FalconPy gives 401 while using bearer token after Oauth2 auth.

[devkigauravpal]

Describe the bug
Unable to use Falconpy after successful authentication and getting bearer token
To Reproduce
Step 1 successfully generates token

authorization = FalconAuth.OAuth2(creds={
     'client_id': falcon_client_id,
     'client_secret': falcon_client_secret
})
try:
     token = authorization.token()['body']['access_token']
except:
     token = False
print("\n\n\n Token ==> " + token)

Step 2:

if token:
    falcon = FalconDetects.Detects(access_token=token)

    PARAMS = {
        'offset': 5,
        'limit': 5,
        'sort': 'max_severity|asc',
        'filter': '*',
        'q': ''
    }

    response = falcon.QueryDetects(parameters=PARAMS)
    print(response)

This returns 401

{'status_code': 401, 'headers': {'Server': 'nginx', 'Date': 'Thu, 15 Apr 2021 13:39:10 GMT', 'Content-Type': 'application/json', 'Content-Length': '232', 'Connection': 'keep-alive', 'X-Content-Type-Options': 'nosniff', 'X-Ratelimit-Limit': '15', 'X-Ratelimit-Remaining': '14', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'}, 'body': {'meta': {'query_time': 1.27e-07, 'powered_by': 'crowdstrike-api-gateway', 'trace_id': '6b25ea5a-8389-4cdc-a20a-b2cb55b649d0'}, 'errors': [{'code': 401, 'message': 'access denied, invalid bearer token'}]}}

My API key has all read permission and write permission for Detection module. This thing works with CURL.
Expected behavior
It should be able to use same bearer token for all subsequent requests.
Environment (please complete the following information):

• OS: Mac OS catalina
• Python 3.7.0

[jshcodes]

Hi @devkigauravpal !

I'm working on trying to recreate this. In the interim, can you tell me if this occurs when you authenticate using credential authentication?

from falconpy import detects as FalconDetects

falcon = FalconDetects.Detects(creds={
     'client_id': falcon_client_id,
     'client_secret': falcon_client_secret
})

response = falcon.QueryDetects()
print(response)

[devkigauravpal]

Yes this works fine I get a long string as token.

[jshcodes]

Yes this works fine I get a long string as token.

Interesting. Credential authentication abstracts the token entirely. It will auto-refresh for you as well, so this might be easier for your code and gets you moving forward.

Meanwhile I'm going to investigate legacy authentication to see if there is something there. Would you be willing to pass me your non-working code (please sanitize any keys, etc.) so I can test it out from here?

[devkigauravpal]

I am using us-2 cluster hopefully it is not redirecting to default endpoint. I observed in Web UI/console this this broken at several places. So I click link it redirects me to default cluster and I get authentication prompt. Once I edit the URL and add us-2 to the URL it works. Might be the same issue with internal API calls by SDK.

[jshcodes]

That's a good point. I don't see a base_url specified in your code above. Are you passing the US-2 base URL to the Service Classes when you instantiate them?

from falconpy import detects as FalconDetects

falcon = FalconDetects.Detects(creds={
     'client_id': falcon_client_id,
     'client_secret': falcon_client_secret
}, base_url="https://api.us-2.crowdstrike.com")

response = falcon.QueryDetects()
print(response)

If you're using legacy authentication you'll need to make sure and use the base_url parameter when you create the OAuth2 object as well as the Detects object.

[devkigauravpal]

Ohh yeah I just tried that too

authorization = FalconAuth.OAuth2(creds={
     'client_id': falcon_client_id,
     'client_secret': falcon_client_secret
},base_url="https://api.us-2.crowdstrike.com")
try:
     token = authorization.token()['body']['access_token']
except:
     token = False
print("\n\n\n Token ==> " + token)

if token:
    falcon = FalconDetects.Detects(access_token=token,base_url="https://api.us-2.crowdstrike.com")
    PARAMS = {
        'offset': 5,
        'limit': 5,
        'sort': 'max_severity|asc',
        'filter': '*',
        'q': ''
    }
    response = falcon.QueryDetects(parameters=PARAMS)
    print(response)

Got response

Token ==> <redacted>dWQiOltdLCJjbGllbnRfaWQiOiIwZWFmOTNjMjJiNTc0YzVlYWFjMDVkZDA0ZDQxNTI1ZiIsImV4cCI6MTYxODU<redacted>
{'status_code': 400, 'headers': {'Server': 'nginx', 'Date': 'Fri, 16 Apr 2021 02:43:47 GMT', 'Content-Type': 'application/json', 'Content-Length': '171', 'Connection': 'keep-alive', 'Content-Encoding': 'gzip', 'Strict-Transport-Security': 'max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains', 'X-Cs-Region': 'us-2', 'X-Cs-Traceid': 'b6e426a3-069b-4f6b-8544-bc4f5ab69332', 'X-Ratelimit-Limit': '6000', 'X-Ratelimit-Remaining': '5999'}, 'body': {'meta': {'query_time': 0.000380623, 'powered_by': 'msa-api', 'trace_id': 'b6e426a3-069b-4f6b-8544-bc4f5ab69332'}, 'resources': [], 'errors': [{'code': 400, 'message': 'Invalid argument'}]}}

this time region is enforced X-Cs-Region': 'us-2'

[jshcodes]

This error is different. It's not complaining about your token being invalid, it's a 400: "Invalid argument", so I think the region issue is resolved with your specifying base_url.

I think this error is about the parameter dictionary payload.

Can you try this code instead?

authorization = FalconAuth.OAuth2(creds={
     'client_id': falcon_client_id,
     'client_secret': falcon_client_secret
},base_url="https://api.us-2.crowdstrike.com")
try:
     token = authorization.token()['body']['access_token']
except:
     token = False
print("\n\n\n Token ==> " + token)

if token:
    falcon = FalconDetects.Detects(access_token=token,base_url="https://api.us-2.crowdstrike.com")
    PARAMS = {
        'offset': 5,
        'limit': 5,
        'sort': 'max_severity.asc'
    }
    response = falcon.QueryDetects(parameters=PARAMS)
    print(response)

[devkigauravpal]

Ohh yeah, That gets me 200 OK.
Thanks this helps.
So to conclude the solution is when we instantiate the classes we have to explicitly pass base-url parameter. Right?

[jshcodes]

Ohh yeah, That gets me 200 OK.
Thanks this helps.
So to conclude the solution is when we instantiate the classes we have to explicitly pass base-url parameter. Right?

Correct. If you are using a Service Class on a CrowdStrike cloud that is not US-1, you need to specify the base_url.

To make things easier, you can also use credential or object authentication. This will allow you to only have to specify the base_url the one time.

Credential authentication

If you use this method, you can get by with only having to specify base_url the one time as you don't need to create an instance of the OAuth2 Service Class.

falcon = FalconDetects.Detects(creds={
     'client_id': falcon_client_id,
     'client_secret': falcon_client_secret
},base_url="https://api.us-2.crowdstrike.com")

Object authentication

Using this method creates the authorization object the one time, with the correct value for base_url. This value is then passed along to the Service Class with the authorization object.

authorization = FalconAuth.OAuth2(creds={
     'client_id': falcon_client_id,
     'client_secret': falcon_client_secret
},base_url="https://api.us-2.crowdstrike.com")

falcon = FalconDetects.Detects(auth_object=authorization)

[jshcodes]

Moving this conversation over to Discussions. 😄