hako / blackboard-dl

📚💻 Downloads lectures and workshops automagically.
MIT License

Authentication does not work with mymasonportal.gmu.edu #12

Open ocelotsloth opened 4 years ago

ocelotsloth commented 4 years ago

Expected behavior

The utility would sign in and function.

Actual behavior

```
~/Projects/blackboard-dl testing.
❯ ./blackboard-dl 
Blackboard course downloader v0.5.1 - [c] 2017 Wesley Hill
[!] Search for your college/university: George Mason
1 result(s) for "George Mason"
[0] George Mason University
[?] What number is your college/university?: 0
[?] Would you like to save your selected college?: y
Selected college "George Mason University" saved in "selected_college.json".

George Mason University [secure ✔]
https://mymasonportal.gmu.edu
-Login--------------------------
[?] Blackboard username: <redacted>
[?] Blackboard password (hidden): 
[+] Logging in...Login incorrect, please check your credentials and college and try again.
Hint: The college you selected was: George Mason University
```

Thoughts

My best guess is that the issue lies with how George Mason University performs authentication with their Blackboard installation. Rather than using the built in authentication methods they have set up Shibboleth for single sign on authentication.

I believe the best way forward would be to provide a way to manually provide session cookies. If you have better ideas that would be super.

ocelotsloth commented 4 years ago
```xml
<data>
   <s>
      <name>George Mason University</name>
      <id>5940</id>
      <b2_url>https://mymasonportal.gmu.edu/webapps/Bb-mobile-BB5a30bcf95ea52/</b2_url>
      <country>USA</country>
      <has_community_system>1</has_community_system>
      <username_label>GMU</username_label>
      <force_web_login>https://mymasonportal.gmu.edu/webapps/Bb-mobile-BB5a30bcf95ea52/customAuthDevice</force_web_login>
      <has_mobile_central>0</has_mobile_central>
      <http_auth>0</http_auth>
      <from_people_soft>1</from_people_soft>
      <client_id>1241</client_id>
      <can_has_ssl_login>true</can_has_ssl_login>
      <display_lms_host>https://mymasonportal.gmu.edu</display_lms_host>
      <access>
         <wifi>1</wifi>
         <carrier>1</carrier>
         <sprint_local>0</sprint_local>
      </access>
      <has_planner_license>0</has_planner_license>
      <planner_license_level>BASIC</planner_license_level>
      <prospective_student_access>0</prospective_student_access>
      <preferred_contact_methods>0,1</preferred_contact_methods>
      <has_offline_license>1</has_offline_license>
      <people_soft_institution_id>200078</people_soft_institution_id>
      <euse>support@gmu.edu</euse>
      <euse_label>ITS Support</euse_label>
      <force_web_login_polling>1</force_web_login_polling>
      <gcm>1</gcm>
   </s>
</data>
```

Just to see if there is any information that could be used to determine whether a university has some kind of SSO, this is the XML returned by the college search API call.

I do not see anything useful though. I think the best way to go is provide an optional failover when the password is incorrect. It'll have to come with starter instructions on how to extract the session cookies from your browser.

hako commented 4 years ago

Yeah, this one is a tricky one.

I don't have access to the Blackboard service anymore and this program is based on a horribly old Blackboard iOS app that isn't on the App Store. I'm surprised that even the search still works.

As for signing in, you're right, some schools like yours have some sort of SSO / Web Login mechanism; mine uses the default authentication method, which is the only one I tested on at the time.

There are a few options:

  1. See the requests from the SSO / Web Login from a web browser from server to client.
  2. See the requests from the SSO / Web Login from the new Blackboard app on iOS or Android.

If you are familiar with Mitmproxy or Charles Proxy you'll be able to see the requests the app is making to Blackboard.

ocelotsloth commented 4 years ago

Yeah I spent some time playing with the code and got this far: https://github.com/ocelotsloth/blackboard-dl/commit/5adc3d63603ed54178d16ec63c90fba2d343b9ec

Unfortunately whatever API endpoint it's using doesn't understand the SAML auth header. That or I did it wrong...which is a decent possibility.

```
~/Projects/blackboard-dl master*.
❯ ./blackboard-dl -s --web_client_cache_guid <redacted>  --samlSessionId <redacted> 
Blackboard course downloader v0.5.1 - [c] 2017 Wesley Hill

George Mason University [secure ✔]
https://mymasonportal.gmu.edu
[+] Logging in...<?xml version="1.0" encoding="UTF-8"?>
<mobileresponse status="NOT_LOGGED_IN"><![CDATA[Exception <class blackboard.plugin.beyond.bbAS.exception.BBMErrorCodeException> toString <blackboard.plugin.beyond.bbAS.exception.BBMErrorCodeException>]]></mobileresponse>
Unhandled exception: Index out of bounds (IndexError)
  from /usr/lib/crystal/array.cr:0:11 in 'pop'
  from src/blackboard-dl/client.cr:129:7 in 'get_courses'
  from src/cli.cr:145:5 in 'download'
  from src/cli.cr:86:7 in 'run'
  from src/cli.cr:263:1 in '__crystal_main'
  from /usr/lib/crystal/crystal/main.cr:97:5 in 'main_user_code'
  from /usr/lib/crystal/crystal/main.cr:86:7 in 'main'
  from /usr/lib/crystal/crystal/main.cr:106:3 in 'main'
  from __libc_start_main
  from _start
  from ???
```

(I added a puts to show the response right before the error)

While it was a fun thing to play with I think I'm quickly running up against the question of whether it'll actually save me any time to try and implement this (illustrated quite well by XKCD):

I might take another stab at this but for now I'll just have to download this stuff by hand.
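Two checks the thread turns up that a client could run before trying the default login, written here as an added Python example (not the project's Crystal code): the college-search XML posted earlier carries a `force_web_login` URL when a school forces an SSO / web login, and a `mobileresponse` whose `status` is `NOT_LOGGED_IN` should be reported as a login failure instead of being handed to the course parser (where the empty result ends in the `pop` IndexError shown above). Both samples are constructed from the XML quoted in this thread; the `LoginError` name is my own.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample, trimmed from the college-search XML quoted in the thread.
COLLEGE_SEARCH_XML = """<data>
  <s>
    <name>George Mason University</name>
    <b2_url>https://mymasonportal.gmu.edu/webapps/Bb-mobile-BB5a30bcf95ea52/</b2_url>
    <http_auth>0</http_auth>
    <force_web_login>https://mymasonportal.gmu.edu/webapps/Bb-mobile-BB5a30bcf95ea52/customAuthDevice</force_web_login>
    <force_web_login_polling>1</force_web_login_polling>
  </s>
</data>"""

# Constructed sample of the failure body the login call returned in the thread.
NOT_LOGGED_IN_XML = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<mobileresponse status="NOT_LOGGED_IN">'
                     '<![CDATA[Exception BBMErrorCodeException]]></mobileresponse>')


class LoginError(Exception):
    """Raised when Blackboard says the session is not authenticated."""


@dataclass
class College:
    name: str
    b2_url: str
    web_login_url: Optional[str]  # non-empty only when the school forces SSO / web login


def parse_college(xml_text: str) -> College:
    """Read the first <s> record of a college-search reply."""
    s = ET.fromstring(xml_text).find("s")
    if s is None:
        raise ValueError("college-search reply has no <s> record")
    fwl = (s.findtext("force_web_login") or "").strip()
    return College(name=s.findtext("name", ""), b2_url=s.findtext("b2_url", ""),
                   web_login_url=fwl or None)


def needs_web_login(college: College) -> bool:
    """True when password login will not work and a session cookie fallback is needed."""
    return college.web_login_url is not None


def mobile_response_status(xml_text: str) -> Optional[str]:
    """Return the status attribute of a <mobileresponse>, or None for other documents."""
    root = ET.fromstring(xml_text)
    return root.get("status") if root.tag == "mobileresponse" else None


def check_logged_in(xml_text: str) -> ET.Element:
    """Fail closed on NOT_LOGGED_IN instead of letting the course parser crash on an empty list."""
    if mobile_response_status(xml_text) == "NOT_LOGGED_IN":
        raise LoginError("Blackboard replied NOT_LOGGED_IN; password login was rejected")
    return ET.fromstring(xml_text)
```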

ocelotsloth commented 4 years ago

I would expect the answer to be trying to interface with their JSON REST API:

https://developer.blackboard.com/portal/displayApi

I'll take a look tomorrow and see if I can intercept the client_id of their new iOS application. It should be fairly trivial to use their new, well-documented API then.