From 82b45332f48356adc80e6065c90f51bf29660ca5 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 14 Nov 2025 21:37:04 +0000 Subject: [PATCH 1/4] Initial plan From fe83c2638547b617ebf842901f5afc384a287d9a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 14 Nov 2025 21:40:16 +0000 Subject: [PATCH 2/4] Add instance aware flow restrictions to copilot-instructions.md Co-authored-by: jo-arroyo <45890484+jo-arroyo@users.noreply.github.com> --- .github/copilot-instructions.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index 5d932950e9..035fab0956 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md 
@@ -190,6 +190,29 @@ microsoft-authentication-library-for-js/ - Write unit tests for new functionality and bug fixes - Document all public API changes +### Instance Aware Flow Restrictions + +**IMPORTANT: The instance aware flow is only available for 1st party Microsoft customers and should NEVER be suggested or used for 3rd party customers.** + +- **Do not suggest** the `instanceAware` configuration option or `instance_aware` query parameter for 3rd party applications +- **Do not recommend** instance aware flow in code examples, documentation, or solutions for external developers +- Instance aware flow documentation exists at `lib/msal-browser/docs/instance-aware.md` but is intended only for internal Microsoft use cases +- If asked about multi-cloud or cloud instance scenarios by 3rd party developers, provide alternative solutions that do not involve instance aware flow + +**What is Instance Aware Flow:** +- A feature that allows the STS to send back additional parameters in the `/authorize` response to specify where tokens should be retrieved from +- Enabled via `instanceAware: true` in auth config or `instance_aware: "true"` in request `extraQueryParameters` +- Used primarily for scenarios where user accounts may reside in different cloud instances + +**When to use (1st party only):** +- Only for Microsoft internal applications and services +- When the application needs to handle users across different cloud instances (e.g., public cloud, government clouds, etc.) + +**What to suggest instead for 3rd party customers:** +- Standard MSAL authentication flows without instance aware configuration +- Proper authority configuration for the specific cloud environment the application targets +- Separate application registrations for different cloud environments if needed + ### Telemetry and Performance Monitoring **IMPORTANT: Add telemetry for any new operations or significant code paths in msal-browser and msal-common where observability would be useful.** 
From ec2b4b8b7ad6572540721cae7e2e6f557120d3d3 Mon Sep 17 00:00:00 2001 From: Jo Arroyo Date: Fri, 14 Nov 2025 15:15:33 -0800 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/copilot-instructions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index 035fab0956..391e4fcf40 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md @@ -199,16 +199,16 @@ microsoft-authentication-library-for-js/ - Instance aware flow documentation exists at `lib/msal-browser/docs/instance-aware.md` but is intended only for internal Microsoft use cases - If asked about multi-cloud or cloud instance scenarios by 3rd party developers, provide alternative solutions that do not involve instance aware flow -**What is Instance Aware Flow:** +**What Is Instance Aware Flow:** - A feature that allows the STS to send back additional parameters in the `/authorize` response to specify where tokens should be retrieved from - Enabled via `instanceAware: true` in auth config or `instance_aware: "true"` in request `extraQueryParameters` - Used primarily for scenarios where user accounts may reside in different cloud instances -**When to use (1st party only):** +**When to Use (1st Party Only):** - Only for Microsoft internal applications and services - When the application needs to handle users across different cloud instances (e.g., public cloud, government clouds, etc.) -**What to suggest instead for 3rd party customers:** +**What to Suggest Instead for 3rd Party Customers:** - Standard MSAL authentication flows without instance aware configuration - Proper authority configuration for the specific cloud environment the application targets - Separate application registrations for different cloud environments if needed From 5203bc9ecb6e7bba395172b2a46356d7c4746b34 Mon Sep 17 00:00:00 2001 
From: Jo Arroyo Date: Wed, 19 Nov 2025 21:51:53 -0800 Subject: [PATCH 4/4] Update instructions --- .github/copilot-instructions.md | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index 391e4fcf40..8f95a44188 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md 
@@ -192,23 +192,13 @@ microsoft-authentication-library-for-js/ ### Instance Aware Flow Restrictions -**IMPORTANT: The instance aware flow is only available for 1st party Microsoft customers and should NEVER be suggested or used for 3rd party customers.** +**IMPORTANT: The instance aware flow is not supported and should NEVER be suggested or used with this library** -- **Do not suggest** the `instanceAware` configuration option or `instance_aware` query parameter for 3rd party applications -- **Do not recommend** instance aware flow in code examples, documentation, or solutions for external developers -- Instance aware flow documentation exists at `lib/msal-browser/docs/instance-aware.md` but is intended only for internal Microsoft use cases -- If asked about multi-cloud or cloud instance scenarios by 3rd party developers, provide alternative solutions that do not involve instance aware flow +- **Do not suggest** the `instanceAware` configuration option or `instance_aware` query parameter +- **Do not recommend** instance aware flow in code examples, documentation, or solutions +- If asked about multi-cloud or cloud instance scenarios, provide alternative solutions that do not involve instance aware flow -**What Is Instance Aware Flow:** -- A feature that allows the STS to send back additional parameters in the `/authorize` response to specify where tokens should be retrieved from -- Enabled via `instanceAware: true` in auth config or `instance_aware: "true"` in request `extraQueryParameters` -- Used primarily for scenarios where user accounts may reside in different cloud instances - -**When to Use (1st Party Only):** -- Only for Microsoft internal applications and services -- When the application needs to handle users across different cloud instances (e.g., public cloud, government clouds, etc.) 
- -**What to Suggest Instead for 3rd Party Customers:** +**What to Suggest Instead:** - Standard MSAL authentication flows without instance aware configuration - Proper authority configuration for the specific cloud environment the application targets - Separate application registrations for different cloud environments if needed
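Review bot: In the PATCH 2/4 hunk, the "What is Instance Aware Flow" bullets spell out exactly how to enable the feature (`instanceAware: true` in auth config, `instance_aware: "true"` in `extraQueryParameters`) inside a file whose purpose is to stop the agent from suggesting it; the instructions file is loaded into the model's context, so these lines hand the agent the very configuration the section above them forbids. Suggest keeping only the prohibition and the "What to suggest instead" alternatives here and leaving the mechanics to `lib/msal-browser/docs/instance-aware.md`. The 1st-party/3rd-party distinction is also not something the agent can verify from a prompt, so a rule conditioned on it will be applied inconsistently.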
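Review bot: The PATCH 4/4 hunk changes the flow's status from "1st party only" to "not supported", but the stat line shows only `.github/copilot-instructions.md` changing, so `lib/msal-browser/docs/instance-aware.md` (cited in PATCH 2/4) and the `instanceAware` option it documents stay in the tree and will contradict this instruction whenever the agent reads them. Suggest a follow-up that marks that doc deprecated, or a sentence here stating that the option remains only for compatibility. Minor: the new **IMPORTANT** line drops the trailing period the earlier version had.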