CrowdStrike / falcon-scripts

Scripts to streamline the deployment and use of the CrowdStrike Falcon sensor
The Unlicense

Allow access token authentication #211

Closed carlosmmatos closed 2 months ago

carlosmmatos commented 10 months ago

Allow a user to pass in an access token instead of authenticating with the API to help facilitate further automations.

stevenwick commented 10 months ago

Does this refer to the maintenance token? Looking for a possible way to pull the maintenance token via API and pass it to the device to automate the uninstall process if tamperproof protection is enabled.

carlosmmatos commented 10 months ago

@stevenwick - No this is for authenticating with the API.

As for the maintenance token being pulled via API, we already do that for powershell. See the uninstall section in the README for an example. You would just essentially pass in your API client id/secret:

[screenshot of the README uninstall example]

Vikasway commented 5 months ago

I created a new API key and captured Client ID and Secret from console and used the same on my machine, however it throws me an error even though my credentials are correct.

Any idea how to fix it?

Received a Forbidden response from https://api.us-2.crowdstrike.com/oauth2/token. Please check your credentials and try again. Error: Forbidden At C:\temp\Crowdstrike\Remediation_falcon_windows_uninstall.ps1:209 char:17

Henric-Andersson commented 5 months ago

Same issue here. I double-checked the client id/secret and looked at logs, but regardless of endpoint, this happens.

Henric-Andersson commented 5 months ago

In Falcon I see it reporting 403 as well.

carlosmmatos commented 5 months ago

@Henric-Andersson | @Vikasway - what happens if you try using something else to test your creds? Can you try the following:

    curl -X POST "https://<YOUR_API_BASE_URL>/oauth2/token" \
     -H "accept: application/json" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=xxxxxxxx&client_secret=yyyyyyyy"

Henric-Andersson commented 5 months ago

That worked @carlosmmatos , see (somewhat masked) result here:

    {
     "access_token": "secret stuff",
     "expires_in": 1799,
     "token_type": "bearer"
    }

So I re-ran the script but it still fails.

We use https://api.crowdstrike.com/oauth2/token in the script; I even modified the script to manually encode the form data, but it still failed.

Next, I tried removing the CID and now it worked:

    # Configure OAuth2 authentication
    if ($credsProvided) {
        $BaseUrl = Get-FalconCloud $FalconCloud

        $Body = @{}
        $Body['client_id'] = $FalconClientId
        $Body['client_secret'] = $FalconClientSecret

        #if ($MemberCid) {
        #    $Body['member_cid'] = $MemberCid
        #}

        $BaseUrl, $Headers = Invoke-FalconAuth -WebRequestParams $WebRequestParams -BaseUrl $BaseUrl -Body $Body -FalconCloud $FalconCloud
        $Headers['Content-Type'] = 'application/json'
        $WebRequestParams.Add('Headers', $Headers)
    }

It would seem that me providing the member cid on command line was breaking this function.

redhatrises commented 5 months ago

> That worked @carlosmmatos , see (somewhat masked) result here:
>
>     {
>      "access_token": "secret stuff",
>      "expires_in": 1799,
>      "token_type": "bearer"
>     }
>
> So I re-ran the script but it still fails.
>
> We use https://api.crowdstrike.com/oauth2/token in the script; I even modified the script to manually encode the form data, but it still failed.
>
> Next, I tried removing the CID and now it worked:
>
>     # Configure OAuth2 authentication
>     if ($credsProvided) {
>         $BaseUrl = Get-FalconCloud $FalconCloud
>
>         $Body = @{}
>         $Body['client_id'] = $FalconClientId
>         $Body['client_secret'] = $FalconClientSecret
>
>         #if ($MemberCid) {
>         #    $Body['member_cid'] = $MemberCid
>         #}
>
>         $BaseUrl, $Headers = Invoke-FalconAuth -WebRequestParams $WebRequestParams -BaseUrl $BaseUrl -Body $Body -FalconCloud $FalconCloud
>         $Headers['Content-Type'] = 'application/json'
>         $WebRequestParams.Add('Headers', $Headers)
>     }
>
> It would seem that me providing the member cid on command line was breaking this function.

membercid is only used for managed services CIDs that have a parent CID attached to them. So if the CID you are using is not a child CID, it shouldn't be used.
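The two points raised in this thread, a caller-supplied access token instead of client credentials and `member_cid` sent only when a child CID is really in use, as an added PowerShell example that is not part of falcon-scripts (the function name, parameters and error text are assumptions for illustration):

```powershell
# Added example, not code from falcon-scripts. Returns the headers for a Falcon API call,
# either from an access token the caller already holds or from a fresh OAuth2 token request.
function Get-FalconBearerHeader {
    [CmdletBinding()]
    param(
        [string]$BaseUrl = 'https://api.crowdstrike.com',
        [string]$ClientId,
        [string]$ClientSecret,
        [string]$MemberCid,      # only for MSSP child CIDs; leave empty for a standalone CID
        [string]$AccessToken     # if set, no token request is made at all
    )

    if (-not $AccessToken) {
        if (-not $ClientId -or -not $ClientSecret) {
            throw 'Provide either -AccessToken or both -ClientId and -ClientSecret.'
        }
        # Same form fields as the curl test above; Invoke-RestMethod form-encodes a
        # hashtable body for POST.
        $body = @{ client_id = $ClientId; client_secret = $ClientSecret }
        # member_cid is added only when explicitly given, so a standalone CID is never
        # sent with a member_cid it does not own (the cause of the 403 in this thread).
        if ($MemberCid) { $body['member_cid'] = $MemberCid }

        try {
            $resp = Invoke-RestMethod -Method Post -Uri "$BaseUrl/oauth2/token" `
                -ContentType 'application/x-www-form-urlencoded' -Body $body
        }
        catch {
            $code = $_.Exception.Response.StatusCode
            throw "Token request to $BaseUrl/oauth2/token failed ($code). Check the cloud base URL and, if set, -MemberCid."
        }
        $AccessToken = $resp.access_token
    }

    # Headers for subsequent API calls; the token is never written to the console.
    return @{
        'Authorization' = "Bearer $AccessToken"
        'Content-Type'  = 'application/json'
    }
}

# Usage with constructed values: either path yields the same header table.
# $headers = Get-FalconBearerHeader -ClientId 'xxxxxxxx' -ClientSecret 'yyyyyyyy'
# $headers = Get-FalconBearerHeader -AccessToken $env:FALCON_ACCESS_TOKEN
```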

Henric-Andersson commented 5 months ago

Lesson learned. Thanks.