OIDC redirect taking a long time

Awesome! It does include the fix and I’m glad it’s much faster.

Hey @adam

I am trying to update the roles script above to utilize Get/Set-PSUCache, but am receiving this error when the policy script runs:

2022-02-24 15:07:02.257 -05:00 [ERR] The method or operation is not implemented.

I created a test script to verify it is working normally and it did set the cache correctly. If I set the policy script to use the cache: scope, it does work.

Update:

Looks like you cannot use server-wide cache in the management api…

This cmdlet can only be called within APIs, dashboards and scripts. You cannot access the server-wide cache through the PowerShell Universal Management API.

The other way I came up with is to store the groupobject id in the $env:UAPath location and then remove them nightly, something like that.

New-PSURole -Name "Administrator" -Description "Administrators can manage settings of UA, create and edit any entity within UA and view all the entities within UA." -Policy {
    param(
        $User
    )

    # Azure AD emits '_claim_names' instead of a 'groups' claim when the user is in
    # too many groups (groups overage), so membership has to be resolved via Graph.
    if ($User.Claims.Type -contains '_claim_names') {
        $CacheKey = "$($User.Identity.Name)_Claims"
        $Path = Join-Path -Path $env:UAPath -ChildPath "Logins\$($CacheKey).txt"
        Try {
            # Reuse the membership list cached on disk by an earlier evaluation.
            if (Test-Path -Path $Path) {
                $GroupObjectId = Get-Content -Path $Path
                return ($GroupObjectId -contains '<objectid>')
            }
            # Reuse the OIDC app registration PSU is already configured with.
            $AppSettings = Get-Content -Path "$env:UAPath\appsettings.json" -Raw | ConvertFrom-Json
            $ClientId = $AppSettings.Authentication.OIDC.ClientID
            $ClientSecret = $AppSettings.Authentication.OIDC.ClientSecret
            $TenantId = ($User.Claims | Where-Object Type -eq 'http://schemas.microsoft.com/identity/claims/tenantid').Value
            $UserId = ($User.Claims | Where-Object Type -eq 'http://schemas.microsoft.com/identity/claims/objectidentifier').Value
            # Client-credentials token for Microsoft Graph.
            $Params = @{
                Uri         = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
                Body        = @{
                    'client_id'     = $ClientId
                    'client_secret' = $ClientSecret
                    'scope'         = 'https://graph.microsoft.com/.default'
                    'grant_type'    = 'client_credentials'
                }
                Method      = 'Post'
                ContentType = 'application/x-www-form-urlencoded'
                ErrorAction = 'Stop'
            }
            $Token = Invoke-RestMethod @Params | Select-Object -ExpandProperty access_token
            # getMemberObjects returns the ids of every group and directory role
            # the user is a (transitive) member of.
            $Params = @{
                Uri         = "https://graph.microsoft.com/v1.0/$TenantId/users/$UserId/getMemberObjects"
                Headers     = @{
                    Authorization = "Bearer $Token"
                }
                Method      = 'Post'
                ContentType = 'application/json'
                Body        = (@{
                    securityEnabledOnly = $false
                } | ConvertTo-Json)
                ErrorAction = 'Stop'
            }
            $GroupObjectId = (Invoke-RestMethod @Params).value
            # Cache one object id per line; -Force creates the Logins folder if needed.
            # Out-Null keeps the FileInfo object out of the policy's output.
            New-Item -Path $Path -Value ($GroupObjectId -join [Environment]::NewLine) -Force | Out-Null
            $GroupObjectId -contains '<objectid>'
        }
        Catch {
            # Never leave a partial cache file behind after a failed lookup.
            Remove-Item -Path $Path -ErrorAction SilentlyContinue
            throw $_
        }
    }
    else {
        $User.HasClaim('groups', '<objectid>')
    }
}

I’ll open an issue for this. We should be able to support the cache in role scripts.