AzureAD · jasonnutter · Sep 10, 2019 · Jul 25, 2019 · Sep 3, 2019 · Sep 9, 2019
@@ -258,3 +258,5 @@ lib-commonjs/
 lib-es6/
 lib/msal-core/lib-commonjs
 lib/msal-core/lib-es6
+*.tgz
+*.zip
@@ -45,6 +45,7 @@ Thumbs.db
 /src/*/__build__/
 __build__/**
 .webpack.json
+dist
 
 
 # IDE #

@@ -0,0 +1 @@
+package-lock=false
@@ -137,6 +137,7 @@ Besides the required clientID, you can optionally pass the following config opti
                   redirectUri: "http://localhost:4200/",
                   validateAuthority : true,
                   cacheLocation : "localStorage",
+                  storeAuthStateInCookie: false, // dynamically set to true when IE11
                   postLogoutRedirectUri: "http://localhost:4200/",
                   navigateToLoginRequestUrl : true,
                   popUp: true,
@@ -165,6 +166,8 @@ Defaults to `window.location.href`.
 
 * **cacheLocation** : Sets browser storage to either `localStorage` or `sessionStorage`. Defaults to `sessionStorage`.
 
+* **storeAuthStateInCookie** : Stores auth state in a browser cookie instead of local storage. Needs to be set to true when a user is on IE11, which may clear local storage contents when redirecting between websites in different zones. Defaults is `false`.
+
 * **postLogoutRedirectUri** : Redirects the user to postLogoutRedirectUri after logout. Defaults is 'redirectUri'.
 
 * **loadFrameTimeout** : The number of milliseconds of inactivity before a token renewal response from AAD should be considered timed out. Default is 6 seconds.
@@ -246,10 +249,27 @@ export const protectedResourceMap:[string, string[]][]=[ ['https://buildtodoserv
 
 In your API project, you need to enable CORS API requests to receive flight requests.
 
-> Note: The Iframe needs to access the cookies for the same domain that you did the initial sign in on. IE does not allow to access cookies in Iframe for localhost. Your URL needs to be fully qualified domain i.e http://yoursite.azurewebsites.com. Chrome does not have this restriction.
+#### Internet Explorer support
+
+This library supports Internet Explorer 11 with the following configuration:
+
+- For CORS API calls, the Iframe needs to access the cookies for the same domain that you did the initial sign in on. IE does not allow to access cookies in Iframe for localhost. Your URL needs to be fully qualified domain i.e http://yoursite.azurewebsites.com. Chrome does not have this restriction.
+- If you put your site in the trusted site list, cookies are not accessible for Iframe requests. You need to remove protected mode for Internet zone or add the authority URL for the login to the trusted sites as well.
+- IE may clear local storage when navigating between websites in different zones (e.g. your app and the login authority), which results in a broken experience when returning from the login page. To fix, set `storeAuthStateInCookie` to `true`.
+- There are known issues with popups in IE. We recommend using redirect flows by setting `popUp` to `false`.
 
-#### Trusted Site settings in IE
-If you put your site in the trusted site list, cookies are not accessible for Iframe requests. You need to remove protected mode for Internet zone or add the authority URL for the login to the trusted sites as well.
+It is recommended that these properties are set dynamically based on the user's browser.
+
+```js
+const isIE = window.navigator.userAgent.indexOf("MSIE ") > -1 || window.navigator.userAgent.indexOf("Trident/") > -1;
+
+MsalModule.forRoot({
+    // ...
+    popUp: !isIE,
+    storeAuthStateInCookie: ieIE
+});
+
+```
 
 ## Samples
 

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.1.4
+* Fix msal-angular to transpile for IE11 compatibility: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/868
+* Upgrade to msal-core version 0.2.2, namely including support for `storeAuthStateInCookie` for IE11.
+
 ## 0.1.3
 * Fix msal-angular exports to properly support IE11: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/785
   * **Note**: Unfortunately, the fix above caused breakage with `aot` compiling, so `0.1.3` has been deprecated in npm. We recommend pinning to `0.1.2` while we work on a fix. See https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/798
@@ -16,5 +20,5 @@
 
 
 ## 0.1.0
-Preview Release 
+Preview Release
-Original file line number
+Diff line change
@@ Expand Up / @@ -45,6 +45,7 @@ Thumbs.db @@
     /src/*/__build__/
     __build__/**
     .webpack.json
+    dist
     # IDE #
@@ Expand Down @@