
My organisation is using Vouch Proxy to protect a subdomain. I'd like to be able to use something like an OAuth token to log in, similar to the below.

I'm hoping that someone can use the link above to point me in the right direction.

Is there a way to create and retain a cookie in order to make UrlFetchApp requests?

GAS:

```javascript
var token = ScriptApp.getOAuthToken();
var header = {"Authorization": "Bearer " + token};

var options = {
  "method": "GET",
  "headers": header,
  "muteHttpExceptions": true
};

var url = 'url';

var response = UrlFetchApp.fetch(url, options);

Logger.log(response.getResponseCode()); // returns 200
Logger.log(response.getContentText()); // returns 'sign in with Google' HTML
```

EDIT

The following also returns the 'sign in with Google' HTML.

```javascript
function fetchUrlWithCookie() {
  var url = 'https://vouch.oursites.com/login?url=https://private.oursites.com';
  var response = UrlFetchApp.fetch(url, {
    muteHttpExceptions: true,
    followRedirects: false,
    headers: {"Authorization": "Bearer " + ScriptApp.getOAuthToken()}
  });
  var cookie = response.getAllHeaders()['Set-Cookie']; // Get cookie from header
  response = UrlFetchApp.fetch(url, {
    muteHttpExceptions: true,
    followRedirects: true,
    headers: {
      Cookie: cookie, // send the cookie we got as header
    },
  });
  Logger.log(response.getContentText());
}
```

I have also tried using basic auth with a less secure app password, with the same result.

TheMaster
redditor
  • Cookie is just a header. You can send any cookie as a header. See https://stackoverflow.com/questions/53660031 – TheMaster Oct 04 '21 at 13:26
  • @TheMaster I have edited my question with a code snippet. Perhaps I am not understanding how to effectively get the right detail in order to authenticate. – redditor Oct 04 '21 at 13:47
  • It's not a copy-paste job. You need to understand what each line does & what Vouch Proxy does at each step. Having said that, on a preliminary skim, using browser OAuth against Vouch Proxy using [this library](https://github.com/googleworkspace/apps-script-oauth2) seems to be the likely way to get to the resource. Still, I can't find a way to access cookies from the "callback". Alternatively, you can try to recreate each step in their Vouch Proxy flow manually. Maybe create an issue in their GitHub. [This issue](https://github.com/vouch/vouch-proxy/issues/362#issuecomment-780658345) seems relevant. – TheMaster Oct 04 '21 at 14:35
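
Added example, not part of the original posts: the "Cookie is just a header" point from the comments above, as a small cookie jar that turns the `Set-Cookie` value(s) returned by `getAllHeaders()` into a single `Cookie` request header. It covers only the cookie handling and does not by itself complete the Vouch Proxy login flow; the function names and the sample cookie names and values are constructed for illustration.

```javascript
// Added example. Cookie names and values below are constructed.
// Parse one Set-Cookie line into { name, value, attrs }, or null if it has no name.
function parseSetCookie(line) {
  const parts = String(line).split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  if (eq < 1) return null;
  const attrs = {};
  for (const p of parts) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name: first.slice(0, eq).trim(), value: first.slice(eq + 1).trim(), attrs };
}

// Merge Set-Cookie value(s) into a jar (object: name -> value).
// setCookie is what getAllHeaders()['Set-Cookie'] yields: undefined, one string,
// or an array when the response set several cookies.
// The jar ignores Domain/Path scoping, so keep one jar per host and do not
// send it to any other origin.
function updateJar(jar, setCookie) {
  const lines = setCookie == null ? [] : [].concat(setCookie);
  for (const line of lines) {
    const c = parseSetCookie(line);
    if (!c) continue;
    const maxAge = c.attrs['max-age'];
    const expired = (maxAge !== undefined && Number(maxAge) <= 0) ||
      (typeof c.attrs.expires === 'string' && Date.parse(c.attrs.expires) <= Date.now());
    if (expired) delete jar[c.name]; else jar[c.name] = c.value;
  }
  return jar;
}

// Serialize the jar as the value of a Cookie request header (name=value pairs only).
function cookieHeader(jar) {
  return Object.keys(jar).map((n) => n + '=' + jar[n]).join('; ');
}

// Constructed sample: two hops of a redirect chain fetched with followRedirects: false.
const SAMPLE_HOP1 = ['exampleSession=abc123; Path=/; HttpOnly; Secure', 'pref=en; Path=/'];
const SAMPLE_HOP2 = 'exampleSession=deleted; Max-Age=0; Path=/';

// In Apps Script the calls would be:
//   updateJar(jar, response.getAllHeaders()['Set-Cookie']);
//   UrlFetchApp.fetch(nextUrl, { headers: { Cookie: cookieHeader(jar) }, followRedirects: false });
```

Passing the raw `Set-Cookie` value straight back as `Cookie`, as in the second snippet of the question, also sends attributes such as `Path` and `HttpOnly`, and breaks when the value is an array.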

1 Answer


Vouch Proxy dev here

I don't have enough Karma here to comment but I wanted to offer that this is a GitHub issue on the VP repo...

https://github.com/vouch/vouch-proxy/issues/432

We're close to finding a solution but are still gathering additional information.

bnf
  • `After the user authenticates with the IdP (with username and password or otherwise) the user is forwarded back to VP at which point VP issues its own token.` What exactly does VP look for to know that the user has logged in to Google (IdP)? If it's cookies we may be able to emulate authenticated Google cookies with fetch from the server side. – TheMaster Oct 09 '21 at 06:45
  • VP hands off the Authn session to the IdP via the standard OAuth/OIDC flow which hinges on a nonce called the `state` variable. After successfully logging in at the IdP (Google) the user is forwarded back to VP with the `state` and a `code` that can be used to exchange for a full token. https://www.oauth.com/oauth2-servers/accessing-data/obtaining-an-access-token/ – bnf Oct 10 '21 at 07:39
  • So, if we somehow intercept `code` and `state`, we can get the JWT cookie from VP, right? Or are there any other security checks like checking `origin`? I guess I'm asking whether OP can intercept the OAuth flow, seeing as they have the required Google credentials. – TheMaster Oct 10 '21 at 09:07
  • [Identity token](https://developers.google.com/identity/sign-in/web/backend-auth) seems to be the most official way to do this. Do you support, or do you have any plans to support, identity tokens? – TheMaster Oct 19 '21 at 10:04
  • @TheMaster VP has no support for Google's Identity Token and it is not on any roadmap. – bnf Oct 20 '21 at 20:31