Authentication.ps1 not getting $secret:variable values?

Product: PowerShell Universal
Version: 3.5.3
Env: Windows VM, MSI, running as svc account

Finally getting around to setting up proper roles/claims authentication into dashboards (been having too much fun making useful endpoints with tokens!). However I’m not sure if it’s possible to load secret variables (via $secret:varname), regardless of type ([string]/[pscredential]) in authentication.ps1 - is this supposed to work? I can’t seem to get it going. E.g.:

authentication.ps1 contains this, snipped for brevity:

...
if ($Credential.UserName -eq $secret:EmergencyAdmin.UserName) {
    New-PSUAuthenticationResult -Success:$true -UserName 'Admin'
} else {
    Write-Host "'$($Credential.username)' != emergency local admin '$($secret:EmergencyAdmin.UserName)', continuing to domain authentication"
    ...domain authentication...
}
...

but the $secret var check NEVER works, and then in the authentication logs (at https://localhost/admin/security/authentication/1) I only see this:

'ExampleUsername' != emergency local admin '', continuing to domain authentication

So, are $secret variables supposed to be accessible by authentication.ps1? Is there anything I’m missing to enable this if it’s not a default?

I had been looking at Forms - Ironman Software which seems to use secret variables, and the there-linked video seems to show the same thing working, so not sure what I’m doing wrong.

I’ve tried saving secrets in both the built-in vault and PSUSecretStore - same results. The $secret:-scoped variable in question shows up fine in script executions otherwise, so I know the value is there - just doesn’t work during authentication.

Thanks!

Okay, looks like I needed to move login to a new environment where I could specify import of * variables. Did that and now it’s working as expected. Probably a good idea regardless. Perhaps this wasn’t necessary in the past, and I do wish it had been in the docs as a “hey, just in case…” but c’est la vie :)

Oh, but I do notice that in the docs under Security this is noted as requiring manual edit to settings.ps1:

but it’s in the UI in Settings as a popup-menu selector now, too, which was nice to see!

I’d happily contribute PRs to the docs, if that’s an option?
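
The log line in the question shows the emergency-admin secret resolving to an empty string inside authentication.ps1. The following is an added example, not code from the thread or from PowerShell Universal: a hypothetical helper, `Test-EmergencyAdmin`, that fails closed when the secret did not load and goes beyond the snippet above by also comparing the password. The sample credentials are constructed.

```powershell
# Added example. Test-EmergencyAdmin is a hypothetical helper name.
function Test-EmergencyAdmin {
    [CmdletBinding()]
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)] [pscredential] $Submitted,
        [AllowNull()] [pscredential] $Stored
    )

    # Fail closed: a secret that did not resolve in this environment must never match.
    if ($null -eq $Stored -or [string]::IsNullOrWhiteSpace($Stored.UserName)) {
        Write-Warning 'Emergency admin secret is not available in this environment.'
        return $false
    }
    if ($Submitted.UserName -ne $Stored.UserName) { return $false }

    $a = [Text.Encoding]::UTF8.GetBytes($Submitted.GetNetworkCredential().Password)
    $b = [Text.Encoding]::UTF8.GetBytes($Stored.GetNetworkCredential().Password)

    # An empty stored password is treated as a misconfiguration, not a match.
    if ($b.Length -eq 0) { return $false }

    # Compare every byte without exiting early on the first difference.
    $diff = $a.Length -bxor $b.Length
    for ($i = 0; $i -lt $a.Length; $i++) {
        $diff = $diff -bor ($a[$i] -bxor $b[$i % $b.Length])
    }
    return ($diff -eq 0)
}

# Constructed sample data, standing in for $Credential and $secret:EmergencyAdmin.
$stored    = [pscredential]::new('breakglass',
                 (ConvertTo-SecureString 'constructed-sample-pw' -AsPlainText -Force))
$submitted = [pscredential]::new('breakglass',
                 (ConvertTo-SecureString 'wrong-guess' -AsPlainText -Force))

Test-EmergencyAdmin -Submitted $submitted -Stored $null     # secret not imported
Test-EmergencyAdmin -Submitted $submitted -Stored $stored   # wrong password
Test-EmergencyAdmin -Submitted $stored    -Stored $stored   # matching credential

# Assumed usage inside authentication.ps1, with the names from the question:
# if (Test-EmergencyAdmin -Submitted $Credential -Stored $secret:EmergencyAdmin) {
#     New-PSUAuthenticationResult -Success:$true -UserName 'Admin'
# }
```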