ironmansoftware / powershell-universal

Issue tracker for PowerShell Universal
https://powershelluniversal.com

5.0.6 - AppTokens not working on for New-PSUVariable and Get-PSUVariable #3757

Closed donlent closed 1 day ago

donlent commented 4 days ago

Version

5.0.6

Severity

High

Environment

msi

Steps to Reproduce

Sorry but no matter how I try, it just doesn't work as expected or documented:

# Placeholder values; the original report did not define $CredentialsName and $CredentialsDescription
$CredentialsUsername = "MyUser"
$CredentialsPassword = "MyPassword"
$CredentialsName = "MyCredentialVariable"
$CredentialsDescription = "Credential stored from a non-admin session via AppToken"

# Build the PSCredential that will be stored as the variable's value
$Password = $CredentialsPassword | ConvertTo-SecureString -AsPlainText -Force
$PSCredential = [PSCredential]::new("$CredentialsUsername", $Password)

New-PSUVariable -ComputerName "$env:COMPUTERNAME" -Name $CredentialsName -Description $CredentialsDescription -Vault Database -Value $PSCredential -TrustCertificate -AppToken "myToken"

It will always result in a 401 error because it tries to create the variable with the logged-on user in PSU and not using the AppToken.

Expected behavior

The AppToken should be honored over the logged-on user, if specified

Actual behavior

The AppToken is always ignored and has no effect

Additional Environment data

No response

Screenshots/Animations

No response

adamdriscoll commented 4 days ago

Are you using SAML2 for your authentication? We found an issue using app tokens with that enabled but it typically would present as a different error. That said, I can't actually reproduce this either. 😂

PS C:\Users\adamr> New-PSUVariable -Name 'Test2' -Value $Credential -AppToken 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoiYWRtaW4iLCJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9oYXNoIjoiMGJiODMwZTgtYWUzMi00NTk0LTljODctMDNhOThmMjg5NWM0Iiwic3ViIjoiUG93ZXJTaGVsbFVuaXZlcnNhbCIsImh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd3MvMjAwOC8wNi9pZGVudGl0eS9jbGFpbXMvcm9sZSI6IkFkbWluaXN0cmF0b3IiLCJuYmYiOjE3MjYyNDUxNTAsImV4cCI6MTcyODgzNzE1MCwiaXNzIjoiSXJvbm1hblNvZnR3YXJlIiwiYXVkIjoiUG93ZXJTaGVsbFVuaXZlcnNhbCJ9.efjdueY2vpxOrmoCLKngpj2qz8_Lfb1LcqIWrTMz-0Q' -Vault Database -ComputerName http://localhost:5000

Id                  : 3
Name                : Test2
Value               :
UserName            :
Password            :
Secret              : True
Vault               : Database
Type                : PSCredential
Description         :

donlent commented 4 days ago

LOL... I'm feeling quite a bit stupid today... 🤣 No, we're using standard form-based auth for now. The user logs in with his user (non-admin obviously) and should be able to create PSCredential variables with an AppToken that has the permissions to do that.

Let me try that as well and I'll report back. Here as well, latest on Monday. :-)

Thanks for your patience and as always your will to help!

donlent commented 1 day ago

Hey @adamdriscoll OK that was a dumb one... 😅 The issue was related to having specified just -ComputerName "$env:COMPUTERNAME"

This seems to work if you're not using -AppToken. Otherwise the cmdlet expects a web address like http://localhost:5000

So I'll keep the issue open for you in case you want to fix that in your code that it behaves the same, otherwise feel free to close the issue. For me it's clear now and therefore there's no action needed on this one.

Ps. You could also put an example in the docs on how to do it and like that you could leave it as it is... ;-) Up to you.

Thanks, Don

adamdriscoll commented 1 day ago

Glad you have it working on your end. That said, you should be able to use the computer name. It just creates a URL like http://{ComputerName}:5000 locally. If you need to specify a port or something, then you would need a URL. I played around with it a bit and couldn't cause it to fail so there may still be an issue here but I'll close this for now and we can re-evaluate if it crops up again.