MSAL Browser 5.1.0 popup flow redirects instead of closing and never posts result back to opener causing timed_out and no-callback

[jplevene]

Library version

@azure/msal-browser@5.1.0

Browser(s)

Chrome 121 (normal + incognito)
Edge (optional)

Framework

Plain JavaScript (no React/Angular/Vue)

Description

Upgrading from MSAL Browser 4.27.0 → 5.1.0 breaks the popup login flow.

In 5.1.0:

• The popup redirects to my app URL instead of closing.
• The opener never receives the authentication result.
• After ~6 seconds MSAL throws BrowserAuthError: timed_out.
• Closing the popup manually does not trigger a callback.

This is a regression from 4.27.0, where the popup closes and the promise resolves correctly.

Error message

BrowserAuthError: timed_out

Popup console also shows:

requestStorageAccess: Permission denied

Reproduction steps

1. Load the minimal repro HTML file (attached below).
2. Click “Sign in with Microsoft”.
3. Complete login in the popup.
4. Observe that the popup redirects to the app URL and stays open.
5. Opener never receives the result.
6. After timeout, MSAL throws timed_out.

Expected behavior

• Popup should close automatically.
• loginPopup() should resolve with an AuthenticationResult.
• Closing the popup manually should reject with popup_window_closed.

Actual behavior

• Popup redirects to the app URL.
• Popup stays open.
• No postMessage back to opener.
• Opener throws BrowserAuthError: timed_out.

MSAL configuration

const msalConfig = {
  auth: {
    clientId: "my-client-id",
    authority: "https://login.microsoftonline.com/common"
  },
  cache: {
    cacheLocation: "localStorage",
    storeAuthStateInCookie: false
  }
};

MSAL logs

(Replace this with your actual logs)

[MSAL][Verbose] Initializing PublicClientApplication
[MSAL][Verbose] Initializing browser storage
[MSAL][Verbose] Event: msal:loginStart
[MSAL][Verbose] PopupHandler.openPopup called
[MSAL][Verbose] Popup opened successfully
[MSAL][Verbose] Navigating popup to https://login.microsoftonline.com/common/oauth2/v2.0/authorize...
[MSAL][Verbose] Monitoring popup for hash
[MSAL][Warning] requestStorageAccess: Permission denied
[MSAL][Verbose] No response from popup yet, continuing to wait...
[MSAL][Verbose] Still waiting for response from popup...
[MSAL][Error] BrowserAuthError: timed_out
    at PopupClient.monitorPopupForHash
    at PopupClient.initiateAuthRequest
    at PublicClientApplication.loginPopup

Popup window logs:

[MSAL][Verbose] Popup redirect detected
[MSAL][Verbose] Processing auth code...
(no postMessage sent)

Regression?

Yes — works in 4.27.0, broken in 5.1.0.

Minimal reproduction

Working (4.27.0)

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <title>MSAL 4.27.0 Popup Working Repro</title>

  <!-- MSAL 4.x (works) -->
  <script src="https://alcdn.msauth.net/browser/4.27.0/js/msal-browser.min.js"></script>

</head>

<body>
  <h2>MSAL 4.27.0 — Popup Works</h2>
  <button id="login">Sign in with Microsoft</button>

  <script>
    const msalConfig = {
      auth: {
        clientId: "my-client-id",
        authority: "https://login.microsoftonline.com/common"
      }
    };

    const msalInstance = new msal.PublicClientApplication(msalConfig);

    document.getElementById("login").onclick = () => {
      console.log("Opening popup…");

      msalInstance.loginPopup({
        scopes: ["User.Read", "openid", "profile", "offline_access"],
        prompt: "select_account"
      })
      .then(result => {
        console.log("Popup resolved:", result);
        alert("SUCCESS — Popup closed and returned account: " + result.account.username);
      })
      .catch(err => {
        console.error("Popup error:", err);
        alert("ERROR: " + (err.errorCode || err.message));
      });
    };
  </script>
</body>
</html>

Broken (5.1.0)

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <title>MSAL 5.1.0 Popup Broken Repro</title>

  <!-- MSAL 5.x (broken popup behaviour) -->
  <script src="https://alcdn.msauth.net/browser/5.1.0/js/msal-browser.min.js"></script>

</head>

<body>
  <h2>MSAL 5.1.0 — Popup Redirects + No Callback</h2>
  <button id="login">Sign in with Microsoft</button>

  <script>
    const msalConfig = {
      auth: {
        clientId: "my-client-id",
        authority: "https://login.microsoftonline.com/common"
      }
    };

    const msalInstance = new msal.PublicClientApplication(msalConfig);

    // Required in 5.x
    msalInstance.initialize().then(() => {
      console.log("MSAL initialized");
    });

    document.getElementById("login").onclick = () => {
      console.log("Opening popup…");

      msalInstance.loginPopup({
        scopes: ["User.Read", "openid", "profile", "offline_access"],
        prompt: "select_account"
      })
      .then(result => {
        console.log("Popup resolved:", result);
        alert("SUCCESS — Popup closed and returned account: " + result.account.username);
      })
      .catch(err => {
        console.error("Popup error:", err);
        alert("ERROR: " + (err.errorCode || err.message));
      });
    };
  </script>
</body>
</html>

---

[github-actions]

Invalid Issue Template:
Please open a new issue and use one of the provided issue templates. Thanks!