roadrecon: token audience checks

dirkjanm · Jan 23, 2025 · 5f87886 · 5f87886
1 parent 65d2138
commit 5f87886
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/roadrecon/roadtools/roadrecon/gather.py b/roadrecon/roadtools/roadrecon/gather.py
@@ -723,8 +723,17 @@ def main(args=None):
             dburl = 'sqlite:///' + args.database
     else:
         dburl = args.database
+    try:
+        _, tokendata = Authentication.parse_accesstoken(token['accessToken'])
+    except KeyError:
+        print('No access token found in tokenfile')
+        return
+    if tokendata['aud'] not in ('https://graph.windows.net', 'https://graph.windows.net/', '00000002-0000-0000-c000-000000000000'):
+        print(f"Wrong token audience, got {tokendata['aud']} but expected https://graph.windows.net")
+        print("Make sure to request a token with -r https://graph.windows.net")
+        return
 
-    headers['Authorization'] = '%s %s' % (token['tokenType'], token['accessToken'])
+    headers['Authorization'] = f"Bearer {token['accessToken']}"
 
     seconds = time.perf_counter()
     loop = asyncio.get_event_loop()