Can't use the tool with a refresh-token

[hugo-syn]

I'm having trouble using the tool with a refresh token generated by roadtx. Here is the generation part:

$ roadtx auth -c 2e307cd5-5d2d-4499-b656-a97de9f52708 -r msgraph --device-code
Requesting token for resource https://graph.microsoft.com/                                                           
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CA99TXDLZ to authenticate.
Tokens were written to .roadtools_auth

I get a refresh token and an access token. Then I try to feed this to maestro:

PS C:\Users\user\Documents> .\Maestro.exe -d test2.db get access-token -c 2e307cd5-5d2d-4499-b656-a97de9f52708 --reauth --tenant-id ... --refresh-token '1.Aa[...]CRE'
2024-11-08 15:30:19.331 UTC - [INFO]    Execution started
2024-11-08 15:30:19.440 UTC - [INFO]    Using database file: C:\Users\userr\Documents\test2.db
2024-11-08 15:30:19.644 UTC - [INFO]    Requesting access token from /oauth2/v2.0/token endpoint with refreshToken for scope: .default
2024-11-08 15:30:20.331 UTC - [ERROR]   An exception occurred!

2024-11-08 15:30:20.331 UTC - [ERROR]     Exception type: KeyNotFoundException

2024-11-08 15:30:20.331 UTC - [ERROR]     Message: The given key was not present in the dictionary.

2024-11-08 15:30:20.347 UTC - [INFO]    Completed execution in 00:00:01.0354386

I don't know why it fails, but I have an access token in the DB:

PS C:\Users\user\Documents> .\Maestro.exe -d test2.db show access-tokens
2024-11-08 15:30:29.519 UTC - [INFO]    Execution started
2024-11-08 15:30:29.597 UTC - [INFO]    Using database file: C:\Users\user\Documents\test2.db
[
  {
    "_id": "Yjh7gBPyVPs/WpcJeYCqXyG0nfry8BEP3kFMg3I/OgM=",
    "Audience": "00000003-0000-0000-c000-000000000000",
    "ClientId": "2e307cd5-5d2d-4499-b656-a97de9f52708",
    "Jwt": {},
    "NotBefore": "2024-11-08T17:25:20+01:00",
    "ObjectId": "redacted",
    "Scope": "Application.Read.All AuditLog.Read.All DeviceManagementApps.ReadWrite.All DeviceManagementConfiguration.ReadWrite.All DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementRBAC.ReadWrite.All DeviceManagementServiceConfig.ReadWrite.All Directory.AccessAsUser.All email Group.ReadWrite.All Mail.Send openid Policy.Read.All Policy.ReadWrite.ConditionalAccess profile Reports.Read.All User.ReadWrite.All WindowsUpdates.ReadWrite.All",
    "UserPrincipalName": "redacted@tenant.onmicrosoft.com",
    "Expiry": "2024-11-08T18:44:46+01:00",
    "Requested": "2024-11-08T17:25:20+01:00",
    "TenantId": "redacted",
    "Type": "Access Token",
    "Value": "eyJ0[...]YQ4w"
  }
]

As you can see I have the scope DeviceManagementConfiguration.ReadWrite.All required by maestro.

However, I can't list devices:

PS C:\Users\user\Documents> .\Maestro.exe -d test.db get intune devices
2024-11-08 15:33:16.550 UTC - [INFO]    Execution started
2024-11-08 15:33:16.628 UTC - [INFO]    Using database file: C:\Users\user\Documents\test.db
2024-11-08 15:33:16.784 UTC - [INFO]    No valid JWTs with the required scope DeviceManagementConfiguration.ReadWrite.All found in the database
2024-11-08 15:33:16.784 UTC - [INFO]    No valid refresh tokens found in the database
2024-11-08 15:33:16.784 UTC - [INFO]    No valid PRT cookies found in the database
2024-11-08 15:33:16.784 UTC - [INFO]    Requesting authorize URL from: https://intune.microsoft.com/signin/idpRedirect.js
2024-11-08 15:33:16.940 UTC - [INFO]    Requesting nonce from https://login.microsoftonline.com/common/oauth2/token
2024-11-08 15:33:17.456 UTC - [INFO]    Requesting PRT cookie with nonce for this user/device from LSA/CloudAP via COM
2024-11-08 15:33:17.456 UTC - [INFO]    Using supplied nonce: AwA[...]AA
2024-11-08 15:33:17.472 UTC - [WARNING] No PRT found for this device+user
2024-11-08 15:33:17.472 UTC - [ERROR]   No x-ms-RefreshTokenCredential PRT cookies were found for this user
2024-11-08 15:33:17.472 UTC - [ERROR]   Failed to authenticate
2024-11-08 15:33:17.472 UTC - [ERROR]   Failed to obtain an access token
2024-11-08 15:33:17.472 UTC - [INFO]    Completed execution in 00:00:00.9482720

I also tried to put my refresh token in the db with .\Maestro.exe -d test2.db store refresh-token ... and I get the same error.

I'm probably doing something wrong, I tried to play with all the options, but I can't list devices can you spot what's wrong in my commands ?

Thanks :)

[hugo-syn]

Also when I use my access token directly it doesn't work with maestro but it works with curl:

 .\Maestro.exe get intune devices --access-token 'eyJ[...]z1Q' -v 4
2024-11-08 16:38:13.894 UTC - [INFO]    Execution started
2024-11-08 16:38:14.019 UTC - [DEBUG]   Database option not used, skipping storage of this Jwt
2024-11-08 16:38:14.019 UTC - [INFO]    Requesting devices from Intune
2024-11-08 16:38:14.034 UTC - [INFO]    Requesting IntuneDevices from Microsoft Graph
2024-11-08 16:38:14.050 UTC - [VERBOSE] Sending GET request to: https://graph.microsoft.com/beta/deviceManagement/manageddevices?$select=Id,DeviceName,managedDeviceName,managementState,enrolledDateTime,lastSyncDateTime,configurationManagerClientEnabledFeatures,model,operatingSystem,skuFamily,osVersion,joinType,azureADRegistered,deviceEnrollmentType,azureADDeviceId,deviceRegistrationState,userId,userPrincipalName,userDisplayName,enrolledByUserPrincipalName,usersLoggedOn
2024-11-08 16:38:14.190 UTC - [WARNING] Received 401 (Unauthorized) status code from: https://graph.microsoft.com/beta/deviceManagement/manageddevices?$select=Id,DeviceName,managedDeviceName,managementState,enrolledDateTime,lastSyncDateTime,configurationManagerClientEnabledFeatures,model,operatingSystem,skuFamily,osVersion,joinType,azureADRegistered,deviceEnrollmentType,azureADDeviceId,deviceRegistrationState,userId,userPrincipalName,userDisplayName,enrolledByUserPrincipalName,usersLoggedOn
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token is empty.",
    "innerError": {
      "date": "2024-11-08T17:38:15",
      "request-id": "4f4fe7ce-9bcf-4308-ba51-b720ec51a944",
      "client-request-id": "4f4fe7ce-9bcf-4308-ba51-b720ec51a944"
    }
  }
}
{"error":{"code":"InvalidAuthenticationToken","message":"Access token is empty.","innerError":{"date":"2024-11-08T17:38:15","request-id":"4f4fe7ce-9bcf-4308-ba51-b720ec51a944","client-request-id":"4f4fe7ce-9bcf-4308-ba51-b720ec51a944"}}}
2024-11-08 16:38:14.331 UTC - [ERROR]   An exception occurred!
2024-11-08 16:38:14.331 UTC - [ERROR]     Exception type: JsonReaderException
2024-11-08 16:38:14.331 UTC - [ERROR]     Message: Unexpected character encountered while parsing value: A. Path '', line 0, position 0.
2024-11-08 16:38:14.331 UTC - [DEBUG]     Stack Trace:

$ curl -s -H "Authorization: Bearer $accessToken" 'https://graph.microsoft.com/beta/deviceManagement/manageddevices\?$select\=Id,DeviceName,managedDeviceName,managementState,enrolledDateTime,lastSyncDateTime,configurationManagerClientEnabledFeatures,model,operatingSystem,skuFamily,osVersion,joinType,azureADRegistered,deviceEnrollmentType,azureADDeviceId,deviceRegistrationState,userId,userPrincipalName,userDisplayName,enrolledByUserPrincipalName,usersLoggedOn' | jq | head            
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/managedDevices",
  "@odata.count": 2,
  "value": [
    {
      "id": "id...",
      "userId": "",
      "deviceName": "WKS",
      "ownerType": "personal",
      "managedDeviceOwnerType": "personal",

[Mayyhem]

@hugo-syn thank you for capturing all these details! I'm updating the token manipulation functions next and will update this issue as soon as they're fixed.

[Mayyhem]

Sorry for the delay @hugo-syn -- I took a lot of time off over the holidays but I'm back at it. The portions of the issue where you couldn't supply an access or refresh token at the command line should be fixed in main now.

I'm still working on the issues related to database storage and retrieval and will post an update once those have been addressed. Thanks again for your report and patience!

[hugo-syn]

Thank you very much I'll test it on my next engagement then !