This script can automatically retrieve OAuth2 grants (JSON Web Tokens (JWT)) from an Active Directory Federation Services (ADFS) server. These tokens subsequently can be automatically copied to the clipboard, or used in other tools. Very handy for automating retrieval of short-lived tokens.
The script can also 'brute-force' API endpoints, when passed a list of possible URLs. This might come in handy if you want to 'prefeed' the API endpoints that need authentication to your favourite proxy tool, e.g. Burp Suite or OWASP ZAP. By default it does a GET, POST, PUT and DELETE, with static values.
pip install {jwt,requests,pyperclip}
Grab a token from an endpoint (automatically logs in, receives a login cookie, requests an authorization token, and converts that to an authorization token for the requested application):
./apiborker.py --adfs-login="https://my.login.server/authorize" --adfs-code="https://my.login.server/authorize" --adfs-token="https://my.login.server/authorize" --resource="https://api.endpoint/authorize" --client-id=X-Y-Z --redirect-uri="X-Y-X" --username="USERNAME" --password="PASSWORD"
Re-use the login cookie (which usually has a longer expiry than codes), grab a token, and test some API calls contained in endpoints.txt:
./apiborker.py --cookie=COOKIE --adfs-code="https://my.login.server/authorize" --adfs-token="https://my.login.server/authorize" --resource="https://api.endpoint/authorize" --client-id=X-Y-Z --redirect-uri="X-Y-X" --username="USERNAME" --password="PASSWORD" --inputfile=endpoints.txt"
usage: apiborker.py [-h] [--adfs-code ADFS_CODE] [--adfs-token ADFS_TOKEN]
[--adfs-login ADFS_LOGIN] [--client-id CLIENT_ID]
[--clipboard] [--code CODE] [--cookie COOKIE]
[-i INPUTFILE] [--password PASSWORD]
[--redirect-uri REDIRECT_URI] [--resource RESOURCE]
[-t TOKEN] [-u URL] [--username USERNAME] [-v]
Retrieves JWT tokens and tests API requests
Copyright (C) 2016 Peter Mosmans [Radically Open Security]
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
optional arguments:
-h, --help show this help message and exit
--adfs-code ADFS_CODE
the authorization code URL
--adfs-token ADFS_TOKEN
the authorization token URL
--adfs-login ADFS_LOGIN
the ADFS login URL
--client-id CLIENT_ID
the client ID for ADFS
--clipboard copy the token as header to the clipboard
--code CODE the authorization code
--cookie COOKIE a valid ADFS (MSISauth) login cookie
-i INPUTFILE, --inputfile INPUTFILE
a file containing API endpoints
--password PASSWORD the password for login
--redirect-uri REDIRECT_URI
the redirect URI for ADFS
--resource RESOURCE the resource to request access to
-t TOKEN, --token TOKEN
the complete token in base64 encoded format
-u URL, --url URL the base URL for requests
--username USERNAME the username for login
-v, --verbose be more verbose
Script to perform various tests on an OAuth 2.0 implementation.
Currently only the conversion from code to token is supported.
usage: oauth2-tester.py [-h] [--debug] [-v] [--client-id CLIENT_ID]
[--redirect-uri REDIRECT_URI]
[--response-type RESPONSE_TYPE] [--scope SCOPE]
[--cookie COOKIE] [--code CODE] [--code-to-token]
[--token] [--token-name TOKEN_NAME] [--server URL]
[--resource URL] [--validate-token HTTP_STATUS_CODE]
[--proxy PROXY] [--verify]
oauth2-tester version 0.1 - Test script for OAuth 2.0 framework
Copyright (C) 2017 Peter Mosmans [Radically Open Security]
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
optional arguments:
-h, --help show this help message and exit
--debug Show debug information
-v, --verbose Be more verbose
--client-id CLIENT_ID
OAuth 2.0 client_id parameter
--redirect-uri REDIRECT_URI
OAuth 2.0 redirect_uri parameter
--response-type RESPONSE_TYPE
OAuth 2.0 response_type parameter
--scope SCOPE OAuth 2.0 comma separated scope parameter
--cookie COOKIE Cookie to send with the request(s)
--code CODE OAuth 2.0 code
--code-to-token Convert code to token
--token OAuth 2.0 token
--token-name TOKEN_NAME
OAuth 2.0 token name (default: token)
--server URL The authorization server endpoint
--resource URL The resource server endpoint
--validate-token HTTP_STATUS_CODE
Validate token against resource server
--proxy PROXY Proxy server
--verify Validate SSL x.509 certificate
Feedback always welcome. Enjoy!