Remove extraQueryParameters and extraParameters fields from Request types in msal-node

[Avery-Dunn]

Removes the extraQueryParameters/extraParameters API according to KR 3310905, similar to what is being done in MSAL.NET and MSAL Java:
AzureAD/microsoft-authentication-library-for-dotnet#5536
AzureAD/microsoft-authentication-library-for-java#1001

This API was meant for niche scenarios which the library did not explicitly cover, and extensive usage could lead to bad caching behavior: these extra query parameters could affect the contents and validity of tokens but were not used in our caching scheme, so if they changed between requests we could return tokens that were not valid for the latest set of parameters.

Therefore we are deprecating the current API and, if there is a need for it, may add a new API in the future to perform similar behavior in a more robust way (like was done in MSAL .NET due to requests from first-party customers).

[sameerag]

@hectormmg Do we want this for node public client too? This will deviate from msal-browser, please review.

[Copilot]

Pull Request Overview

This pull request removes the deprecated extraQueryParameters and extraParameters API fields from request types in msal-node as part of a cross-library deprecation effort. This is a major breaking change to address caching issues where these parameters could affect token validity without being included in the cache key.

Key Changes:

• Removes extraQueryParameters and extraParameters from OnBehalfOfRequest and ClientCredentialRequest request types
• Updates corresponding type definitions using TypeScript's Omit utility to exclude these fields from BaseAuthRequest
• Removes test cases that validated the behavior of these deprecated fields

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
lib/msal-node/src/request/CommonOnBehalfOfRequest.ts	Uses Omit to exclude extraQueryParameters and extraParameters from BaseAuthRequest for OBO requests
lib/msal-node/src/request/OnBehalfOfRequest.ts	Removes JSDoc documentation for the deprecated fields
lib/msal-node/src/request/CommonClientCredentialRequest.ts	Uses Omit to exclude extraQueryParameters and extraParameters from BaseAuthRequest for client credential requests
lib/msal-node/src/request/ClientCredentialRequest.ts	Removes JSDoc documentation for the deprecated fields
lib/msal-node/test/client/OnBehalfOfClient.spec.ts	Removes test case validating extraQueryParameters functionality
lib/msal-node/test/client/ClientCredentialClient.spec.ts	Removes test case validating extraQueryParameters functionality
change/@azure-msal-node-ad99a1d3-bdf2-499d-a4a2-7b4ef4153d6a.json	Beachball change file marking this as a major version bump

[Avery-Dunn]

@hectormmg Do we want this for node public client too? This will deviate from msal-browser, please review.

@sameerag, @hectormmg and I discussed this separately and decided to only make changes to the confidential client side in this PR. We can handle the public client side if a customer some day encounters the issue we saw in MSAL .NET, since it should only occur in niche testing scenarios anyway.

In the latest commits I've reverted all the changes that affect the public client (i.e., everything except the OBO and client credential flows).

[Robbie-Microsoft]

[deleted]

[hectormmg]

Thanks @Avery-Dunn, lgtm! Do you think it's worth documenting somewhere in the Confidential Client docs that these request parameters were removed and are not available like they are for public client? I doubt they're widely used but they may hedge some incoming questions.