Allow Microsoft OAuth authentication for web applications only, restricting access to other Microsoft services

I am currently integrated Firebase into my website, allowing users to sign in using their Microsoft accounts through OAuth 2.0:

import {getAuth, signInWithRedirect, OAuthProvider} from "firebase/auth";

(...)

const provider = new OAuthProvider('microsoft.com');
const auth = getAuth();
signInWithRedirect(auth, provider);

This initiates the Microsoft Single Sign-on with a redirection process.

The authentication works smoothly with Firebase, except for one issue: After signing in with a Microsoft account on the web application, I find myself automatically signed into the complete Office 365 account and other related Microsoft sites in the background.

Therefore, if I open a new tab and access my Outlook 365 online mail, I am already logged in because of signing into the web application. If I happen to forget to log out of the web application, all my mailbox content, calendar details, and other Microsoft account information are left exposed.

Despite going through Azure Portal settings, including application/tenant id's, Scopes, and OAuth 2.0 parameters from Microsoft documentation, I couldn't find a solution to this concern.

While single sign-on is intended for user convenience, I would like to restrict it as a security measure in my case.

Is there a way to limit Microsoft sign-in to authenticate only within the web app/Firebase project, without affecting anything else?

javascriptfirebaseazureoauth-2.0active-directory

Answer №1

Unfortunately, there is no way to accomplish that task.

SSO stands for Single Sign-On, which means the user only needs to log in once and can access various applications without having to authenticate each time. By requesting Microsoft to handle user verification, they handle the login process and return the necessary information. However, this also means that the user can access other Microsoft services on that browser since their identity has already been confirmed.

Your best course of action is to educate your users about the potential security risks and advise them to log out after completing their tasks (which will also log them out from Microsoft).

If Microsoft does support backchannel initiated logout, you could consider implementing a feature to check if a user's session is still active and initiating a logout at Microsoft if it is not. Please note that I am unsure if this feature is supported by Microsoft.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Implement pagination for an array in JavaScript

I am seeking a solution involving displaying a JavaScript object in a paged format. For instance, given the sample object below, I aim to present it as pages based on the value stored in the perPage variable. { "fruits":[ { "from":"Shanghai ...

javascriptvue.js

Is your server failing to respond to requests once there are too many within a session?

A web application I developed uses frequent $.ajax() calls to send and receive data between a virtual machine host and client. However, I have encountered a recurring issue where the connection cuts out after a certain number of consecutive calls within a ...

javascriptjqueryajaxapacheserver

Initially, my PDF file does not get selected, except in the Internet Explorer browser

I am currently facing an issue with selecting PDF files in Internet Explorer. The process works smoothly in Google Chrome, but I encounter a problem when trying to select PDFs in IE. Specifically, when I attempt to select a PDF for the first time in Inter ...

javascriptjqueryhtmlinternet-explorer

Deactivate a particular function key with the help of jQuery

Is there a way to disable the F8 key on a web page using jquery, plugins, or just javascript? Thank you in advance! :) blasteralfred ...

javascriptjqueryjquery-uijquery-pluginsjavascript-framework

Incorporate JSON information into HTML dropdown menu using Google API

I'm finding it difficult with this task. Below is a list that needs the name and address inserted into the dropdown menu from the JSON file. <div class="dropdown-list"> <div class="list-container"> <ul class="list" ...

javascriptjsongoogle-maps-api-3

Refresh the view in AngularJS following a successful $http.get request

I have a <ul> in my HTML view that is populated based on a $http.get request. HTML: <div id="recentlyReleased" ng-controller="sampleRecordController as recCtrl"> <h1>Sample Records</h1> <ul> <li class= ...

javascriptangularjs

What distinctions can be made between Controlled and Uncontrolled Components when using react-hooks-form?

Trying out the React Hooks form, I came across some interesting concepts like controlled and uncontrolled forms. Controlled Form <form onSubmit={handleSubmit(onSubmit)}> <input name="firstName" ref={register({ required: true })} /> ...

javascriptreactjsreact-hook-form

Change element position to relative while scrolling

I created a wrapper with an animation similar to the one on Apple's Airpods Pro page. It features a video that plays gradually as I scroll, with the text smoothly scrolling over it within a specific area (text-display). So far, this part is working w ...

javascriptjqueryhtmlcss

Ways to remove an item from firebase database

Currently, I am exploring ways to delete data stored in the Firebase database specifically under the requests category. Check out this example Below are the functions I have implemented to fetch and manipulate the data: export default { async contactArtis ...

javascriptfirebasevue.jsfirebase-realtime-databasevuex

Executing "mounted" in VueJS SSR with Quasar: A step-by-step guide

In accordance with the documentation: Given that there are no dynamic updates, only beforeCreate and created Vue lifecycle hooks will be triggered during SSR. This implies that any code within other lifecycle hooks like beforeMount or mounted will sole ...

javascriptvue.jsserver-side-renderingquasar-framework

Monitor a nested watch property for potential undefined or default values

Currently tackling an issue in my Vue2 project related to a specific property I'm trying to watch. Here's what the code snippet looks like: watch: { 'car.wheels': function(){ ... } Sometimes, 'wheels' is undefined ...

javascriptvue.jsvuejs2

Trouble keeping HTML/Javascript/CSS Collapsible Menu closed after refreshing the page

My issue is that the collapsible menu I have created does not remain closed when the page is refreshed. Upon reloading the page, the collapsible menu is always fully expanded, even if it was collapsed before the refresh. This creates a problem as there is ...

javascripthtmlcssmenu

Invoking a Node.js function using a URL reference

Is there a way to call a function located in a remote URL? I have the page URL and the function name. The server-side application is running on NodeJs Express, and the function structure is as follows: function executer(param1, param2){ //logic re ...

javascriptnode.jshttpexpress

I am looking to manage user-related data in the comment model using mongoose and express

I have a user, post, and comment modal This is my comment modal import mongoose from "mongoose"; const CommentSchema = new mongoose.Schema({ postId: { type: mongoose.Schema.Types.ObjectId, ref: "Post", }, userId: { t ...

javascriptnode.jsmongodbexpressmongoose

Designing a layout with one box on top and two beneath it, covering the entire page, can be achieved by following these steps

https://i.sstatic.net/A1eUh.png I am currently working on a project where I want to divide the screen into three sections. One section will cover half of the screen to display an image slider, and the remaining half will have two sections which is already ...

javascriptjqueryhtmlcss

Using the clientWidth property in React

While I have a solid background in Javascript, I am relatively new to working with React. In my previous projects where I coded directly in javascript for the browser, I frequently used the following code snippet: width = document.getElementById('elem ...

javascriptreactjssvgdynamicwidth

The ontrack listener for WebRTC peerConnection fails to fire

Primarily, the challenge I'm facing is unique from what I have come across in my research on "google". My setup involves using Spring Boot as a signaling server to establish connections between two different tabs of the browser or utilizing two peerCo ...

javascriptwebrtcrtcpeerconnection

Implementing objects in a three.js scene without displaying them on the screen

I have a function called createCylinder(n, len, rad) that is being invoked from another function named createScene(). Despite checking that the vertices and faces are correctly added without errors, the geometry itself is not rendering. I suspect this is ...

javascriptthree.js

Validating object keys

I am dealing with an array of objects and I need to find a way to pass multiple keys in the function checkArray to validate these keys within each object. var test = [ { // Object details here... }, { // Another object details here... } ...

javascriptjson

What is the best way to animate the preprending of a div in an AJAX response?

Here is the code I am currently working with: $.ajax({ type: 'POST', url: 'load_more.php', data: {val:myval}, success: function (data) { $("#load_current").prepend(data); ...

javascriptjqueryhtmlcssajax