Where #152 introduced -Protocol, offering Modern Authentication (OpenID Connect next to the existing WS-Federation/WS-Trust) on .NET 4.8 (Windows PowerShell 5.1) and .NET 6+ (PowerShell 7.3+) along the happy path, this issue tries to validate the edge cases of misconfiguration up to token refresh.
[x] Authentication over System Browser, so Authorization Code Flow with Proof Key for Code Exchange (PKCE), will give you 60 seconds. Any slower and you will see the New-IShSession/Test-IShSession cmdlets respond with a TaskCanceledException stating Browser login canceled after 60 seconds.
[x] Authentication over Client Credentials Flow with a non-existing -ClientId will error out with GetTokensOverClientCredentialsAsync Access Error[invalid_client]; either invalid ClientId/ClientSecret combination or expired ClientSecret. Please make sure you activate a client/secret on your Access Management User Profile (ISHAM).
[x] Authentication over Client Credentials Flow with an expired -ClientId/-ClientSecret combination will error out with the same GetTokensOverClientCredentialsAsync Access Error[invalid_client]; either invalid ClientId/ClientSecret combination or expired ClientSecret. Please recycle the expired client/secret on your Access Management User Profile (ISHAM).
[x] Authentication over Client Credentials Flow with a valid -ClientId/-ClientSecret combination, but not mapped in the CMS to a User Profile over FISHEXTERNALID, will error out with [-14] The access is denied because no profile match was found. 0. Please make sure that the client (which you can find on the Access Management User Profile) is added in Organize Space on one CMS User Profile in the comma-separated External Id field.
[x] Authentication over Client Credentials Flow with a valid -ClientId/-ClientSecret combination, mapped in the CMS to a User Profile over FISHEXTERNALID which is disabled, will error out with [-6] Your account has been disabled. Please see your system administrator. Please make sure in Organize Space that the one CMS User Profile holding the client in the External Id field is an enabled profile.
[x] Authentication over either Client Credentials or System Browser was successful but the Access Token expired. You do not need to create a new session with New-IShSession; every cmdlet will attempt to get a token (either refresh, or re-logon if required) based on the cmdlet's (implicit) -IShSession parameter.
[x] Using the New-IshSession parameter -PSCredential on 14SP4/14.0.4 or earlier works like before, as it means username/password authentication over protocol WcfSoapWithWsTrust. However, using -PSCredential on 15/15.0.0 means that you are using protocol WcfSoapOverOpenIdConnect, so a client/secret is expected. If you then provide username/password, you will get error GetTokensOverClientCredentialsAsync Access Error[invalid_client]. Note that you can force WS-Trust by adding -Protocol WcfSoapWithWsTrust to the New-IshSession cmdlet.
[x] Be consistent in the usage of AccessToken and BearerToken, prefer AccessToken as much as possible
[x] Get-Help updates required, for example $ishSessionA = New-IshSession -WsBaseUrl "https://example.com/ISHWSPROD/" -PSCredential "Admin": -PSCredential Admin only works for -Protocol WcfSoapWithWsTrust, so it is an outdated sample. All New-IshSession examples should be reviewed.
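The misconfiguration cases in the checklist above, driven from a small diagnostics wrapper so that an administrator sees the remediation the issue describes next to the raw error. This is an added example, not code from the issue or from the ISHRemote project: the base URL, client id and client secret are placeholders, the error-text patterns are the messages quoted in the checklist, and calling New-IshSession with only -WsBaseUrl to trigger the system-browser logon is an assumption.

```powershell
# Added example (not part of the issue or the ISHRemote project).
# Assumptions: placeholder URL/client values; cmdlet and parameter names as used in the issue
# (New-IshSession, Test-IshSession, -WsBaseUrl, -ClientId, -ClientSecret, -PSCredential,
# -Protocol); New-IshSession with only -WsBaseUrl is assumed to start the system-browser logon.

$wsBaseUrl = "https://example.com/ISHWSPROD/"   # placeholder CMS web services base URL

function New-IshSessionWithDiagnostics {
    # Wraps New-IshSession and maps each failure quoted in the checklist to its remediation.
    param([Parameter(Mandatory)] [hashtable] $SessionParameters)
    try {
        return New-IshSession @SessionParameters
    }
    catch {
        $message = $_.Exception.Message
        switch -Regex ($message) {
            'Browser login canceled' {
                # System browser / Authorization Code + PKCE: the 60 second window elapsed.
                Write-Warning "Browser logon timed out after 60 seconds; complete the logon faster or use client credentials."
            }
            'invalid_client' {
                # Non-existing or expired client/secret pair, or username/password sent on 15/15.0.0
                # where -Protocol defaults to WcfSoapOverOpenIdConnect.
                Write-Warning "Client credentials rejected (invalid_client): activate or recycle the client/secret on the Access Management User Profile (ISHAM), or add -Protocol WcfSoapWithWsTrust when logging on with username/password."
            }
            '\[-14\]' {
                # Valid client, but no CMS User Profile carries it in FISHEXTERNALID.
                Write-Warning "[-14] no profile match: add the client id to the comma-separated External Id field of exactly one CMS User Profile in Organize Space."
            }
            '\[-6\]' {
                # Valid client, mapped to a CMS User Profile that is disabled.
                Write-Warning "[-6] account disabled: enable the CMS User Profile that holds this client id in its External Id field."
            }
            default {
                Write-Warning "Unclassified logon failure: $message"
            }
        }
        throw   # rethrow so callers still see the original exception
    }
}

# Client Credentials Flow (the default -Protocol WcfSoapOverOpenIdConnect on 15/15.0.0).
$ishSession = New-IshSessionWithDiagnostics -SessionParameters @{
    WsBaseUrl    = $wsBaseUrl
    ClientId     = "<client-id-placeholder>"
    ClientSecret = "<client-secret-placeholder>"
}

# System Browser (Authorization Code Flow with PKCE), assumed to be triggered by omitting credentials.
$browserSession = New-IshSessionWithDiagnostics -SessionParameters @{ WsBaseUrl = $wsBaseUrl }

# Legacy username/password logon: implicit on 14SP4/14.0.4 or earlier, must be forced on 15/15.0.0.
$credential = Get-Credential -UserName "Admin" -Message "CMS user password"
$legacySession = New-IshSessionWithDiagnostics -SessionParameters @{
    WsBaseUrl    = $wsBaseUrl
    PSCredential = $credential
    Protocol     = 'WcfSoapWithWsTrust'
}

# Access Token expiry: no new session is needed; the implicit -IShSession parameter makes the
# cmdlet refresh (or re-logon if required) by itself, which Test-IshSession exercises here.
Test-IshSession -IshSession $ishSession
```

The wrapper rethrows after writing the warning, so scripts that rely on -ErrorAction or try/catch around New-IshSession keep their existing behaviour; only the diagnostic hint is added.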