Removing or hiding sign-in options on online oAuth2 login

Question

Removing or hiding sign-in options on online oAuth2 login

Kurzweil Education 21

Our Read The Web application uses oauth2 for users to login using their school Microsoft accounts.

Unfortunately we have received reports that students are able to circumvent web filtering by using the github sign-in option (and a number of other clicks using the initial 'security' link on the github login page) which is causing a major issue with school that are using our product and others utilizing the Microsoft oauth2 login at:

https://login.microsoftonline.com/common/oauth2/authorize

This post mentions one method of circumvention:
https://feedback.azure.com/d365community/idea/4b1c76f0-f525-ec11-b6e6-000d3a4f06a4

This is not the exact path that we have found but similar.

Clicking the 'security' link at the bottom of this page provides a gateway to circumvention. There should not be -any- links on a sign-in page in my opinion.

After some research I have found what appears to be the answer that the sign-in options cannot be hidden.

https://learn.microsoft.com/en-us/answers/questions/318708/remove-sign-in-options.html
https://learn.microsoft.com/en-us/answers/questions/361891/how-to-remove-the-sign-in-options-from-the-login-p.html

Removing the entire sign-in screen is not an option.

There should be the option to remove or disable the sign-in options either at the oauth request level at the very minimum. Certainly there should not be any links on any sign-in page other that what are strictly required for operation.

Brian Troudy 6 Reputation points

2022-01-21T00:55:28.497+00:00

I am in the K-12 education sector and can vouch for others above. This is a significant issue for us. The app we are attempting to federate is G-Suite via SAML.

The ability to remove the "Sign In Options" button as well as disable the ability to sign in with personal accounts is huge. Our students will only be authenticating with our Microsoft tenant accounts, but what accounts are allowed is not a configurable option via SAML.

-Brian
Edward Brison 1 Reputation point

2022-11-16T17:54:49.033+00:00

I hate to revive this topic but i am a Network Engineer for a K-12 School in Idaho. Our chromebook fleet is significantly affected by this exploit. We use Azure sso for our chromebooks and block github at the firewall which solves the problem at school but not for remote students. This does bring us out of CIPA compliance because none of this traffic is monitored. Is there no way for you guys to just remove the link on the github login page that redirects to the github website? That would solve the problem as they would not be able to navigate away from the login page. We have been dealing with this issue all year and it is rampant. Remote students are just able to never login to their chromebooks and do whatever they want and we cant stop them.
Kurzweil Education 21 Reputation points

2022-11-17T14:45:03.127+00:00

Sadly we still have not received any more responses to this issue and it seems to be a common issue among educational software/services providers. We have found no work arounds for this at this point in time. It would be nice if Microsoft would at least take some interest in this issue especially if they want to continue to provide services to the education market. Eventually the market will be forced to block this login method in order to keep in compliance.
JV 1 Reputation point

2022-12-12T22:59:49.323+00:00

I am apart of another K-12 organization that is having issues with this. I have opened tickets, contacted our MSFT rep and it's gone no where. Insane no one at Microsoft seems to care about K-12 compliance requirements. I had a small glimmer of hope when I saw the announcement of Advanced Branding today in Azure (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-customize-branding)....however it still doesn't give any ability to remove sign-in options.
Dennis Wendt 0 Reputation points

2024-03-14T17:59:32.18+00:00

Hello All -

This is still an issue for all K12's - 03/2024

Has there been any changes, work arounds, or new developments for this issue?

Dennis

3 answers

Your answer

Brian Troudy 6 Reputation points

2022-01-21T00:55:28.497+00:00

I am in the K-12 education sector and can vouch for others above. This is a significant issue for us. The app we are attempting to federate is G-Suite via SAML.

The ability to remove the "Sign In Options" button as well as disable the ability to sign in with personal accounts is huge. Our students will only be authenticating with our Microsoft tenant accounts, but what accounts are allowed is not a configurable option via SAML.

-Brian
Edward Brison 1 Reputation point

2022-11-16T17:54:49.033+00:00

I hate to revive this topic but i am a Network Engineer for a K-12 School in Idaho. Our chromebook fleet is significantly affected by this exploit. We use Azure sso for our chromebooks and block github at the firewall which solves the problem at school but not for remote students. This does bring us out of CIPA compliance because none of this traffic is monitored. Is there no way for you guys to just remove the link on the github login page that redirects to the github website? That would solve the problem as they would not be able to navigate away from the login page. We have been dealing with this issue all year and it is rampant. Remote students are just able to never login to their chromebooks and do whatever they want and we cant stop them.
Kurzweil Education 21 Reputation points

2022-11-17T14:45:03.127+00:00

Sadly we still have not received any more responses to this issue and it seems to be a common issue among educational software/services providers. We have found no work arounds for this at this point in time. It would be nice if Microsoft would at least take some interest in this issue especially if they want to continue to provide services to the education market. Eventually the market will be forced to block this login method in order to keep in compliance.
JV 1 Reputation point

2022-12-12T22:59:49.323+00:00

I am apart of another K-12 organization that is having issues with this. I have opened tickets, contacted our MSFT rep and it's gone no where. Insane no one at Microsoft seems to care about K-12 compliance requirements. I had a small glimmer of hope when I saw the announcement of Advanced Branding today in Azure (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-customize-branding)....however it still doesn't give any ability to remove sign-in options.
Dennis Wendt 0 Reputation points

2024-03-14T17:59:32.18+00:00

Hello All -

This is still an issue for all K12's - 03/2024

Has there been any changes, work arounds, or new developments for this issue?

Dennis

Answer 1

Kurzweil Education 21

We are not in control of the filtering software - this is an issue reported by one of our clients in the K-12 education sector, thus why this is such an issue.

Others have reported the same issue (a link was provided above).

The customer reporting this issue has a number of safeguards in place, including a Smart Agent installed on the students computers.

This is an example of the sequence used to get to a Google search page within the browser window that is opened during an OAuth2 request.

With a web page open - our "Read The Web" extension is started.
"Sign in with Microsoft" button is selected on the RTW extension.
A browser window is opened with the Microsoft sign-in page presented from an oauth2 request.
Sign in options is selected on this page - a Sign-in Options page is presented. * NOTE :: THIS option we DO NOT want available *
Sign in with GitHub (personal accounts only) is selected.
A "Sign in with GitHub to continue to Microsoft-Corporation" page is presented.
The 'Security' link at the bottom of this page is clicked.
The page 'https://github.com/security' is presented.
At the bottom on the page, click on the 'YouTube' link
The GitHub YouTube landing page is presented.
Click on the Sign-In button.
A Google sign-in page is presented.
Click on the 'Learn More' link under 'Use Guest mode ... '
A 'Google Chrome Help' page is presented.
Click on 'Terms of Service' link at the bottom of the page.
a Google TOS page is presented.
Click on 'Main Menu' icon at top left of the page.
Click on the Google logo.
A Google search page is presented.

At this point, the user can search for any page they want to visit (ie Twitter, etc) and this circumvents their browser filter software.

Yes this quite involved and is an example of only one possible vector.

As we provide this web extension for use in education, we are only able to control the configuration of the sign in page - this is where we want to not provide the Sign-in options at all. These options will not be needed by our customers ever.

James Hamil 27,221 Reputation points Microsoft Employee Moderator

2022-01-12T00:16:49.2+00:00

Hi @Kurzweil Education , I'm going to reach out to a few people to see what can be done about this. I'll let you know when I hear back.

Best,
James
James Hamil 27,221 Reputation points Microsoft Employee Moderator

2022-01-20T00:18:39.177+00:00

Hi @Kurzweil Education , sorry for the delay in response. I reached out to a member of my team and he did some testing.

"I did some test on this and it looks like, if you are using the common/organizations endpoint, you would get the github sign-in option under the sign-options, but on get "Signin to an organization". But if you use tenantid/tenant-name the github signin option will be visible under the signin-options.
As per the docs, if your app supports only Microsoft accounts then the github option to signin wont be visible, but if you app supports personal accounts, then the github signin option will be visible.

Having said this, upon more testing, found that even if you have registered your app as a multi-tenant (work and school accounts only) and used the common endpoint, still, found that the signin-option comes up twice in the sign-in journey and in the second case, we get the github option, since in the second case, the endpoint gets changed to tenant-name."

We're going to reach out to a few PMs and see what else we can do. Thank you for your patience!

Best,
James
Kurzweil Education 21 Reputation points

2022-01-20T15:08:45.177+00:00

Thank you.
Brian Troudy 6 Reputation points

2022-01-21T00:47:12.34+00:00

I am in the K-12 education sector and can vouch for others above. This is a significant issue for us. The app we are attempting to federate is G-Suite via SAML.

The ability to remove the "Sign In Options" button as well as disable the ability to sign in with personal accounts is huge. Our students will only be authenticating with our Microsoft tenant accounts, but what accounts are allowed is not a configurable option via SAML.

-Brian
James Hamil 27,221 Reputation points Microsoft Employee Moderator

2022-01-21T23:56:43.717+00:00

Thanks for the feedback @Brian Troudy . Have you had any luck with workarounds? We're looking to fix this but it would be good to know about
Brian Troudy 6 Reputation points

2022-01-24T19:33:47.16+00:00

We have had no luck with any workarounds.

The big issue that this "loophole" presents to our organization is with our Chromebook fleet. With G-Suite federated to AAD, the login process of a managed Chromebook allows for this exploitable login screen. With this, our students now have free, unrestricted, and unaudited network access via the Github method mentioned above. I can limit/block github.com with our content filter on our student network, but this solution only works while the Chromebook is on-prem. Once a student takes the Chromebook home, all bets are off. All of the software content filtering solutions that can be used to block github on a Chromebook operate in the user space on the device. Since a "user" hasn't logged in at this point, none of our filtering solutions would have loaded. This loophole actually puts us out of legal compliance from a CIPA perspective...

-Brian

Answer 2

James Hamil 27,221 Microsoft Employee Moderator

Hi @Kurzweil Education , for the screenshot you posted you cannot change the layout unfortunately. What is your user flow like, and why can't you remove the Github login page? The post you linked from Amanpreet is a good example of how you can pass through information without visiting this page. If you created your own sign up page, you should be able to authenticate through Github without ever seeing this. Let me know if you've tried any of this already or if this works. I'm determined to get this working for you as it should really be a default option. We might need to go back and forth a bit though to find a solution.

Best,
James

Kurzweil Education 21 Reputation points

2022-01-07T20:25:11.067+00:00

Our user flow requires users to login in and we do not know their login credentials prior to them starting our extension.

We did not create a sign in page but simply request an oauth signin via the authorize call specified above.

I would love to hide the Github (and indeed all of the sign in options) on the initial sign in page.

Our users will never be authenticating via Github, only their Microsoft accounts.

but this does not appear to be possible. If it is, please provide an example.

My previous screenshot was intended to show the link that is being used to circumvent web filters.
Kurzweil Education 21 Reputation points

2022-01-10T14:37:44.573+00:00

Please see my comment below.
James Hamil 27,221 Reputation points Microsoft Employee Moderator

2022-01-10T22:12:27.337+00:00

Hi @Kurzweil Education , how are the students circumventing the web filters? Are you using any Microsoft products for the filtering? It may be easier to work backwards.
Kurzweil Education 21 Reputation points

2022-01-11T16:43:28.367+00:00

Please see my reply below:

Answer 3

JV 1

Hey Dennis,

You can fix this now with a custom CSS File. These are the settings I changed to resolve it for our organization.

.ext-promoted-fed-cred-box

{

/* Styles for sign-in options text box */

display: none !important;

}

I also removed the "Can't access your account?" URL since that was used as a bypass as well.

Info about using the css template
|https://learn.microsoft.com/en-us/entra/fundamentals/reference-company-branding-css-template

CSS template File
https://download.microsoft.com/download/7/2/7/727f287a-125d-4368-a673-a785907ac5ab/custom-styles-template-013023.css

JV 1 Reputation point

2024-03-14T19:02:17.6433333+00:00

@Dennis Wendt
Dennis Wendt 0 Reputation points

2025-01-09T14:50:30.8866667+00:00

Hello -

This has not been resolved by the solutions provided - K12 students can still get to GITHUB and by-pass content filtering.

Share via

Removing or hiding sign-in options on online oAuth2 login

3 answers

Your answer