Closed Bug 1775500 Opened 2 years ago Closed 2 years ago

MS Teams web version on teams.microsoft.us not logging in due to cookies

Categories

(Core :: Privacy: Anti-Tracking, defect, P2)

Firefox 101
defect

RESOLVED FIXED
104 Branch
Tracking Status
firefox104 --- fixed

People

(Reporter: jfm5440, Assigned: pbz)

References

(Blocks 2 open bugs)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0

Steps to reproduce:

Note: I have to use WWW MS Teams because customer forbids stand-alone app. Customer's site is not publicly visible.

With FF version 101 WWW login to their Teams site stopped working unless I disabled "isolate other cross-site cookies" in Settings::Privacy::Browser Privacy.

Actual results:

Login loop stopping on a MS page saying "To open the web app, change your browser settings to allow third-party cookies or allow certain trusted domains."

Customer's Teams site URL is already in trusted domains exceptions list.

When I change Browser Privacy from Standard to Custom and set Cookies to ONLY "cross site tracking cookies" I can log in as normal.

If I set to default "Cross site tracking cookies, and isolate other cross-site cookies" login loops landing on MS error page.

Note that I am using multi-account containers.

Expected results:

Login to WWW version of Teams

Note I tried disabling multi-account containers. Same login loop at Microsoft.

The Bugbug bot thinks this bug should belong to the 'Core::Networking: Cookies' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Networking: Cookies
Product: Firefox → Core

Hello! I have tried to reproduce the issue with Firefox 104.0a1 (2022-07-01) with macOS 12, but unfortunately I wasn't able to reproduce the issue. Could you please answer the following questions in order to further investigate this issue?

  1. Does this issue happen with a new profile? Here is a link on how to create one: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles
  2. Does this issue happen in the latest nightly? Here is a link from where you can download it: https://www.mozilla.org/en-US/firefox/channel/desktop/
  3. Do you have any add-ons installed? If so, can you list them?
Flags: needinfo?(jfm5440)

I tried restarting FF with add-ons disabled (option-launch). Same behavior.

I can reproduce the same login loop using FF 102 on Windows 10. (I'm using FF 102 on Mac not 104 as you are)

One specific item that may be germane: I have to log into Microsoft 365 using a PIV card. Then I go to Teams from OWA. We can't log into Teams web app directly.

I have not tried a fresh profile nor the latest nightly. I'll see if I can try that on my Windows laptop but I can't afford experimenting on my Mac environment.

Flags: needinfo?(jfm5440)
Component: Networking: Cookies → Privacy: Anti-Tracking
Blocks: tp-breakage
Blocks: dfpi-breakage
No longer blocks: tp-breakage

Hi Oana,

Would you be able to help us with reproducing the issue by following the info in comment 4? Thanks.

Flags: needinfo?(oana.arbuzov)

(In reply to John M. from comment #4)

> I tried restarting FF with add-ons disabled (option-launch). Same behavior.
>
> I can reproduce the same login loop using FF 102 on Windows 10. (I'm using FF 102 on Mac not 104 as you are)
>
> One specific item that may be germane: I have to log into Microsoft 365 using a PIV card. Then I go to Teams from OWA. We can't log into Teams web app directly.
>
> I have not tried a fresh profile nor the latest nightly. I'll see if I can try that on my Windows laptop but I can't afford experimenting on my Mac environment.

Thanks! I can't reproduce this with our Microsoft test accounts (personal and enterprise) either.

When switching to Microsoft Teams, do you see a prompt like the one in the screenshot I've attached?
Also, does it make a difference if you switch from OWA to Teams or directly navigate to teams.microsoft.com and login?

Flags: needinfo?(jfm5440)

No I do not get that screen.

It is definitely a login loop. Looking at the history, it is bouncing between these URLs (I've changed the client's subdomain to "xxx" below):

device.login.microsoftonline.us
xxx.teams.microsoft.us
device.login.microsoftonline.us
xxx.teams.microsoft.us
etc etc
Ending at this error page

https://xxx.teams.microsoft.us/error/auth_failure?session=14ba0029-7340-7df5-55a5-416982a02fe8&errorDescription=Third+party+tokens+are+not+enabled.+Retried+3+times+without+success.&errorMessage=Third+Party+Tokens+Not+Enabled&errorStep=get_third_party_tokens

(I have added those URLs along with the recommended ones to the cookie exception list also. No change.)

We are not able to login to Teams with the stand-alone app nor directly at teams.microsoft.com. Our only path to Teams is via OWA and selecting Teams from the Apps pick list dropdown.

Flags: needinfo?(jfm5440)
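
As an added example (not part of the original bug report or of Mozilla's code), this JavaScript triage helper takes a navigation history like the one in the comment above, detects the two-host bounce, and decodes the error page's query string. The function name, the `/` paths in the sample history and the round-trip threshold are assumptions made for illustration.

```javascript
// Constructed sample: the history described in the comment above. Only the
// hostnames and the final error URL come from the report; "/" paths are assumed.
const sampleHistory = [
  "https://device.login.microsoftonline.us/",
  "https://xxx.teams.microsoft.us/",
  "https://device.login.microsoftonline.us/",
  "https://xxx.teams.microsoft.us/",
  "https://xxx.teams.microsoft.us/error/auth_failure?session=14ba0029-7340-7df5-55a5-416982a02fe8" +
    "&errorDescription=Third+party+tokens+are+not+enabled.+Retried+3+times+without+success." +
    "&errorMessage=Third+Party+Tokens+Not+Enabled&errorStep=get_third_party_tokens",
];

// Hypothetical helper: classify a navigation history as a two-host login loop.
function analyzeLoginLoop(history, minRoundTrips = 2) {
  if (history.length === 0) {
    return { loop: false, roundTrips: 0, hosts: [], error: null, storageBlocked: false };
  }
  const urls = history.map((u) => new URL(u));
  // Collapse consecutive visits to the same host into a single hop.
  const hops = [];
  for (const u of urls) {
    if (hops[hops.length - 1] !== u.hostname) hops.push(u.hostname);
  }
  // Longest run in which two hosts strictly alternate: A, B, A, B, ...
  let best = { length: 0, pair: [] };
  let run = 1;
  for (let i = 1; i < hops.length; i++) {
    run = i >= 2 && hops[i] === hops[i - 2] ? run + 1 : 2;
    if (run > best.length) best = { length: run, pair: [hops[i - 1], hops[i]] };
  }
  // Decode the error page, if the history ended on one. URLSearchParams
  // turns "+" into spaces and undoes percent-encoding.
  const last = urls[urls.length - 1];
  const q = last.searchParams;
  const error = last.pathname.startsWith("/error/")
    ? { step: q.get("errorStep"), message: q.get("errorMessage"), description: q.get("errorDescription") }
    : null;
  const roundTrips = Math.floor(best.length / 2);
  return {
    loop: roundTrips >= minRoundTrips,
    roundTrips,
    hosts: [...best.pair].sort(),
    error,
    // The error step/message names third-party storage as the failing piece.
    storageBlocked: error !== null && /third.party/i.test(`${error.step} ${error.message}`),
  };
}

console.log(analyzeLoginLoop(sampleHistory));
```

A history that ends on an error page whose step or message names third-party tokens, after repeated bounces between an identity host and the application host, points at cross-site storage restrictions rather than at credentials.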

Thanks John! Could you see if adding the relevant domains to the allow-list fixes the issue? Here is how to do this:

  1. Go to about:config and click "Accept Risk and Continue"
  2. Enter privacy.restrict3rdpartystorage.skip_list in the "Search preference name" text input
  3. From the radio buttons select "String"
  4. Press the "+" button on the right
  5. In the new input field on the right enter https://*.teams.microsoft.us,https://login.microsoftonline.us
  6. Save the entry via the check-mark button on the right
  7. Test the login again

Be sure to remove the pref from about:config again after testing or use a separate Firefox profile for this test.

Flags: needinfo?(jfm5440)

I was not able to reproduce the issue on my side.
Also I get the popup related to cookies when accessing the site https://teams.microsoft.com/
https://prnt.sc/xnDDZxwjlBgC
https://prnt.sc/BzSfHReT01HM

If I set the "Privacy>Custom>Cookies>Cross-site tracking cookies and isolate other cross-site cookies" option and choose to allow or block cookies from the popup, the page refreshes a few times, the sign-in is performed and I can access Teams.
https://prnt.sc/1-nH9mqqsCLv

If I set the "Privacy>Custom>Cookies>Cross-site tracking cookies", the page refreshes a few times, the sign-in is performed and I can access Teams.

Tested with:
Browser / Version: Firefox Nightly 104.0a1 (2022-07-04), Firefox Release 102.0
Operating System: Windows 10 Pro

Flags: needinfo?(oana.arbuzov)

(In reply to Oana Arbuzov [:oanaarbuzov] from comment #11)

> I was not able to reproduce the issue on my side.
> Also I get the popup related to cookies when accessing the site https://teams.microsoft.com/
> https://prnt.sc/xnDDZxwjlBgC
> https://prnt.sc/BzSfHReT01HM
>
> If I set the "Privacy>Custom>Cookies>Cross-site tracking cookies and isolate other cross-site cookies" option and choose to allow or block cookies from the popup, the page refreshes a few times, the sign-in is performed and I can access Teams.
> https://prnt.sc/1-nH9mqqsCLv
>
> If I set the "Privacy>Custom>Cookies>Cross-site tracking cookies", the page refreshes a few times, the sign-in is performed and I can access Teams.
>
> Tested with:
> Browser / Version: Firefox Nightly 104.0a1 (2022-07-04), Firefox Release 102.0
> Operating System: Windows 10 Pro

This is expected since you're testing with the main Microsoft Teams instance which we have deployed a fix for. The breakage in this bug is for *.teams.microsoft.us domains. We can't really test this without credentials to a deployment on that domain.

Severity: -- → S3
Priority: -- → P2
See Also: → 1638383
Assignee: nobody → pbz
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

(In reply to Paul Zühlcke [:pbz] from comment #10)

> Thanks John! Could you see if adding the relevant domains to the allow-list fixes the issue? Here is how to do this:
>
>   1. Go to about:config and click "Accept Risk and Continue"
>   2. Enter privacy.restrict3rdpartystorage.skip_list in the "Search preference name" text input
>   3. From the radio buttons select "String"
>   4. Press the "+" button on the right
>   5. In the new input field on the right enter https://*.teams.microsoft.us,https://login.microsoftonline.us
>   6. Save the entry via the check-mark button on the right
>   7. Test the login again
>
> Be sure to remove the pref from about:config again after testing or use a separate Firefox profile for this test.

This fixed the issue. Logon to Teams with standard cookie protection now works.

Flags: needinfo?(jfm5440)

(In reply to John M. from comment #14)

> (In reply to Paul Zühlcke [:pbz] from comment #10)
>
> > Thanks John! Could you see if adding the relevant domains to the allow-list fixes the issue? Here is how to do this:
> >
> >   1. Go to about:config and click "Accept Risk and Continue"
> >   2. Enter privacy.restrict3rdpartystorage.skip_list in the "Search preference name" text input
> >   3. From the radio buttons select "String"
> >   4. Press the "+" button on the right
> >   5. In the new input field on the right enter https://*.teams.microsoft.us,https://login.microsoftonline.us
> >   6. Save the entry via the check-mark button on the right
> >   7. Test the login again
> >
> > Be sure to remove the pref from about:config again after testing or use a separate Firefox profile for this test.
>
> This fixed the issue. Logon to Teams with standard cookie protection now works.

Thanks for confirming! We're working on a fix for this. For now you can keep that pref set as a workaround, but once the bug is fixed I suggest removing it again.

Blocks: 1740763
Summary: MS Teams web version not logging in due to cookies → MS Teams web version on teams.microsoft.us not logging in due to cookies
Pushed by pzuhlcke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/99ccdcd282ca
Enable MicrosoftLogin dFPI shim for Microsoft Teams on us domain. r=timhuang,webcompat-reviewers,twisniewski
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch

The shim shipped a while ago. We should check if we still need the partition-exception-list entry.

Flags: needinfo?(pbz)

Since this is a private teams instance I can't verify the shim is working myself. John, could you please help test it again? Before testing, please set privacy.antitracking.enableWebcompat to false via about:config. This is to ensure it's really the shim fixing the issue, and not our allow-list.

Flags: needinfo?(pbz) → needinfo?(jfm5440)

(In reply to Paul Zühlcke [:pbz] from comment #19)

> Since this is a private teams instance I can't verify the shim is working myself. John, could you please help test it again? Before testing, please set privacy.antitracking.enableWebcompat to false via about:config. This is to ensure it's really the shim fixing the issue, and not our allow-list.

I set it to false and WWW Teams using microsoft.us appears to be OK.

Flags: needinfo?(jfm5440)