Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authentication: Basic AD Auth with -ASCredential "parameter Cannot validate argument on parameter 'Provider'." #1030

Closed
RichardWrinkle opened this issue Nov 15, 2022 · 5 comments · Fixed by #1167
Closed

Authentication: Basic AD Auth with -ASCredential "parameter Cannot validate argument on parameter 'Provider'." #1030

RichardWrinkle opened this issue Nov 15, 2022 · 5 comments · Fixed by #1167
Assignees
@Badgerati
Labels
bug 🐛
Milestone
2.9.0

Comments

@RichardWrinkle
Copy link

Hello,

When I enable the parameter "-AsCredential" on the New-PodeAuthScheme cmdlet, I get an error response that says the following:

 "Exception": null,
  "Url": "http://localhost:8080/info",
  "Status": {
    "Description": "Cannot validate argument on parameter 'Provider'. The argument \"\" does not belong to the set \"DirectoryServices,ActiveDirectory,OpenLDAP\" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.",
    "Code": 500
  }
}

Steps To Reproduce

Server Side Config:

Start-PodeServer {

    Enable-PodeSessionMiddleware -Duration 120 -Extend

    # attach to port 8080 for http
    Add-PodeEndpoint -Address localhost -Port 8080 -Protocol Http

    New-PodeAuthScheme -Basic -AsCredential | Add-PodeAuthWindowsAd -Name 'Login' -KeepCredential -ADModule -Fqdn $DomainController -DirectGroups

    Add-PodeRoute -Method Get -Path '/info' -Authentication 'Login' -ScriptBlock {

        $PodeUptimeInSeconds = (Get-PodeServerUptime) / 1000
        $ServerTime = Get-Date
        $ServerTimeUTC = $ServerTime.ToUniversalTime()
        $PodeStartTime = $ServerTime.AddSeconds(-$PodeUptimeInSeconds)

        Write-PodeJsonResponse -Depth 10 -value @{ 
            status          = "ok"
            uptimeInSeconds = $PodeUptimeInSeconds
            PodeStartTime   = $PodeStartTime
            ServerTime      = $ServerTime
            ServerTimeUTC   = $ServerTimeUTC
            responseid      = $ResponseID 
            data            = $WebEvent.Auth
        } -StatusCode 200
    }
}

Client Side Request:
I have tried two methods
1.) The first where I create the header with the PSCredential object:

$Credential = Get-Credential
$pair = "$($Credential.UserName):$($Credential.Password)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $basicAuthValue)

$response = Invoke-RestMethod 'http://localhost:8080/info' -Method 'GET' -Headers $headers
$response | ConvertTo-Json

2.) Where I just add the credential as a "-Credential" parameter to the Invoke-RestMethod cmdlet:

$Credential = Get-Credential
Invoke-Restmethod -method Get -Uri "http://localhost:8080/info" -Credential $Credential

Expected Behavior
User authentication should work with the provided PSCredential object and I get a response back with status code 200.

Platform
OS: Windows 10
Browser: [e.g. Chrome, Safari] N/A
Versions:
Pode: [e.g. Pode v1.7.3] 2.7.2
PowerShell: [e.g. PS6.2.1] 7.3.0
@Badgerati
Copy link
Owner

Hi @RichardWrinkle,

If you remove -AsCredential on New-PodeAuthScheme it'll work as expected. The switch was put in place for people building custom authentication methods, and needed a PSCredential object rather than the raw username/password. Since you're using the inbuilt WindowsAD authentication method there isn't much need for the -AsCredential switch on the scheme - unless you do have a need for it?

It should technically work though, so does need fixing.

@RichardWrinkle
Copy link
Author

@Badgerati - I am trying to automate a PS Script on a local machine where a user runs the script and it runs some functions that ultimately submits a request to Pode. If I was able to capture a PSCredential object when they run the script and then this could be passed to Pode for auth in the Invoke-RestMethod command. This may be possible in a different way, but I'm pretty new to Pode so I'm just trying to figure things out. Thanks!

@Badgerati
Copy link
Owner

Hi @RichardWrinkle,

You're first idea of setting the Authorization -Header on Invoke-RestMethod should work, it just needs -AsCredential to be removed from New-PodeAuthScheme 😄

@Badgerati Badgerati added this to the 2.8.0 milestone Dec 3, 2022
@Badgerati Badgerati moved this to Backlog in 🚀 Pode Roadmap Dec 3, 2022
@Badgerati Badgerati modified the milestones: 2.8.0, 2.8.1 Jan 27, 2023
@ili101
Copy link
Contributor

ili101 commented Mar 13, 2023

I think optimally -AsCredential should be the default and the parameter removed.
But this is a braking change so at you discretion
image

@Badgerati Badgerati modified the milestones: 2.8.1, 2.9.0 Jul 7, 2023
@Badgerati
Copy link
Owner

You're correct, it would be a breaking change. I've got a note written down for v3.0 to make the default be PSCredential for all auth types.

@Badgerati Badgerati self-assigned this Oct 12, 2023
Badgerati added a commit that referenced this issue Oct 12, 2023
@Badgerati
#1030: allow UsersFile, WindowsAd, and WindowsLocal auths work with -…
31c8670 
…AsCredential scheme switch
@Badgerati Badgerati mentioned this issue Oct 12, 2023
Merged
@github-project-automation github-project-automation bot moved this from Backlog to Done in 🚀 Pode Roadmap Oct 12, 2023
@Badgerati Badgerati mentioned this issue Oct 25, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Badgerati Badgerati

Labels
bug 🐛
Projects
🚀 Pode Roadmap
Status: Done
Milestone
2.9.0
3 participants
@Badgerati @ili101 @RichardWrinkle