(In reply to Sean Burke [:leftmostcat] from comment #30)
Questions: And maybe I need to address this in a new post, but why am I prompted for a username/password when my namehint is already in the OAuth2 URL? Is it possible to suppress the credential prompt when a namehint is discovered? Since we have ADFS/SSO, I can enter username: a, password: (blank) and it'll still discover the correct account and sign me in. So the TB credential prompt before OAuth isn't particularly necessary in all cases, is it?
To clarify, are you saying that you're entering your username in the "Email address" field in Thunderbird, but it's not filled in when the sign in window from Microsoft shows up?
Not quite. In TB I enter the User Name in the account settings. I initiate auth. The login.microsoftonline.com… auth window appears, prompting a TB “Authentication Required” window: “This site is asking you to sign in.” I enter “QWERTY” in the Username field and leave password blank. Press OK. Immediately redirected to my ADFS IdP, which contains a username hint in the URL containing the User Name from the account settings. If successfully matched to the UPN of the logged-on account and it’s authorized, it redirects back to login.microsoftonline.com to complete the auth and issue TB a token. I am not asked to enter anything into the Microsoft portal, just a basic form prompt from TB.
I further tested with a cloud-only account and there I was prompted for credentials through the Microsoft form and did not see the TB credential form. So there is something there that when my identity is on-prem, TB is prompting. I would think it would instead allow the IdP to prompt if it was required to provide a credential rather than TB proxying that.
Let me know if you need any further info to understand this better.
That User Name is added as a namehint in the
Since our tenant is federated to our ADFS instance, it can single sign-on using that resource. This works because when TB opens the OAuth2 window, the namehint is already included in the URL. (This might be obtained from a previous login, and Microsoft is able to use that.) Azure AD sees the namehint (my UPN) in the URL and automatically redirects to the identity provider, ADFS, which redirects back to Azure AD, and I'm authenticated. The username/password prompt that TB presents does nothing in this scenario. As mentioned, I can type anything I want in the username field; it will always defer to my domain account.
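To make the flow described in this thread concrete, here is an added example (not Thunderbird's code and not part of the bug report) that builds a Microsoft identity platform authorize URL carrying a login_hint (the "namehint" above), reads the hint back out of the URL, and models the home-realm step that sends a federated user's browser on to ADFS while a cloud-only user stays on the Microsoft form. The client id, redirect URI, scope, the federated domain and the ADFS host are placeholder assumptions, and the ADFS redirect is a simplified sketch of the WS-Federation hop, not a literal capture.

```python
"""Authorize URL with login_hint plus a modelled home-realm discovery step.

Added example, not Thunderbird's or Microsoft's code.  All identifiers below
(client id, redirect URI, domain, ADFS host) are constructed assumptions.
"""
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

# Constructed assumption: which mail domains are federated and where their IdP lives.
FEDERATED_DOMAINS = {"corp.example": "https://adfs.corp.example/adfs/ls/"}


def build_authorize_url(client_id, redirect_uri, scope, state, login_hint=None):
    """Return the OAuth2 authorization-code request URL.

    `login_hint` is the standard Microsoft identity platform parameter that
    pre-fills (and, for federated tenants, routes) the account to sign in.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    if login_hint:
        params["login_hint"] = login_hint
    return AUTHORIZE + "?" + urlencode(params)


def login_hint_of(url):
    """Extract login_hint from an authorize URL, or None if absent."""
    return parse_qs(urlparse(url).query).get("login_hint", [None])[0]


def home_realm_redirect(url):
    """Model the home-realm discovery decision the login page makes.

    Returns the IdP URL a federated user is bounced to (ADFS, with the UPN
    passed along as the `username` hint), or None when the hinted account is
    cloud-only and the Microsoft sign-in form itself collects credentials.
    The WS-Federation parameters are a simplified sketch (assumption).
    """
    hint = login_hint_of(url)
    if not hint or "@" not in hint:
        return None
    domain = hint.rsplit("@", 1)[1].lower()
    idp = FEDERATED_DOMAINS.get(domain)
    if idp is None:
        return None
    return idp + "?" + urlencode({
        "username": hint,                      # the hint ADFS matches to the UPN
        "wa": "wsignin1.0",
        "wtrealm": "urn:federation:MicrosoftOnline",
    })


if __name__ == "__main__":
    scope = "offline_access https://outlook.office.com/IMAP.AccessAsUser.All"
    for user in ("alice@corp.example", "bob@contoso.onmicrosoft.com"):
        url = build_authorize_url("example-client-id", "https://localhost",
                                  scope, "state123", login_hint=user)
        print(user, "->", home_realm_redirect(url) or "Microsoft form prompts")
```

Note what is absent: nothing typed into a separate HTTP basic-auth prompt feeds into this URL, which is why the username entered there has no effect on which account ends up signed in.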