AzureAD
diff --git a/‎README.md‎
Lines changed: 25 additions & 14 deletions b/‎README.md‎
Lines changed: 25 additions & 14 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 0 additions & 16 deletions b/‎SECURITY.md‎
Lines changed: 0 additions & 16 deletions
diff --git a/‎docs/diagrams/png/PackageStructure.png‎
-2.42 KB b/‎docs/diagrams/png/PackageStructure.png‎
-2.42 KB
diff --git a/‎lib/msal-browser/README.md‎
Lines changed: 24 additions & 29 deletions b/‎lib/msal-browser/README.md‎
Lines changed: 24 additions & 29 deletions
@@ -1,13 +1,15 @@
 # Microsoft Authentication Library for JavaScript (MSAL.js)
 
-The Microsoft Authentication Library for JavaScript enables both client-side and server-side JavaScript applications to authenticate users using [Azure AD](https://docs.microsoft.com/azure/active-directory/develop/v2-overview) for work and school accounts (AAD), Microsoft personal accounts (MSA), and social identity providers like Facebook, Google, LinkedIn, Microsoft accounts, etc. through [Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-overview#identity-providers) service. It also enables your app to get tokens to access [Microsoft Cloud](https://www.microsoft.com/enterprise) services such as [Microsoft Graph](https://graph.microsoft.io).
+The Microsoft Authentication Library for JavaScript enables both client-side and server-side JavaScript applications to authenticate users using [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/develop/v2-overview) for work and school accounts, Microsoft personal accounts (MSA), and social identity providers like Facebook, Google, LinkedIn, Microsoft accounts, etc. through [Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-overview#identity-providers) service. It also enables your app to get tokens to access [Microsoft Cloud](https://www.microsoft.com/enterprise) services such as [Microsoft Graph](https://graph.microsoft.io).
 
 ## Repository
 
 ### Core, wrapper and extensions libraries
 
 The [`lib`](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib) folder contains the source code for our libraries in active development. You will also find all the details about **installing the libraries** in their respective README.md.
 
+-   [Microsoft Authentication Library for JavaScript](lib/msal-browser/): A browser-based, framework-agnostic browser library that enables authentication and token acquisition with the Microsoft Identity platform in JavaScript applications. Implements the OAuth 2.0 [Authorization Code Flow with PKCE](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow), and is [OpenID-compliant](https://docs.microsoft.com/azure/active-directory/develop/v2-protocols-oidc).
+
 -   [Microsoft Authentication Library for Node.js](lib/msal-node/): A [Node.js](https://nodejs.org/en/) library that enables authentication and token acquisition with the Microsoft Identity platform in JavaScript applications. Implements the following OAuth 2.0 protocols and is [OpenID-compliant](https://docs.microsoft.com/azure/active-directory/develop/v2-protocols-oidc):
 
     -   [Authorization Code Grant](https://oauth.net/2/grant-types/authorization-code/) with [PKCE](https://oauth.net/2/pkce/)
@@ -17,7 +19,6 @@ The [`lib`](https://github.com/AzureAD/microsoft-authentication-library-for-js/t
     -   [Silent Flow](https://docs.microsoft.com/azure/active-directory/develop/msal-acquire-cache-tokens#acquiring-tokens-silently-from-the-cache)
     -   [On-behalf-of Flow](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow)
 
--   [Microsoft Authentication Library for JavaScript](lib/msal-browser/): A browser-based, framework-agnostic browser library that enables authentication and token acquisition with the Microsoft Identity platform in JavaScript applications. Implements the OAuth 2.0 [Authorization Code Flow with PKCE](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow), and is [OpenID-compliant](https://docs.microsoft.com/azure/active-directory/develop/v2-protocols-oidc).
 
 -   [Native Authentication Support for JavaScript](lib/msal-browser/src/custom_auth/): MSAL also provides native authentication APIs that allow applications to implement a native experience with end-to-end customizable flows in their applications. With native authentication, users are guided through a rich, native, sign-up and sign-in journey without leaving the app. The native authentication feature is available for SPAs on [External ID for customers](https://learn.microsoft.com/en-us/entra/identity-platform/concept-native-authentication). It is recommended to always use the most up-to-date version of the SDK.
 
@@ -27,33 +28,43 @@ The [`lib`](https://github.com/AzureAD/microsoft-authentication-library-for-js/t
 -   [Microsoft Authentication Library for Angular](lib/msal-angular/): A wrapper of the msal-browser library for apps using Angular framework.
 -   [Microsoft Authentication Extensions for Node](extensions/msal-node-extensions/): The Microsoft Authentication Extensions for Node offers secure mechanisms for client applications to perform cross-platform token cache serialization and persistence. It gives additional support to the Microsoft Authentication Library for Node (MSAL).
 
-### Libraries in Long-term Support (LTS)
+### Library Version Support Status
+
+
+| Package Name | Current Version | LTS Version | 
+|--------------|-----------------|-------------|
+| @azure/msal-browser |v5 | v4 |
+| @azure/msal-node | v5 | v3 | 
+| @azure/msal-react | v5 | v3 | 
+| @azure/msal-angular | v5 | v4 |
+| @azure/msal-node-extensions | v5 | v1 |
+| ~~@azure/msal (msal-core)~~|  | Fully Deprecated  |
+| ~~@azure/msal-angularjs~~ |  | Fully Deprecated  |
 
-The following libraries, hosted on the `msal-lts` branch, are no longer in active development, but they are still receiving critical security bug fix support.
+**Disambiguation:**
+- The MSAL team provides full support to the current version for each package in the table below.
+- LTS (long-term support) versions will still receive some support and critical bug-fixes but will not ship new features. Our recommendation if you encounter any issues will always be to upgrade to the latest version of the library.
+- All supported packages were brought up to version parity as of `v5`. Packages with versions lower than `v4` in the LTS column skipped as many versions as required to jump directly to `v5`.
+
+#### MSAL Browser CDN Deprecation
+
+> :warning: The `@azure/msal-browser` CDN has been fully deprecated as of `@azure/msal-browser@3.0.0` and is no longer supported. App developers using the MSAL CDN must upgrade to the latest possible version and consume MSAL through a package manager or bundling tool of their choice. For more information on version support, consult the table above.
 
--   [Microsoft Authentication Library for JavaScript v2.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/msal-lts/lib/msal-browser)
--   [Microsoft Authentication Library for Node.js v1.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/msal-lts/lib/msal-node)
--   [Microsoft Authentication Library for React v1.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/msal-lts/lib/msal-react)
--   [Microsoft Authentication Library for Angular v2.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/msal-lts/lib/msal-angular)
 
 ### Package Structure
 
-We ship a number of different packages which are meant for different platforms. You can see the relationship between packages and different authentication flows they implement below.
+We ship a number of different packages which are meant for different platforms. You can see the relationship between packages and their dependencies below.
 
 ![Package Structure](docs/diagrams/png/PackageStructure.png)
 
 ### Samples
 
-The [`samples`](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples) folder contains sample applications for our libraries. A complete list of samples can be found in the respective package folders or [on our wiki](https://github.com/AzureAD/microsoft-authentication-library-for-js/wiki/Samples).
+The [`samples`](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples) folder contains sample applications for our libraries. A complete list of samples can be found in the respective package folders.
 
 ## Package versioning
 
 All of our libraries follow [semantic versioning](https://semver.org). We recommend using the latest version of each library to ensure you have the latest security patches and bug fixes.
 
-## Roadmap
-
-Please check the [roadmap](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/roadmap.md) to see what we are working on and what we have planned for future releases.
-
 ## Community Help and Support
 
 -   [GitHub Issues](../../issues) is the best place to ask questions, report bugs, and new request features.
 
@@ -1,21 +1,5 @@
 # Security Policy
 
-## Supported Versions
-
-The following versions of our libraries are receiving security updates:
-
-| Version                       | Supported          |
-| -------                       | ------------------ |
-| `@azure/msal-browser@2.x.x`   | :white_check_mark: |
-| `msal@1.x.x`                  | :white_check_mark: |
-| `msal@0.x.x`                  | :x:                |
-| `@azure/msal-angular@2.x.x`   | :white_check_mark: |
-| `@azure/msal-angular@1.x.x`   | :white_check_mark: |
-| `@azure/msal-angular@0.x.x`   | :x:                |
-| `@azure/msal-angularjs@0.1.x` | :white_check_mark: |
-| `@azure/msal-react@1.x.x`     | :white_check_mark: |
-| `@azure/msal-node@1.x.x`      | :white_check_mark: |
-
 ## Reporting a Vulnerability
 
 If you find a security issue with our libraries or services [please report it to the Microsoft Security Response Center (MSRC)](https://aka.ms/report-security-issue) with as much detail as possible. Your submission may be eligible for a bounty through the [Microsoft Bounty](http://aka.ms/bugbounty) program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting [this page](https://www.microsoft.com/msrc/technical-security-notifications) and subscribing to Security Advisory Alerts.
@@ -13,6 +13,9 @@
 1. [Roadmap](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/roadmap.md)
 1. [Prerequisites](#prerequisites)
 1. [Installation](#installation)
+    - [CDN Deprecation](#cdn-deprecation)
+    - [Via npm](#via-npm)
+    - [Via Yarn](#via-yarn)
 1. [Usage](#usage)
     - [Migrating from Previous MSAL Versions](#migrating-from-previous-msal-versions)
     - [MSAL Basics](#msal-basics)
@@ -27,20 +30,17 @@
 
 ## About
 
-The MSAL library for JavaScript enables client-side JavaScript applications to authenticate users using [Azure AD](https://docs.microsoft.com/azure/active-directory/develop/v2-overview) work and school accounts (AAD), Microsoft personal accounts (MSA) and social identity providers like Facebook, Google, LinkedIn, Microsoft accounts, etc. through [Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-overview#identity-providers) service. It also enables your app to get tokens to access [Microsoft Cloud](https://www.microsoft.com/enterprise) services such as [Microsoft Graph](https://graph.microsoft.io).
+The MSAL library for JavaScript enables client-side JavaScript applications to authenticate users using [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/develop/v2-overview) work and school accounts (AAD), Microsoft personal accounts (MSA) and social identity providers like Facebook, Google, LinkedIn, Microsoft accounts, etc. through [Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-overview#identity-providers) service. It also enables your app to get tokens to access [Microsoft Cloud](https://www.microsoft.com/enterprise) services such as [Microsoft Graph](https://graph.microsoft.io).
 
 The `@azure/msal-browser` package described by the code in this folder uses the [`@azure/msal-common` package](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-common) as a dependency to enable authentication in JavaScript Single-Page Applications without backend servers. This version of the library uses the OAuth 2.0 Authorization Code Flow with PKCE. To read more about this protocol, as well as the differences between implicit flow and authorization code flow, see the section [below](#implicit-flow-vs-authorization-code-flow-with-pkce).
 
-This is an improvement upon the previous `@azure/msal` library which will utilize the authorization code flow in the browser. Most features available in the old library will be available in this one, but there are nuances to the authentication flow in both. The `@azure/msal-browser` package does NOT support the implicit flow.
+The `@azure/msal-browser` package **does NOT** support the implicit flow.
+
 
 ## FAQ
 
 See [here](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/FAQ.md).
 
-## Roadmap
-
-See [here](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/roadmap.md).
-
 ## Prerequisites
 
 -   `@azure/msal-browser` is meant to be used in [Single-Page Application scenarios](https://docs.microsoft.com/azure/active-directory/develop/scenario-spa-overview).
@@ -49,18 +49,32 @@ See [here](https://github.com/AzureAD/microsoft-authentication-library-for-js/bl
 
 ## Installation
 
+### CDN Deprecation
+
+> :warning: The `@azure/msal-browser` CDN has been fully deprecated as of `@azure/msal-browser@3.0.0` and is no longer supported. App developers using the MSAL CDN must upgrade to the latest possible version and consume MSAL through a package manager or bundling tool of their choice. For more information on version support, consult the table in the project [README.md](../../README.md#library-version-support-status).
+
 ### Via NPM
 
 ```javascript
 npm install @azure/msal-browser
 ```
 
+### Via Yarn
+
+```javascript
+yarn add @azure/msal-browser
+```
+
 ## Usage
 
 ### Migrating from Previous MSAL Versions
 
--   [Migrating from MSAL v1.x to MSAL v2.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/v1-migration.md)
+Select the guide that matches your current MSAL version:
+
+-   [Migrating from MSAL v4.x to MSAL v5.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/v4-migration.md)
+-   [Migrating from MSAL v3.x to MSAL v4.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/v3-migration.md)
 -   [Migrating from MSAL v2.x to MSAL v3.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/v2-migration.md)
+-   [Migrating from MSAL v1.x to MSAL v2.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/v1-migration.md)
 
 ### MSAL Basics
 
@@ -131,11 +145,9 @@ npm test
 npm run test:coverage
 ```
 
-## Implicit Flow vs Authorization Code Flow with PKCE
-
-`@azure/msal-browser` implements the [OAuth 2.0 Authorization Code Flow with PKCE](https://tools.ietf.org/html/rfc7636) for browser-based applications. This is a significant improvement over the Implicit Flow that was used in `@azure/msal`, `msal` or `adal-angular`.
+## Authorization Code Flow with Proof Key for Code Exchange (PKCE)
 
-### Authorization Code Flow with PKCE
+`@azure/msal-browser` implements the [OAuth 2.0 Authorization Code Flow with PKCE](https://tools.ietf.org/html/rfc7636) for browser-based applications.
 
 The Authorization Code Flow with Proof Key for Code Exchange (PKCE) is the current industry standard for securing OAuth 2.0 authorization in public clients, including single-page applications (SPAs). Key benefits include:
 
@@ -144,28 +156,11 @@ The Authorization Code Flow with Proof Key for Code Exchange (PKCE) is the curre
 - **Refresh Token Support**: Enables long-lived sessions through refresh tokens
 - **OIDC Compliance**: Fully compliant with OpenID Connect standards
 
-### Implicit Flow (Deprecated)
-
-The Implicit Flow was the previous standard for SPAs but has been deprecated due to security concerns:
-
-- **Tokens in URLs**: Access tokens are returned in URL fragments, making them visible in browser history and server logs
-- **No Refresh Tokens**: Implicit flow cannot securely deliver refresh tokens to public clients
-- **Increased Attack Surface**: Tokens are more susceptible to token leakage attacks
-
-### Migration Considerations
-
-- **`@azure/msal-browser` only supports Authorization Code Flow with PKCE** - Implicit Flow is not supported
-- If you're migrating from `@azure/msal`, `msal` or `adal-angular`, see our [migration guide](./docs/v1-migration.md)
-- Your Azure AD app registration needs to be configured for the Authorization Code Flow
-- Existing applications using Implicit Flow should migrate to Authorization Code Flow for improved security
-
-For more technical details about these flows, refer to the [Microsoft identity platform documentation](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
-
 ## Framework Wrappers
 
 If you are using a framework such as Angular or React you may be interested in using one of our wrapper libraries:
 
--   Angular: [@azure/msal-angular v2](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angular)
+-   Angular: [@azure/msal-angular](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angular)
 -   React: [@azure/msal-react](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react)
 
 ## Security Reporting