Product: PowerShell Universal
Version: 1.4.6
In trying to figure out who to properly authenticate with a secure endpoint, I noticed that I can run with an empty token.
Like this:
$headers = @{
“Authorization” = "Bearer "
}
Invoke-RestMethod -Uri “https://server.domain.com/endpoint)” -Method Get -Headers $headers
If I comment out the “-Headers $headers” section, I get a 401.
Is this a bug or by design?
I don’t see the same behavior. How is your endpoint defined? The endpoint I have has auth on but no roles defined.
PowerShell 7.4.6
PS C:\Users\adamr> Invoke-RestMethod -Uri 'http://localhost:5000/api/group' -Headers @{} -Method 'GET'
Invoke-RestMethod: Response status code does not indicate success: 401 (Unauthorized).
PS C:\Users\adamr> Invoke-RestMethod -Uri 'http://localhost:5000/api/group' -Headers @{ Authorization = "Bearer "} -Method 'GET'
Invoke-RestMethod: Response status code does not indicate success: 401 (Unauthorized).
PS C:\Users\adamr>
I’m running this from an App to test what I get back from PSU. The invoke-restmethod does fail when I run from an Automation script instead.
The security model is set to Permissive at the moment. I’d like to use Integrated if that bypasses using an apptoken to call an API. But it wasn’t working during my testing, so I turned it back to Permissive to try use a Run As account, but that didn’t work either…
Endpoint looks like this :
The following fails:
If I remove the # before the headers it returns the username info. I also tried adding “Bearer XXX” and that still worked.
The app does not have a run as account. Even if it did, it makes no difference. Whoami returns the service account that runs PSU, a gMSA account.
