Nested script cmdlet execution now requires specifying an app token explicitly

Something seems to have changed related to the security of a script called within another script. In 5.3.3, a parent script that uses Connect-PSUServer and specifies an app token as part of that cmdlet was able to execute other scripts (via Invoke-PSUScript) and those child scripts were able to access PSU cmdlets that require authentication (such as Get-PSUEventHubConnections) using the app token referenced in the parent script.

After upgrading PSU to 5.5.2, I now have to have the app token in the parent script and also specify an app token in the child script for any cmdlets that require authentication. It can be the same token in both locations, which is fine, but something seems to have changed to cause this new behavior.

@adam can you please clarify what was changed regarding this?

Product: PowerShell Universal
Version: 5.5.2

This likely has to do with the change in 5.5 to add scope to Connect-PSUServer. It defaults to Process, which was the previous behavior, so this should not have required you to make changes to your scripts. I’ll open an issue for this and get it tracked down.

Thanks. It was easily worked around by adding -AppToken <token> to the cmdlets within the child scripts being called, and I’m fine with leaving it like that if necessary, but if this is not the expected behavior let me know what other info you need from me (if any).

Thanks. I’ll let you know after I’ve tried to reproduce it. I’ll update the issue with my findings.

Could you please tell me how you did this exactly?
I have been getting errors when using Invoke-PSUScript.
But only for non-admin members.

Error: Status(StatusCode="Cancelled", Detail="Bad gRPC response. Invalid content-type value: text/html; charset=utf-8")

Edit: Never mind, I figured it out. Thank you for this suggestion.

Great. I was just about to reply.

Perhaps useful for those reading in the future, a bit more detail by Adam.
Only the last part hasn’t been answered, but it provides a lot more context.

I’m not sure I understand which part wasn’t answered, but that’s the way it’s supposed to work. The bug in 5.5.2 causes the child processes to NOT receive the authentication of the parent process.

I was mostly referring to:

So, if I understand correctly, per process means: once you call Connect-PSUServer -AppToken ... anywhere in your dashboard app (in a page, endpoint, etc.), all subsequent PSU cmdlets in that process (including those in other pages, scripts, or invoked scripts) will use that authentication context. This explains why it works for the second invoke.

I was just wondering if my understanding was correct.

Ah. That seems correct.
