Removing or hiding sign-in options on online OAuth2 login

Kurzweil Education 21 Reputation points
2022-01-06T15:40:13.643+00:00

Our Read The Web application uses OAuth2 for users to log in using their school Microsoft accounts.

Unfortunately we have received reports that students are able to circumvent web filtering by using the GitHub sign-in option (and a number of other clicks using the initial 'security' link on the GitHub login page), which is causing a major issue with schools that are using our product and others utilizing the Microsoft OAuth2 login at:

https://login.microsoftonline.com/common/oauth2/authorize

This post mentions one method of circumvention:
https://feedback.azure.com/d365community/idea/4b1c76f0-f525-ec11-b6e6-000d3a4f06a4

This is not the exact path that we have found but similar.

[screenshot: 162923-image.png]

Clicking the 'security' link at the bottom of this page provides a gateway to circumvention. There should not be -any- links on a sign-in page in my opinion.

After some research I have found what appears to be the answer: the sign-in options cannot be hidden.

https://learn.microsoft.com/en-us/answers/questions/318708/remove-sign-in-options.html
https://learn.microsoft.com/en-us/answers/questions/361891/how-to-remove-the-sign-in-options-from-the-login-p.html

Removing the entire sign-in screen is not an option.

There should be the option to remove or disable the sign-in options, at the OAuth request level at the very minimum. Certainly there should not be any links on any sign-in page other than what is strictly required for operation.


7 answers

  1. Kurzweil Education 21 Reputation points
    2022-01-11T16:42:33.263+00:00

    We are not in control of the filtering software - this is an issue reported by one of our clients in the K-12 education sector, which is why this is such an issue.

    Others have reported the same issue (a link was provided above).

    The customer reporting this issue has a number of safeguards in place, including a Smart Agent installed on the students' computers.

    This is an example of the sequence used to get to a Google search page within the browser window that is opened during an OAuth2 request.

    1. With a web page open - our "Read The Web" extension is started.
    2. "Sign in with Microsoft" button is selected on the RTW extension.
    3. A browser window is opened with the Microsoft sign-in page presented from an OAuth2 request.
    4. Sign-in options is selected on this page - a Sign-in Options page is presented. * NOTE :: THIS option we DO NOT want available *
    5. Sign in with GitHub (personal accounts only) is selected.
    6. A "Sign in with GitHub to continue to Microsoft-Corporation" page is presented.
    7. The 'Security' link at the bottom of this page is clicked.
    8. The page 'https://github.com/security' is presented.
    9. At the bottom of the page, click on the 'YouTube' link.
    10. The GitHub YouTube landing page is presented.
    11. Click on the Sign-In button.
    12. A Google sign-in page is presented.
    13. Click on the 'Learn More' link under 'Use Guest mode ... '
    14. A 'Google Chrome Help' page is presented.
    15. Click on the 'Terms of Service' link at the bottom of the page.
    16. A Google TOS page is presented.
    17. Click on the 'Main Menu' icon at the top left of the page.
    18. Click on the Google logo.
    19. A Google search page is presented.

    At this point, the user can search for any page they want to visit (i.e. Twitter, etc.) and this circumvents their browser filter software.

    Yes, this is quite involved and is an example of only one possible vector.

    As we provide this web extension for use in education, we are only able to control the configuration of the sign-in page - this is where we want to not provide the sign-in options at all. These options will not be needed by our customers ever.

    1 person found this answer helpful.
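    The sequence above starts with a single hop: a request whose referer is the Microsoft sign-in page but whose target is a host that has nothing to do with signing in. Since the thread establishes that the sign-in page itself cannot be changed, the remaining control is on the filtering side. The following is an added example, not code from the post or from Kurzweil Education or Microsoft, showing how a web-filter or proxy log could be scanned for that pivot and the chain of hosts that follows it. The log format (timestamp, user, referer, requested URL), the sample lines, and the host lists are all constructed assumptions; a real deployment would feed its own proxy logs and tune the allowlist to the hosts its tenant's sign-in flow actually contacts.

```python
"""Detect browser navigations that leave a Microsoft sign-in page for an
unrelated host, using constructed web-proxy log lines (added example)."""
from urllib.parse import urlsplit

# Hosts a browser is expected to be on while signing in (assumption; tune per tenant)
SIGNIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Hosts that may legitimately be requested from a sign-in page (assumption)
SIGNIN_ALLOWLIST = SIGNIN_HOSTS | {"aadcdn.msauth.net", "aadcdn.msftauth.net"}

# Constructed sample proxy log: time, user, referer ("-" if none), requested URL.
# student1 pivots from the sign-in page to github.com and on to youtube;
# student2 stays inside the sign-in flow.
SAMPLE_LOG = """\
2022-01-11T16:00:01Z student1 - https://login.microsoftonline.com/common/oauth2/authorize?client_id=EXAMPLE
2022-01-11T16:00:02Z student1 https://login.microsoftonline.com/common/oauth2/authorize https://aadcdn.msauth.net/shared/1.0/content/js/ConvergedLogin.js
2022-01-11T16:00:09Z student1 https://login.microsoftonline.com/common/oauth2/authorize https://github.com/login
2022-01-11T16:00:20Z student1 https://github.com/login https://github.com/security
2022-01-11T16:00:31Z student1 https://github.com/security https://www.youtube.com/github
2022-01-11T16:01:02Z student2 - https://login.microsoftonline.com/common/oauth2/authorize?client_id=EXAMPLE
2022-01-11T16:01:05Z student2 https://login.microsoftonline.com/common/oauth2/authorize https://login.microsoftonline.com/common/login
"""


def parse_log(text):
    """Turn the space-separated log lines into dicts with referer and target hosts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, referer, url = line.split(maxsplit=3)
        entries.append({
            "time": ts,
            "user": user,
            "ref_host": urlsplit(referer).hostname if referer != "-" else None,
            "host": urlsplit(url).hostname,
            "url": url,
        })
    return entries


def find_pivots(entries):
    """Requests referred by a sign-in host whose target is outside the allowlist."""
    return [e for e in entries
            if e["ref_host"] in SIGNIN_HOSTS and e["host"] not in SIGNIN_ALLOWLIST]


def follow_chain(entries, pivot):
    """From a pivot request, follow later requests by the same user whose referer
    host is the previous hop; returns the sequence of distinct hosts visited."""
    chain = [pivot["ref_host"], pivot["host"]]
    later = [e for e in entries
             if e["user"] == pivot["user"] and e["time"] > pivot["time"]]
    for e in later:
        if e["ref_host"] == chain[-1] and e["host"] != chain[-1]:
            chain.append(e["host"])
    return chain


def report(text):
    """Return (user, host chain) for every pivot off a sign-in page in the log."""
    entries = parse_log(text)
    return [(p["user"], follow_chain(entries, p)) for p in find_pivots(entries)]


if __name__ == "__main__":
    for user, chain in report(SAMPLE_LOG):
        print(f"{user}: left sign-in page via {' -> '.join(chain)}")
```

    The detection keys on the referer rather than on a blocklist of specific sites, so it catches the first hop regardless of which link on the sign-in page was used; the blocklist approach mentioned later in the thread (blocking github.com at the firewall) only works on the school network, while a log-based rule like this can run on whatever filtering agent the remote device carries.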

  2. James Hamil 22,266 Reputation points Microsoft Employee
    2022-01-06T22:45:14.3+00:00

    Hi @Kurzweil Education, for the screenshot you posted you cannot change the layout unfortunately. What is your user flow like, and why can't you remove the GitHub login page? The post you linked from Amanpreet is a good example of how you can pass through information without visiting this page. If you created your own sign-up page, you should be able to authenticate through GitHub without ever seeing this. Let me know if you've tried any of this already or if this works. I'm determined to get this working for you as it should really be a default option. We might need to go back and forth a bit though to find a solution.

    Best,
    James


  3. Edward Brison 1 Reputation point
    2022-11-16T17:54:49.033+00:00

    I hate to revive this topic but I am a Network Engineer for a K-12 school in Idaho. Our Chromebook fleet is significantly affected by this exploit. We use Azure SSO for our Chromebooks and block GitHub at the firewall, which solves the problem at school but not for remote students. This does bring us out of CIPA compliance because none of this traffic is monitored. Is there no way for you guys to just remove the link on the GitHub login page that redirects to the GitHub website? That would solve the problem as they would not be able to navigate away from the login page. We have been dealing with this issue all year and it is rampant. Remote students are just able to never log in to their Chromebooks and do whatever they want and we can't stop them.


  4. Kurzweil Education 21 Reputation points
    2022-11-17T14:45:03.127+00:00

    Sadly we still have not received any more responses to this issue and it seems to be a common issue among educational software/services providers. We have found no workarounds for this at this point in time. It would be nice if Microsoft would at least take some interest in this issue, especially if they want to continue to provide services to the education market. Eventually the market will be forced to block this login method in order to stay in compliance.


  5. JV 1 Reputation point
    2022-12-12T22:59:49.323+00:00

    I am a part of another K-12 organization that is having issues with this. I have opened tickets, contacted our MSFT rep and it's gone nowhere. Insane that no one at Microsoft seems to care about K-12 compliance requirements. I had a small glimmer of hope when I saw the announcement of Advanced Branding today in Azure (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-customize-branding). However, it still doesn't give any ability to remove sign-in options.
