
Add --origin Argument for Handling Single Page Application Refresh Tokens #99

Open. Wants to merge 8 commits into base: master.

Conversation


@so-lcain so-lcain commented Aug 26, 2024

This pull request includes updates to roadlib's auth.py and roadrecon's gather.py. The changes add the argument --origin which appends a header origin value to refresh token requests which is required when using Single Page Application (SPA) refresh tokens such as the Azure portal or Office Online Application portal. Users obtain a refresh token from an authenticated browser session, supply the SPA client-id, and pass an '--origin' value such as 'https://portal.azure.com' so they can then obtain an access token. Example syntax when using a refresh token from the Azure portal: roadtx gettokens -c c44b4083-3bb0-49c1-b47d-974e53cbdf3c --origin "https://portal.azure.com" --refresh-token ""

These changes have been tested and allow running collections and obtaining tokens in hardened Azure environments where device-code flow, external applications, and Selenium browser implementations are not an option. Obtaining refresh tokens from a user's authenticated browser session logged into one of the portals and supplying it to obtain an access token makes for a simple and efficient workflow. The checktoken function of gather.py was modified to handle requesting a new token with the appropriate origin header value for collections in large tenants.

so-lcain and others added 8 commits August 21, 2024 15:09
Added origin attribute to be appended to HTTP requests when using Browser based tokens.
Added static origin values for Azure portal client ID.
Updated checktoken function to use authenticate_with_refresh_native and v2 custom methods instead of Microsoft adal.
Corrected try and except statements
Modify expire time to utilize token values returned from authenticate_with_refresh_token_native functions.
Improvements to more efficiently handle adding "Origin" header to Single Page Application token refresh requests. Removed static client id, implemented a static header for adal when self.origin is set in Auth.py, updated checktoken function in gather.py to use adal authorization with refresh token instead of native, removed unnecessary comments.