Self Service App Tokens

Hey All, I’ve been fiddling with this a bit and can’t seem to get my head into the right space, or am missing something.

I want to give users access to self-generate an AppToken for the roles they are in. I have managed to do it via a script that uses the direct API and an AppToken that is an admin, but then anyone who can access the script (by role) needs access to the variable, and they could then do admin stuff if they think hard enough.

What I’ve tried:

  • Using Grant-PSUAppToken -Integrated - makes a token, but the key is not returned in strict mode
  • I found this one: https://www.youtube.com/watch?v=BWp_zlQ-qEA&t=335s , but in the interface, when I go there, there is no Add New App Token button
  • I tried to create a role, give the role permission to security.tokens/*, then make a system token with that role - 403

Has anyone done this sort of self service process so a user can generate a token for the roles they are a member of?
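One way to frame the problem in the original post, as an added example that is not code from the thread or from Ironman Software: keep the minting step server-side so the caller never holds an admin AppToken, and refuse any role the caller does not already hold. It assumes PSU's automatic $User and $Roles variables are available inside the script or endpoint and that Grant-PSUAppToken accepts -Identity, -Role and -Expiration; the $SelfServiceRoles allow-list, the 90-day lifetime cap and the role names are hypothetical policy values. It does not address the strict-mode key-return issue reported above.

```powershell
# Added example: self-service AppToken issuance that never exposes an admin token.
# Assumptions (not from the original thread): $User and $Roles are populated by
# PowerShell Universal for the calling user; Grant-PSUAppToken supports
# -Identity, -Role and -Expiration. Verify against your PSU version's docs.
param(
    [Parameter(Mandatory)]
    [string[]]$RequestedRoles,

    [int]$DaysValid = 30
)

# Hypothetical site policy: only these roles may ever be self-issued.
$SelfServiceRoles = @('Operator', 'Reader')
$MaxLifetimeDays  = 90

function Get-SelfServiceGrant {
    <#
      Returns the subset of requested roles that the caller both holds
      and is allowed to self-issue, plus the roles that were refused.
      Pure function so it can be unit-tested outside PSU.
    #>
    param(
        [string[]]$Requested,
        [string[]]$CallerRoles,
        [string[]]$Allowed
    )
    $granted = @($Requested | Where-Object { ($_ -in $CallerRoles) -and ($_ -in $Allowed) })
    $refused = @($Requested | Where-Object { $_ -notin $granted })
    [pscustomobject]@{ Granted = $granted; Refused = $refused }
}

$grant = Get-SelfServiceGrant -Requested $RequestedRoles -CallerRoles $Roles -Allowed $SelfServiceRoles

# Fail closed: nothing to issue means no token at all, not a token with the caller's full role set.
if ($grant.Granted.Count -eq 0) {
    throw "None of the requested roles ($($RequestedRoles -join ', ')) can be self-issued by $User."
}
if ($grant.Refused.Count -gt 0) {
    Write-Warning "Refusing roles not held by $User or not self-service: $($grant.Refused -join ', ')"
}

# Cap lifetime so a user cannot mint an effectively permanent credential.
$expiry = (Get-Date).AddDays([Math]::Min($DaysValid, $MaxLifetimeDays))

# The token is bound to the caller's own identity and only the granted roles.
# The script's own (admin/integrated) credential is never returned or written to a variable
# the caller can read.
$token = Grant-PSUAppToken -Identity $User -Role $grant.Granted -Expiration $expiry

# Return only what the caller needs; never echo the script's service credentials.
[pscustomobject]@{
    Identity = $User
    Roles    = $grant.Granted
    Expires  = $expiry
    Token    = $token.Token
}
```

The check that matters is Get-SelfServiceGrant: the caller's role list comes from the server ($Roles), not from the request body, so a user cannot ask for Administrator by simply naming it. If your PSU version returns the AppToken object with a different property than Token, adjust the final line accordingly.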

I’ve seen others use their identity provider (e.g. Azure) for the JWT tokens, so that users can then use their Azure identity to generate tokens that can be used to authenticate against the PSU APIs. That seems like it might be a better way than trying to create the mechanism yourself?

Using external bearer (JWT) tokens with PowerShell Universal - Announcements - Ironman Software Forums

Thanks, that’s good food for thought. That last example of using JWT just for the endpoint auth and SAML for login could be one I could have a go at, but I will need to work out how to do that with Okta.

Using external bearer (JWT) tokens with PowerShell Universal < This link shows the steps to configure with Okta

Awesome find, thanks so much, trying now.