[v5] Strict matching default for MSAL Interceptor (#8355)

This PR makes strictMatching the default for the MSAL Angular
interceptor.

Author: jo-arroyo

change/@azure-msal-angular-0e4576d0-f88b-40f7-9d46-acfeca4f1bad.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Make strictMatching default [#8355](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/8355)",
+  "packageName": "@azure/msal-angular",
+  "email": "joarroyo@microsoft.com",
+  "dependentChangeType": "patch"
+}

change/@azure-msal-common-8da2a968-6ae2-4495-8ca6-e327ce3f5bd1.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Remove matchPattern from StringUtils [#8355](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/8355)",
+  "packageName": "@azure/msal-common",
+  "email": "joarroyo@microsoft.com",
+  "dependentChangeType": "patch"
+}

lib/msal-angular/docs/msal-interceptor.md

@@ -147,6 +147,56 @@ Other things to note regarding the `protectedResourceMap`:
 * **Wildcards**: `protectedResourceMap` supports using `*` for wildcards. When using wildcards, if multiple matching entries are found in the `protectedResourceMap`, the first match found will be used (based on the order of the `protectedResourceMap`). 
 * **Relative paths**: If there are relative resource paths in your application, you may need to provide the relative path in the `protectedResourceMap`. This also applies to issues that may arise with ngx-translate. Be aware that the relative path in your `protectedResourceMap` may or may not need a leading slash depending on your app, and may need to try both.
 
+### Strict Matching (`strictMatching`)
+
+In msal-angular v5, URL component pattern matching for `protectedResourceMap` entries uses strict matching semantics by default. The `strictMatching` field on `MsalInterceptorConfiguration` controls this behaviour.
+
+#### What strict matching changes
+
+| Behaviour | Legacy (`strictMatching: false`) | Strict (default in v5) |
+|-----------|----------------------------------|------------------------|
+| Metacharacter escaping | `.` and other regex metacharacters are **not** escaped; they act as regex operators | All metacharacters (including `.`) are treated as **literals** |
+| Anchoring | Pattern may match anywhere within the string | Pattern must match the **full string** (`^…$`) |
+| Host wildcard (`*`) | `*` matches any character sequence, including `.` | `*` matches any character sequence that does **not** include `.` (wildcards stay within a single DNS label) |
+| Path/search/hash wildcard (`*`) | `*` matches any character sequence | `*` matches any character sequence (unchanged) |
+| `?` character | Passed through to the underlying regex | Treated as a **literal** `?` (URL query-string separator, not a wildcard) |
+
+With strict matching (the v5 default):
+- A pattern like `*.contoso.com` matches `app.contoso.com` but **not** `a.b.contoso.com` (wildcard cannot span dot separators).
+- A pattern like `https://graph.microsoft.com/v1.0/me` matches only that exact URL.
+
+#### Default behaviour in v5 (no configuration needed)
+
+Strict matching is enabled by default. No additional configuration is required:
+
+```javascript
+{
+    interactionType: InteractionType.Redirect,
+    protectedResourceMap: new Map([
+        ["https://*.contoso.com/api", ["contoso.scope"]],
+        ["https://graph.microsoft.com/v1.0/me", ["user.read"]]
+    ])
+    // strictMatching defaults to true in v5
+}
+```
+
+#### Opting out to legacy matching (`strictMatching: false`)
+
+If your patterns rely on the looser matching from v4, you can set `strictMatching: false` to retain the legacy behaviour temporarily:
+
+> **Note:** Legacy matching (`strictMatching: false`) is provided for backwards compatibility and may be removed in a future major version. We recommend updating your `protectedResourceMap` patterns to work with strict matching.
+
+```javascript
+{
+    interactionType: InteractionType.Redirect,
+    protectedResourceMap: new Map([
+        ["https://*.contoso.com/api", ["contoso.scope"]],
+        ["https://graph.microsoft.com/v1.0/me", ["user.read"]]
+    ]),
+    strictMatching: false  // Use legacy matching for backwards compatibility
+}
+```
+
 ### Optional authRequest
 
 For more information on the optional `authRequest` that can be set in the `MsalInterceptorConfiguration`, please see our [multi-tenant doc here](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/multi-tenant.md#dynamic-auth-request).

lib/msal-angular/docs/v4-v5-upgrade-guide.md

@@ -4,7 +4,13 @@ MSAL Angular v5 requires a minimum version of Angular 19 and is dropping support
 
 Please see the [MSAL Browser v4-v5 migration guide](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/v4-migration.md) for browser support and other key changes.
 
-## Changes in `@azure/msal-angular@5`
+## Breaking changes in `@azure/msal-angular@5`
+
+### Strict matching for `protectedResourceMap`
+
+In msal-angular v5, URL pattern matching for protectedResourceMap entries uses strict matching semantics by default. Strict matching treats pattern metacharacters as literals, anchors matches to the full URL component, and applies host wildcard rules that do not span dot separators. If your v4 configuration relied on looser matching behavior, update your protectedResourceMap patterns to align with strict matching, or set strictMatching to false to retain legacy behavior temporarily. See [MSAL Interceptor docs](./msal-interceptor.md#strict-matching-strictmatching) for more details.
+
+## Other changes in `@azure/msal-angular@5`
 
 ### `inject(TOKEN)` syntax
 
@@ -33,4 +39,4 @@ Note: Passing a hash string directly to `handleRedirectObservable(hash)` is now
 
 ### `logout()`
 
-`logout()` has been removed. Please use `logoutRedirect()` or `logoutPopup()` instead.
+`logout()` has been removed. Please use `logoutRedirect()` or `logoutPopup()` instead.

lib/msal-angular/src/msal.interceptor.config.ts

@@ -31,6 +31,19 @@ export type MsalInterceptorConfiguration = {
         req: HttpRequest<unknown>,
         originalAuthRequest: MsalInterceptorAuthRequest
       ) => MsalInterceptorAuthRequest);
+  /**
+   * When `true` (the default in v5), enables stricter, more correct URL component pattern matching for
+   * `protectedResourceMap` entries. Strict matching uses anchored regex patterns and
+   * treats metacharacters (including `.`) as literals, so patterns match only their
+   * intended strings. Wildcards still apply, but host-component wildcards
+   * are constrained to a single DNS label.
+   *
+   * Set to `false` to use the legacy matching behaviour from v4 for
+   * backwards compatibility.
+   *
+   * @default true
+   */
+  strictMatching?: boolean;
 };
 
 export type ProtectedResourceScopes = {