Rest API with SID groups auth

Hi everyone!

I am working on an IIS Dashboard with Windows Authentication.
I am trying to grant a JsonWebToken by the SID group number to the current user; then he would access a REST API that creates an AD account.

I can't get it working so I'm wondering if it's possible? If it is, can you please tell me if my code is wrong?
Because I have tried the SID group number mechanism with authorization policies and it worked, but this is not working with authentication for me.
Do I need to assign a role with it or …?

This is my Dashboard code:

Enable-UDLogging

$SIDAuthentication = New-UDAuthenticationMethod -Endpoint {
    param ($user)
    if ($user.Identity.Groups -contains "S-1-5-21-3863940255-3118300250-830854111-512"){
        $Session:Token = Grant-UDJsonWebToken -Identity "$user"
    }
}

$DashAuthentication = New-UDAuthenticationMethod -Windows

$LoginPage = New-UDLoginPage -AuthenticationMethod @($DashAuthentication, $SIDAuthentication) -PassThru

$dashboard = New-UDDashboard -Title "Hello, IIS" -Content {
    New-UDRow -Columns {
        New-UDColumn -Size 12 -Endpoint  {
            New-UDHeading -Text "Logged in as $user"
            New-UDInput -Title Account -Content{
                New-UDInputField -Type textbox -Name "nom" -Placeholder "Nom"
                New-UDInputField -Type textbox -Name "prenom" -Placeholder "Prenom"
            } -Endpoint {
                param(
                    $nom,
                    $prenom
                )
                Invoke-RestMethod -Uri "http://localhost:8081/api/login/account/$nom/$prenom" -Method Post -Headers @{Authorization = "Bearer $($Session:Token)"}
            }
        }
    }
} -LoginPage $LoginPage
Start-UDDashboard -Wait -Dashboard $dashboard -AllowHttpForLogin -AdminMode

Thanks in advance!

Lucas R

Hey guys, nothing on this? :frowning:
Thanks!

You need to read up on this:
https://docs.universaldashboard.io/security/authentication/windows

Especially:
https://docs.universaldashboard.io/security/authentication/windows#claims-based-authorization-with-windows-authentication

I don't use Windows authentication.

Thanks for the feedback @McAndersDK!

So I changed my plans. I always have my Windows Auth on my Dashboard. But now I get all the current user's SID group numbers with the command: $ClaimsPrincipal.identity.groups.value.
So I store it in a variable $getSid and I pass it into the Invoke-RestMethod.

In my API I check if the variable contains the SID I want, and if it is the right SID number the API performs the action.

But when I tried, the API gives me an error 404 not found and I don't know why …

Dashboard code:

$WinAuth = New-UDAuthenticationMethod -Windows

$LoginPage = New-UDLoginPage -AuthenticationMethod $WinAuth -PassThru

$dashboard = New-UDDashboard -Title "Hello, IIS" -Content {
    New-UDRow -Columns {
        New-UDColumn -Size 12 -Endpoint  {
            New-UDHeading -Text "Logged in as $user"
            New-UDInput -Title Account -Content{
                New-UDInputField -Type textbox -Name "nom" -Placeholder "Nom"
                New-UDInputField -Type textbox -Name "prenom" -Placeholder "Prenom"
            } -Endpoint {
                param(
                    $nom,
                    $prenom
                )
                $getSid = $ClaimsPrincipal.identity.groups.value
                Invoke-RestMethod -Uri "http://localhost:8081/api/account/$getSid/$nom/$prenom"
            }
        }
    }
} -LoginPage $LoginPage

Start-UDDashboard -Wait -Dashboard $dashboard -AllowHttpForLogin -AdminMode

REST API code:

Enable-UDLogging

Import-Module @("ActiveDirectory", "UniversalDashboard")

$Endpoint = New-UDEndpoint -Url "/account/:getSid/:nom/:prenom" -Method POST -Endpoint {
    if ($getSid -contains "S-1-5-21-3863940255-3118300250-830854111-512") {
        $name = $nom + " " + $prenom
        New-ADUser -Surname $nom -GivenName $prenom -Name $name
    }
}

Start-UDRestApi -Endpoint @($Endpoint) -Port 8081

I can see the SIDs in the API logs.

So if someone knows why this is not working…

Thanks for your time.
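The following is an added example and not code from anyone in this thread. Two things stand out in the second design above: the REST API decides whether to create the account based on a SID list that arrives in the URL, so whatever the dashboard sends, any client that can reach port 8081 can put the admin group SID in that path segment itself; and the dashboard's Invoke-RestMethod call has no -Method Post while the endpoint is registered for POST (the array in "$getSid" also gets space-joined into a single path segment). The version below keeps the group check on the server side of the dashboard, where $ClaimsPrincipal comes from IIS Windows authentication, mints a JWT only when that check passes, and makes the API accept nothing but a JWT signed with the shared key. It assumes the Universal Dashboard 2.x cmdlets and parameters shown (New-UDAuthenticationMethod and Grant-UDJsonWebToken with -SigningKey, Start-UDRestApi with -AuthenticationMethod, New-UDInputAction -Toast, the $Cache: scope); the signing key value is a placeholder and the group SID is the one from the thread.

```powershell
# Added example, not from the thread. Two scripts: the dashboard (behind IIS Windows
# auth) and the REST API (port 8081). Both must use the same signing key so only a
# token minted by the dashboard is accepted by the API.
# Assumed UD 2.x cmdlets/parameters: -SigningKey on New-UDAuthenticationMethod and
# Grant-UDJsonWebToken, -AuthenticationMethod on Start-UDRestApi, New-UDInputAction -Toast,
# and the $Cache: scope shared across endpoint runspaces.

$AdminGroupSid = 'S-1-5-21-3863940255-3118300250-830854111-512'   # group SID from the thread
$SigningKey    = 'REPLACE-WITH-A-LONG-RANDOM-SECRET-PLACEHOLDER'  # placeholder; same value in both scripts

# ---------------- Script 1: REST API process ----------------
Import-Module ActiveDirectory, UniversalDashboard

# No SID in the route any more: the API only runs this when the Bearer token validated.
$Endpoint = New-UDEndpoint -Url '/account/:nom/:prenom' -Method POST -Endpoint {
    New-ADUser -Surname $nom -GivenName $prenom -Name "$nom $prenom"
    @{ created = "$nom $prenom" }
}

# Every request must carry a JWT signed with $SigningKey; unauthenticated calls are rejected
# before the endpoint body runs.
Start-UDRestApi -Endpoint @($Endpoint) -Port 8081 `
    -AuthenticationMethod (New-UDAuthenticationMethod -SigningKey $SigningKey)

# ---------------- Script 2: Dashboard process ----------------
$Cache:SigningKey    = $SigningKey      # $Cache: is visible inside endpoint runspaces
$Cache:AdminGroupSid = $AdminGroupSid

$WinAuth   = New-UDAuthenticationMethod -Windows
$LoginPage = New-UDLoginPage -AuthenticationMethod $WinAuth -PassThru

$dashboard = New-UDDashboard -Title 'Hello, IIS' -Content {
    New-UDColumn -Size 12 -Endpoint {
        New-UDInput -Title 'Account' -Content {
            New-UDInputField -Type textbox -Name 'nom'    -Placeholder 'Nom'
            New-UDInputField -Type textbox -Name 'prenom' -Placeholder 'Prenom'
        } -Endpoint {
            param($nom, $prenom)

            # Group membership is read from the authenticated Windows principal on the
            # server; the browser never supplies it. No membership, no token.
            $groupSids = @($ClaimsPrincipal.Identity.Groups.Value)
            if ($groupSids -notcontains $Cache:AdminGroupSid) {
                New-UDInputAction -Toast 'You are not a member of the account-admin group.'
                return
            }

            $token = Grant-UDJsonWebToken -Identity $ClaimsPrincipal.Identity.Name `
                                          -SigningKey $Cache:SigningKey

            # The API endpoint is registered for POST; Invoke-RestMethod defaults to GET,
            # which would explain the 404 seen in the thread. Escape user input that is
            # placed into the path.
            $uri = 'http://localhost:8081/api/account/{0}/{1}' -f `
                   [uri]::EscapeDataString($nom), [uri]::EscapeDataString($prenom)
            $result = Invoke-RestMethod -Uri $uri -Method Post `
                                        -Headers @{ Authorization = "Bearer $token" }
            New-UDInputAction -Toast "Created: $($result.created)"
        }
    }
} -LoginPage $LoginPage

Start-UDDashboard -Wait -Dashboard $dashboard
```

Because the group check now happens in the dashboard's server-side endpoint and the API trusts only a signed token, removing the SID from the URL loses nothing: possession of a token the API can verify is the proof of membership. If the API is reachable from anywhere other than the dashboard host, bind it to localhost or put it behind TLS so the Bearer token is not sent in the clear.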