Outlook.com and OAuth
-
I have OAuth problem with Outlook.com. When I add the Outlook.com account into mail client using OAuth option
It logs me in across all MS services, which is a wrong and unsafe behavior. For example opening mail URLhttps://outlook.office365.com/mailgoes as expected, and I receive OAuth authentication login
I cannot say the same about other MS services like MS account. When I enteraccount.microsoft.comit redirects me directly to my account without any further authentication, which is not good and not secure.
I created a separate thread for the same issue as in Gmail and OAuth in 2024 just because in those thread you claimed thatThat, apparently came from this Google login, which is outside Vivaldi's purview
By this thread I want to show you this is not only GMail problem like you intend to say, this is a problem of the Vivaldi OAuth implementation, regardless of the email provider
-
@astero Exact same issue as in that thread. The Microsoft login cookie may very well do the same as the Google login cookie. Again, Vivaldi cannot control what an external provider's cookies do. Some cookies will provide that authentication, while others will not.
If you feel this is an issue with the OAuth implementation of the Mail client, submit a bug report and post the bug report number (VB-xxxxxx) in both threads. Thank you.
-
@edwardp said in Outlook.com and OAuth:
Again, Vivaldi cannot control what an external provider's cookies do
Very poor justification. Why Chromium can do this with its site isolation feature and you cannot?
https://www.chromium.org/Home/chromium-security/site-isolation/
You are based on Chromium so I don't see any reason why Vivaldi cannot utilize this feature for the mail client.
I created a bug VB-111328 for this problem.
-
@astero when the Chromium framework Vivaldi is built on is asked to return a cookie from a domain, it doesn't matter which bit of the UI is causing that request. This is not about different websites, so that's irrelevant. It's also not about Chrome since that doesn't have one part of it's UI dealing with mail and another part dealing with WWW.
What you're actually asking for is complete separation of user data for dealing with mail from data dealing with "the web". That might be possible but I suspect it's not easy since, ironically, that's not how Chrome works. If you really want that then the simplest solution is to create a new user profile for your mail.
-
@mossman said in Outlook.com and OAuth:
that's not how Chrome works
yes, because Chrome doesn't have mail client. I didn't check the code, just guessing, but I guess at least some pieces of Chrome site isolation framework can be reused for Vivaldi mail client.
