mozilla / multi-account-containers

Firefox Multi-Account Containers lets you keep parts of your online life separated into color-coded tabs that preserve your privacy. Cookies are separated by container, allowing you to use the web with multiple identities or accounts simultaneously.
https://addons.mozilla.org/firefox/addon/multi-account-containers/
Mozilla Public License 2.0

Enabling Windows SSO login in Firefox settings bypasses container isolation #2393

Open codesmacgodes opened 2 years ago

codesmacgodes commented 2 years ago

Before submitting a bug report

Step to reproduce

This issue seems more along the lines of a "technical debt" than a bug, or a feature request.

I first used account containers quite some time ago when it was built into Firefox, and pretty much cookies and local data were how browsers maintained state with respect to a given web site. When it comes to isolating those things with Container Tabs, that has been as good as a private browsing window, as far as I've known. I think the landscape shifted a little when Firefox added support for Windows Single Sign-on, though.

I think some kind of warning about the dubious interaction between the features, a prompt to disable the setting, or even a checkbox per container may be in order. Hopefully someone has a better idea.

Actual behavior

When I create a new container, and visit certain websites from MS or with MS integrations, each brand new container is as likely to be "already logged in" as any other.

Expected behavior

The expectation of a blank slate from the fresh container tab doesn't hold. It could be considered a privacy thing.

Additional informations

Trying to talk myself out of submitting an issue, I did consider how my expectations might be unusual... it is kind of similar to having entered a primary password, after all. Primary password makes information available for potential use in all containers (and private windows) at once. I think this is different, though, because the relatively recent Windows SSO feature is automatically used, not just made available. With a saved password, I can make a new container but I'm still not logged in for my first connection to a site, in a container tab. The issue is that a Windows SSO login is as good as done, as soon as there's any opportunity to use it.

It's just a hunch, but I suspect this could need some corresponding work in Firefox itself, as well.

Provide a copy of Troubleshooting Information page

I don't think the "about:support" is likely to help with this kind of "bug". The issue is with the intended behavior on all affected platforms.

dgriffinzero commented 2 years ago

I've noticed this as well. Multi-Account Container is an absolute must when managing multiple Azure/O365 tenants, but this bug is massively annoying. My workaround thus far has been to disable the SSO integration, then close and reopen before creating new containers. Once they're created, switch back to my base account, reload the page, then turn SSO back on before closing and reopening Firefox.

Flappiee commented 1 year ago

I experience the same behaviour. The containers in Firefox are a great feature; however, when the SSO option is enabled, I prefer to not auto login to Office365 when opening a new container window!

Please fix this!

woodyard commented 1 year ago

Would be nice to know if this issue is on a to-do list or on a no-go list so to speak. Can we expect this to be fixed?

dannycolin commented 1 year ago

I've created a Microsoft account and tried to reproduce this in a fresh Firefox profile. On my side, Multi-Account Containers was working as expected, meaning that it wasn't auto-logging me in in a newly created container.

Without more information, we can't even confirm that there's a bug. If someone is able to reproduce in a fresh profile and provide a more detailed "step-to-reproduce" (bonus point if it's a screen recording) that could be very useful.

woodyard commented 1 year ago

> I've created a Microsoft account and tried to reproduce this in a fresh Firefox profile. On my side, Multi-Account Containers was working as expected, meaning that it wasn't auto-logging me in in a newly created container.
>
> Without more information, we can't even confirm that there's a bug. If someone is able to reproduce in a fresh profile and provide a more detailed "step-to-reproduce" (bonus point if it's a screen recording) that could be very useful.

The "Windows single sign-on" toggle in Firefox settings should work as a toggle per container instead. Either that or a possibility to override the general app setting on a per container basis. Hope it makes sense :)

dannycolin commented 1 year ago

> The "Windows single sign-on" toggle in Firefox settings

Do you mean that you're logged in to your account directly in the Firefox settings? If yes, any chance you could share a screenshot? I'm on Linux so I might not see the same thing as you ;).

woodyard commented 1 year ago

Sure. Here I have a container where I normally work on M365 tenant B (1 on image). I have just enabled SSO in FF settings and go to www.office.com in that container. Now it logs me in with SSO to the tenant that my PC is joined to (2 on image). I would have wanted to be able to turn OFF (or ON) that SSO function on a per container basis.

image

dannycolin commented 1 year ago

Thanks, this is exactly the missing piece of information I needed. However, the bad news is there's nothing that can be done on our side (Multi-Account Container) since the addon doesn't have any control on this Firefox feature.

I filed a bug upstream at https://bugzilla.mozilla.org/show_bug.cgi?id=1800971

woodyard commented 1 year ago

> Thanks, this is exactly the missing piece of information I needed. However, the bad news is there's nothing that can be done on our side (Multi-Account Container) since the addon doesn't have any control on this Firefox feature.
>
> I filed a bug upstream at https://bugzilla.mozilla.org/show_bug.cgi?id=1800971

Thank you, Danny!

OeveringIT commented 1 year ago

Hi, just leaving a reply as a user really wanting/needing this. And I fully agree with @woodyard, this should be an option to allow SSO to a specific container.

Background: I have the tendency to put everything of my employer in one container and the computer is signed in through AzureAD. From other customers everything (that uses O365) will go into its own container and I don't like to pollute the "non-container" with useless SSO sessions and for that one I'd like to turn it off (as well as all other containers).

Thanks so much for working on this and this plugin is a lifesaver in my day to day work!

Perdjesk commented 1 year ago

This issue describes a similar use case to https://github.com/mozilla/multi-account-containers/issues/1966 (description specific for SPNEGO SSO type).

Both issues can be merged IMO with enumeration of all types of SSO considered.

/cc @dannycolin

EDIT: Note after some looking around in code and comments at https://bugzilla.mozilla.org/show_bug.cgi?id=1800971.

The Windows SSO (i.e. network.http.windows-sso.enabled using Win32 API located at /netwerk/protocol/http/HttpWinUtils.cpp) is a completely separate implementation from the "classical" SSO using SPNEGO (located at /extensions/auth).

The Windows SSO on Win32API seems to be never used in private browsing (nsHttpChannel.cpp#424). The SPNEGO SSO can be enabled in private browsing by using the configuration flag network.auth.private-browsing-sso=true

It might be a slight discrepancy to not have included the Windows/Win32API SSO as part of the flag network.auth.private-browsing-sso.

dannycolin commented 1 year ago

@Perdjesk Let's keep these two separated then.

nils2614 commented 1 year ago

This issue seems to be fixed in Firefox version 113: https://bugzilla.mozilla.org/show_bug.cgi?id=1800971#c18

Flappiee commented 1 year ago

Can confirm this. Running 115.0.2. Enabled the SSO Feature. When opening a new tab, there is no SSO. In the default tab, SSO works. Great to have this fixed!
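
To check whether a given profile is exposed to the behaviour discussed in this thread, the two preferences named in Perdjesk's comment can be read from the profile's prefs.js and user.js. The script below is an added example, not code from the thread, the add-on or Firefox; the `False` defaults, the function names and the sample file contents are assumptions of this example, and the version 113 cutoff is the one reported in the comments above.

```python
import re

# Prefs named in the thread; the False defaults are an assumption of this example.
SSO_PREFS = {
    "network.http.windows-sso.enabled": False,
    "network.auth.private-browsing-sso": False,
}
# Matches only active user_pref() lines; "// user_pref(...)" comments are skipped.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {name: value} for user_pref() lines; true/false become bool."""
    out = {}
    for name, raw in PREF_RE.findall(text):
        out[name] = {"true": True, "false": False}.get(raw, raw.strip('"'))
    return out

def effective_sso_prefs(prefs_js, user_js=""):
    """user.js is applied on top of prefs.js at startup, so it wins."""
    merged = dict(SSO_PREFS)
    for source in (prefs_js, user_js):
        found = parse_prefs(source)
        merged.update({k: v for k, v in found.items() if k in SSO_PREFS})
    return merged

def container_sso_findings(prefs, firefox_major):
    """Map pref state to the behaviour reported in this thread."""
    findings = []
    if prefs["network.http.windows-sso.enabled"]:
        findings.append("windows-sso: no-container tabs sign in with the OS account")
        if firefox_major < 113:  # the thread reports the container fix in 113
            findings.append("windows-sso: container tabs also sign in silently")
    if prefs["network.auth.private-browsing-sso"]:
        findings.append("spnego: SSO is allowed in private browsing")
    return findings

# Constructed sample profile files, not taken from any real profile.
SAMPLE_PREFS_JS = '''
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("network.http.windows-sso.enabled", true);
'''
SAMPLE_USER_JS = 'user_pref("network.auth.private-browsing-sso", false);\n'

if __name__ == "__main__":
    eff = effective_sso_prefs(SAMPLE_PREFS_JS, SAMPLE_USER_JS)
    for fx in (112, 115):
        print(fx, container_sso_findings(eff, fx))
```
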