koltyakov / sp-rest-proxy

🌐 SharePoint API Proxy for local development
MIT License

Cloud App Security (CAS) #94

Closed tarundhillon closed 4 years ago

tarundhillon commented 4 years ago

Hi Andrew,

One of our clients has recently enabled CAS, which in the background redirects the requests to a different URL ending with ...us3.cas.ms; this has blocked our existing dev environment setup using sp-rest-proxy.

I am now getting the error below:

AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

I have tried both SAML (which previously worked) and On-Demand with Electron without much success. Wondering if there are any other workarounds or alternatives?

Thanks, Tarun

koltyakov commented 4 years ago

Hi @tarundhillon,

Not sure that, if CAS policies are applied, you can get around it, as the goal of conditional access is blocking based on conditions.

What I think might work is the Add-In Only auth strategy.
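As an added illustration of the Add-In Only strategy mentioned above (this is not code from the thread or from the sp-rest-proxy project itself): sp-rest-proxy reads its SharePoint auth settings from a private config file, and for Add-In Only that file carries a SharePoint-scoped app principal instead of user credentials. The site URL, client ID and secret below are placeholders; the file location (config/private.json by default) and the strategy and key names are assumed to follow node-sp-auth-config, which sp-rest-proxy relies on for this file.

```json
{
  "siteUrl": "https://contoso.sharepoint.com/sites/dev",
  "strategy": "OnlineAddinOnly",
  "clientId": "00000000-0000-0000-0000-000000000000",
  "clientSecret": "<client secret issued when the add-in was registered>"
}
```

The app principal is registered on the SharePoint site itself (the /_layouts/15/appregnew.aspx page) and granted permissions there (/_layouts/15/appinv.aspx), so no Azure portal access is needed. The proxy then calls SharePoint as that app rather than as the signed-in user, which is exactly why a user-scoped Conditional Access policy may not apply to it. Two caveats for practitioners: the client secret is a bearer credential for every site the principal was granted, so keep the file out of version control and rotate the secret when the dev setup is retired; and in newer tenants this ACS-based app-only authentication is disabled by default and has to be enabled by a tenant admin, so it can be subject to the same IT decision as the CAS policy itself.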

tarundhillon commented 4 years ago

Thanks @koltyakov!! Valid point, and it makes sense.

I was wondering if a semi-manual process, such as copy-pasting an auth code from another login window and using that in sp-rest-proxy to get over CORS, could work?

koltyakov commented 4 years ago

On-Demand auth does exactly that. After authenticating, it takes the auth cookie(s) through Electron and uses them in Node. So semi-manual will end up being the same.

Didn't Add-In Only help?

Azure AD auth can be helpful (ADAL.js), but it's not represented in sp-rest-proxy.

koltyakov commented 4 years ago

Oh, App Password also might work, but most admins disable it, as I have seen.

tarundhillon commented 4 years ago

For the add-in, since I don't have access to the Azure console, I don't have details on the client-id or a way to set up a secret.

Electron triggers an entirely new login flow (ID token - access token). Is there a way to directly pass an access token from another session? Sessions can last some time. Not ideal, but workable, I guess.

Let me try App Password also.

Thanks

koltyakov commented 4 years ago

Add-ins don't require the Azure console; they are SharePoint-scoped. Check the link to the strategy description in my previous message.

There is no existing ad hoc way of passing the FedAuth cookie directly, other than monkey-patching the auth library.

My hopes for your case with CAS are still Add-In Only and App Password.

tarundhillon commented 4 years ago

Thanks for your help @koltyakov

I think my only option is to wait for IT department to make their judgement

Once again, thanks for suggesting options and advice.