Setup POSTMAN to get Azure access tokens automatically for you

Introduction Postman is an HTTP request tool that is very handy for developing and testing your Azure requests. This is the Postman website: https://learning.getpostman.com/ Postman does make it easy to setup authentication and acquire access tokens but it normally is a multi-step process. The purpose of this blog post is to show you how you can setup Postman to automatically handle authentication for you so you don’t have to go…

Read More

Using jwt.io to verify the signature of a JWT token

Introduction In an asymmetric algorithm, a JWT token is signed with an Identity Provider’s private key. To verify the signature of the token, one will need to have a matching public key. This post will cover how to use the JWT tool at https://jwt.io/ to verify the signature of an signed Azure AD token (either access or id token). Note: You should only validate the token intended for your own…

Read More

Capturing Python web traffic with Fiddler

Update 4/15/2019 – added GraphRbacManagementClient section Introduction: Capturing encrypted HTTPS web traffic in Python with Fiddler can be tricky mainly because Python uses its own trusted certificate store instead of the OS’s certificate store and in certain scenario, python does not use proxy by default.  This post will cover how to capture SSL traffic using Fiddler for a few different scenario: ADAL for Python: The problem with this case is…

Read More

How to filter Fiddler capture traffic using host name and process name

This post discusses a couple of ways to filter Fiddler traffic based on domain names (or host names) and client process(es): Note that before using filter you should make sure Fiddler is configured to capture all processes.  This is indicated at the bottom left corner of Fiddler window.  That area is clickable to change the selection. Filter traffic using Fiddler’s built-in filter feature: From Fiddler’s right pane –> Filters tab…

Read More

Capture http(s) traffic with Http Fiddler

1 – Download the Fiddler 4 application and install it on the machine used to reproduce the problem (if you have not already).  Go to http://www.telerik.com/download/fiddler 2 – Enable the option to  decrypt HTTPS traffic: Tools -> Options -> Https -> select ‘decrypt HTTPS Traffic’ (you may be prompted to install the Fiddler certificate – make sure to select Yes) Ensure this option is checked when collecting the trace as…

Read More

Using Postman to call the Microsoft Graph API using Authorization Code Flow

Introduction This article will help guide you through utilizing Postman to call a Microsoft Graph Call using the authorization code flow. This is part of a 5 part blog on accessing the Microsoft Graph API utilizing grant types : authorization code, implicit flow, client credentials, password, and refresh token flow. We will be utilizing the same Microsoft Graph call to reduce extraneous details on having to include setting up and…

Read More

Tracing All Network Machine Traffic Using MITMProxy for Mac OSX

Introduction This article is meant to help you configure your Mac OS X to be able to track all your network traffic using MITMProxy. This is a free and open source alternative to Fiddler, Charles, and other network tracing alternatives for Linux/mac OS X systems. Also in addition MITMProxy is a more robust system that gives the user more configurability and programmability as there is a Python API for MITMProxy…

Read More