jpsider / RestPS

Simple ReST Framework for Powershell
MIT License
114 stars 30 forks

Read header functionality #35

Closed robertfshort closed 4 years ago

robertfshort commented 4 years ago

I've been toying around with how to do authorization through the http header as opposed to using client certs.

So let's assume I want to Invoke-RestMethod thusly:

$encodedAuth = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("$key" + ":" + "$auth"))
Invoke-RestMethod -Uri 'https://local.domain.com:8080/EndPoint/routes' -Method 'Get' -Headers @{authorization = "$encodedAuth"}

I can read that back inside restPS with $encodedAuth = $script:Request.headers['authorization'] and decode it with $decodedAuth = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($encodedAuth))

This could be used to add an additional option for authorization, but beyond that, if there are any headers to be optionally sent over, this is the method for reading them.

jpsider commented 4 years ago

Have you looked at my example scripts in the bin directory? https://github.com/jpsider/RestPS/blob/master/RestPS/bin/Invoke-VerifyUserAuth.ps1

jpsider commented 4 years ago

I think I was lazy and just used basic auth or plain text, but it could easily be updated to what you have.

robertfshort commented 4 years ago

I think you're missing the point. A: we can pass data to the rest server via headers. B: We can use that data to authenticate without the need for client certs. This is important, as there can be a use case where I'm not going to bother setting up client certs in order to access the rest api on the server.

jpsider commented 4 years ago

Crap! I forgot the password check first verifies a certificate. Yes, you are right. I guess I could just add a 'Basic' Auth type and only use a Username/Password check.

jpsider commented 4 years ago

Question, would you be storing the encoded passwords in a file? If I code up an example I want it to be useful, so understanding how you will compare the user provided password to your list/system of record would be useful. @robertfshort

robertfshort commented 4 years ago

To start with yes, but eventually I may stick it all into a DB of some sort.

jpsider commented 4 years ago

I just deployed version '7.0.16' to the PowerShell Gallery. It included a basic auth option.

Start-RestPSListener -RoutesFilePath $env:SystemDrive/RestPS/customRoutes.ps1 -VerificationType VerifyBasicAuth

Give it a shot, and let me know if it works for you. It does not do any decoding, I assume that the user pwd coming in and the user pwd stored are both encoded the same. Open to suggestions.

jpsider commented 4 years ago

Have you given it a shot?

jpsider commented 4 years ago

I made an additional change with 7.0.18 that prevents the client cert check that could have been causing you additional issues.

accc703 commented 4 years ago

Hi, I am using RestPS and would like to use the VerifyBasicAuth function.

I traced the code in Invoke-VerifyBasicAuth.ps1 and found that $UserToCheck still relies on $script:Subject. Does it mean that a client certificate is still required?

Or should it be more straightforward, by decrypting the Authorization header and comparing the user and password in Get-RestUserAuth.ps1?

Thank you.

jpsider commented 4 years ago

You make a valid point. The purpose of the VerifyBasicAuth was to remove the need for a certificate. The code needs to be updated to focus only on the Authorization header.
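An added example (not RestPS project code) of how a listener could verify the header robertfshort describes without any client certificate: parse the Basic credentials out of the Authorization header, then compare them against a stored salted PBKDF2 hash rather than a stored copy of the encoded password. The function names, the sample user and the iteration count are assumptions; the `$script:Request.headers['authorization']` lookup is the one from the thread.

```powershell
# Added example, not RestPS project code. Parses an HTTP Basic Authorization header
# and checks the credentials against a stored salted hash; no client cert involved.
$Iterations = 100000   # assumed PBKDF2 work factor
$Sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256

function Get-BasicAuthCredential {
    param([Parameter(Mandatory)][string]$AuthorizationHeader)
    # Accept "Basic <base64>" (RFC 7617) or the bare base64 the thread sends; reject anything else.
    if ($AuthorizationHeader -notmatch '^\s*(?:Basic\s+)?([A-Za-z0-9+/]+={0,2})\s*$') { return $null }
    try { $decoded = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Matches[1])) }
    catch { return $null }   # malformed base64
    $sep = $decoded.IndexOf(':')   # the user-id may not contain ':', so split on the first one only
    if ($sep -lt 0) { return $null }
    [PSCustomObject]@{ User = $decoded.Substring(0, $sep); Password = $decoded.Substring($sep + 1) }
}

function New-UserRecord {
    # What a users file or DB row would hold: a random salt and a PBKDF2 hash, never the password itself.
    param([Parameter(Mandatory)][string]$Password)
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, $Iterations, $Sha256)
    $record = @{ Salt = [Convert]::ToBase64String($salt); Hash = [Convert]::ToBase64String($kdf.GetBytes(32)) }
    $kdf.Dispose()
    return $record
}

function Test-UserPassword {
    param([string]$User, [string]$Password, [hashtable]$UserRecords)
    $record = $UserRecords[$User]
    # Derive against a dummy record for unknown users too, so timing does not reveal which user names exist.
    $salt     = if ($record) { [Convert]::FromBase64String($record.Salt) } else { New-Object byte[] 16 }
    $expected = if ($record) { [Convert]::FromBase64String($record.Hash) } else { New-Object byte[] 32 }
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, $Iterations, $Sha256)
    $actual = $kdf.GetBytes(32); $kdf.Dispose()
    $diff = 0   # constant-time comparison: every byte is examined regardless of early mismatches
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($actual[$i] -bxor $expected[$i]) }
    return ($null -ne $record) -and ($diff -eq 0)
}

# Constructed sample: one stored user and a request header as the client in this thread would send it.
$users  = @{ 'alice' = New-UserRecord -Password 'correct horse' }
$header = 'Basic ' + [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('alice:correct horse'))
# Inside a RestPS route this would be $script:Request.headers['authorization'] instead of $header.
$cred = Get-BasicAuthCredential -AuthorizationHeader $header
$granted = Test-UserPassword -User $cred.User -Password $cred.Password -UserRecords $users
$denied  = Test-UserPassword -User $cred.User -Password 'wrong'        -UserRecords $users
"granted=$granted denied=$denied"
```

Because the listener compares against a hash, the stored records no longer have to be "encoded the same" as the incoming credential, and a leaked users file does not hand out working passwords.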