Background Session Refresh

change/@azure-msal-browser-440d27b3-88ff-459d-883e-a675b66d7976.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Add a background ssoSilent call after interactive calls, with telemetry",
+  "packageName": "@azure/msal-browser",
+  "email": "sameera.gajjarapu@microsoft.com",
+  "dependentChangeType": "patch"
+}

change/@azure-msal-common-461989e8-10b5-48f1-91dd-836248c3fce6.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Add a background ssoSilent call after interactive calls, with telemetry",
+  "packageName": "@azure/msal-common",
+  "email": "sameera.gajjarapu@microsoft.com",
+  "dependentChangeType": "patch"
+}

lib/msal-browser/src/config/Configuration.ts

@@ -113,6 +113,12 @@ export type BrowserAuthOptions = {
      * @deprecated This flag is deprecated and will be removed in the next major version where all extra query params will be encoded by default.
      */
     encodeExtraQueryParams?: boolean;
+    /**
+     * If set to true, MSAL will make a background ssoSilent call after successful interactive authentication
+     * (acquireTokenPopup, handleRedirectPromise) to refresh tokens silently.
+     * This is a boolean flag and defaults to false if not specified.
+     */
+    enableBackgroundSSO?: boolean;
 };
 
 /** @internal */
@@ -314,6 +320,7 @@ export function buildConfiguration(
         supportsNestedAppAuth: false,
         instanceAware: false,
         encodeExtraQueryParams: false,
+        enableBackgroundSSO: false,
     };
 
     // Default cache options for browser

lib/msal-browser/src/controllers/StandardController.ts

@@ -567,6 +567,9 @@ export class StandardController implements IController {
                         undefined,
                         result.account
                     );
+
+                    // Fire-and-forget ssoSilent to refresh tokens in background
+                    this.bkgdSsoSilent(result, "handleRedirectPromise");
                 } else {
                     /*
                      * Instrument an event only if an error code is set. Otherwise, discard it when the redirect response
@@ -930,6 +933,10 @@ export class StandardController implements IController {
                     undefined,
                     result.account
                 );
+
+                // Fire-and-forget ssoSilent to refresh tokens in background
+                this.bkgdSsoSilent(result, "acquireTokenPopup");
+
                 return result;
             })
             .catch((e: Error) => {
@@ -984,6 +991,78 @@ export class StandardController implements IController {
             visibilityChangeCount: 1,
         });
     }
+
+    /**
+     * Fire-and-forget ssoSilent call to refresh tokens in the background.
+     * This method does not block the caller and tracks telemetry for success/failure.
+     * This method only executes if enableBackgroundSSO is set to true in the cache configuration.
+     * @param result - The authentication result from the parent operation
+     * @param parentApiId - The API ID of the parent operation for logging purposes
+     */
+    private bkgdSsoSilent(
+        result: AuthenticationResult,
+        parentApiId: string
+    ): void {
+        // Check if background SSO is enabled
+        if (!this.config.auth.enableBackgroundSSO) {
+            return;
+        }
+
+        const correlationId = createNewGuid();
+        const bgSsoSilentMeasurement = this.performanceClient.startMeasurement(
+            PerformanceEvents.BackgroundSsoSilent,
+            correlationId
+        );
+        bgSsoSilentMeasurement.add({
+            parentApiId: parentApiId,
+        });
+
+        this.logger.verbose(
+            `Background ssoSilent initiated after ${parentApiId}`,
+            correlationId
+        );
+
+        /*
+         * Use setTimeout to ensure this runs in a separate macrotask after the current call stack completes
+         * This ensures the result is returned to the caller before ssoSilent starts and doesn't affect performance
+         */
+        setTimeout(() => {
+            const ssoSilentRequest: SsoSilentRequest = {
+                account: result.account,
+                correlationId: correlationId,
+            };
+
+            this.ssoSilent(ssoSilentRequest)
+                .then((ssoResult) => {
+                    this.logger.verbose(
+                        `Background ssoSilent completed successfully after ${parentApiId}`,
+                        correlationId
+                    );
+                    bgSsoSilentMeasurement.end(
+                        {
+                            success: true,
+                            accessTokenSize: ssoResult.accessToken.length,
+                            idTokenSize: ssoResult.idToken.length,
+                        },
+                        undefined,
+                        ssoResult.account
+                    );
+                })
+                .catch((error: Error) => {
+                    this.logger.warning(
+                        `Background ssoSilent failed after ${parentApiId}: ${error.message}`,
+                        correlationId
+                    );
+                    bgSsoSilentMeasurement.end(
+                        {
+                            success: false,
+                        },
+                        error,
+                        result.account
+                    );
+                });
+        }, 0);
+    }
     // #endregion
 
     // #region Silent Flow