question

2 Votes
KurzweilEducation-6539 asked JamesHamil-MSFT commented

Removing or hiding sign-in options on online oAuth2 login

Our Read The Web application uses oauth2 for users to login using their school Microsoft accounts.

Unfortunately we have received reports that students are able to circumvent web filtering by using the GitHub sign-in option (and a number of other clicks using the initial 'security' link on the GitHub login page), which is causing a major issue for schools that are using our product and others utilizing the Microsoft oauth2 login at:

https://login.microsoftonline.com/common/oauth2/authorize

This post mentions one method of circumvention:
https://feedback.azure.com/d365community/idea/4b1c76f0-f525-ec11-b6e6-000d3a4f06a4

This is not the exact path that we have found but similar.

162923-image.png

Clicking the 'security' link at the bottom of this page provides a gateway to circumvention. There should not be -any- links on a sign-in page in my opinion.

After some research I have found what appears to be the answer that the sign-in options cannot be hidden.

https://docs.microsoft.com/en-us/answers/questions/318708/remove-sign-in-options.html
https://docs.microsoft.com/en-us/answers/questions/361891/how-to-remove-the-sign-in-options-from-the-login-p.html

Removing the entire sign-in screen is not an option.

There should be the option to remove or disable the sign-in options, at the oauth request level at the very minimum. Certainly there should not be any links on any sign-in page other than what is strictly required for operation.


Tags: azure-active-directory, azure-ad-saml-sso

I am in the K-12 education sector and can vouch for others above. This is a significant issue for us. The app we are attempting to federate is G-Suite via SAML.

The ability to remove the "Sign In Options" button as well as disable the ability to sign in with personal accounts is huge. Our students will only be authenticating with our Microsoft tenant accounts, but what accounts are allowed is not a configurable option via SAML.

-Brian

0 Votes 0 ·
0 Votes
JamesHamil-MSFT answered KurzweilEducation-6539 commented

Hi @KurzweilEducation-6539 , for the screenshot you posted you cannot change the layout unfortunately. What is your user flow like, and why can't you remove the Github login page? The post you linked from Amanpreet is a good example of how you can pass through information without visiting this page. If you created your own sign up page, you should be able to authenticate through Github without ever seeing this. Let me know if you've tried any of this already or if this works. I'm determined to get this working for you as it should really be a default option. We might need to go back and forth a bit though to find a solution.

Best,
James


Our user flow requires users to log in, and we do not know their login credentials prior to them starting our extension.

We did not create a sign in page but simply request an oauth signin via the authorize call specified above.

I would love to hide the Github (and indeed all of the sign in options) on the initial sign in page.

Our users will never be authenticating via Github, only their Microsoft accounts.

163322-image.png

but this does not appear to be possible. If it is, please provide an example.

My previous screenshot was intended to show the link that is being used to circumvent web filters.

0 Votes 0 ·
JamesHamil-MSFT · KurzweilEducation-6539 ·

Hi @KurzweilEducation-6539 , how are the students circumventing the web filters? Are you using any Microsoft products for the filtering? It may be easier to work backwards.

0 Votes 0 ·

Please see my reply below:

0 Votes 0 ·

Please see my comment below.

0 Votes 0 ·
1 Vote
KurzweilEducation-6539 answered JamesHamil-MSFT commented

We are not in control of the filtering software - this is an issue reported by one of our clients in the K-12 education sector, thus why this is such an issue.

Others have reported the same issue (a link was provided above).

The customer reporting this issue has a number of safeguards in place, including a Smart Agent installed on the students computers.

This is an example of the sequence used to get to a Google search page within the browser window that is opened during an OAuth2 request.

1. With a web page open, our "Read The Web" extension is started.
2. The "Sign in with Microsoft" button is selected on the RTW extension.
3. A browser window is opened with the Microsoft sign-in page presented from an oauth2 request.
4. "Sign-in options" is selected on this page; a Sign-in Options page is presented. NOTE :: THIS option we DO NOT want available.
5. "Sign in with GitHub (personal accounts only)" is selected.
6. A "Sign in with GitHub to continue to Microsoft-Corporation" page is presented.
7. The 'Security' link at the bottom of this page is clicked.
8. The page 'https://github.com/security' is presented.
9. At the bottom of the page, click on the 'YouTube' link.
10. The GitHub YouTube landing page is presented.
11. Click on the Sign-In button.
12. A Google sign-in page is presented.
13. Click on the 'Learn More' link under 'Use Guest mode ... '.
14. A 'Google Chrome Help' page is presented.
15. Click on the 'Terms of Service' link at the bottom of the page.
16. A Google TOS page is presented.
17. Click on the 'Main Menu' icon at the top left of the page.
18. Click on the Google logo.
19. A Google search page is presented.

At this point, the user can search for any page they want to visit (i.e. Twitter, etc.), and this circumvents their browser filter software.

Yes, this is quite involved and is an example of only one possible vector.

As we provide this web extension for use in education, we are only able to control the configuration of the sign in page - this is where we want to not provide the Sign-in options at all. These options will not be needed by our customers ever.


Hi @KurzweilEducation-6539 , I'm going to reach out to a few people to see what can be done about this. I'll let you know when I hear back.

Best,
James

1 Vote 1 ·

Hi @KurzweilEducation-6539 , sorry for the delay in response. I reached out to a member of my team and he did some testing.

"I did some tests on this and it looks like, if you are using the common/organizations endpoint, you would get the GitHub sign-in option under the sign-in options, but on get "Sign in to an organization". But if you use tenantid/tenant-name the GitHub sign-in option will be visible under the sign-in options.
As per the docs, if your app supports only Microsoft accounts then the GitHub option to sign in won't be visible, but if your app supports personal accounts, then the GitHub sign-in option will be visible.

Having said this, upon more testing, I found that even if you have registered your app as multi-tenant (work and school accounts only) and used the common endpoint, the sign-in option still comes up twice in the sign-in journey, and in the second case we get the GitHub option, since in the second case the endpoint gets changed to tenant-name."

We're going to reach out to a few PMs and see what else we can do. Thank you for your patience!

Best,
James

0 Votes 0 ·
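The tester's finding above is that which sign-in options appear depends on whether the authorize request goes to /common or to a tenant-specific endpoint, and that the page itself cannot be locked down. The added example below (not code from the thread, from Kurzweil, or from Microsoft) shows the other half of the mitigation a relying party controls: sending users to the tenant-specific authorize endpoint and, regardless of what the login page offered, rejecting any token whose issuer and tenant id are not the expected tenant. The tenant id, client id, redirect URI and the `make_unsigned_test_token` helper are placeholders constructed for illustration; `domain_hint` is a real parameter of the endpoint that the thread does not mention, and signature verification of the id_token is assumed to be done by your OIDC library before these claim checks run.

```python
# Added example: pin the OAuth2 request to one tenant and reject tokens from any other
# tenant. Placeholders below are NOT real identifiers; replace them with your own.
from urllib.parse import urlencode
import base64
import json
import secrets

TENANT_ID = "00000000-0000-0000-0000-000000000000"      # placeholder: your tenant id
CLIENT_ID = "11111111-1111-1111-1111-111111111111"      # placeholder: your app (client) id
REDIRECT_URI = "https://example.invalid/oauth/callback"  # placeholder redirect URI
AUTHORITY = "https://login.microsoftonline.com"


def build_authorize_url(tenant=TENANT_ID, domain_hint=None, state=None):
    """Tenant-specific v1 authorize URL (same endpoint family as the /common URL in the thread).

    Using the tenant id instead of /common keeps the request scoped to that tenant;
    domain_hint (a verified domain of the tenant) additionally skips home-realm discovery.
    Returns (url, state) so the caller can store state for the CSRF check on callback.
    """
    state = state or secrets.token_urlsafe(16)
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "state": state}
    if domain_hint:
        params["domain_hint"] = domain_hint
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?" + urlencode(params), state


def _decode_jwt_payload(token):
    """Return the claims of a JWT (signature assumed already verified elsewhere)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def token_is_from_tenant(id_token, tenant=TENANT_ID, client_id=CLIENT_ID):
    """Accept only tokens issued by our tenant, for our app (v1 issuer format)."""
    claims = _decode_jwt_payload(id_token)
    expected_iss = f"https://sts.windows.net/{tenant}/"
    return (claims.get("tid") == tenant
            and claims.get("iss") == expected_iss
            and claims.get("aud") == client_id)


def make_unsigned_test_token(claims):
    """Constructed, unsigned JWT for offline demonstration only; never accept such tokens."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Even with the tenant endpoint, the thread shows the sign-in options page can still surface; the issuer and tid checks are what guarantee a personal or foreign-tenant account cannot complete sign-in to the application.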

Thank you.

0 Votes 0 ·


Thanks for the feedback @BrianTroudy-2321 . Have you had any luck with workarounds? We're looking to fix this but it would be good to know about

0 Votes 0 ·