
Create detector for Azure refresh tokens #2978

Merged (1 commit, Feb 2, 2025)

Conversation

@rgmz (Contributor) commented Jun 16, 2024

Description:

(This should only be merged after #2985.)

Azure refresh tokens are long-lived opaque tokens returned alongside access tokens [1]. They can remain valid for an indefinite period, and can be used to generate a new valid access token on behalf of the subject.

This detector can be tested by obtaining a live refresh token. I like using ROADtools:

```console
# Obtain a token for Microsoft Office
# https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in
$ roadrecon auth --device-code -c d3590ed6-52b3-4102-aeff-aad2292ab01c -r msgraph
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ABCDEFG123 to authenticate.
Tokens were written to .roadtools_auth
```

This detector only works with refresh tokens created for public clients. If a client is confidential, the required tenant, id, and secret should trigger the service principal detector.

Checklist:

Footnotes

  1. https://learn.microsoft.com/en-us/azure/energy-data-services/how-to-generate-auth-token#get-an-auth-token-and-a-refresh-token

@rgmz rgmz requested review from a team as code owners June 16, 2024 23:33
@rgmz rgmz force-pushed the feat/azure-tokens branch 4 times, most recently from 502c15c to 8ccea30 Compare June 17, 2024 23:11
@rgmz rgmz mentioned this pull request Jun 18, 2024
2 tasks
@rgmz rgmz force-pushed the feat/azure-tokens branch from 8ccea30 to 75185d9 Compare June 21, 2024 02:56
@rgmz rgmz force-pushed the feat/azure-tokens branch 2 times, most recently from 1991146 to e0d92e6 Compare July 1, 2024 18:39
@rgmz rgmz force-pushed the feat/azure-tokens branch from e0d92e6 to f364ca6 Compare November 3, 2024 15:48
@rgmz rgmz requested a review from a team as a code owner November 3, 2024 15:48
@rgmz rgmz force-pushed the feat/azure-tokens branch 2 times, most recently from 54caf4c to 037c374 Compare November 11, 2024 19:23
@rgmz rgmz force-pushed the feat/azure-tokens branch from 037c374 to 339bb6b Compare November 20, 2024 14:09
@rgmz rgmz requested a review from a team as a code owner November 20, 2024 14:09
@rgmz rgmz force-pushed the feat/azure-tokens branch 3 times, most recently from c15da95 to e0521fe Compare November 20, 2024 23:00
Review comment by @rgmz (Contributor, Author) on pkg/detectors/azure_entra/refreshtoken/refreshtoken.go (outdated, resolved):

```go
func (Scanner) MaxSecretSize() int64 { return 2048 }

func (Scanner) StartOffset() int64 { return 4096 }
```

@ahrav In this case the token can be quite long (1000+) and the other fields can be either before or after it. What's the correct way to look +/- ~1024 on either side?

@rgmz rgmz force-pushed the feat/azure-tokens branch 2 times, most recently from 3df9330 to 97deeb7 Compare November 27, 2024 00:24
@rgmz rgmz force-pushed the feat/azure-tokens branch from 97deeb7 to 1562bfb Compare December 2, 2024 13:28
@ankushgoel27 (Contributor) commented:

The refresh token doesn't always start with 0.A; it could be 1.A.
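The following is an added example, not TruffleHog's detector code and not code from anyone in this thread. It pulls together the points raised above: the PR description (tokens are long, opaque, and paired with a tenant and client ID for public clients), the review question about looking roughly 1024 bytes on either side of a token for those other fields, and the comment that the prefix may be `0.A` or `1.A`. The `MaxSecretSize` value of 2048 is taken from the review excerpt. Everything else is assumed for illustration: the base64url-like character class, the minimum body length of 200, the `FindCandidates`/`nearbyGUIDs` names, and the constructed sample input (the token bodies are filler, and the tenant GUID is made up; the client ID is the Microsoft Office ID from the PR description).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Illustrative refresh-token detector written for this discussion; it is not
// TruffleHog's own detector code. Facts taken from the thread: the tokens are
// long opaque strings (often 1000+ characters), they start with "0.A" or "1.A",
// the detector caps a secret at 2048 bytes, and the tenant/client IDs that go
// with the token may sit before or after it. Assumptions (not from the thread):
// the token body is base64url-like, and a body shorter than 200 characters is
// not worth reporting.
const (
	minTokenBody  = 200  // assumption: reject short look-alikes
	maxSecretSize = 2048 // matches MaxSecretSize from the review excerpt
	contextRadius = 1024 // bytes to inspect on either side of a token for IDs
)

var (
	refreshTokenRe = regexp.MustCompile(fmt.Sprintf(`\b[01]\.A[A-Za-z0-9_-]{%d,}`, minTokenBody))
	guidRe         = regexp.MustCompile(`(?i)\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b`)
)

// Candidate is one possible refresh token plus the GUIDs (tenant / client IDs)
// found near it.
type Candidate struct {
	Token string
	Start int      // byte offset of the token in the scanned data
	IDs   []string // lower-cased GUIDs within contextRadius bytes, excluding the token itself
}

// FindCandidates scans data for refresh-token shaped strings and collects the
// GUIDs that appear within contextRadius bytes before or after each one.
func FindCandidates(data []byte) []Candidate {
	var out []Candidate
	for _, loc := range refreshTokenRe.FindAllIndex(data, -1) {
		start, matchEnd := loc[0], loc[1]
		end := matchEnd
		if end-start > maxSecretSize {
			end = start + maxSecretSize // honour the detector's secret size cap
		}
		out = append(out, Candidate{
			Token: string(data[start:end]),
			Start: start,
			// Search around the full match so a capped token's tail is not rescanned as context.
			IDs: nearbyGUIDs(data, start, matchEnd),
		})
	}
	return out
}

// nearbyGUIDs looks contextRadius bytes before start and after end, skipping
// the token's own bytes so a hyphenated token body cannot masquerade as a GUID.
func nearbyGUIDs(data []byte, start, end int) []string {
	lo := start - contextRadius
	if lo < 0 {
		lo = 0
	}
	hi := end + contextRadius
	if hi > len(data) {
		hi = len(data)
	}
	seen := map[string]bool{}
	var ids []string
	for _, region := range [][]byte{data[lo:start], data[end:hi]} {
		for _, m := range guidRe.FindAll(region, -1) {
			id := strings.ToLower(string(m))
			if !seen[id] {
				seen[id] = true
				ids = append(ids, id)
			}
		}
	}
	return ids
}

// sampleInput is a constructed config dump: a made-up tenant ID before a "0.A"
// token, the Microsoft Office client ID from the PR description after it, and a
// second token using the "1.A" prefix. The token bodies are filler, not real tokens.
func sampleInput() []byte {
	token0 := "0.A" + strings.Repeat("x", 1200)
	token1 := "1.A" + strings.Repeat("y", 600)
	return []byte("tenant=11111111-2222-3333-4444-555555555555\n" +
		"refresh_token=" + token0 + "\n" +
		"client_id=D3590ED6-52B3-4102-AEFF-AAD2292AB01C\n" +
		"other=" + token1 + "\n")
}

func main() {
	for _, c := range FindCandidates(sampleInput()) {
		fmt.Printf("offset %d: %s... (%d bytes) ids=%v\n", c.Start, c.Token[:12], len(c.Token), c.IDs)
	}
}
```

The context window is searched in two pieces, before the token and after it, so the token's own bytes are never treated as context; that is the practical answer to the "either before or after" question, independent of how the real detector's `StartOffset` is wired up. Only the token prefix and length are checked here; a real detector would still need to confirm the candidate against the token endpoint before reporting it as verified.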

@rgmz rgmz force-pushed the feat/azure-tokens branch 6 times, most recently from 7d90dba to 946a07a Compare December 15, 2024 16:35
@rgmz rgmz force-pushed the feat/azure-tokens branch 3 times, most recently from 6c5d0b8 to 11bab1d Compare December 25, 2024 19:30
@rgmz rgmz force-pushed the feat/azure-tokens branch from 11bab1d to 6122116 Compare December 31, 2024 15:20
@rgmz rgmz force-pushed the feat/azure-tokens branch from 6122116 to de1c4cf Compare January 11, 2025 19:01
@rgmz rgmz force-pushed the feat/azure-tokens branch 2 times, most recently from 6dd68f4 to ed7179c Compare January 27, 2025 14:10
@rgmz rgmz force-pushed the feat/azure-tokens branch from ed7179c to a87c001 Compare January 29, 2025 02:22
@rgmz rgmz force-pushed the feat/azure-tokens branch from a87c001 to 934b13f Compare February 2, 2025 17:30
@ahrav ahrav merged commit 1f33957 into trufflesecurity:main Feb 2, 2025
13 checks passed
@rgmz rgmz deleted the feat/azure-tokens branch February 2, 2025 18:29