Reset Redirecturi during broker fallback (#8049)

If a user attempts a broker flow but the broker isn’t available on their
machine, the flow falls back to the browser. However, since a redirect
URI was provided for the broker flow, an error is thrown.

This PR adds a check to determine whether the broker is enabled in the
config and resets the redirect URI to an empty string instead of
throwing an error.

Author: Ugonnaak1

change/@azure-msal-node-f21ce81f-a941-4847-a7e4-e9ea5b515c40.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "broker redirect uri changes",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

lib/msal-node/src/client/PublicClientApplication.ts

@@ -180,8 +180,14 @@ export class PublicClientApplication
         }
 
         if (request.redirectUri) {
-            throw NodeAuthError.createRedirectUriNotSupportedError();
+            // If its not a broker fallback scenario, we throw a error
+            if (!this.config.broker.nativeBrokerPlugin) {
+                throw NodeAuthError.createRedirectUriNotSupportedError();
+            }
+            // If a redirect URI is provided for a broker flow but MSAL runtime startup failed, we fall back to the browser flow and will ignore the redirect URI provided for the broker flow
+            request.redirectUri = "";
         }
+
         const { verifier, challenge } =
             await this.cryptoProvider.generatePkceCodes();
 
@@ -275,7 +281,11 @@ export class PublicClientApplication
         }
 
         if (request.redirectUri) {
-            throw NodeAuthError.createRedirectUriNotSupportedError();
+            // If its not a broker fallback scenario, we throw a error
+            if (!this.config.broker.nativeBrokerPlugin) {
+                throw NodeAuthError.createRedirectUriNotSupportedError();
+            }
+            request.redirectUri = "";
         }
 
         return super.acquireTokenSilent(request);

lib/msal-node/test/client/PublicClientApplication.spec.ts

@@ -629,6 +629,43 @@ describe("PublicClientApplication", () => {
                 "RedirectUri is not supported in this scenario"
             );
         });
+
+        test("acquireTokenSilent resets redirectUri when broker fallback occurs", async () => {
+            // Create a broker plugin with broker unavailable
+            const mockBrokerPlugin = new MockNativeBrokerPlugin();
+            mockBrokerPlugin.isBrokerAvailable = false;
+
+            const authApp = new PublicClientApplication({
+                ...appConfig,
+                broker: {
+                    nativeBrokerPlugin: mockBrokerPlugin,
+                },
+            });
+
+            const silentFlowClient = getMsalCommonAutoMock().SilentFlowClient;
+            jest.spyOn(msalCommon, "SilentFlowClient").mockImplementation(
+                (config) => new silentFlowClient(config)
+            );
+            jest.spyOn(
+                silentFlowClient.prototype,
+                "acquireCachedToken"
+            ).mockResolvedValue([
+                mockAuthenticationResult,
+                CacheOutcome.NOT_APPLICABLE,
+            ]);
+
+            const request: SilentFlowRequest = {
+                scopes: TEST_CONSTANTS.DEFAULT_GRAPH_SCOPE,
+                account: testAccount,
+                redirectUri: "http://localhost:3000/redirect",
+            };
+
+            // This should not throw and should reset redirectUri to empty string and continue with the request
+            const response = await authApp.acquireTokenSilent(request);
+
+            expect(response).toEqual(mockAuthenticationResult);
+            expect(request.redirectUri).toBe("");
+        });
     });
 
     describe("acquireTokenInteractive tests", () => {
@@ -1050,6 +1087,51 @@ describe("PublicClientApplication", () => {
                 authApp.acquireTokenInteractive(request)
             ).rejects.toThrow("RedirectUri is not supported in this scenario");
         });
+
+        test("acquireTokenInteractive resets redirectUri when broker fallback occurs", async () => {
+            // Create a broker plugin with broker unavailable to simulate fallback scenario
+            const mockBrokerPlugin = new MockNativeBrokerPlugin();
+            mockBrokerPlugin.isBrokerAvailable = false;
+
+            const authApp = new PublicClientApplication({
+                ...appConfig,
+                broker: {
+                    nativeBrokerPlugin: mockBrokerPlugin,
+                },
+            });
+
+            const request: InteractiveRequest = {
+                scopes: TEST_CONSTANTS.DEFAULT_GRAPH_SCOPE,
+                redirectUri: "http://localhost:3000/redirect",
+                openBrowser: jest.fn(),
+            };
+
+            jest.spyOn(
+                LoopbackClient.prototype,
+                "listenForAuthCode"
+            ).mockResolvedValue({
+                code: TEST_CONSTANTS.AUTHORIZATION_CODE,
+            });
+
+            jest.spyOn(
+                LoopbackClient.prototype,
+                "getRedirectUri"
+            ).mockReturnValue(TEST_CONSTANTS.REDIRECT_URI);
+
+            jest.spyOn(authApp, "acquireTokenByCode").mockResolvedValue(
+                mockAuthenticationResult
+            );
+
+            jest.spyOn(authApp, "getAuthCodeUrl").mockResolvedValue(
+                TEST_CONSTANTS.AUTH_CODE_URL
+            );
+
+            // This should not throw and should reset redirectUri to empty string
+            const response = await authApp.acquireTokenInteractive(request);
+
+            expect(response).toEqual(mockAuthenticationResult);
+            expect(request.redirectUri).toBe("");
+        });
     });
 
     describe("signOut tests", () => {