darrenjrobinson / powershell_module_identitynow

SailPoint IdentityNow PowerShell Module
https://blog.darrenjrobinson.com/sailpoint-identitynow/
MIT License

send API credentials as POST body rather than in URL #19

Closed sup3rmark closed 4 years ago

sup3rmark commented 4 years ago

Some of your functions use the following line to get an OAuth token: Invoke-RestMethod -Method Post -Uri "$($oAuthURI)?grant_type=password&username=$($adminUSR)&password=$($adminPWD)"

I would recommend against including the username and password in the URL, as this outputs the credentials to the console when the function is run with verbose output enabled. Instead, you should pass the credentials in the body of the request:

    # form fields go in the POST body, not the query string
    $oAuthTokenBody = @{
        grant_type = "password"
        username   = $adminUSR
        password   = $adminPWD
    }
    $oauthToken = Invoke-RestMethod -Uri $oAuthURI -Method Post -Body $oAuthTokenBody

410sean commented 4 years ago

SailPoint updated their KB to say they no longer support the password grant type as of November 18th, 2019: https://community.sailpoint.com/t5/tkb/articlehistorypage/message-revision/79566:12. With @sup3rmark's advice in mind, I want to look into the SailPoint-recommended options.

darrenjrobinson commented 4 years ago

Thx Sean. I did see this at the end of last year, but didn't have the capacity at the time to re-work it. I'm updating the module in two parts: the first, in response to this issue, was in this commit last week: https://github.com/darrenjrobinson/powershell_module_identitynow/commit/7a6026c3a29fbc30017ea581f0f96ab9daa133bf . The second part is to switch from password to CLIENT_CREDENTIAL. What I'm deliberating about is storing the Refresh Token in the local Org settings and attempting to use that for calls. That would also mean logic to determine how close to expiry the Access Token is prior to a call, and then either using the current AT or renewing it using the RT. Historically the IdentityNow Refresh Token flow didn't work, but hopefully they have that sorted out. The alternative is to always just get a new Access Token using the already implemented POST request, changing from PASSWORD to CLIENT_CREDENTIAL. Thoughts?


410sean commented 4 years ago

I saw your suggestion just now, after I took a shot at using refresh and client credential via a personal access token. Take a look at this branch: https://github.com/410sean/powershell_module_identitynow/tree/Auth-function

I noticed that with client credential + PAT I do not get back a refresh token, but I avoid refreshing the access token until it is within a minute of expiring.
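The pattern discussed in this thread (credentials in the POST body rather than the query string, a client_credentials grant instead of the password grant, and re-using the access token until it is within a minute of expiry), as an added example that is not code from the IdentityNow module or from either branch linked above. The token endpoint URL, the form field names, the `$script:IdnToken` cache, the `-Invoker` seam and the fake token server are all assumptions made so the block runs offline; check the actual parameter names against SailPoint's current documentation before using it against a real tenant.

```powershell
# Added example (not the module's code). Client-credentials token fetch with the
# secret in the POST body, cached until within $RefreshSkewSeconds of expiry.
$script:IdnToken = $null   # @{ AccessToken; ExpiresAt } - hypothetical cache

function Get-IdentityNowAccessToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $TokenUri,       # assumed, e.g. https://<org>.api.identitynow.com/oauth/token
        [Parameter(Mandatory)] [string]       $ClientId,
        [Parameter(Mandatory)] [securestring] $ClientSecret,
        [int]                                 $RefreshSkewSeconds = 60,
        # Hypothetical seam so the example can run offline; defaults to a real POST.
        [scriptblock] $Invoker = {
            param($Uri, $Body)
            Invoke-RestMethod -Method Post -Uri $Uri -Body $Body -ContentType 'application/x-www-form-urlencoded'
        }
    )

    $now = [DateTimeOffset]::UtcNow
    if ($script:IdnToken -and $script:IdnToken.ExpiresAt -gt $now.AddSeconds($RefreshSkewSeconds)) {
        Write-Verbose "Re-using cached access token (expires $($script:IdnToken.ExpiresAt.ToString('u')))"
        return $script:IdnToken.AccessToken
    }

    # Unwrap the secret only at request time. It goes in the body, never in the URI,
    # so the verbose line ("POST <uri> with ...") and error records do not carry it.
    $plainSecret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    $body = @{
        grant_type    = 'client_credentials'   # field names assumed
        client_id     = $ClientId
        client_secret = $plainSecret
    }
    try {
        $resp = & $Invoker $TokenUri $body
    } finally {
        $plainSecret = $null
    }
    if (-not $resp.access_token) { throw 'Token endpoint returned no access_token' }

    # No refresh token is expected back (as noted above), so expiry drives the cache.
    $lifetime = if ($resp.expires_in) { [int]$resp.expires_in } else { 300 }   # assumed fallback
    $script:IdnToken = @{
        AccessToken = $resp.access_token
        ExpiresAt   = $now.AddSeconds($lifetime)
    }
    Write-Verbose "Fetched new access token, valid for $lifetime s"
    return $script:IdnToken.AccessToken
}

# Constructed fake token server: rejects credentials in the query string, counts calls.
$script:calls = 0
$fake = {
    param($Uri, $Body)
    $script:calls++
    if ($Uri -match '\?') { throw 'credentials must not be in the query string' }
    if ($Body.grant_type -ne 'client_credentials' -or $Body.client_secret -ne 'hunter2') { throw '401 invalid_client' }
    [pscustomobject]@{ access_token = "tok-$($script:calls)"; token_type = 'bearer'; expires_in = 120 }
}
$secret = ConvertTo-SecureString 'hunter2' -AsPlainText -Force
$common = @{ TokenUri = 'https://example.invalid/oauth/token'; ClientId = 'pat-client-id'; ClientSecret = $secret; Invoker = $fake }

$t1 = Get-IdentityNowAccessToken @common -Verbose   # fetches tok-1
$t2 = Get-IdentityNowAccessToken @common -Verbose   # 120 s left > 60 s skew: cached tok-1
$script:IdnToken.ExpiresAt = [DateTimeOffset]::UtcNow.AddSeconds(30)   # simulate the clock moving to within the skew
$t3 = Get-IdentityNowAccessToken @common -Verbose   # within 60 s of expiry: fetches tok-2
"$t1 $t2 $t3 (token requests: $($script:calls))"
```

Run the last three calls with `-Verbose` and the only thing printed about the request is the bare endpoint URL; the secret never appears because it lives in the form body. The skew is a parameter so that a per-profile setting, as raised later in this thread, would only need to pass a different value.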

darrenjrobinson commented 4 years ago

I cleaned up the New, Get and added Remove-IdentityNowPersonalAccessToken in this commit https://github.com/darrenjrobinson/powershell_module_identitynow/pull/18/commits/ff95d98eb89e8d350851858a28e16ec846bca6e9

Thinking about re-using the Access Token until it is within a minute of expiring. Contemplating whether to make that configurable in the user's profile settings?

darrenjrobinson commented 4 years ago

Updates included in release 1.1.0