ironmansoftware / universal-automation

Universal Automation is the PowerShell-first automation platform.
https://ironmansoftware.com/universal-automation/
MIT License

JWT Authentication Doesn't work when configuring JWT Parameters #153

Closed adamdriscoll closed 4 years ago

adamdriscoll commented 4 years ago

If you set the JWT parameters like the signing key, etc., the JWT auth process will always return a 401.

adamdriscoll commented 4 years ago

Related: https://github.com/ironmansoftware/universal-automation/issues/144

adamdriscoll commented 4 years ago

FYI: @claudiospizzi I have this working in the latest build.

This is how I am starting my server.

# $SigningKey and $ComputerName are assumed to be set earlier in the script.
# Start the server with an explicit JWT signing key; on first start this returns the app token.
$AppToken = Start-UAServer -Port 10000 -JwtSigningKey $SigningKey

# Make the computer name available to endpoints, which run in their own runspaces.
$Cache:ComputerName = $ComputerName 

# If the server was already initialized, no token is returned; re-enable auth with the same key to get one.
if ($null -eq $AppToken)
{
    $AppToken = (Enable-UAAuthentication -ComputerName $ComputerName -Force -SigningKey $SigningKey).Token
}

Connect-UAServer -ComputerName $ComputerName -AppToken $AppToken

This is how I'm configuring my auth policy to generate AppTokens.

$AuthPolicy = New-UDAuthorizationPolicy -Name "Policy" -Endpoint {
    param($ClaimsPrincipal)

    $UserName = $ClaimsPrincipal.Identity.Name 
    $Session:UserRole = ""

    # Look up an existing UA identity for the authenticated user; create one on first sign-in.
    $Identity = Get-UAIdentity -Name $UserName 
    if ($null -eq $Identity)
    {
        if ($UserName -eq 'OperatorFred')
        {
            $Role = Get-UARole -Name "Operator"
            $Identity = New-UAIdentity -Name $UserName -Role $Role
            $Session:UserRole = "Operator"
        }            
        elseif ($UserName -eq 'ReaderJane')
        {
            $Role = Get-UARole -Name "Reader"
            $Identity = New-UAIdentity -Name $UserName -Role $Role
            $Session:UserRole = "Reader"
        }
        else 
        {
            # Note: any other authenticated user falls through to Administrator in this sample.
            $Role = Get-UARole -Name "Administrator"
            $Identity = New-UAIdentity -Name $UserName -Role $Role
            $Session:UserRole = "Administrator"
        }

        $AppToken = (Grant-UAAppToken -Identity $Identity).Token
    }
    else 
    {
        # Reuse the identity's existing app token; grant a new one only if none exists.
        $AppToken = (Get-UAAppToken -Identity $Identity).Token
        if ($null -eq $AppToken)
        {
            $AppToken = (Grant-UAAppToken -Identity $Identity).Token
        }
    }

    # Store the token in the session so later calls can connect with it.
    $Session:AppToken = $AppToken 

    # Returning $true authorizes the request.
    $true
}

I will start posting nightly builds of UA so you can try this out. I'll let you know when they are available.
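As an added example (not code from the issue or from the Universal Automation project), the same policy can be written with an explicit user-to-role map and default deny, so that an authenticated user who is not listed is rejected instead of being provisioned as Administrator. It also shows generating a random JWT signing key with .NET's RandomNumberGenerator; the assumption that -JwtSigningKey accepts a base64 string, and the $Cache:RoleMap variable name, are mine, not something the thread specifies.

```powershell
# Added example, not project code. Assumes the UA cmdlets used in the thread
# (Start-UAServer, Get-UAIdentity, New-UAIdentity, Get-UARole,
#  Get-UAAppToken, Grant-UAAppToken) and New-UDAuthorizationPolicy.

# Generate a 256-bit random signing key. Passing it as a base64 string is an
# assumption about the -JwtSigningKey parameter's expected format.
$KeyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($KeyBytes)
$SigningKey = [Convert]::ToBase64String($KeyBytes)

$AppToken = Start-UAServer -Port 10000 -JwtSigningKey $SigningKey

# Explicit allow-list of users and their roles. Endpoints run in their own
# runspaces, so the map is published through the $Cache: scope (hypothetical name).
$Cache:RoleMap = @{
    'OperatorFred' = 'Operator'
    'ReaderJane'   = 'Reader'
}

$AuthPolicy = New-UDAuthorizationPolicy -Name "Policy" -Endpoint {
    param($ClaimsPrincipal)

    $UserName = $ClaimsPrincipal.Identity.Name
    $Session:UserRole = ""

    # Default deny: an authenticated user with no mapped role is not authorized
    # and gets no identity or app token created on their behalf.
    $RoleName = $Cache:RoleMap[$UserName]
    if ([string]::IsNullOrEmpty($RoleName))
    {
        return $false
    }

    # Provision the UA identity on first sign-in with exactly the mapped role.
    $Identity = Get-UAIdentity -Name $UserName
    if ($null -eq $Identity)
    {
        $Role = Get-UARole -Name $RoleName
        $Identity = New-UAIdentity -Name $UserName -Role $Role
    }

    # Reuse an existing app token; only grant a new one when none exists.
    $AppToken = (Get-UAAppToken -Identity $Identity).Token
    if ($null -eq $AppToken)
    {
        $AppToken = (Grant-UAAppToken -Identity $Identity).Token
    }

    $Session:UserRole = $RoleName
    $Session:AppToken = $AppToken

    $true
}
```

Because the role map is consulted before any identity is created, a stray account from the identity provider cannot be auto-provisioned with elevated rights; extending access is a deliberate edit to the map rather than a side effect of a successful login.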

claudiospizzi commented 4 years ago

Hi Adam. I've used Grant-UAAppToken instead of Enable-UAAuthentication to create a system key. I've now moved to your solution there. It works as far as I can see at the moment.

Just one question: You are using the authorization policy instead of the authentication method. I've pushed everything into the authentication method including the app token generation and storing in the session. Is this bad behaviour?

adamdriscoll commented 4 years ago

Ok. That's good. Please let me know if that changes.

In terms of the auth method vs authorization policy, that should be fine in your case. The main reason I have the auth policy as the preferred method is that it works across authentication methods. I will update the documentation to account for the suggestion that you could use just the auth method if you are using forms-based authentication.