
Add issuer validation check whenever MSAL JS performs OIDC endpoint discovery #8570

Merged
lalimasharda merged 38 commits into dev from add_issuer_validation_v5 on May 8, 2026

Conversation

@lalimasharda (Contributor) commented Apr 27, 2026

This pull request adds issuer validation for OpenID Connect (OIDC) discovery in the @azure/msal-common package, ensuring that the issuer returned from the OIDC discovery document matches the authority set by the application, for security and correctness. It also introduces a new error code for issuer validation failures and updates internal metadata and documentation accordingly.

OIDC Issuer Validation Enhancements:

  • Added a validateIssuer private method to the Authority class in Authority.ts to enforce issuer validation based on OIDC and Microsoft-specific rules. This method checks that the issuer from the discovery document matches the authority or known Microsoft hosts, including support for regional and CIAM tenant patterns. If validation fails, a ClientConfigurationError is thrown.
  • Integrated the new validateIssuer method into the OIDC discovery flow within the Authority class to ensure issuer validation is performed after discovery metadata is fetched.

Error Handling and Codes:

  • Introduced a new error code issuerValidationFailed in ClientConfigurationErrorCodes and exported it for use when issuer validation fails.

Metadata and Test Updates:

  • Added new metadata for the PPE environment in AuthorityMetadata.ts to support additional authority hosts.

Documentation and API Review:

  • Updated the API review file (msal-common.api.md) to reflect the new error code, document the new method, and adjust line references for TSDoc warnings.

Release and Change Tracking:

  • Added a change file describing the patch and referencing the related issue and PR for tracking.
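An added example (not MSAL's own code) of the kind of issuer check this PR describes: the issuer in the discovery document must agree with the configured authority, with a known-host and tenant-alias relaxation. EQUIVALENT_HOSTS, TENANT_ALIASES and the "/v2.0" handling are assumptions made for illustration, not the rules the PR implements.

```typescript
// Added example of an OIDC issuer check in the spirit of this PR. It is not
// MSAL's validateIssuer: the host equivalence set and the alias handling
// below are constructed assumptions for illustration only.

// Hosts this example treats as interchangeable issuer hosts (assumption).
const EQUIVALENT_HOSTS = new Set(["login.microsoftonline.com", "sts.windows.net"]);
// Tenant aliases that stand for "any tenant" (assumption).
const TENANT_ALIASES = new Set(["common", "organizations", "consumers"]);
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

interface Parsed { host: string; tenant: string; normalized: string }

// Parse an authority or issuer URL into host, first path segment (tenant)
// and a normalized form: lowercased, no trailing slash, no query/fragment.
function parse(url: string): Parsed {
  const u = new URL(url);
  if (u.protocol !== "https:") throw new Error(`non-https URL: ${url}`);
  const segments = u.pathname.split("/").filter((s) => s.length > 0);
  return {
    host: u.hostname.toLowerCase(),
    tenant: (segments[0] ?? "").toLowerCase(),
    normalized: [u.hostname, ...segments].join("/").toLowerCase(),
  };
}

// True when the discovery document's `issuer` may be trusted for the
// configured `authority`. Malformed or non-https input throws.
function isIssuerValid(authority: string, issuer: string): boolean {
  const a = parse(authority);
  const i = parse(issuer);
  // Rule 1 (strict OIDC discovery rule): issuer equals the authority, ignoring
  // a trailing slash and a trailing "/v2.0" version segment on the issuer.
  if (i.normalized.replace(/\/v2\.0$/, "") === a.normalized) return true;
  // Rule 2 (known-host relaxation): same host, or both hosts in the equivalence
  // set, and the tenant segments agree (exactly, or any GUID tenant when the
  // authority used an alias such as "common"). An authority on an unknown host
  // can never claim an issuer on another host.
  const hostOk = i.host === a.host ||
    (EQUIVALENT_HOSTS.has(a.host) && EQUIVALENT_HOSTS.has(i.host));
  if (!hostOk || i.tenant === "") return false;
  if (i.tenant === a.tenant) return true;
  return TENANT_ALIASES.has(a.tenant) && GUID.test(i.tenant);
}
```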

@lalimasharda lalimasharda marked this pull request as ready for review April 28, 2026 06:25
@lalimasharda lalimasharda requested a review from a team as a code owner April 28, 2026 06:25
Copilot AI review requested due to automatic review settings April 28, 2026 06:25
Copilot AI (Contributor) left a comment

Pull request overview

This PR strengthens msal-common’s endpoint discovery by validating the issuer returned from network-fetched OIDC discovery documents, and adds supporting metadata/error surface updates.

Changes:

  • Add a new issuer_validation_failed ClientConfigurationErrorCodes value and update the API review report.
  • Validate metadata.issuer after network OIDC discovery in Authority.updateEndpointMetadata, introducing validateIssuer rules for Microsoft cloud/CIAM scenarios.
  • Extend hardcoded instance discovery metadata with login.windows-ppe.net (PPE) aliases and add a beachball change file.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.

Summary per file:

  • lib/msal-common/src/error/ClientConfigurationErrorCodes.ts: Adds new issuer_validation_failed error code constant.
  • lib/msal-common/src/authority/AuthorityMetadata.ts: Adds PPE instance discovery metadata aliases.
  • lib/msal-common/src/authority/Authority.ts: Calls issuer validation on network discovery results; adds validateIssuer implementation; minor log message tweak.
  • lib/msal-common/apiReview/msal-common.api.md: Updates API report to include the new error code.
  • change/@azure-msal-common-122605ed-d286-4abb-8312-feb6ede47a8d.json: Adds the required change file (patch).

lalimasharda and others added 3 commits April 28, 2026 09:43
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@lalimasharda (Contributor, Author) commented

@copilot Can we create a helper method to convert any authority string into URL components and consolidate the selected lines

Copilot AI (Contributor) commented Apr 30, 2026

> @copilot Can we create a helper method to convert any authority string into URL components and consolidate the selected lines

Added private static parseUrlComponents(url: string): IUri in commit 743aeb3. It wraps new UrlString(url).getUrlComponents() and is the single place used inside validateIssuer for parsing the issuer URL, while the authority components are taken from the existing this.canonicalAuthorityUrlComponents getter.

shylasummers
shylasummers previously approved these changes May 4, 2026
tnorling
tnorling previously approved these changes May 6, 2026
sameerag
sameerag previously approved these changes May 7, 2026
@lalimasharda lalimasharda merged commit d7a7eb5 into dev May 8, 2026
72 checks passed
@lalimasharda lalimasharda deleted the add_issuer_validation_v5 branch May 8, 2026 16:11