Open ehhthing opened 1 year ago
I agree. I'd like to add support for this method of registration. Unfortunately, I don't know how server token auth works or how to use them. Like what does a normal registration process using service token auth look like?
I would love to figure this out, but as of right now I'm not really sure how to intercept requests coming out of the warp service on Linux. Would you be able to shed some light on how you intercepted these requests? Like, is there cert pinning?
Well, I MITM'd the iOS client. The tool I used is called "Quantumult X", but other tools such as mitmproxy can certainly do it as well.
Ah the managed deployment procedure can be found here: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/
@poscat0x04 anything I can help to see if we can figure this out?
It also reads an XML file on the Linux variant -- https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/#linux
To support this, we need to figure out how to make API calls with service tokens, which means we need to reverse engineer the client by MITMing the registration calls. I'm too lazy to do this rn (cause I'd have to learn how to MITM stuff on Linux using mitmproxy etc.) but if anyone figures out the API, I'd be happy to implement it into wgcf-teams.
iOS also supports this. What would be the easiest platform?
IDK how to do MDM on iOS :( I guess either Linux or Windows or macOS is fine.
edit: macOS is kind of problematic
Cloudflare Zero Trust has support for service token auth: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/#authentication-with-service-tokens
This would be really good for deployments with servers and such.