
Invalid characters in password: Authentication fails with AADSTS90023: Invalid STS request #320

Closed
andreas-j-hauser opened this issue Feb 9, 2021 · 0 comments


andreas-j-hauser commented Feb 9, 2021

If I use the package to log in to my company's tenant on the cloud SharePoint, I get the error AADSTS90023: Invalid STS request. If I repeat the login request with a dummy password like topsecret, I get the message: AADSTS50126: Error validating credentials due to invalid username or password.

I use version 2.3.1 of the Office365-REST-Python-Client and Python version 3.8.1.

My test code:

from office365.runtime.auth.user_credential import UserCredential
from office365.sharepoint.client_context import ClientContext
import secret

tenant = 'foo-company'
username = '[email protected]'
password = 'password-&\'"<>'
site_url = f'https://{tenant}.sharepoint.com'

ctx = ClientContext(site_url).with_credentials(UserCredential(username, password))
web = ctx.web
ctx.load(web)
ctx.execute_query()
print("Web title: {0}".format(web.properties['Title']))

Reason

I debugged the module code and found out that reserved XML characters in the password are not escaped before they are built into the XML data sent to request an access token.

Payload sent to https://login.microsoftonline.com/extSTS.srf in the function _acquire_service_token():

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
      ....
      <o:UsernameToken>
        <o:Username>[email protected]</o:Username>
        <o:Password>password&'"<></o:Password>
      </o:UsernameToken>
      ...

I would expect:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
      ....
      <o:UsernameToken>
        <o:Username>[email protected]</o:Username>
        <o:Password>password&amp;&apos;&quot;&lt;&gt;</o:Password>
      </o:UsernameToken>
      ...

Workaround

Escape the username/password before calling with_credentials(). I found out that the function xml_escape(s_val) only escapes four of the five characters.

Solution

Make two fixes in the file saml_token_provider.py:

  • Escape XML characters in the username and password before they are built into the SAML.xml template
  • Add the character ' to the function xml_escape() so that it processes all five reserved XML characters
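The following is an added example, not code from the issue or from Office365-REST-Python-Client, showing why the unescaped payload above is rejected and what the fix described in the issue achieves. It builds a minimal UsernameToken fragment (the `o:` namespace URI is assumed to be the standard WS-Security secext namespace; the library's real template is not reproduced here), escapes all five reserved XML characters with a hypothetical helper `xml_escape_all` (not the library's `xml_escape`), and checks that the escaped fragment is well-formed and that the password survives the round trip unchanged.

```python
import xml.sax.saxutils as saxutils
import xml.etree.ElementTree as ET

# Assumed namespace for the o: prefix (standard WS-Security secext 1.0).
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# saxutils.escape always handles & < >; this extra table adds the two
# quote characters, including the apostrophe the issue reports as missing.
_EXTRA_ENTITIES = {"'": "&apos;", '"': "&quot;"}


def xml_escape_all(value: str) -> str:
    """Hypothetical helper: escape all five reserved XML characters."""
    return saxutils.escape(value, _EXTRA_ENTITIES)


def build_username_token(username: str, password: str, escape: bool = True) -> str:
    """Build a minimal UsernameToken fragment, optionally escaping credentials.

    escape=False reproduces the defect from the issue: credentials are pasted
    into the template as raw text, so reserved characters corrupt the XML.
    """
    if escape:
        username = xml_escape_all(username)
        password = xml_escape_all(password)
    return (
        f'<o:UsernameToken xmlns:o="{WSSE_NS}">'
        f"<o:Username>{username}</o:Username>"
        f"<o:Password>{password}</o:Password>"
        "</o:UsernameToken>"
    )


def extract_password(token_xml: str):
    """Parse the fragment the way a receiving STS would have to.

    Returns the password text content, or None if the fragment is not
    well-formed XML (which is what leads to an 'Invalid STS request').
    """
    try:
        root = ET.fromstring(token_xml)
    except ET.ParseError:
        return None
    node = root.find(f"{{{WSSE_NS}}}Password")
    return None if node is None else node.text


if __name__ == "__main__":
    # Constructed sample credentials mirroring the issue's test password.
    user = "[email protected]"
    pw = "password-&'\"<>"

    print("unescaped parses as:", extract_password(build_username_token(user, pw, escape=False)))
    print("escaped parses as:  ", extract_password(build_username_token(user, pw, escape=True)))
```

With escaping off, `ET.fromstring` raises `ParseError` on the bare `&'` sequence, so no password is recovered; with escaping on, the fragment is well-formed and the password parses back to exactly the original string. Escaping at the point where user-supplied values enter the template is the right fix rather than asking callers to pre-escape, because a credential is data, never markup.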