I’m trying to migrate an application from UD to PSU and I really need help regarding the authentication for endpoints.
My application only uses the API and not the Dashboard.
How it works in UD:
The user sends to /api/login, in the Password field, his Azure code from the app registration.
The endpoint checks the user's groups.
The endpoint gives some roles, ONE or MORE.
The endpoint creates a token valid for only one HOUR for this user, with multiple roles carried in an object.
The user sends the token with each call to be authenticated.
I don’t know how to rebuild this kind of architecture in PSU. What I understand:
App tokens can’t have multiple roles.
App tokens need to be created beforehand and not during the authentication of each user.
The OpenID connection is only used for the Dashboard and not for the API.
What I succeeded in doing in PSU:
configure OpenID with Azure to authenticate to PSU
retrieve some claims in roles.ps1 (I don’t understand how to also retrieve group membership for the user, because it’s not available in the claims retrieved)
Do you have some clue in order to help me? Thanks again.
Next, you could grant an app token without creating a new endpoint for it by calling the PSU endpoint: /v1/api/appToken/grant. Any authorized user can call this and it will generate a token for them with all of their roles included.
One problem is that there is not an option to set expiration so you may need a job to run through app tokens older than 1 hour and revoke them.
I can open an issue to enhance Grant-PSUAppToken because there isn’t any reason we couldn’t support multiple roles, and this would give you some more control over the expiration of the token.
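A sketch of the cleanup job mentioned above (revoke app tokens older than one hour), added here as an example and not code from this thread or from the PowerShell Universal project. It assumes that Get-PSUAppToken returns objects with a creation timestamp in a property named CreatedTime and a Revoked flag, and that Revoke-PSUAppToken accepts -Id; those property names are assumptions to verify against your PSU version before scheduling the script.

```powershell
# Added example: revoke app tokens granted more than one hour ago.
# Assumptions (not confirmed by the thread): Get-PSUAppToken exposes .Id, .Identity,
# .CreatedTime and .Revoked; Revoke-PSUAppToken takes -Id.
# Verify the property names first with:  Get-PSUAppToken | Get-Member
$cutoff = (Get-Date).AddHours(-1)

# Only tokens that are still active and older than the cutoff are candidates.
$stale = Get-PSUAppToken | Where-Object {
    -not $_.Revoked -and ([datetime]$_.CreatedTime) -lt $cutoff
}

foreach ($token in $stale) {
    # Write a line per revocation so the job output doubles as an audit trail.
    Write-Host "Revoking app token $($token.Id) for $($token.Identity) (created $($token.CreatedTime))"
    Revoke-PSUAppToken -Id $token.Id
}

Write-Host "Revoked $($stale.Count) stale app token(s)."
```

Save it as a PSU script and run it on an hourly schedule; since the check is done on the creation time rather than on an expiration the token itself lacks, a token granted just before the job runs can live up to almost two hours, so run the schedule more often if the one-hour bound matters.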
As for the other steps, you could use roles.ps1 to assign multiple roles to the user. You could either use role to claim mapping or set up custom role scripts: https://docs.powershelluniversal.com/config/security#role-to-claim-mapping ==> I’m not using the Dashboard, only the API, so I need to authenticate through the API with an OpenID connection.
I can open an issue to enhance Grant-PSUAppToken because there isn’t any reason we couldn’t support multiple roles, and this would give you some more control over the expiration of the token. ==> For me, yes, we should be able to create tokens for multiple roles like in UD. For Role, it’s not related to AppToken, no?
Maybe we will also need to have, like in UD, a New-UDAuthenticationMethod related to endpoints (to secure the login or the code for OpenID).
I just want to know if you created an issue regarding the multi-value for Role in app tokens?
And whether you are able to create a route for an authentication method related to the API, like in UD, in order to send for example the OpenID code and check the user permissions in code. Or maybe you have an idea to use the authentication.ps1 already in place.
As for the authentication method per API, it’s not something I had considered in the past, but maybe something you could do with roles.ps1. You should have all the user claim information in the roles.ps1 scripts.
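A roles.ps1 illustrating the claim-based, multi-role assignment discussed in this thread (the group-membership question and the custom role scripts mentioned above), added here as an example and not the project's own configuration. It assumes the Azure app registration is configured to emit the "groups" optional claim (without it, no group claim reaches roles.ps1, which matches the symptom described earlier in the thread), that the claim arrives with the type "groups", and that the group object IDs are placeholders to replace with real ones.

```powershell
# Added example roles.ps1: evaluate each role policy against the user's claims.
# Every New-PSURole policy runs independently, so one user can hold several roles
# at once; that is how "ONE or MORE" roles is expressed in PSU.
# Assumptions: the Azure app registration emits the "groups" optional claim, the
# claim type is literally 'groups', and the object IDs below are placeholders.

New-PSURole -Name 'Reader' -Description 'May call read-only API endpoints' -Policy {
    param($User)
    # $User is a ClaimsPrincipal; HasClaim(type, value) is an exact match on both.
    $User.HasClaim('groups', '00000000-0000-0000-0000-000000000001')  # placeholder group ID
}

New-PSURole -Name 'Operator' -Description 'May call API endpoints that change state' -Policy {
    param($User)
    $User.HasClaim('groups', '00000000-0000-0000-0000-000000000002')  # placeholder group ID
}

New-PSURole -Name 'ClaimDebug' -Description 'Diagnostic: lists claim types seen for the user' -Policy {
    param($User)
    # Temporary troubleshooting aid: enumerate what the identity provider actually sent,
    # which shows whether a 'groups' claim is present at all. Remove once the
    # group mapping works; it grants nothing on its own.
    $claimTypes = ($User.Claims | ForEach-Object { $_.Type }) -join ', '
    Write-Host "Claim types for $($User.Identity.Name): $claimTypes"
    $false
}
```

When the tenant has many groups, Azure emits a group-overage indicator instead of the "groups" claim, so policies that rely on it fail silently; the diagnostic role above makes that visible in the PSU logs.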