Gerenios / AADInternals

AADInternals PowerShell module for administering Azure AD and Office 365
http://aadinternals.com/aadinternals
MIT License

AccessToken_utils.ps1 - ConvergedProofUpRedirect #83

Open zjorz opened 4 months ago

zjorz commented 4 months ago
```powershell
                # MFA action required
                if($config.pgid -eq "ConvergedProofUpRedirect")
                {
                    Write-Verbose "ConvergedProofUpRedirect"
                    $MFADays = $config.iRemainingDaysToSkipMfaRegistration
                    if($MFADays)
                    {
                        # $MFADays is the variable set above; the original interpolated the undefined $MFA and printed an empty count
                        Write-Warning "MFA must be set up in $($MFADays) days"
                        # Create the body
                        $body = @{
                            "LoginOptions" = 1
                            "ctx"          = $config.sCtx
                            "flowToken"    = $config.sFT
                            "canary"       = $config.canary
                        }

                        $url = $config.urlSkipMfaRegistration
                        # NOTE: $body is built above but never passed to the request (the bug reported in this issue)
                        $response = Invoke-WebRequest2 -Uri $url -WebSession $LoginSession -MaximumRedirection 0 -Headers $Headers -ErrorAction SilentlyContinue
                    }
                    else
                    {
                        throw "MFA method must be registered."
                    }
                }
```

The `$body` variable is defined, but it appears NOT to be used in the line `$response = Invoke-WebRequest2 ...`.

I have tried to fix that with:

```powershell
$response = Invoke-WebRequest2 -Uri $url -Method POST -Headers $headers -Body $body -ContentType "application/json; charset=UTF-8" -WebSession $loginSession -MaximumRedirection 0 -ErrorAction SilentlyContinue
```

```powershell
                        $body = @{
                            "LoginOptions" = 1
                            "ctx"          = $config.sProofUpAuthState # sCtx appears not to exist in the $config
                            "flowToken"    = $config.sFT
                            "canary"       = $config.canary
                        }
```

I keep getting the error: `AADSTS90100: Ctx Parameter Is Empty Or Not Valid.`

I have used dev tools and I see it doing exactly what I specify above, but it still fails. I'm wondering why, but I'm not able to understand it. Do you guys know why?

zjorz commented 4 months ago

I fixed it myself... Obviously there is a bug, as the body is not used at all. In my case, after fixing it, I made a mistake with the format of the body. Long story short, here is the solution:

```powershell
        # Headers: the content type moves here; the User-Agent stays whatever the session already uses
        $headers = @{
            "Content-Type" = "application/json; charset=utf-8"
            "User-Agent"   = "<WHATEVER YOUR USER AGENT IS>"
        }
```

```powershell
                    # Body: ctx comes from sProofUpAuthState (sCtx is absent), LoginOptions is dropped
                    $body = @{
                        "ctx"          = $config.sProofUpAuthState # sCtx appears not to exist in the $config
                        "flowToken"    = $config.sFT
                        "canary"       = $config.canary
                    }
```

```powershell
# The request now actually sends $body as a POST
$response = Invoke-WebRequest2 -Uri $url -Method POST -Headers $headers -Body $body -WebSession $loginSession -MaximumRedirection 0 -ErrorAction SilentlyContinue
```

With these changes, the "ConvergedProofUpRedirect" flow now works.
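The request shape worked out across both comments above (detect the `ConvergedProofUpRedirect` interrupt, take `ctx` from `sProofUpAuthState` rather than the absent `sCtx`, post `ctx`/`flowToken`/`canary` to `urlSkipMfaRegistration`), as an added example that is not AADInternals code and not the reporter's fix. It builds the request from a parsed login-page config and refuses to send when `ctx` would be empty, which is the condition behind the `AADSTS90100` error in the report. Assumptions, not from the thread: the function name `New-SkipMfaRegistrationRequest`, the `-UseSCtx` switch that reproduces the original field choice, the placeholder config values and URL, the default User-Agent, and serializing the body to JSON (the thread's own fix passes a hashtable to the module's `Invoke-WebRequest2` wrapper with a JSON Content-Type header; stock `Invoke-WebRequest` is used here instead).

```powershell
# Added example (not AADInternals code): build the "skip MFA registration" POST
# from a parsed login-page $Config and validate it before anything is sent.

function New-SkipMfaRegistrationRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $Config,                  # parsed config object from the login page
        [string] $UserAgent = "AADInternals-example/1.0", # assumed default; use the real session UA
        [switch] $UseSCtx                                 # reproduce the original (broken) field choice
    )

    if ($Config.pgid -ne "ConvergedProofUpRedirect") {
        throw "Not an MFA registration interrupt (pgid = '$($Config.pgid)')."
    }

    # Same gate as the module: no remaining skip days means registration is mandatory
    $days = $Config.iRemainingDaysToSkipMfaRegistration
    if (-not $days) {
        throw "MFA method must be registered; no days left to skip registration."
    }
    Write-Warning "MFA must be set up in $days days"

    # ctx lives in sProofUpAuthState on this page; sCtx does not exist, so it would be $null
    $ctx = if ($UseSCtx) { $Config.sCtx } else { $Config.sProofUpAuthState }
    if ([string]::IsNullOrEmpty($ctx)) {
        throw "ctx is empty; the server would answer AADSTS90100. Use sProofUpAuthState, not sCtx."
    }
    foreach ($name in "sFT", "canary", "urlSkipMfaRegistration") {
        if ([string]::IsNullOrEmpty($Config.$name)) {
            throw "Config field '$name' is missing or empty."
        }
    }

    # Body as in the working fix in this thread (no LoginOptions field)
    $body = [ordered]@{
        ctx       = $ctx
        flowToken = $Config.sFT
        canary    = $Config.canary
    }

    # Splattable parameters for Invoke-WebRequest. JSON serialization is an
    # assumption that matches the Content-Type the thread sets.
    return @{
        Uri                = $Config.urlSkipMfaRegistration
        Method             = "POST"
        Headers            = @{ "User-Agent" = $UserAgent }
        ContentType        = "application/json; charset=utf-8"
        Body               = ($body | ConvertTo-Json -Compress)
        MaximumRedirection = 0
        ErrorAction        = "SilentlyContinue"
    }
}

# Constructed sample config using the field names from the thread; every value is a placeholder.
$sampleConfig = [pscustomobject]@{
    pgid                                = "ConvergedProofUpRedirect"
    iRemainingDaysToSkipMfaRegistration = 13
    sProofUpAuthState                   = "placeholder-proofup-auth-state"
    sFT                                 = "placeholder-flow-token"
    canary                              = "placeholder-canary"
    urlSkipMfaRegistration              = "https://login.example.com/skip-mfa-registration"
}

# Correct field choice: request is built and could be sent with the real login session
$request = New-SkipMfaRegistrationRequest -Config $sampleConfig
$request.Body
# $response = Invoke-WebRequest @request -WebSession $LoginSession   # network call, needs the real session

# Original field choice: sCtx is absent, so ctx is empty and the function refuses before sending
try {
    New-SkipMfaRegistrationRequest -Config $sampleConfig -UseSCtx | Out-Null
} catch {
    Write-Host "Refused: $($_.Exception.Message)"
}
```

The pre-send check is the practical takeaway: the server's `AADSTS90100` only tells you `ctx` was empty after a round trip, whereas validating the config fields locally pinpoints which field name is wrong. The `-WebSession` from the preceding login steps still has to be supplied when the request is actually sent, since the skip endpoint is part of that interactive flow.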