This repository has been archived by the owner on May 13, 2024. It is now read-only.

Add Azure Active Directory Scan with Oauth2 #24

Open
CurlyBytes opened this issue Sep 20, 2020 · 14 comments

@CurlyBytes

Hi, I stumbled upon your article and was amazed at how you customized the scripts (not a Python developer here).

Do you have any example of how to do it for a Single Sign-On scan application? Like using Azure Active Directory, by supplying client id, client password/secret and scope.

Thanks a lot

@fniessink fniessink assigned fniessink and dicksnel and unassigned fniessink Sep 20, 2020
@dicksnel
Contributor

Hi @cocoytech, do you have an example app I can test with?

This should already be supported, you can provide the login URL and the hook will try to login.

@CurlyBytes
Author

This application is using single sign-on, but 2 things matter:

  • It is not a generic login form field; it will be redirected to an authentication server (like Okta, Sailpoint, etc. Currently we are using Azure Active Directory).
  • Even if we could manage to log in with a standard username and password using a script, the login is secured with multi-factor authentication. Therefore, to log in to the application we are not using username and password; instead it will be using tenant Id, Client Id and Client secret, and some of the authentication services even provide scopes on it.

@dicksnel
Contributor

@cocoytech so if I understand it correctly you would like a feature that:

  • User provides OIDC issuer endpoint, Client Id, Client Secret, username and password in arguments
  • Hook fetches a JWT token from OIDC
  • Hook uses this token in the Authorization header and adds it to all ZAP requests

@CurlyBytes
Author

@dicksnel Exactly, thank you for this one sir. It would be valuable to us, a nonprofit organization gearing up for digital transformation.

@JossSparkesAnswer

JossSparkesAnswer commented Sep 24, 2021

@dicksnel I'm aware you're already working on this; I'd just like to second that it would be very useful. I'm currently trying to do the same flow but getting the token from AWS Cognito. Thanks for the work, let me know if you need any testing done and I'd be happy to help.

I will list the curl request that can be used to get the token below if that is useful for you

curl --location --request POST $COGNITOURL \
--header 'x-amz-target: AWSCognitoIdentityProviderService.InitiateAuth' \
--header 'Content-Type: application/x-amz-json-1.1' \
--data-raw '{
    "AuthFlow": "USER_PASSWORD_AUTH",
    "ClientId": "'"$CLIENT_ID"'",
    "AuthParameters": {
        "USERNAME": "'"$USERNAME"'",
        "PASSWORD": "'"$PASSWORD"'"
    },
    "ClientMetadata": {}
}'

@dicksnel
Contributor

@JossSparkesAnswer I think it will get too complex to make a generic implementation for this. I'm thinking you could run the curl command before starting ZAP and then pass the response as a parameter to the docker run command. Then the auth plugin will parse the response and add the token to all requests.

Something like this:

response=$(curl xxx)
docker run ... -z auth_token_response="$response"

Can you post an example response that will be returned by Cognito?

@JossSparkesAnswer

@dicksnel that makes sense; this was what I was trying to achieve originally but could not figure out how to pass the code through. Being able to pass it through would probably solve all the OAuth2 issues. So the full bash command we use is

# Note: "$COGNITOURL" must be double-quoted (single quotes would send the literal string $COGNITOURL)
curl --location --request POST "$COGNITOURL" \
--header 'x-amz-target: AWSCognitoIdentityProviderService.InitiateAuth' \
--header 'Content-Type: application/x-amz-json-1.1' \
--data-raw '{
    "AuthFlow": "USER_PASSWORD_AUTH",
    "ClientId": "'"$CLIENT_ID"'",
    "AuthParameters": {
        "USERNAME": "'"$USERNAME"'",
        "PASSWORD": "'"$PASSWORD"'"
    },
    "ClientMetadata": {}
}' | jq -r '.AuthenticationResult.IdToken'   # -r prints the raw token without the JSON quotes, so no xargs is needed

This spits out just the section after "Bearer" in the auth token e.g.

eyJraxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxx

@dicksnel
Contributor

@JossSparkesAnswer in that case I could add an extra config parameter, for example auth.bearer_token=eyJrxxxx. Using this the authentication module will not attempt to perform authentication but will just force the token on each request. Would that resolve this for you?

@JossSparkesAnswer

@dicksnel yeah, I'm pretty sure that will work perfectly for my instance, thanks.

@dicksnel
Contributor

@JossSparkesAnswer I just added the param auth.bearer_token. Could you give this a try? If you pass it a JWT token (eyJ...) it should force this token as the Authorization: Bearer on all requests.

The Docker image is still building; when it is done you can pull it: https://hub.docker.com/r/ictu/zap2docker-weekly/tags?page=1&ordering=last_updated
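The token flow dicksnel listed earlier (OIDC issuer, client id/secret, username and password in, JWT out) together with the "force the token on every request" behaviour of auth.bearer_token, as an added example that is not this repository's code: the names fetch_token, token_is_live, bearer_rule and unsigned_jwt are mine, the identity provider is assumed to publish a standard OIDC discovery document, and the last function only builds the keyword arguments for the replacer add_rule call of the python-owasp-zap-v2.4 client, which rewrites the Authorization header on every request ZAP sends, not only on the target URL.

```python
import base64, json, time
import urllib.parse, urllib.request

def _post_form(url, form):
    """POST a form-encoded body and return the parsed JSON response."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())

def _get_json(url):
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read())

def fetch_token(issuer, client_id, client_secret, username, password,
                scope="openid", get=_get_json, post=_post_form):
    """Resolve the token endpoint from the issuer's OIDC discovery document and
    run the resource-owner password grant; returns the raw token response.
    get/post are injectable so the flow can be exercised without a network."""
    conf = get(issuer.rstrip("/") + "/.well-known/openid-configuration")
    form = {"grant_type": "password", "client_id": client_id,
            "client_secret": client_secret, "username": username,
            "password": password, "scope": scope}
    return post(conf["token_endpoint"], form)

def jwt_claims(token):
    """Decode the JWT payload without verifying the signature: the scanner is
    the client, not the resource server, so claims are only sanity-checked."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def token_is_live(token, now=None):
    """False when the token has no exp claim or is already expired; the caller
    should abort rather than run a scan that silently falls back to anonymous."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    return exp is not None and exp > now

def bearer_rule(token):
    """Keyword arguments for ZAP's replacer add_rule: with no initiators set,
    the rule applies to every request ZAP originates (spider, scanner, proxy)."""
    return {"description": "forced bearer token", "enabled": "true",
            "matchtype": "REQ_HEADER", "matchregex": "false",
            "matchstring": "Authorization", "replacement": "Bearer " + token}

def unsigned_jwt(claims):
    """Build an unsigned (alg=none) JWT; for constructed sample input only."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return enc(b'{"alg":"none"}') + "." + enc(json.dumps(claims).encode()) + "."
```

With a real ZAP instance the rule is applied as zap.replacer.add_rule(**bearer_rule(token)) once token_is_live(token) holds.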

@JossSparkesAnswer

@dicksnel Thanks for the quick work!

It seems not to be working atm here. It is a little hard to debug, but I think I may have a guess at the issue.

Our webpage is very dumb and the API in the back does all the work. So I pointed the target to the frontend, e.g. "-t https://{url}/projects", and I presume the authorization header gets added there, which is fine, but it doesn't actually authorize anything.

Typically the API is then called, which needs the authorization header, e.g. {apiURL}/project. I have included this in my auth.include with the base URL and a wildcard after it, but I wonder whether the authorization header is only being added to the target or to all requests?

@dicksnel
Contributor

@JossSparkesAnswer auth.include was intended for this, but maybe there is a bug. I will try to set up a test environment and discover why it is not working.

@JossSparkesAnswer

@dicksnel let me know if there is anything more I could do. I can send you debug logs; I would just have to remove all sensitive data.

@erno1978
Contributor

Hello @JossSparkesAnswer / @CurlyBytes, we are currently reviewing whether there's still a use case for this repository, because in the meantime ZAP seems to have included the same functionality. Do you (still) have a specific reason to use this repository instead of the "original ZAP"?

Sorry this answer took 2.5 years, but there's been a small shift in people working on this repository. :-)
