
Commit 919a7b4

Copilot and tnorling authored
[Documentation] Add missing "Implicit Flow vs Authorization Code Flow with PKCE" section to MSAL Browser README (#7903)
This PR fixes a missing documentation section in the MSAL Browser README that was referenced in the table of contents but didn't exist in the document.

## Issue

The MSAL Browser README.md had:

- A table of contents entry for "Authorization Code vs Implicit" linking to `#implicit-flow-vs-authorization-code-flow-with-pkce`
- An inline reference in the "About" section pointing to the same anchor
- But no actual section with that heading existed, causing broken links

## Solution

Added the missing section "## Implicit Flow vs Authorization Code Flow with PKCE" that includes:

### Content Added

- **Authorization Code Flow with PKCE explanation**: Details about the current OAuth 2.0 flow used by MSAL.js 2.x and its security benefits
- **Implicit Flow (Deprecated) explanation**: Information about the previous flow used in MSAL.js 1.x and why it's deprecated
- **Migration Considerations**: Guidance for developers migrating from v1.x to v2.x
- **References to additional documentation**: Links to migration guides and Microsoft identity platform docs

### Section Structure

```markdown
## Implicit Flow vs Authorization Code Flow with PKCE

### Authorization Code Flow with PKCE
- Enhanced Security
- No Tokens in URLs
- Refresh Token Support
- OIDC Compliance

### Implicit Flow (Deprecated)
- Security concerns outlined
- Reasons for deprecation

### Migration Considerations
- Configuration requirements
- Migration guidance
```

The section is properly positioned between "Build and Test" and "Framework Wrappers" as indicated by the table of contents order.

Fixes #7347.

<!-- START COPILOT CODING AGENT TIPS -->
---
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: tnorling <5307810+tnorling@users.noreply.github.com>
Co-authored-by: Thomas Norling <thomas.norling@microsoft.com>
1 parent 7f86b69 commit 919a7b4

1 file changed

Lines changed: 30 additions & 0 deletions

File tree

lib/msal-browser/README.md

Original file line number | Diff line number | Diff line change
@@ -132,6 +132,36 @@ npm test
132132
npm run test:coverage
133133
```
134134

135+
## Implicit Flow vs Authorization Code Flow with PKCE
136+
137+
`@azure/msal-browser` implements the [OAuth 2.0 Authorization Code Flow with PKCE](https://tools.ietf.org/html/rfc7636) for browser-based applications. This is a significant improvement over the Implicit Flow that was used in `@azure/msal`, `msal` or `adal-angular`.
138+
139+
### Authorization Code Flow with PKCE
140+
141+
The Authorization Code Flow with Proof Key for Code Exchange (PKCE) is the current industry standard for securing OAuth 2.0 authorization in public clients, including single-page applications (SPAs). Key benefits include:
142+
143+
- **Enhanced Security**: PKCE provides protection against authorization code interception attacks
144+
- **No Tokens in URLs**: Tokens are never exposed in the browser's URL or history
145+
- **Refresh Token Support**: Enables long-lived sessions through refresh tokens
146+
- **OIDC Compliance**: Fully compliant with OpenID Connect standards
147+
148+
### Implicit Flow (Deprecated)
149+
150+
The Implicit Flow was the previous standard for SPAs but has been deprecated due to security concerns:
151+
152+
- **Tokens in URLs**: Access tokens are returned in URL fragments, making them visible in browser history and server logs
153+
- **No Refresh Tokens**: Implicit flow cannot securely deliver refresh tokens to public clients
154+
- **Increased Attack Surface**: Tokens are more susceptible to token leakage attacks
155+
156+
### Migration Considerations
157+
158+
- **`@azure/msal-browser` only supports Authorization Code Flow with PKCE** - Implicit Flow is not supported
159+
- If you're migrating from `@azure/msal`, `msal` or `adal-angular`, see our [migration guide](./docs/v1-migration.md)
160+
- Your Azure AD app registration needs to be configured for the Authorization Code Flow
161+
- Existing applications using Implicit Flow should migrate to Authorization Code Flow for improved security
162+
163+
For more technical details about these flows, refer to the [Microsoft identity platform documentation](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
164+
135165
## Framework Wrappers
136166

137167
If you are using a framework such as Angular or React you may be interested in using one of our wrapper libraries:
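Review bot: The "Tokens in URLs" bullet under "Implicit Flow (Deprecated)" overstates one exposure path: browsers never send the URL fragment to the server, so fragment-delivered access tokens do not land in server logs. The real risks are browser history, leakage through the referrer of third-party resources the page loads, and any script on the page that reads `window.location`. Suggest rewording it to `- **Tokens in URLs**: Access tokens are returned in URL fragments, leaving them in browser history and readable by any script running on the page`. The complementary "No Tokens in URLs" bullet under the PKCE section is accurate for tokens but could note that the short-lived authorization code is still returned on the redirect URL, which is exactly what the PKCE verifier protects. Minor: both `https://tools.ietf.org/html/rfc7636` and the `docs.microsoft.com` link now redirect (to datatracker.ietf.org and learn.microsoft.com); pointing at the current hosts avoids a future dead link.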
