                                                                                                                     | boolean                                                                                                 | `false`                                             |
-| `cacheMigrationEnabled`     | If true, cache entries from older versions of MSAL will be updated to conform to the latest cache schema on startup. If your application has not been recently updated to a new version of MSAL.js you can safely turn this off. In the event old cache entries are not migrated it may result in a cache miss when attempting to retrieve accounts or tokens and affected users may need to re-authenticate to get up to date. | boolean                                                                                                 | `true` when using `localStorage`, `false` otherwise |
-| `claimsBasedCachingEnabled` | If `true`, access tokens will be cached under a key containing the hash of the requested claims string, resulting in a cache miss and new network token request when the same token request is made with different or missing claims. If set to `false`, tokens will be cached without claims, but all requests containing claims will go to the network and overwrite any previously cached token with the same scopes.        | boolean                                                                                                 | `false`                                             |
+| `temporaryCacheLocation`    | Location of temporary cache in browser. This option should only be changed for specific edge cases. Please refer to [caching](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/caching.md#cached-artifacts) for more. **Note: This is deprecated and will be removed in a future release.**                                                                                    | String value that must be one of the following: `"sessionStorage"`, `"localStorage"`, `"memoryStorage"` | `sessionStorage`                                    |
+| `claimsBasedCachingEnabled` | If `true`, access tokens will be cached under a key containing the hash of the requested claims string, resulting in a cache miss and new network token request when the same token request is made with different or missing claims. If set to `false`, tokens will be cached without claims, but all requests containing claims will go to the network and overwrite any previously cached token with the same scopes. **Note: This is deprecated and will be removed in a future release.**  | boolean                                                                                                 | `false`                                             |
 
 See [Caching in MSAL](./caching.md) for more.
 

@@ -69,8 +69,6 @@ import { EventHandler } from "../event/EventHandler.js";
 
 /**
  * This class implements the cache storage interface for MSAL through browser local or session storage.
- * Cookies are only used if storeAuthStateInCookie is true, and are only used for
- * parameters such as state and nonce, generally.
  */
 export class BrowserCacheManager extends CacheManager {
     // Cache configuration, either set by user or default values.
@@ -889,21 +887,10 @@ export class BrowserCacheManager extends CacheManager {
 
     /**
      * Gets cache item with given key.
-     * Will retrieve from cookies if storeAuthStateInCookie is set to true.
      * @param key
      */
     getTemporaryCache(cacheKey: string, generateKey?: boolean): string | null {
         const key = generateKey ? this.generateCacheKey(cacheKey) : cacheKey;
-        if (this.cacheConfig.storeAuthStateInCookie) {
-            const itemCookie = this.cookieStorage.getItem(key);
-            if (itemCookie) {
-                this.logger.trace(
-                    "BrowserCacheManager.getTemporaryCache: storeAuthStateInCookies set to true, retrieving from cookies"
-                );
-                return itemCookie;
-            }
-        }
-
         const value = this.temporaryCacheStorage.getItem(key);
         if (!value) {
             // If temp cache item not found in session/memory, check local storage for items set by old versions
@@ -932,8 +919,6 @@ export class BrowserCacheManager extends CacheManager {
 
     /**
      * Sets the cache item with the key and value given.
-     * Stores in cookie if storeAuthStateInCookie is set to true.
-     * This can cause cookie overflow if used incorrectly.
      * @param key
      * @param value
      */
@@ -943,14 +928,7 @@ export class BrowserCacheManager extends CacheManager {
         generateKey?: boolean
     ): void {
         const key = generateKey ? this.generateCacheKey(cacheKey) : cacheKey;
-
         this.temporaryCacheStorage.setItem(key, value);
-        if (this.cacheConfig.storeAuthStateInCookie) {
-            this.logger.trace(
-                "BrowserCacheManager.setTemporaryCache: storeAuthStateInCookie set to true, setting item cookie"
-            );
-            this.cookieStorage.setItem(key, value, undefined);
-        }
     }
 
     /**
@@ -963,17 +941,10 @@ export class BrowserCacheManager extends CacheManager {
 
     /**
      * Removes the temporary cache item with the given key.
-     * Will also clear the cookie item if storeAuthStateInCookie is set to true.
      * @param key
      */
     removeTemporaryItem(key: string): void {
         this.temporaryCacheStorage.removeItem(key);
-        if (this.cacheConfig.storeAuthStateInCookie) {
-            this.logger.trace(
-                "BrowserCacheManager.removeItem: storeAuthStateInCookie is true, clearing item cookie"
-            );
-            this.cookieStorage.removeItem(key);
-        }
     }
 
     /**
@@ -1374,8 +1345,6 @@ export const DEFAULT_BROWSER_CACHE_MANAGER = (
     const cacheOptions: Required<CacheOptions> = {
         cacheLocation: BrowserCacheLocation.MemoryStorage,
         temporaryCacheLocation: BrowserCacheLocation.MemoryStorage,
-        storeAuthStateInCookie: false,
-        cacheMigrationEnabled: false,
         claimsBasedCachingEnabled: false,
     };
     return new BrowserCacheManager(

@@ -114,18 +114,14 @@ export type CacheOptions = {
      */
     cacheLocation?: BrowserCacheLocation | string;
     /**
+     * @deprecated
+     * temporaryCacheLocation is deprecated and will be removed in a future release.
      * Used to specify the temporaryCacheLocation user wants to set. Valid values are "localStorage", "sessionStorage" and "memoryStorage".
      */
     temporaryCacheLocation?: BrowserCacheLocation | string;
     /**
-     * If set, MSAL stores the auth request state required for validation of the auth flows in the browser cookies. By default this flag is set to false.
-     */
-    storeAuthStateInCookie?: boolean;
-    /**
-     * If set, MSAL will attempt to migrate cache entries from older versions on initialization. By default this flag is set to true if cacheLocation is localStorage, otherwise false.
-     */
-    cacheMigrationEnabled?: boolean;
-    /**
+     * @deprecated
+     * claimsBasedCachingEnabled is deprecated and will be removed in a future release.
      * Flag that determines whether access tokens are stored based on requested claims
      */
     claimsBasedCachingEnabled?: boolean;
@@ -279,13 +275,6 @@ export function buildConfiguration(
     const DEFAULT_CACHE_OPTIONS: Required<CacheOptions> = {
         cacheLocation: BrowserCacheLocation.SessionStorage,
         temporaryCacheLocation: BrowserCacheLocation.SessionStorage,
-        storeAuthStateInCookie: false,
-        // Default cache migration to true if cache location is localStorage since entries are preserved across tabs/windows. Migration has little to no benefit in sessionStorage and memoryStorage
-        cacheMigrationEnabled:
-            userInputCache &&
-            userInputCache.cacheLocation === BrowserCacheLocation.LocalStorage
-                ? true
-                : false,
         claimsBasedCachingEnabled: false,
     };
 

@@ -257,8 +257,6 @@ export class StandardController implements IController {
         const nativeCacheOptions: Required<CacheOptions> = {
             cacheLocation: BrowserCacheLocation.MemoryStorage,
             temporaryCacheLocation: BrowserCacheLocation.MemoryStorage,
-            storeAuthStateInCookie: false,
-            cacheMigrationEnabled: false,
             claimsBasedCachingEnabled: false,
         };
         this.nativeInternalStorage = new BrowserCacheManager(

diff --git a/lib/msal-browser/src/error/BrowserConfigurationAuthError.ts b/lib/msal-browser/src/error/BrowserConfigurationAuthError.ts
@@ -13,7 +13,7 @@ export const BrowserConfigurationAuthErrorMessages = {
     [BrowserConfigurationAuthErrorCodes.stubbedPublicClientApplicationCalled]:
         "Stub instance of Public Client Application was called. If using msal-react, please ensure context is not used without a provider. For more visit: aka.ms/msaljs/browser-errors",
     [BrowserConfigurationAuthErrorCodes.inMemRedirectUnavailable]:
-        "Redirect cannot be supported. In-memory storage was selected and storeAuthStateInCookie=false, which would cause the library to be unable to handle the incoming hash. If you would like to use the redirect API, please use session/localStorage or set storeAuthStateInCookie=true.",
+        "Redirect cannot be supported. In-memory storage was selected, which would cause the library to be unable to handle the incoming hash. If you would like to use the redirect API, please use session/localStorage.",
 };
 
 /**

@@ -175,11 +175,8 @@ export function redirectPreflightCheck(
 ): void {
     preflightCheck(initialized);
     blockRedirectInIframe(config.system.allowRedirectInIframe);
-    // Block redirects if memory storage is enabled but storeAuthStateInCookie is not
-    if (
-        config.cache.cacheLocation === BrowserCacheLocation.MemoryStorage &&
-        !config.cache.storeAuthStateInCookie
-    ) {
+    // Block redirects if memory storage is enabled
+    if (config.cache.cacheLocation === BrowserCacheLocation.MemoryStorage) {
         throw createBrowserConfigurationAuthError(
             BrowserConfigurationAuthErrorCodes.inMemRedirectUnavailable
         );

@@ -120,8 +120,6 @@ import { INTERACTION_TYPE } from "../../src/utils/BrowserConstants.js";
 const cacheConfig = {
     temporaryCacheLocation: BrowserCacheLocation.SessionStorage,
     cacheLocation: BrowserCacheLocation.SessionStorage,
-    storeAuthStateInCookie: false,
-    cacheMigrationEnabled: false,
     claimsBasedCachingEnabled: false,
 };
 
@@ -1934,14 +1932,13 @@ describe("PublicClientApplication.ts Class Unit Tests", () => {
             }
         });
 
-        it("throws error if cacheLocation is Memory Storage and storeAuthStateInCookie is false", async () => {
+        it("throws error if cacheLocation is Memory Storage", async () => {
             pca = new PublicClientApplication({
                 auth: {
                     clientId: TEST_CONFIG.MSAL_CLIENT_ID,
                 },
                 cache: {
                     cacheLocation: BrowserCacheLocation.MemoryStorage,
-                    storeAuthStateInCookie: false,
                 },
                 system: {
                     allowPlatformBroker: false,
@@ -7290,8 +7287,6 @@ describe("PublicClientApplication.ts Class Unit Tests", () => {
                 {
                     cacheLocation: BrowserCacheLocation.LocalStorage,
                     temporaryCacheLocation: BrowserCacheLocation.SessionStorage,
-                    storeAuthStateInCookie: false,
-                    cacheMigrationEnabled: false,
                     claimsBasedCachingEnabled: false,
                 },
                 new CryptoOps(new Logger({})),