The README grew out of shape. We tidy it up and also fix imprecise
terminology around the OAuth2 flow.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
README.md (15 additions & 22 deletions)
@@ -16,18 +16,11 @@ check this by running the `intune-portal` application and check if your user
16
16
is logged in (after clicking `sign-in`).
17
17
Also make sure to install the host components (see *Installation* below).
18
18
19
-
## Dependencies
20
-
21
-
The extension requires pydbus as a runtime dependency. On a Debian system please install `python3-pydbus`:
22
-
23
-
```bash
24
-
sudo apt install python3-pydbus
25
-
```
26
-
27
-
**Note:** If you are using a python version manager such as asdf you must install the python packages manually: `pip install PyGObject pydbus`
28
-
29
19
## Installation
30
20
21
+
The extension requires pydbus as a runtime dependency. On a Debian system please install `python3-pydbus`.
22
+
If you are using a python version manager such as `asdf` you must install the python packages manually: `pip install PyGObject pydbus`
23
+
31
24
### Firefox: Signed Version from Github Releases
32
25
33
26
You can get a signed version of the browser extension from our Github releases.
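Review bot: The line added under `## Installation` keeps only the package name and drops the copy-pasteable `sudo apt install python3-pydbus` command that the removed `## Dependencies` section carried. Suggest keeping the command inline, for example "On a Debian system, install it with `sudo apt install python3-pydbus`." In the second added line, "python version manager" should read "Python version manager", and since the dependency text now sits directly under the `## Installation` heading, a short sentence saying it applies to every install variant below would stop readers who jump straight to a subsection from missing it.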
@@ -36,7 +29,7 @@ As this only covers the browser part, the host tooling still needs to be install
36
29
1. clone this repository
37
30
2. run `make local-install-firefox`
38
31
3. Get the `linux_entra_sso-<version>.xpi` file from the [project's releases page](https://github.com/siemens/linux-entra-sso/releases)
39
-
4. Enable "Access your data for https://login.microsoftonline.com" under the extension's permissions
32
+
4. Enable "Access your data for `https://login.microsoftonline.com`" under the extension's permissions
40
33
41
34
### Chrome: Signed Version from Chrome Web Store
42
35
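Review bot: Step 4 now formats the origin as code, but the step still does not say why the permission has to be granted. The Technical Background section of this README explains that the extension injects the PRT SSO cookie into the login flow on `login.microsoftonline.com`; a half-sentence here ("required so the extension can inject the SSO cookie into requests to this origin") would let users see that the host permission is limited to that one origin and what it is used for.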
@@ -61,7 +54,7 @@ To build the extension and install the host parts, perform the following steps:
61
54
4. Firefox only: Permit unsigned extensions in Firefox by setting `xpinstall.signatures.required` to `false`
62
55
4. Chrome only: In extension menu, enable `Developer mode`.
63
56
5. Install the extension in the Browser from the local `linux-entra-sso-*.xpi` file (Firefox). On Chrome, use `load unpacked` and point to `build/chrome`
64
-
6. Enable "Access your data for https://login.microsoftonline.com" under the extension's permissions
57
+
6. Enable "Access your data for `https://login.microsoftonline.com`" under the extension's permissions
65
58
66
59
### Global Installation of Host Components
67
60
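Review bot: While this list is being touched, the unchanged step "4. Firefox only: Permit unsigned extensions in Firefox by setting `xpinstall.signatures.required` to `false`" should state its scope. As written it does not say that the setting is only needed for the locally built `.xpi`, and it does not point back to the signed release as the alternative that avoids the change. The two consecutive items numbered `4.` (Firefox only, Chrome only) would also read more clearly as sub-items of one step. The reworded step 6 itself is fine and matches step 4 of the signed-install list.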
@@ -76,28 +69,28 @@ The provided defaults work on a Debian system. For details, have a look at the M
76
69
77
70
## Usage
78
71
79
-
No configuration is required. The SSO is automatically enabled.
72
+
**No configuration is required.** The SSO is automatically enabled.
80
73
If you want to disable the SSO for this session, click on the tray icon and select the guest account.
74
+
In case you are already logged in, you might need to clear all cookies on `login.microsoftonline.com`.
75
+
76
+
### Technical Background
81
77
82
-
However, you might need to clear all cookies on
83
-
`login.microsoftonline.com`, in case you are already logged. The extension
84
-
will automatically acquire a [PRT SSO Cookie](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oapxbc/105e4d17-defd-4637-a520-173db2393a4b)
85
-
from the locally running device identity broker and inject that into the OAuth2 login workflow for all Microsoft Entra ID enabled sites
86
-
(the ones you log in via `login.microsoftonline.com`).
78
+
When enabled, the extension acquires a [PRT SSO Cookie](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oapxbc/105e4d17-defd-4637-a520-173db2393a4b)
79
+
from the locally running `microsoft-identity-broker` service and inject that into the OAuth2 login flow on Microsoft Entra ID (`login.microsoftonline.com`).
87
80
88
81
## Known Limitations
89
82
90
83
### SNAP version not supported
91
84
92
85
This extension will not work on the snap version of Firefox.
93
-
The extension executes a script `linux-entra-sso.py` on the host that communicates via DBus with the `microsoft-identity-broker` service.
94
-
As the SNAP executes Firefox inside a container, the communication with DBus will not work. Please use the `firefox-esr` Debian package instead.
86
+
The extension executes a script `linux-entra-sso.py` on the host that communicates via D-Bus with the `microsoft-identity-broker` service.
87
+
As the SNAP executes Firefox inside a container, the communication with D-Bus will not work. Please use the `firefox-esr` Debian package instead.
95
88
96
89
### Expired Tokens on Chrome
97
90
98
-
Due to not having the WebRequestsBlocking API on Chrome, the extension needs to use a different mechanism to inject the token.
91
+
Due to not having the `WebRequestsBlocking` API on Chrome, the extension needs to use a different mechanism to inject the token.
99
92
While in Firefox the token is requested on-demand when hitting the SSO login URL, in Chrome the token is requested periodically.
100
-
Then, a declarativeNetRequest API rule is setup to inject the token. As the lifetime of the tokens is limited and cannot be checked,
93
+
Then, a `declarativeNetRequest` API rule is setup to inject the token. As the lifetime of the tokens is limited and cannot be checked,
101
94
outdated tokens might be injected. Further, a generic SSO URL must be used when requesting the token, instead of the actual one.
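Review bot: In the new Technical Background paragraph the verbs disagree: "the extension acquires a PRT SSO Cookie ... and inject that" should be "and injects that". The opening "When enabled" also sits oddly next to "The SSO is automatically enabled" a few lines above; "Unless the guest account is selected" would match the Usage text. In the Chrome section, "is setup" should be "is set up", and putting `WebRequestsBlocking` in backticks presents it as a literal identifier, so please check the spelling against the permission name Chrome and Firefox use (`webRequestBlocking`). Finally, the old wording said the cookie is injected "for all Microsoft Entra ID enabled sites"; the new wording narrows this to the login flow on `login.microsoftonline.com`, which is the more precise statement, and it would be worth mentioning that narrowing in the commit message since it is the terminology fix the message refers to.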