Fix cache not being used when scopes are empty in acquireTokenSilent

[Copilot]

Problem

When acquireTokenSilent is called with empty scopes (scopes: []), the cache lookup fails with a configuration error, causing unnecessary network requests to Azure AD instead of using cached tokens.

import { useAccount, useMsal } from '@azure/msal-react';

const { instance, accounts } = useMsal();
const account = useAccount(accounts[0]);

const loginRequest = {
  scopes: [] // This causes cache miss and network request
};

let response = await instance.acquireTokenSilent({
        ...loginRequest,
        account
});

Root Cause

The ScopeSet constructor throws an error for empty scope arrays in ScopeSet.createSearchScopes(), preventing cache lookup from occurring in CacheManager.getAccessToken(). This causes the silent flow to fall back to network requests even when valid cached tokens exist.

Solution

Modified ScopeSet.createSearchScopes() to handle empty scopes gracefully by defaulting to OIDC default scopes (openid, profile, offline_access) for cache lookups. The method now:

1. Filters and trims input scopes as before
2. If no valid scopes remain, uses OIDC default scopes instead of throwing an error
3. Applies existing scope processing logic (removing offline_access for OIDC-only scope sets)

Changes Made

• Modified ScopeSet.createSearchScopes(): Added logic to default to OIDC scopes when input is empty
• Added comprehensive tests: Covers empty arrays, null/undefined inputs, mixed scenarios
• Maintains complete backward compatibility: Constructor still validates, non-empty scopes work unchanged

Behavior

• Before: Empty scopes → ClientConfigurationError → Network request
• After: Empty scopes → Cache search with ["openid", "profile"] → Cache hit if available → Network fallback if needed

Benefits

• Performance: Eliminates unnecessary network requests when cached tokens exist
• Developer Experience: More intuitive behavior when scopes are omitted
• Security: Only returns tokens with default OIDC scopes, maintaining principle of least privilege
• Compatibility: Zero breaking changes to existing functionality

This surgical fix resolves the issue while maintaining all existing behaviors and security boundaries.

Fixes #6969.

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[tnorling]

Please create changefiles and fix the lint errors

[Copilot]

Please create changefiles and fix the lint errors

Changefile created and lint/formatting issues fixed. Applied Prettier formatting and created changefile for @azure/msal-common package. All tests are passing (38/38 in ScopeSet test suite). Commit: 6aadd68