Product: PowerShell Universal
Version: 4.2.19
Scenario:
Local Identity: AppEndpointUser
This user has no Roles assigned.
Role: “AppEndpointUserRole”
I create an Endpoint that requires the “AppEndpointUserRole” Role to use it.
If I log in as the user I can’t reach the endpoint, as expected. No issue.
To grant access to the endpoint I generated a token which gives the Role “AppEndpointUserRole” and made the Invoke-RestAPI call using this token.
So using my Local Identity with this Token I can get to my Endpoint with no issues; things run. However, the Endpoint connects to an external API which requires a secret. The secret requires the “AppEndpointUserRole”.
So even though I authenticated to the Endpoint as the user Identity AppEndpointUser, with the “AppEndpointUserRole” role inherited from the App Token usage, once I am in the Endpoint it seems to look up Roles based on that Identity again and doesn’t take into account the App Token Roles inherited from token auth.
If I manually modify the Identity to have the “AppEndpointUserRole” I can then access the Secrets properly. However, at that point I feel like: why did I make the token grant roles if those roles are required on the endpoint to use the secrets anyway?
My goal was to force the button to use the App Token to auth against the API. This makes it so that no other user should be able to use that API endpoint without using it via the App.
I also don’t want someone, say another admin, to log in as the AppEndpointUser and have access to the secrets that are meant just for that application. So I was hoping that by configuring things the way I have above it would prevent that, but then I can’t seem to touch the secrets via endpoint token auth without the identity already having the role for the secrets.
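A hypothetical PowerShell model of the two role checks described in the post (an added example, not PowerShell Universal’s own code or API; the identity, token, role and secret names come from the post, while the tables and functions are assumptions). It shows why a secret check that re-resolves roles from the stored identity ignores the token-granted role, and how a check that reuses the roles established at authentication time keeps them:

```powershell
# Hypothetical model only; does not use PowerShell Universal cmdlets.
# Constructed sample data: the identity has no stored roles and the
# app token grants the role, exactly as in the scenario above.
$Identities = @{ 'AppEndpointUser' = @() }
$AppTokens  = @{
    'token-abc' = @{ Identity = 'AppEndpointUser'; Roles = @('AppEndpointUserRole') }
}
$Secrets    = @{
    'ExternalApiKey' = @{ RequiredRole = 'AppEndpointUserRole'; Value = 'constructed-secret' }
}

function Get-Principal {
    # Resolve a bearer token into a principal whose effective roles are
    # the stored identity roles plus the roles carried by the token.
    param([string]$BearerToken)
    $t = $AppTokens[$BearerToken]
    if (-not $t) { return $null }
    $effective = @(@($Identities[$t.Identity]) + @($t.Roles) | Select-Object -Unique)
    [pscustomobject]@{ Identity = $t.Identity; EffectiveRoles = $effective }
}

function Test-EndpointAccess {
    # Endpoint-level check: evaluated against the principal's effective roles.
    param($Principal, [string]$RequiredRole)
    [bool]($Principal.EffectiveRoles -contains $RequiredRole)
}

function Test-SecretAccessByIdentity {
    # Naive secret check: looks the identity up again and only sees its stored
    # roles, so the role granted by the token is lost (the symptom in the post).
    param($Principal, [string]$SecretName)
    $required = $Secrets[$SecretName].RequiredRole
    [bool](@($Identities[$Principal.Identity]) -contains $required)
}

function Test-SecretAccessByPrincipal {
    # Secret check that reuses the roles fixed at authentication time, so the
    # token-granted role counts without adding it to the identity itself.
    param($Principal, [string]$SecretName)
    $required = $Secrets[$SecretName].RequiredRole
    [bool]($Principal.EffectiveRoles -contains $required)
}

$p = Get-Principal -BearerToken 'token-abc'
"Endpoint access:            $(Test-EndpointAccess -Principal $p -RequiredRole 'AppEndpointUserRole')"
"Secret access (identity):   $(Test-SecretAccessByIdentity -Principal $p -SecretName 'ExternalApiKey')"
"Secret access (principal):  $(Test-SecretAccessByPrincipal -Principal $p -SecretName 'ExternalApiKey')"
```

Keeping the secret check on the authenticated principal also preserves the second goal in the post: an admin who logs in interactively as AppEndpointUser has no token and therefore no effective AppEndpointUserRole, so the identity itself never needs to carry the role.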