privacysandbox / privacy-sandbox-dev-support

Discuss your Privacy Sandbox developer questions with the Chrome team.
Apache License 2.0

Third party partitioning in Google Chrome breaking Power BI authentication for embedded dashboards #163

Open ghost opened 11 months ago

ghost commented 11 months ago

Dear experts,

In our company (38.000 employees), Power BI secure embedded dashboards (Power BI embed for your organization, aka "user owns data") fail to complete the authentication process since last week.

This affects our clients and employees severely.

After much investigation we discovered that the flag value "disable" for the chrome://flags entry "Experimental third-party storage partitioning" resolves the issue for us. We also observe that the flag value "default" affects some embedded dashboards, but not all of them. We observe that the flag value "enable" affects all embedded dashboards.

We do not experience these issues in the web browsers Edge or Firefox. We struggle to find the right place to report this issue. I hope this is the right place. And if not, I hope that someone here would be so kind to point us to the right place, or send this message to the appropriate team responsible for the mentioned technology. We would be very thankful for any response.

We have not signed up to be a group A organisation, so we should only be getting the changes in 2024 if we understand your website correctly. We should not be seeing it enabled now.

Kind regards, Thijs the Vries, on behalf of the Savills web development and BI teams

Google Chrome | 117.0.5938.150 (Official Build) (64-bit) (cohort: Stable)
Revision | e3344ddefa12e60436fa28c81cf207c1afb4d0a9-refs/branch-heads/5938@{#1539}
OS | Windows 11 Version 22H2 (Build 22621.2361)
JavaScript | V8 11.7.439.21
User Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Command Line | "C:\Program Files\Google\Chrome\Application\chrome.exe" --flag-switches-begin --disable-features=ThirdPartyStoragePartitioning --flag-switches-end --origin-trial-disabled-features=WebGPU --disable-nacl

miketaylr commented 11 months ago

It's interesting that this works in Firefox, which also partitions 3rd party storage.

As for mitigations, there are a few options:

1) Register for the deprecation trial https://developer.chrome.com/blog/storage-partitioning-deprecation-trial/
2) For managed environments, there is a policy that can be enabled https://chromeenterprise.google/policies/#DefaultThirdPartyStoragePartitioningSetting

We have not signed up to be a group A organisation, so we should only be getting the changes in 2024 if we understand your website correctly. We should not be seeing it enabled now.

Would you mind explaining this part? Forgive my ignorance, I'm not sure what a Group A organization is.
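The second mitigation above (the enterprise policy) is applied on Windows through the registry keys Chrome reads for managed policies. The following is an added example, not code from this thread or from the Privacy Sandbox project, showing the broad policy alongside a scoped alternative. The value meanings for DefaultThirdPartyStoragePartitioningSetting (1 = allow partitioning, 2 = block it) and the list policy ThirdPartyStoragePartitioningBlockedForOrigins are taken from Chrome's policy documentation, not from this thread, so confirm them against the policy page linked above before deploying; the origin https://intranet.example.com is a placeholder for the site that embeds the dashboards.

```powershell
# Added example (not from the thread): apply the managed-environment mitigation
# by writing Chrome policy values to the registry. Run from an elevated prompt.
# Value meanings (1 = allow partitioning, 2 = block partitioning) are from the
# Chrome policy documentation; verify against the linked policy page.

$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $chromePolicy -Force | Out-Null

# Option A (broad): turn third-party storage partitioning off for every site.
# Same effect as the --disable-features=ThirdPartyStoragePartitioning switch
# visible in the reporter's chrome://version output, but enforced centrally.
New-ItemProperty -Path $chromePolicy `
    -Name 'DefaultThirdPartyStoragePartitioningSetting' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# Option B (scoped, least privilege): keep partitioning on everywhere and only
# exempt the top-level origins that embed the dashboards. List policies are
# stored as numbered string values under a subkey named after the policy.
# 'https://intranet.example.com' is a placeholder for the embedding origin.
$scoped = Join-Path $chromePolicy 'ThirdPartyStoragePartitioningBlockedForOrigins'
New-Item -Path $scoped -Force | Out-Null
New-ItemProperty -Path $scoped -Name '1' -PropertyType String `
    -Value 'https://intranet.example.com' -Force | Out-Null

# Read back what Chrome will see; chrome://policy shows the same after a restart.
Get-ItemProperty -Path $chromePolicy |
    Select-Object DefaultThirdPartyStoragePartitioningSetting
Get-ItemProperty -Path $scoped
```

Option B is the one to prefer: it keeps the partitioning protection for every other third-party context and only restores unpartitioned storage under the origins that actually host the embedded dashboards. Use option A only as a short-term stopgap while the embedding vendor updates its authentication flow.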

miketaylr commented 11 months ago

@nl-savills-insightdata do you happen to have any insight into the technical details of how authentication relies on unpartitioned 3P storage?

ghost commented 11 months ago

@miketaylr Sorry for the delayed response. We have been working with Microsoft until late last night to get this accepted as an issue on their side. Their support department has now submitted it as an issue with the development team. Hopefully their development team agrees that they should make changes.

Thanks for the suggested mitigation options! Our IT admin is now working on this. They were not able to find it earlier as they were searching for cookies instead of storage. Very happy that a policy is available.

We updated Firefox and can confirm the behaviour is now also showing up on Firefox, so you are totally right about that. Sorry, we should have checked the browser version in the first place.

Regarding the group A organisation. This referred to organisations who have opted in for mode A testing as detailed on your website. As the flag was called experimental we wrongly assumed it was in testing. However, after your message we tried to understand the process better and if we now understand correctly third party storage partitioning has reached general availability?

Regarding the technical details of how authentication relies on unpartitioned 3P storage: I only know the details of what can be found online, I'm not an expert on that topic. Please refer to this article: https://textslashplain.com/2023/04/12/auth-flows-in-a-partitioned-world/

It would be good if Microsoft would join the discussion. Do you happen to know the right people at Microsoft to bring in to the discussion?

miketaylr commented 11 months ago

We updated Firefox and can confirm the behaviour is now also showing up on Firefox, so you are totally right about that. Sorry, we should have checked the browser version in the first place.

All good, thanks for confirming.

Regarding the group A organisation. This referred to organisations who have opted in for mode A testing as detailed on your website. As the flag was called experimental we wrongly assumed it was in testing. However, after your message we tried to understand the process better and if we now understand correctly third party storage partitioning has reached general availability?

Ah, Mode A. Sorry I was imagining something else. :) And yes, 3P storage partitioning has reached general availability. I've requested an update to move Storage Partitioning from "in development" to "launched" at https://privacysandbox.com/open-web/.

Thanks for the pointer to https://textslashplain.com/2023/04/12/auth-flows-in-a-partitioned-world/.

Re: Microsoft... it's a large company. :) I know some folks who work on Edge, but not other teams. Was there someone in particular you were hoping to chat with?

ghost commented 11 months ago

Re: Microsoft... it's a large company. :) I know some folks who work on Edge, but not other teams. Was there someone in particular you were hoping to chat with?

Not a specific person, just someone who is responsible for, and works on, the authentication flow for Power BI embedded. I shall share this page with the MS support agent in the hope that the agent will share it with the actual engineers from the development team. Hopefully they will visit this page. But if you know someone at MS who could, and is willing to, share this page with the right engineers at MS, that would be even better.

miketaylr commented 11 months ago

Not a specific person, just someone who is responsible for, and works on, the authentication flow for Power BI embedded.

I'll ping a contact on Slack, and see if they can raise this internally to the right team.

ghost commented 11 months ago

I'll ping a contact on Slack, and see if they can raise this internally to the right team.

Thank you very much for that! I appreciate it very much.