Tags: javascript, firebase, azure, oauth-2.0, active-directory

Limit Microsoft OAuth authentication to only the web application, not all Microsoft services


I am using Firebase for a website where users can sign in with their Microsoft accounts via OAuth 2.0:

import {getAuth, signInWithRedirect, OAuthProvider} from "firebase/auth";

(...)

const provider = new OAuthProvider('microsoft.com');
const auth = getAuth();
signInWithRedirect(auth, provider);

It prompts the Microsoft single sign-on page via a redirect workflow.

The authentication works nicely with Firebase, except for one detail: when I sign in with the Microsoft account in the browser for the web application, I am also signed in to my complete Office 365 account in the background, and potentially to other Microsoft sites.

So if I open a new tab and go to my Outlook 365 online mail, I am already logged in, because I logged into my web application. If I happen to forget to log out from the web application, my entire mailbox and calendar, with all the Microsoft account information, are exposed.

I have looked through all the pages and settings in the Azure Portal where I set up the application/tenant IDs, looked at scopes, and looked at the OAuth 2.0 parameters in the Microsoft documentation, but I can't find anything about this issue.

Single sign-on is originally made as a convenience for the user, but in my case I would like to prevent it as a security measure.

How can I limit the Microsoft sign-in to only authenticate in the web app/Firebase project, and nothing else?


Solution

  • The simple answer is - you can't do that.

    SSO is exactly what it means - Single Sign-On. The user logs in once and can use different apps without the need to authenticate again. You ask Microsoft to verify the identity of the user for you. Microsoft logs the user in and gives you back the answer. But it means that in this browser the user will be able to use other Microsoft services, as they have already verified their identity.

    The only thing you can do is to inform your users about the security risks and tell them to make sure to log out at the end of their work (you can then log them out at Microsoft as well).

    If MS supports back-channel-initiated logout, then you can try to implement some action that will check if your user's session is still active, and if not, then initiate a logout at MS. I don't know if they support it though.
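The answer's "log them out at Microsoft as well" step, as an added example that is not part of the original question or answer. It ends the Firebase session first and then sends the browser to the Microsoft identity platform v2.0 end-session endpoint (`https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout`), which is a front-channel logout: the browser, not your server, clears the Microsoft session cookies. It also shows the sign-in-side hardening `prompt=login` via `OAuthProvider.setCustomParameters`, which makes Microsoft ask for credentials on every sign-in to your app but, consistent with the answer, does not stop a Microsoft session from being established. The tenant name, the redirect URI, `fakeAuth` and `fakeNavigate` are constructed stand-ins so the code runs offline without the Firebase SDK; `post_logout_redirect_uri` must be registered on your Azure app registration or Microsoft ignores it.

```javascript
// Added example, not code from the original page. Tenant, URIs and the fake
// Firebase/browser objects below are assumptions for an offline demonstration.

const MICROSOFT_LOGIN_HOST = "https://login.microsoftonline.com";

// Build the Microsoft identity platform v2.0 end-session URL.
// `tenant` is a tenant ID/domain, "common" or "organizations".
// The tenant is validated so a value taken from config cannot inject path segments.
function buildMicrosoftLogoutUrl(tenant, postLogoutRedirectUri, logoutHint) {
  if (!/^[A-Za-z0-9.-]+$/.test(tenant)) {
    throw new Error("invalid tenant identifier");
  }
  const url = new URL(`${MICROSOFT_LOGIN_HOST}/${tenant}/oauth2/v2.0/logout`);
  // URLSearchParams percent-encodes the redirect URI for us.
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  if (logoutHint) {
    // Optional login_hint value saved from sign-in; lets Microsoft skip the account picker.
    url.searchParams.set("logout_hint", logoutHint);
  }
  return url.toString();
}

// Sign out of the app, then out of Microsoft.
// `signOut` is firebase/auth's signOut(auth) in a real app; `navigate` is
// (url) => window.location.assign(url). Both are injected here for testability.
async function signOutEverywhere({ auth, signOut, navigate, tenant, postLogoutRedirectUri }) {
  // Step 1: end the Firebase session first. If this throws we must not redirect,
  // otherwise the user would believe they are logged out while the app session survives.
  await signOut(auth);
  // Step 2: front-channel logout at Microsoft so the browser drops the Microsoft session too.
  const target = buildMicrosoftLogoutUrl(tenant, postLogoutRedirectUri);
  navigate(target);
  return target;
}

// Sign-in-side hardening: `prompt=login` forces Microsoft to re-collect credentials
// even when a Microsoft session already exists in the browser. `provider` is an
// OAuthProvider('microsoft.com'); setCustomParameters is part of the Firebase API.
function requireFreshLogin(provider) {
  provider.setCustomParameters({ prompt: "login" });
  return provider;
}

// Constructed stand-ins for Firebase and the browser (assumptions, not real objects).
const fakeAuth = { currentUser: { email: "alice@contoso.onmicrosoft.com" } };
const navigated = [];
async function fakeSignOut(auth) {
  auth.currentUser = null; // mirrors what firebase/auth signOut does to auth.currentUser
}
function fakeNavigate(url) {
  navigated.push(url);
}
const fakeProvider = {
  customParameters: null,
  setCustomParameters(p) {
    this.customParameters = p;
  },
};

// Usage: wire this to your "Log out" button; in the browser, `navigate` would
// actually leave the page and return to post_logout_redirect_uri afterwards.
signOutEverywhere({
  auth: fakeAuth,
  signOut: fakeSignOut,
  navigate: fakeNavigate,
  tenant: "contoso.onmicrosoft.com",
  postLogoutRedirectUri: "https://app.example.com/logged-out",
}).then((url) => console.log("redirecting to", url));
```

Because the redirect is the last step, any UI that shows "you are logged out" should only render on the `post_logout_redirect_uri` page, after Microsoft has actually processed the end-session request.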