s-KaiNet / node-sp-auth

Unattended SharePoint http authentication with nodejs
MIT License
137 stars, 56 forks

Issue with On Demand Auth #55

Open jeremykirkup opened 6 years ago

jeremykirkup commented 6 years ago

I have an environment where we are using federated login mechanism.

When I run the simple example I get the company's custom login redirect and I assume I get back a valid auth token/cookie from there. However, when I try to read from the site URL supplied I get an error. When I am logged in with the same user credentials I don't have any issue hitting the web URL directly

https://one.abc.net/sites/RIBWiki/_api/web

Then adapting the simple example as follows:

// Imports needed for the snippet to run stand-alone: node-sp-auth issues the
// cookie, request-promise provides the promise-returning request.get used below.
const spauth = require('node-sp-auth');
const request = require('request-promise');

spauth
  .getAuth('https://one.abc.net/sites/RIBWiki/', {
    ondemand: true // interactive login in a browser window (needed for federated sign-in)
  })
  .then(data => {
    let headers = data.headers; // carries the FedAuth cookie returned by the login
    headers['Accept'] = 'application/json;odata=verbose';

    return request.get({
      url: 'https://one.abc.net/sites/RIBWiki/_api/web',
      headers: headers,
      json: true,
      rejectUnauthorized: false // disables TLS certificate validation; only acceptable for a local test
    });
  })
  .then(response => {
    console.log(response.d.Title);
  })
  .catch(err => console.error(err.statusCode, err.message)); // surface the 403 instead of an unhandled rejection

This is the error I get from the simple example code:

Unhandled rejection StatusCodeError: 403 - "{\"error\":{\"code\":\"-2147024891, System.UnauthorizedAccessException\",\"message\":{\"lang\":\"en-US\",\"value\":\"Access denied. You do not have permission to perform this action or access this resource.\"}}}"
    at new StatusCodeError (C:\PS\sppull\node_modules\request-promise-core\lib\errors.js:32:15)
    at Request.plumbing.callback (C:\PS\sppull\node_modules\request-promise-core\lib\plumbing.js:104:33)
    at Request.RP$callback [as _callback] (C:\PS\sppull\node_modules\request-promise-core\lib\plumbing.js:46:31)
    at Request.self.callback (C:\PS\sppull\node_modules\request\request.js:185:22)
    at emitTwo (events.js:126:13)
    at Request.emit (events.js:214:7)
    at Request.<anonymous> (C:\PS\sppull\node_modules\request\request.js:1161:10)
    at emitOne (events.js:116:13)
    at Request.emit (events.js:211:7)
    at IncomingMessage.<anonymous> (C:\PS\sppull\node_modules\request\request.js:1083:12)
    at Object.onceWrapper (events.js:313:30)
    at emitNone (events.js:111:20)
    at IncomingMessage.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1055:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickCallback (internal/process/next_tick.js:180:9)

koltyakov commented 6 years ago

Silly question, but does the user account have the corresponding permissions? Another one: can it be that mixed authentication is used?

s-KaiNet commented 6 years ago

If you console.log(data), does it show valid headers? Could you post it here (truncate for security)?

s-KaiNet commented 6 years ago

If you have multiple auth providers (including forms for example), you could try adding additional header in your code:

// Same snippet with the module imports it needs to run stand-alone.
const spauth = require('node-sp-auth');
const request = require('request-promise');

spauth
  .getAuth('https://one.abc.net/sites/RIBWiki/', {
    ondemand: true
  })
  .then(data => {
    let headers = data.headers;
    headers['Accept'] = 'application/json;odata=verbose';
    headers['x-forms_based_auth_accepted'] = 'f'; // <-- this one: tells SharePoint the client will not accept a redirect to the forms login page
    return request.get({
      url: 'https://one.abc.net/sites/RIBWiki/_api/web',
      headers: headers,
      json: true,
      rejectUnauthorized: false // disables TLS certificate validation; only for local testing
    });
  })
  .then(response => {
    console.log(response.d.Title);
  })
  .catch(err => console.error(err.statusCode, err.message)); // log the failure instead of an unhandled rejection

jeremykirkup commented 6 years ago

Yes I do get a FedAuth header back when I console.log the data

{ headers: { Cookie: 'FedAuth=SENSITIVE_DATA_HERE' } }

Unfortunately, I am not aware of there being any other auth providers (and at this point in time I don't know who the right person is to speak to in order to understand how this instance has been configured).

I will try and find out more information.

I do know that this was actually a special Microsoft cloud-hosted on-premise 2013 instance that was recently migrated to O365.

I can connect with PnP PowerShell but I have to use the -UseWebLogin flag for federated login

Connect-PnPOnline -Url $siteURL -UseWebLogin

I was hoping that the ADFS might work. As part of the corporate SSO, when logging in it uses the Windows domain credentials, and I'm pretty sure that it isn't syncing to Azure AD.

I have sniffed out some of the traffic and there are endpoints like this

https://idpint.abc.com/nidp/wsfed/ep

and strings such as

wtrealm=urn:federation:MicrosoftOnline

I think that this is a 3rd party integration rather than ADFS here.

FYI, I looked at this originally because I wanted to use the SPGo Visual Studio Code add-in. That works OOB with a dev O365 tenant. I pulled it apart and saw that it was using the sppull node package, which in turn calls into node-sp-auth :-)

Microsoft really don't like you embedding credentials these days, it seems.

Many thanks

Jes

jeremykirkup commented 6 years ago

Further to this, the FedAuth header that was returned was a base64-encoded XML fragment similar to the one below (slightly tweaked for security and readability)

<?xml version="1.0" encoding="utf-8"?>

V4,0h.f|membership| 1003bffda228914k@live.com,0#.f| membership|jeremy.kirkup@abc.co.uk, 131818397140000000, 131751632470000000, 131822717222985389, 0.0.0.0,3, 94cfddbc-0627-494a-ad7a-29aea3aea832,, V2!1003BFFDA228913E!13181839714, 6345909e-f065-7000-b201-a74c734dd0d3, 6345909e-f065-7000-b201-a74c734dd0d3, ,0, 131818433222360601, 131820989222360601, OleB6sPE+qDZ+rpTjUmwz/Bnd/03LDREFtHNu6w1sDpCtGZHkP7USLQxFkJWJnXgMVh2Z3psS3rnUSC19bZ1CwTkfw2wdcbEbCZS0keFE9ZOt8tenGVNYlMBSzgRhvOYj0UWWmhOREIa+yvmdj+9RBYLq0jEvccZpVL1VPc2gB3Bnv6Gl6NR2vWXH07SYI8WiqePTq5WdI2nAQbIMH00DdW4KEVoYXenmJFgeFB3ezM05CEWd4I6IXIEAHKaX8N4Y6CWij7IcNZqtEliKJt/eUTwrPGoh0DeGBBvxyejk5Z8Ji8g7QbYDR7RuJB0e47RQw2swHrmVmR9gCyG7uBv6w==