[ BUG ] `Revoke-FalconToken` error when token is successfully revoked

Open blahdidbert opened this issue 11 months ago • 2 comments

Describe the bug

As requested on Reddit... I have a Jupyter Notebook set up using Microsoft's Polyglot Notebooks extension to run the commands in PWSH in a Jupyter Notebook.

When running the Revoke-Token command there is an error that happens; however, the error is "incorrect" in that it does what it is supposed to.

To Reproduce

Create notebook. Install PSFalcon on the system or in the user path. Run commands to obtain a falcon token, test to validate the token is good, revoke the token.

Expected behavior

I am assuming the error shouldn't be there when revoking a token if it was successful. Or rather if there is another error it should be more verbose about what it is.

Environment (please complete the following information):

  • OS: Windows 11
  • PowerShell 7.4.5
  • VSCode 1.96.2
  • Polyglot Notebooks extension 2024.11.0
  • Jupyter Notebooks extension 1.0.5568010
  • PSFalcon (including 2.2.8)

Additional context

As you can see here, the commands are run in order and the error happens. When you re-test the Token, it is indeed revoked.

Transcript content

If possible, please include a PowerShell transcript.

**********************
PowerShell transcript start
Start time: 20250107173113
Username: blahdidbert
RunAs User: blahdidbert
Configuration Name: 
Machine: systemname (Microsoft Windows NT 10.0.22631.0)
Host Application: C:\Users\blahdidbert\.nuget\packages\microsoft.dotnet-interactive\1.0.556801\tools\net8.0\any\Microsoft.DotNet.Interactive.App.dll [vscode] stdio --working-dir c:\Users\blahdidbert\Documents\Workspace\blahdidbert\Jupyter_Notebooks\PSFalcon
Process ID: 32396
PSVersion: 7.4.5
PSEdition: Core
GitCommitId: 7.4.5
OS: Microsoft Windows 10.0.22631
Platform: Win32NT
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1, 6.0, 7.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
WSManStackVersion: 3.0
**********************
Transcript started, output file is C:\Users\blahdidbert\Documents\PowerShell_transcript.systemname.XyKS_Mec.20250107173113.txt

PSVersion      : Core [7.4.5]
ModuleVersion  : v2.2.8 {d893eb9f-f6bb-4a40-9caf-aaff0e42acd1}
ModulePath     : C:\Users\blahdidbert\Documents\PowerShell\Modules\PSFalcon\2.2.8
UserModulePath : C:\Users\blahdidbert\.nuget\packages\microsoft.dotnet-interactive\1.0.556801\tools\net
                 8.0\any\Modules;C:\Users\blahdidbert\Documents\PowerShell\Modules;C:\Program Files\Pow
                 erShell\Modules;c:\users\blahdidbert\.nuget\packages\microsoft.dotnet-interactive\1.0.
                 556801\tools\net8.0\any\runtimes\win\lib\net8.0\Modules;C:\Program
                 Files\WindowsPowerShell\Modules;C:\windows\system32\WindowsPowerShell\v1.0\Modules
UserHome       : C:\Users\blahdidbert
UserAgent      : crowdstrike-psfalcon/2.2.8

VERBOSE: 17:31:13 [ApiClient.Invoke] POST https://api.crowdstrike.com/oauth2/revoke
VERBOSE: 17:31:13 [ApiClient.Invoke] Accept=application/json, ContentType=application/x-www-form-urlencoded, Authorization=basic <removed>
VERBOSE: 17:31:13 [ApiClient.Invoke] token=<removed>
VERBOSE: 17:31:13 [ApiClient.Invoke] 500: InternalServerError
VERBOSE: 17:31:13 [ApiClient.Invoke] Server=nginx, Date=Tue, 07 Jan 2025 22:31:13 GMT, X-Content-Type-Options=nosniff, X-Cs-Traceid=62e63c48-eccc-4d1d-a9e4-8cd79b430af2, X-Ratelimit-Limit=300, X-Ratelimit-Remaining=297, Strict-Transport-Security=max-age=31536000; includeSubDomains, Connection=keep-alive
VERBOSE: 17:31:13 [Write-Result] query_time=1.71E-07, powered_by=crowdstrike-api-gateway, trace_id=62e63c48-eccc-4d1d-a9e4-8cd79b430af2
Write-Result: C:\Users\blahdidbert\Documents\PowerShell\Modules\PSFalcon\2.2.8\public\oauth2.ps1:252
Line |
 252 |        Write-Result $Request
     |        ~~~~~~~~~~~~~~~~~~~~~
     | {"code":500,"message":"Internal Server Error: Please provide trace-id='62e63c48-eccc-4d1d-a9e4-8cd79b430af2' to support"}
Write-Result: C:\Users\blahdidbert\Documents\PowerShell\Modules\PSFalcon\2.2.8\public\oauth2.ps1:252
Line |
 252 |        Write-Result $Request
     |        ~~~~~~~~~~~~~~~~~~~~~
     | {"code":500,"message":"Internal Server Error: Please provide
     | trace-id='62e63c48-eccc-4d1d-a9e4-8cd79b430af2' to support"}

**********************
PowerShell transcript end
End time: 20250107173113
**********************

blahdidbert avatar Jan 07 '25 22:01 blahdidbert

That error is coming back from the API and doesn't offer much detail that I could use to enhance any PSFalcon-generated error message. Looking at the trace ID, it seems like the server had an issue passing the revocation request internally.

Is it possible that the token revocation request fails because it's happening so quickly after the token request is made? Maybe one of the resources in the path doesn't know that the token is available to revoke yet. Could you try adding in a pause of ~10 seconds before Revoke-FalconToken and see if the error still occurs?

bk-cs avatar Jan 08 '25 00:01 bk-cs

I added a `Start-Sleep -Seconds 30` just to give it a little more time to sync and I still get the error.

blahdidbert avatar Jan 08 '25 21:01 blahdidbert