cyberark / epv-api-scripts

These API scripts enable CyberArk users to automate privileged account management tasks like account creation, user management, and more.
https://www.cyberark.com/best
Apache License 2.0

generate access_token using username, password with OTP based login #18

Closed samiron7567 closed 4 years ago

samiron7567 commented 4 years ago

Hi All,

I was trying to figure out how to generate a temporary access_token using username and password with OTP-based login, so I can run different API calls. I went through the documentation in CyberArk but was unable to find one. Basically the idea is to get the output of locked user accounts and do further automation.

I wrote the Python script below to make the API call; however, it seems I am missing something. Any help would be greatly appreciated.

import json
import requests

url = "https://pam.example.com/PasswordVault/API/Auth/radius/Logon"
# The body has to be a JSON string; wrapping a dict literal in quotes is a syntax error
payload = json.dumps({
    "username": "user1",
    "Password": "pass1",
    "useRadiusAuthentication": "yes"
})
headers = {
  'Content-Type': 'application/json'
}
response = requests.request("POST", url, headers=headers, data=payload)
print(response.text.encode('utf8'))

Above API call is failing with:

{
    "ErrorCode": "ITATS542I",
    "ErrorMessage": "Enter the current code displayed in the Multi-Factor Authentication or Azure Authenticator mobile app to complete your authentication."
}

AssafMiron commented 4 years ago

Hey @samiron7567 ,

Try concatenating the OTP with a comma after the password; an example of it (in PowerShell) can be seen here: https://github.com/cyberark/epv-api-scripts/tree/master/Account%20Onboard%20Utility/v10

and a video tutorial by @infamousjoeg here: https://www.youtube.com/watch?v=zxzUfEUN5dA&t=647s

samiron7567 commented 4 years ago

Is there a simple way of getting this REST API to work with an application like Postman? I am not a PowerShell lover and it's hard for me to understand the referenced PowerShell script.

And mostly, why does CyberArk have such bad documentation? Everywhere, they have populated the documentation with authentication methods other than OTP. They must provide more info on their documentation sites about how one can use the various login procedures for automation.

infamousjoeg commented 4 years ago

@samiron7567 our REST API is documented in a Postman collection at https://CYBR.rocks/RESTAPI.

AssafMiron commented 4 years ago

@samiron7567 in addition to the public Postman collection, there is also Swagger documentation on the PVWA instance installed at your organization. Just go to https:///PasswordVault/Swagger. There you will get the up-to-date REST API methods for your version.

samiron7567 commented 4 years ago

Thanks for the reply @AssafMiron, however it's the same as the documentation I was following earlier. It is asking for MFA, but there is no guide on where to actually put the MFA within the document.

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' \
  -d '{ "UserName": "aabcdzz", "Password": "mypass", "Type": "string", "SecureMode": true }' \
  'https://pam.example.com/PasswordVault/api/Auth/radius/Logon'

Here is output with Response code 500

{ "ErrorCode": "ITATS542I", "ErrorMessage": "Enter the current code displayed in the Multi-Factor Authentication or Azure Authenticator mobile app to complete your authentication." }

pspete commented 4 years ago

@samiron7567, when returning ITATS542I, a response to the Radius challenge is expected. This exception can be caught, and a second authentication request sent containing the OTP as the password value. Here is some tried & tested code which illustrates the logic: https://github.com/pspete/psPAS/blob/3efbf916908b04ddb761140dffa7cc2914d4df5e/psPAS/Functions/Authentication/New-PASSession.ps1#L540
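The two logon flows described in this thread (the challenge/response that pspete outlines, and the "password,OTP" concatenation that AssafMiron suggests) as a worked Python example. This is an added example, not code from the issue, from epv-api-scripts or from psPAS. Assumptions: the host in LOGON_URL is a placeholder; `FakePVWA` is a constructed stand-in that only reproduces what the thread reports (HTTP 500 with `ITATS542I` when the password is accepted but no OTP has been given) and returns a placeholder token as a bare JSON string; its other responses and the `CONSTRUCTED-FAIL` code are invented for the fake and are not real PVWA codes. `_post_with_requests` is the transport for real use.

```python
import json

# Endpoint from the thread; the host is a placeholder and must be replaced.
LOGON_URL = "https://pam.example.com/PasswordVault/API/Auth/radius/Logon"
CHALLENGE_CODE = "ITATS542I"  # PVWA's "enter your MFA code" reply quoted in the thread


def _post_with_requests(url, body):
    """Transport for real use: POST a JSON body and return (status, text).
    requests is imported lazily so the offline demo below needs no extra packages."""
    import requests
    resp = requests.post(url, data=body, timeout=30,
                         headers={"Content-Type": "application/json",
                                  "Accept": "application/json"})
    return resp.status_code, resp.text


def _fail(text):
    error = json.loads(text)
    return RuntimeError(f"logon failed: {error.get('ErrorCode')} {error.get('ErrorMessage')}")


def radius_logon(username, password, otp, post=_post_with_requests):
    """Two-step RADIUS logon (pspete's description): send the password first; when
    PVWA answers with ITATS542I, send a second request with the OTP as the password."""
    body = {"username": username, "password": password}
    status, text = post(LOGON_URL, json.dumps(body))
    if status == 200:
        return json.loads(text)            # no challenge: token returned directly
    if json.loads(text).get("ErrorCode") != CHALLENGE_CODE:
        raise _fail(text)                  # wrong password, locked user, etc.
    body["password"] = otp                 # challenge: the OTP replaces the password
    status, text = post(LOGON_URL, json.dumps(body))
    if status != 200:
        raise _fail(text)
    return json.loads(text)


def radius_logon_inline(username, password, otp, post=_post_with_requests):
    """Single-request variant (AssafMiron's comment): OTP after the password, comma-separated."""
    body = {"username": username, "password": f"{password},{otp}"}
    status, text = post(LOGON_URL, json.dumps(body))
    if status != 200:
        raise _fail(text)
    return json.loads(text)


class FakePVWA:
    """Constructed stand-in for the logon endpoint so the flow can be run offline.
    Only the 500 + ITATS542I challenge is taken from the thread; the rest is assumed."""

    def __init__(self, password, otp):
        self._password, self._otp = password, otp
        self._awaiting_otp = set()         # users that have passed step one

    def post(self, url, body):
        data = json.loads(body)
        user, secret = data["username"], data["password"]
        if user in self._awaiting_otp:
            self._awaiting_otp.discard(user)           # a challenge is answered once
            if secret == self._otp:
                return 200, json.dumps("SESSION-TOKEN-PLACEHOLDER")
            return 403, json.dumps({"ErrorCode": "CONSTRUCTED-FAIL", "ErrorMessage": "bad OTP"})
        if secret == f"{self._password},{self._otp}":   # inline form accepted in one step
            return 200, json.dumps("SESSION-TOKEN-PLACEHOLDER")
        if secret == self._password:                    # password ok, OTP still required
            self._awaiting_otp.add(user)
            return 500, json.dumps({"ErrorCode": CHALLENGE_CODE,
                                    "ErrorMessage": "Enter the current code displayed in the "
                                                    "Multi-Factor Authentication mobile app."})
        return 403, json.dumps({"ErrorCode": "CONSTRUCTED-FAIL", "ErrorMessage": "bad password"})


if __name__ == "__main__":
    vault = FakePVWA(password="pass1", otp="123456")
    print(radius_logon("user1", "pass1", "123456", post=vault.post))
    # Real use: take username/password from the environment or a vault, prompt for the
    # OTP at run time, and pass the token in the Authorization header of later calls.
```

The OTP is only valid briefly and a challenge is answered once, so the second request must follow the first immediately; the client treats any reply other than a 200 or the expected `ITATS542I` challenge as a failure rather than retrying.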