search

google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0
2.52k stars 577 forks source link

GCP IAP authentication seems to be broken for the desktop client #3078

Open wajihyassine opened 2 months ago

wajihyassine commented 2 months ago

Describe the bug A clear and concise description of what the bug is.

When enabling GCP IAP authentication with Timesketch release, authentication properly redirects when connecting to Timesketch using the Web UI but does not work when using the Timesketch desktop client.

To Reproduce Steps to reproduce the behavior:

  1. Go to Timesketch config file. Enable GCP IAP Authentication using latest release
  2. Install timesketch cli
  3. Attempt to use Oauth Desktop client with timesketch cli
  4. See error

Expected behavior

For authentication request to go through

Screenshots If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

Additional context Original error

Unable to connect to the Timesketch server, are you connected to the network? Is the timesketch server running and accessible from your host? The error message is Unable to connect to server, error: Unable to authenticate, with error [401] Unauthorized Invalid IAP credentials: Unable to parse JWT

When adding In client.py:authenticate_oauth_session 

headers={"Proxy-Authorization": auth_bearer}
session.headers.update(headers)

The GCP IAP connection goes through and some commands like timesketch sketch list works but commands like timesketch timelines list errors out with

WARNING:timesketch_api.client:Unable to json decode the Timesketch API response!
Traceback (most recent call last):
  File "/Users/wyassine/tsenv/lib/python3.12/site-packages/requests-2.31.0-py3.12.egg/requests/models.py", line 971, in json
    return complexjson.loads(self.text, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...snip
ValueError: Error parsing response for request 'https://<domain>.com/api/v1/sketches/22' - Unable to json decode the Timesketch API response!

Also you need to configure a GOOGLE_OIDC_DISCOVERY_URL URL with https://accounts.google.com/.well-known/openid-configuration else you will run into a None Type error even though we are configuring GCP IAP and not OIDC

wajihyassine commented 2 months ago

FYI @berggren around what we chatted about before