Capturing authentication traffic using cirrus‐scope - himmelblau-idm/himmelblau GitHub Wiki

Capturing OAuth2 traffic when authenticating to Azure Entra ID is essential for debugging and resolving issues in the libhimmelblau library. By inspecting the detailed HTTP requests and responses exchanged during the authentication process, developers can identify discrepancies, such as malformed requests, unexpected status codes, or incorrect parameters. This comprehensive view helps pinpoint where errors occur, enabling targeted fixes and enhancements to improve the reliability and functionality of Himmelblau, ultimately leading to smoother integrations and user experiences.

This guide walks you through how to capture and inspect authentication traffic using the cirrus-scope diagnostic tool along with mitmproxy.

Step-by-Step Instructions

  1. Download cirrus-scope:

    Prebuilt binaries are available from the official Himmelblau downloads page:

    👉 https://himmelblau-idm.org/downloads.html

  2. Download mitmproxy:

    Download mitmproxy from their website, and extract the binaries.

    tar -xf mitmproxy-11.0.0-linux-x86_64.tar.gz

  3. Start mitmweb:

    Run the following command to start mitmweb:

    ./mitmweb

    This starts mitmweb and opens a web interface for monitoring HTTP and HTTPS traffic.

  4. Install the mitmproxy CA Certificate:

    On Ubuntu,

    sudo cp $HOME/.mitmproxy/mitmproxy-ca-cert.pem /usr/local/share/ca-certificates/mitmproxy.crt
sudo update-ca-certificates

    Or on Fedora,

    sudo cp $HOME/.mitmproxy/mitmproxy-ca-cert.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

    Or on openSUSE Leap,

    sudo cp $HOME/.mitmproxy/mitmproxy-ca-cert.pem /usr/share/pki/trust/anchors/mitmproxy.crt
sudo update-ca-certificates

  5. Access the Web Interface:

    Open your web browser and go to:

    http://127.0.0.1:8081/

    You should see the mitmweb dashboard for viewing captured traffic.

  6. Run cirrus-scope with Proxy Enabled:

    Run the desired test command from cirrus-scope, routing its traffic through mitmproxy by setting the HTTPS_PROXY environment variable.

    Example:

    HTTPS_PROXY=http://127.0.0.1:8080 cirrus-scope auth-test --name [email protected]

    You will be prompted to enter credentials interactively. You can add --debug for detailed logs:

    HTTPS_PROXY=http://127.0.0.1:8080 cirrus-scope auth-test --name [email protected] --debug

    Other available test commands include:

    • enrollment-test: Simulates device enrollment
    • refresh-token-acquire: Acquires new access tokens using a refresh token
    • provision-hello-key-test: Tests Hello for Business key provisioning

  7. Capture and Save the HAR File:

    • Go to the mitmweb dashboard in your web browser.
    • Click on the "File" drop down menu, then "Save".
    • Your browser will download a file called 'flows'

That's it! You have now captured and saved HTTP(S) traffic as a HAR file.

Search the contents of the file for your password, as it will be present. Remove this password before sharing the file.

If the authentication was successful, there will also be a valid access token and refresh token present. These should also be removed or obfuscated. Search the file for json keys such as 'refresh_token' and 'access_token'.