MSAL.js
MSAL.js 2.x incompatible with Azure App Proxy
MSAL.js v2 is not compatible with Azure App Proxy, forcing single-page applications to downgrade to MSAL.js 1.x as a workaround. No timeline has been given for fixing this incompatibility.
Content Security Policy blocks silent authentication iframes
When using the ssoSilent flow, MSAL loads the redirect URI in an invisible iframe. A Content Security Policy or other HTTP headers on the redirect URI page can block this iframe from loading, preventing silent SSO.
MSAL lacks fine-grained access control and authorization
MSAL focuses primarily on authentication and token issuance but does not fully address access control issues or implement role-based and feature-level access control within applications. Developers must build custom authorization logic.
Redirect loops from automatic login checks on page load
MSAL.js applications commonly encounter redirect loops when loginRedirect is automatically triggered on page load without first verifying user sign-in status. Developers must manually implement account state checks before triggering authentication, adding boilerplate code to prevent loops.
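
One way to write the account state check described above, as an added example that is not MSAL's or any project's own code. It assumes `pca` exposes the @azure/msal-browser PublicClientApplication methods handleRedirectPromise, getAllAccounts, setActiveAccount and loginRedirect; `nextAuthStep`, `ensureSignedIn`, `makeStubPca` and the `loginRequest` scopes are hypothetical names and values, and the stub stands in for the real client so the logic runs offline.

```javascript
// Assumed request; replace the scope with whatever the application needs.
const loginRequest = { scopes: ["User.Read"] };

// Pure decision for page load: reuse a session if one exists, else redirect.
function nextAuthStep(redirectResult, cachedAccounts) {
  if (redirectResult && redirectResult.account) {
    // The page was just reached from the identity provider with a response.
    return { action: "signed-in", account: redirectResult.account };
  }
  if (cachedAccounts.length > 0) {
    // A previous sign-in is still in the MSAL cache.
    return { action: "signed-in", account: cachedAccounts[0] };
  }
  return { action: "login-redirect", account: null };
}

async function ensureSignedIn(pca, request = loginRequest) {
  // Process any pending redirect response BEFORE deciding to log in again;
  // skipping this step is what sends a returning user straight back out.
  const redirectResult = await pca.handleRedirectPromise();
  const step = nextAuthStep(redirectResult, pca.getAllAccounts());
  if (step.action === "signed-in") {
    pca.setActiveAccount(step.account);
    return step;
  }
  await pca.loginRedirect(request); // navigates away in a real browser
  return step;
}

// Constructed stand-in for PublicClientApplication that records calls.
function makeStubPca(redirectResult, accounts) {
  const calls = [];
  return {
    calls,
    handleRedirectPromise: async () => {
      calls.push("handleRedirectPromise");
      return redirectResult;
    },
    getAllAccounts: () => accounts,
    setActiveAccount: (a) => calls.push("setActiveAccount:" + a.username),
    loginRedirect: async () => { calls.push("loginRedirect"); },
  };
}
```

In an application, `ensureSignedIn` would be called once at startup with the real client instance, before any component triggers its own login.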