cisagov / untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Creative Commons Zero v1.0 Universal

Authentication Failure #11

Closed. andrewryanis closed this issue 1 year ago.

andrewryanis commented 1 year ago

🐛 Summary

I installed the app as described in the repo. When I attempt to run goosey auth, I get the following error:

[screenshot]

When I attempt to execute it outside of the venv I get a different auth error.

[screenshot]

Any help would be greatly appreciated!

victoriawallace-cisa commented 1 year ago

Hello, can you run goosey auth --debug in your venv and post the output here?

andrewryanis commented 1 year ago

No problem!

Seems to be the same in the venv and outside.

EDIT: deleted images, no longer need the debug logs

victoriawallace-cisa commented 1 year ago

I was able to replicate your issue. Please ensure you have set the appid and clientsecret correctly in the .conf file. The client secret value is the value of the client secret and not the secret ID.

victoriawallace-cisa commented 1 year ago

Please let us know if you are able to run goosey auth with a valid client secret.

andrewryanis commented 1 year ago

Yes, I am using a valid client secret. It does have a number of special characters; could that be causing the issue? None of them are %.

I was able to run it partially; it returned the activitylogs, for example.

victoriawallace-cisa commented 1 year ago

In goosey/auth.py, can you change the following lines starting at 213:

Change these lines:

        if 'expires_in' in self.tokendata:
            expiration_time = time.time() + self.tokendata['expires_in']
        self.tokendata['expires_on'] = expiration_time

To this:

        if 'expires_in' in self.tokendata:
            expiration_time = time.time() + self.tokendata['expires_in']
            self.tokendata['expires_on'] = expiration_time

Afterwards, please save the auth.py file, do another pip install, and try to do a goosey auth. Can you show me the output of your goosey auth afterwards?

EDIT: Also, in your .ugt_auth file, does any of the entries under app_auth have an "expires_in" and "expires_on" field?

andrewryanis commented 1 year ago

I have replaced the lines of code. [screenshot]

.venv: [screenshot]

Content of .ugt_auth: "expires_in": 3599, "expires_on": 1680041014.123685,

victoriawallace-cisa commented 1 year ago

It looks like you're having an issue authenticating with Selenium. Can you run goosey auth --interactive --debug and see if there's an issue that's preventing auth from occurring successfully? While the browser window is being controlled by Selenium, please don't click away from the window or try to interact with it; it should do everything automatically.

Also, do you have another MFA method that isn't the push notification from the Microsoft Authenticator app?

andrewryanis commented 1 year ago

My notification isn't a push notification; you must enter the code manually from Authenticator. But it looks like that may have been the issue: I entered the code as the screen popped up in Firefox. I guess it was getting stuck there waiting for the auth code. [screenshot]

victoriawallace-cisa commented 1 year ago

Thanks for confirming. We'll be implementing more verbose logging for potential application authentication issues and an update to the readme regarding what types of MFA are supported.

andrewryanis commented 1 year ago

Still giving an error here

[screenshot]

victoriawallace-cisa commented 1 year ago

It looks like you only have a partial authentication. It doesn't look like the device code tokens all populated in the .ugt_auth file based on the error message. You could probably run goosey auth --interactive again to make sure you are putting in your MFA code during the correct times. In .ugt_auth, you should see both app_auth and mfa sections, where the mfa section has the id_token_claims subsection. If you don't see that, something went wrong during authentication. We will look into potentially incorporating different types of MFA in the future.
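
The thread above points at three separate things a responder would check before filing a report like this: that the configured clientsecret is the secret value rather than the secret ID, that the expires_on assignment in goosey/auth.py only runs when the token response carried expires_in, and that .ugt_auth ends up with both an app_auth and an mfa section (the latter with id_token_claims). The following is an added example written for this page, not goosey's own code. The layout it assumes for .ugt_auth (a dict of per-resource token dicts under each section) and the sample file it constructs are assumptions for illustration; the before/after functions mirror the snippet posted earlier in the thread.

```python
# Added example for this issue thread; not part of untitledgoosetool.
# Assumed .ugt_auth layout: {"app_auth": {resource: token_dict}, "mfa": {resource: token_dict}}.
import json
import time
import uuid


def looks_like_secret_id(clientsecret):
    """In the Azure portal a client secret *ID* is a GUID; the secret *value* is not.
    A GUID in the clientsecret field means the wrong column was copied into .conf."""
    try:
        uuid.UUID(str(clientsecret))
    except (ValueError, TypeError):
        return False
    return True


def set_expires_on_before(tokendata, now=None):
    """Pre-fix logic from the thread: the assignment sits outside the if-block,
    so a token response without 'expires_in' raises UnboundLocalError."""
    now = time.time() if now is None else now
    if 'expires_in' in tokendata:
        expiration_time = now + tokendata['expires_in']
    tokendata['expires_on'] = expiration_time
    return tokendata


def set_expires_on_after(tokendata, now=None):
    """Fixed logic: expires_on is only derived when expires_in is present."""
    now = time.time() if now is None else now
    if 'expires_in' in tokendata:
        tokendata['expires_on'] = now + tokendata['expires_in']
    return tokendata


def before_logic_raises(tokendata):
    """True if the pre-fix logic blows up on this token response."""
    try:
        set_expires_on_before(dict(tokendata), now=0)
    except UnboundLocalError:
        return True
    return False


def check_ugt_auth(doc, now=None):
    """Return a list of problems with a parsed .ugt_auth document.
    An empty list means both sections look like a complete authentication."""
    now = time.time() if now is None else now
    problems = []

    app_auth = doc.get('app_auth')
    if not isinstance(app_auth, dict) or not app_auth:
        problems.append('app_auth section missing or empty (client-credential tokens absent)')
    else:
        for resource, tok in app_auth.items():
            if not isinstance(tok, dict) or 'expires_on' not in tok:
                problems.append(f'app_auth[{resource}] has no expires_on')
            elif tok['expires_on'] <= now:
                problems.append(f'app_auth[{resource}] token expired')

    mfa = doc.get('mfa')
    if not isinstance(mfa, dict) or not mfa:
        problems.append('mfa section missing or empty (device-code/interactive auth did not finish)')
    else:
        # Accept either per-resource entries or a flat mfa dict.
        entries = [v for v in mfa.values() if isinstance(v, dict)] or [mfa]
        if not any('id_token_claims' in e for e in entries):
            problems.append('mfa section has no id_token_claims subsection')
    return problems


def check_ugt_auth_text(text, now=None):
    """Same check, starting from the raw file contents."""
    return check_ugt_auth(json.loads(text), now=now)


# Constructed sample resembling the partial state described in the thread:
# app_auth is populated, mfa was never written because the OTP was not entered in time.
PARTIAL_UGT_AUTH = json.dumps({
    "app_auth": {
        "https://graph.microsoft.com/": {
            "access_token": "<redacted>",
            "expires_in": 3599,
            "expires_on": 1680041014.123685,
        }
    }
})

if __name__ == '__main__':
    for problem in check_ugt_auth_text(PARTIAL_UGT_AUTH, now=1680040000):
        print(problem)
```

Run it against a real .ugt_auth by passing the file contents to check_ugt_auth_text; an output of only the mfa complaint matches the "partial authentication" state described above, where the app-only dumpers (activitylogs) work but anything needing the device-code tokens fails.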

victoriawallace-cisa commented 1 year ago

@andrewryanis We implemented more MFA authentication types (number matching, app OTP code, and SMS OTP code) in the most recent update. Can you try those out and let us know how it goes?

victoriawallace-cisa commented 1 year ago

No response received, closing this issue.