Removing or hiding sign-in options on online oAuth2 login

Kurzweil Education 21 Reputation points
2022-01-06T15:40:13.643+00:00

Our Read The Web application uses oauth2 for users to login using their school Microsoft accounts.

Unfortunately we have received reports that students are able to circumvent web filtering by using the GitHub sign-in option (and a number of other clicks using the initial 'security' link on the GitHub login page), which is causing a major issue with schools that are using our product and others utilizing the Microsoft oauth2 login at:

https://login.microsoftonline.com/common/oauth2/authorize

This post mentions one method of circumvention:
https://feedback.azure.com/d365community/idea/4b1c76f0-f525-ec11-b6e6-000d3a4f06a4

This is not the exact path that we have found but similar.


Clicking the 'security' link at the bottom of this page provides a gateway to circumvention. There should not be -any- links on a sign-in page in my opinion.

After some research I have found what appears to be the answer that the sign-in options cannot be hidden.

https://learn.microsoft.com/en-us/answers/questions/318708/remove-sign-in-options.html
https://learn.microsoft.com/en-us/answers/questions/361891/how-to-remove-the-sign-in-options-from-the-login-p.html

Removing the entire sign-in screen is not an option.

There should be the option to remove or disable the sign-in options at the oauth request level at the very minimum. Certainly there should not be any links on any sign-in page other than what are strictly required for operation.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. Kurzweil Education 21 Reputation points
    2022-01-11T16:42:33.263+00:00

    We are not in control of the filtering software - this is an issue reported by one of our clients in the K-12 education sector, thus why this is such an issue.

    Others have reported the same issue (a link was provided above).

    The customer reporting this issue has a number of safeguards in place, including a Smart Agent installed on the students computers.

    This is an example of the sequence used to get to a Google search page within the browser window that is opened during an OAuth2 request.

    With a web page open - our "Read The Web" extension is started.
    "Sign in with Microsoft" button is selected on the RTW extension.
    A browser window is opened with the Microsoft sign-in page presented from an oauth2 request.
    Sign in options is selected on this page - a Sign-in Options page is presented. * NOTE :: THIS option we DO NOT want available *
    Sign in with GitHub (personal accounts only) is selected.
    A "Sign in with GitHub to continue to Microsoft-Corporation" page is presented.
    The 'Security' link at the bottom of this page is clicked.
    The page 'https://github.com/security' is presented.
    At the bottom of the page, click on the 'YouTube' link.
    The GitHub YouTube landing page is presented.
    Click on the Sign-In button.
    A Google sign-in page is presented.
    Click on the 'Learn More' link under 'Use Guest mode ... '
    A 'Google Chrome Help' page is presented.
    Click on 'Terms of Service' link at the bottom of the page.
    A Google TOS page is presented.
    Click on 'Main Menu' icon at top left of the page.
    Click on the Google logo.
    A Google search page is presented.

    At this point, the user can search for any page they want to visit (i.e. Twitter, etc.) and this circumvents their browser filter software.

    Yes, this is quite involved and is an example of only one possible vector.

    As we provide this web extension for use in education, we are only able to control the configuration of the sign in page - this is where we want to not provide the Sign-in options at all. These options will not be needed by our customers ever.

    1 person found this answer helpful.

  2. James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2022-01-06T22:45:14.3+00:00

    Hi @Kurzweil Education, for the screenshot you posted you cannot change the layout unfortunately. What is your user flow like, and why can't you remove the GitHub login page? The post you linked from Amanpreet is a good example of how you can pass through information without visiting this page. If you created your own sign up page, you should be able to authenticate through GitHub without ever seeing this. Let me know if you've tried any of this already or if this works. I'm determined to get this working for you as it should really be a default option. We might need to go back and forth a bit though to find a solution.

    Best,
    James


  3. JV 1 Reputation point
    2024-03-14T18:59:51.57+00:00

    Hey Dennis,

    You can fix this now with a custom CSS File. These are the settings I changed to resolve it for our organization.

    .ext-promoted-fed-cred-box {
        /* Styles for sign-in options text box */
        display: none !important;
    }

    I also removed the "Can't access your account?" URL since that was used as a bypass as well.

    Info about using the CSS template:
    https://learn.microsoft.com/en-us/entra/fundamentals/reference-company-branding-css-template

    CSS template file:
    https://download.microsoft.com/download/7/2/7/727f287a-125d-4368-a673-a785907ac5ab/custom-styles-template-013023.css
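A pre-upload check for the company-branding CSS that JV describes, added here as an example and not code from this thread or from Microsoft: it parses a custom-styles file and confirms the `.ext-promoted-fed-cred-box` rule hides the sign-in options box with the `!important` JV used, so a hand-edited file cannot silently lose the override. The sample CSS and the `.hypothetical-forgot-link` selector are constructed placeholders; the page does not name the selector for the "Can't access your account?" link.

```python
import re

# Constructed sample of an Entra custom-styles file. Only .ext-promoted-fed-cred-box
# comes from the thread above; the other two selectors are hypothetical placeholders.
SAMPLE_CSS = """
.ext-sign-in-box { padding: 12px; }

.ext-promoted-fed-cred-box {
    /* Styles for sign-in options text box */
    display: none !important;
}

.hypothetical-forgot-link { display: none; }
"""


def parse_rules(css):
    """Map each selector to {property: value}. Comments are stripped first.
    Handles the flat rule sets used in branding CSS; no nested @media blocks."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    rules = {}
    for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        decls = rules.setdefault(selector.strip(), {})
        for decl in body.split(";"):
            if ":" in decl:
                prop, value = decl.split(":", 1)
                decls[prop.strip().lower()] = " ".join(value.split())
    return rules


def hides_element(rules, selector):
    """True only when the selector sets display:none with !important, which is
    what keeps the page's own stylesheet from overriding the custom rule."""
    value = rules.get(selector, {}).get("display", "")
    if value.replace(" ", "") == "none!important":
        return True, "ok"
    if value.startswith("none"):
        return False, f"{selector}: display:none lacks !important; page styles may override it"
    return False, f"{selector}: no display:none rule found"


def audit(css, required=(".ext-promoted-fed-cred-box",)):
    """Return one message per required selector that is not reliably hidden."""
    rules = parse_rules(css)
    problems = []
    for selector in required:
        ok, message = hides_element(rules, selector)
        if not ok:
            problems.append(message)
    return problems
```

Run `audit()` over the real custom-styles file before uploading it in the Entra branding settings; an empty list means every required selector is hidden with `!important`.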

