AuthorizationPolicy and AuthorizedRole not working. #378

Closed
gerane opened this issue Sep 25, 2018 · 8 comments

gerane commented Sep 25, 2018

Version: 2.0.1

I am trying to get the Authorized Roles working with AzureAD, but they are either ignored or cause errors.

Here is the basic setup.

Example Setup Gist

New-UDPage

Example 1

If I do the following, no auth is respected. All users can access everything and login.

New-UDPage -Name "Home" -Icon home -AuthorizedRole Login -Content {

}

Example 2

If I do the following using AuthorizationPolicy and the string name of a policy, the server errors and returns only white pages.

New-UDPage -Name "Home" -Icon home -AuthorizationPolicy Login -Content {

}

Errors in logs

14:08:30 Microsoft.AspNetCore.Authorization.DefaultAuthorizationService Authorization failed.
14:08:30 Microsoft.AspNetCore.Authorization.DefaultAuthorizationService Authorization failed.
14:08:30 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
14:08:30 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
14:08:30 Microsoft.AspNetCore.Mvc.ChallengeResult Executing ChallengeResult with authentication schemes ().
14:08:30 Microsoft.AspNetCore.Mvc.ChallengeResult Executing ChallengeResult with authentication schemes ().
14:08:30 Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Cookies was challenged.
14:08:30 Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Cookies was challenged.
14:08:30 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Executed action UniversalDashboard.Controllers.DashboardController.Index (UniversalDashboard) in 79.5276ms
14:08:30 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Executed action UniversalDashboard.Controllers.DashboardController.Theme (UniversalDashboard) in 92.468ms
14:08:30 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Route matched with {action = "Index", controller = "Redirect", area = "", page = ""}. Executing action UniversalDashboard.Controllers.RedirectController.Index (UniversalDashboard)
14:08:31 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Route matched with {action = "Index", controller = "Redirect", area = "", page = ""}. Executing action UniversalDashboard.Controllers.RedirectController.Index (UniversalDashboard)
14:08:31 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Executing action method UniversalDashboard.Controllers.RedirectController.Index (UniversalDashboard) with arguments (401) - Validation state: Valid
14:08:31 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Executing action method UniversalDashboard.Controllers.RedirectController.Index (UniversalDashboard) with arguments (401) - Validation state: Valid
14:08:31 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Executed action method UniversalDashboard.Controllers.RedirectController.Index (UniversalDashboard), returned result Microsoft.AspNetCore.Mvc.PhysicalFileResult in 0.0739ms.
14:08:31 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Executed action method UniversalDashboard.Controllers.RedirectController.Index (UniversalDashboard), returned result Microsoft.AspNetCore.Mvc.PhysicalFileResult in 0.0724ms.
14:08:31 Microsoft.AspNetCore.Mvc.Infrastructure.PhysicalFileResultExecutor Executing Microsoft.AspNetCore.Mvc.PhysicalFileResult, sending file 'C:\Program Files\WindowsPowerShell\Modules\UniversalDashboard\2.0.1\net471\..\client/index.html' with download name '' ...
14:08:31 Microsoft.AspNetCore.Mvc.Infrastructure.PhysicalFileResultExecutor Executing Microsoft.AspNetCore.Mvc.PhysicalFileResult, sending file 'C:\Program Files\WindowsPowerShell\Modules\UniversalDashboard\2.0.1\net471\..\client/index.html' with download name '' ...
14:08:31 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Executed action UniversalDashboard.Controllers.RedirectController.Index (UniversalDashboard) in 49.4402ms
14:08:31 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Executed action UniversalDashboard.Controllers.RedirectController.Index (UniversalDashboard) in 69.0533ms

When AzureAD is challenged, the page isn't redirecting properly. Normally this would redirect to "/home", but when AuthorizationPolicy is used like this it redirects to a white page at "/"

14:08:32 Microsoft.AspNetCore.Mvc.ChallengeResult Executing ChallengeResult with authentication schemes (AzureAD).
14:08:33 Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler AuthenticationScheme: AzureADOpenID was challenged.
14:08:33 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Executed action UniversalDashboard.Controllers.AuthenticationController.SignIn (UniversalDashboard) in 500.4674ms
14:08:33 Microsoft.AspNetCore.Hosting.Internal.WebHost Request finished in 548.3859ms 302 
14:08:49 Microsoft.AspNetCore.Hosting.Internal.WebHost Request starting HTTP/1.1 POST http://localhost:10001/signin-oidc application/x-www-form-urlencoded 1928
14:08:49 Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Cookies signed in.
14:08:49 Microsoft.AspNetCore.Hosting.Internal.WebHost Request finished in 198.9174ms 302 
14:08:49 Microsoft.AspNetCore.Hosting.Internal.WebHost Request starting HTTP/1.1 GET http://localhost:10001/signin  
14:08:49 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Route matched with {action = "SignIn", controller = "Authentication", area = "", page = ""}. Executing action UniversalDashboard.Controllers.AuthenticationController.SignIn (UniversalDashboard)
14:08:49 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Executing action method UniversalDashboard.Controllers.AuthenticationController.SignIn (UniversalDashboard) - Validation state: Valid
14:08:49 Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker Executed action method UniversalDashboard.Controllers.AuthenticationController.SignIn (UniversalDashboard), returned result Microsoft.AspNetCore.Mvc.RedirectResult in 1.1531ms.
14:08:49 Microsoft.AspNetCore.Mvc.Infrastructure.RedirectResultExecutor Executing RedirectResult, redirecting to /.

Then later you see these errors in the logs.

14:08:50 DashboardController Failed to evaluate authorization policy. The term '​' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
14:08:50 Microsoft.AspNetCore.Server.Kestrel Connection id "XXXXXXXXXXXX", Request id "XXXXXXXXXXXX:XXXXXXX": An unhandled exception was thrown by the application.

Example 3

If I do the following using AuthorizationPolicy and a policy object, the server has almost the same errors as above and returns only white pages.

New-UDPage -Name "Home" -Icon home -AuthorizationPolicy $LoginPolicy -Content {

}

Any use of AuthorizationPolicy leads to the errors and white screens. The logs for this example look the same as when using the string name instead of object, except the "DashboardController Failed to evaluate authorization policy" error was not present.

New-UDLoginPage

I can't seem to get any sort of Role to work with the New-UDLoginPage command. If I login with a user that isn't in the "APP_PSDashboard_UsersLogin_Allowed" group, they are able to login without issue.

$MicrosoftLogin = New-UDAuthenticationMethod -ClientId "blah" -Instance 'https://login.microsoftonline.com' -Domain 'blah' -TenantId 'blah'

$AuthorizationPolicy = New-UDAuthorizationPolicy -Name "Login" -Endpoint {
    param($User)
​
    $User.HasClaim("groups", "APP_PSDashboard_UsersLogin_Allowed")
}

New-UDLoginPage -AuthenticationMethod $MicrosoftLogin -AuthorizationPolicy $AuthorizationPolicy

When the page is in a broken state and viewing a white page, the view source body looks like the following.

<body>
    <div id="app" class="app">
        <div class="ud-dashboard">
            <div class="loadingWrapper" style="height: 100%; width: 100%; display: flex;">
                <div class="row" style="height: 90vh; min-height: 90vh; display: none;">
                    <div class="valign-wrapper center-align" style="height: 90vh;">
                        <div>
                            <h1>PowerShell Universal Dashboard</h1>
                           <div class="progress">
                                <div class="indeterminate"></div>
                            </div>
                        </div>
                    </div>
                </div>
            </div>
        </div>
    </div>
    <div class="hiddendiv common"></div>
</body>
adamdriscoll added labels: bug (Something isn't working), enterprise (Sep 26, 2018)

adamdriscoll (Member) commented

@gerane - Sorry for not getting back sooner.

This works for me on the latest 2.1 build (which should be released in a couple days)

I had to use the group's ID; not the name.


# Azure AD authentication method; the bracketed values are placeholders for your own tenant.
$AuthenticationMethod = New-UDAuthenticationMethod -ClientId '<clientId>' -Instance 'https://login.microsoftonline.com' -Domain '<domain>' -TenantId '<id>'

# Policy: allow only users whose "groups" claim contains the group's object id (not its display name).
$AuthorizationPolicy = New-UDAuthorizationPolicy -Name "Login" -Endpoint {
    param($User)

    $User.HasClaim("groups", "e1b6e95e-6241-4a1a-886d-d5fc0f606f99")
}

$LoginPage = New-UDLoginPage -AuthenticationMethod $AuthenticationMethod -AuthorizationPolicy $AuthorizationPolicy

$dashboard = New-UDDashboard -Title "Test" -LoginPage $LoginPage -Pages @(
    # The page references the policy by the name given above.
    New-UDPage -Name "Home" -Icon home -AuthorizationPolicy Login -Content {
        New-UDElement -Tag "div" -Content { "logged in" }
    }
)

$Server = Start-UDDashboard -Port 10001 -Dashboard $dashboard -AllowHttpForLogin

I was able to login as a user that was part of the group, and logging in as a user that was not part of the group showed an error since I only had one page. I will fix that experience...
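Two things in this thread are worth catching before a dashboard is ever started: a policy that checks the group's display name where Azure AD's "groups" claim carries the group's object id (adamdriscoll's point above), and a policy script block that fails with "The term '​' is not recognized", where the term being quoted is an invisible character (the blank line inside the first report's New-UDAuthorizationPolicy block contains a U+200B zero-width space). The following is an added example, not code from this issue or from the UniversalDashboard project. It assumes the dashboard passes a System.Security.Claims.ClaimsPrincipal as $User (the HasClaim("groups", ...) call used in the thread is a ClaimsPrincipal method); the group id, the user names and the New-TestPrincipal / Test-Policy / Find-InvisibleCharacter helpers are constructed for this example, and treating an empty or throwing policy result as deny is this harness's own fail-closed choice.

```powershell
# Added example, not code from this issue or from the UniversalDashboard project.
# Runs an authorization-policy script block offline against constructed ClaimsPrincipals,
# so that a wrong claim value (group display name instead of object id) or an invisible
# character in the script block shows up before the policy is wired into a dashboard.
# Assumption: the dashboard passes a System.Security.Claims.ClaimsPrincipal as $User.
# The group id is a constructed placeholder, not a real tenant value.

$GroupObjectId = '11111111-2222-3333-4444-555555555555'   # constructed placeholder

# Policy body in the same shape the thread hands to New-UDAuthorizationPolicy -Endpoint.
$LoginPolicy = {
    param($User)
    $User.HasClaim("groups", $GroupObjectId)
}

function New-TestPrincipal {
    # Build a principal from a hashtable of claim type -> one or more values (constructed data).
    param([hashtable]$Claims)
    $identity = [System.Security.Claims.ClaimsIdentity]::new('TestAuth')
    foreach ($type in $Claims.Keys) {
        foreach ($value in @($Claims[$type])) {
            $identity.AddClaim([System.Security.Claims.Claim]::new($type, [string]$value))
        }
    }
    [System.Security.Claims.ClaimsPrincipal]::new($identity)
}

function Test-Policy {
    # Evaluate a policy script block and coerce the result to a single [bool].
    # A block that throws or returns nothing is treated as deny (fail closed); this is
    # the harness's own rule, not a statement about how the dashboard evaluates policies.
    param([scriptblock]$Policy, [System.Security.Claims.ClaimsPrincipal]$User)
    try {
        $result = @(& $Policy $User)
        return ($result.Count -eq 1 -and [bool]$result[0])
    } catch {
        Write-Warning "Policy threw: $($_.Exception.Message)"
        return $false
    }
}

function Find-InvisibleCharacter {
    # Report zero-width / BOM code points. PowerShell does not treat them as whitespace,
    # so one on its own line becomes a command name, which is what a log line of the form
    # "The term '<invisible>' is not recognized" points at.
    param([string]$Text)
    [regex]::Matches($Text, '[\u200B\u200C\u200D\u2060\uFEFF]') | ForEach-Object {
        [pscustomobject]@{ Index = $_.Index; CodePoint = 'U+{0:X4}' -f [int][char]$_.Value }
    }
}

# Constructed principals. Azure AD's "groups" claim carries group object ids, so a
# policy that compares against the group's display name never matches.
$member    = New-TestPrincipal @{ name = 'alice'; groups = @($GroupObjectId, 'other-group-id') }
$nonMember = New-TestPrincipal @{ name = 'bob';   groups = @('other-group-id') }
$byName    = New-TestPrincipal @{ name = 'carol'; groups = @('APP_PSDashboard_UsersLogin_Allowed') }

foreach ($p in @($member, $nonMember, $byName)) {
    $name = ($p.FindFirst('name')).Value
    [pscustomobject]@{ User = $name; Allowed = (Test-Policy -Policy $LoginPolicy -User $p) }
}

# Lint the policy text; an empty result means no invisible characters were found.
Find-InvisibleCharacter -Text $LoginPolicy.ToString()
```

Running the script prints one row per constructed user with the policy's decision, then any invisible code points found in the policy text. Pasting a policy block copied from a web page into $LoginPolicy and re-running the lint is the quickest way to tell a real authorization failure from a tokenizer error caused by a stray zero-width character.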


adamdriscoll commented Oct 30, 2018

If you want to try the latest, grab it here: https://www.powershellgallery.com/packages/UniversalDashboard/2.1.0

adamdriscoll (Member) commented

Also, to check out what claims you have, you can put Wait-Debugger in your policy script block.

$AuthorizationPolicy = New-UDAuthorizationPolicy -Name "Login" -Endpoint {
    param($User)

    # Pauses the runspace so the $User object can be inspected from a debugger.
    Wait-Debugger

    $User.HasClaim("groups", "e1b6e95e-6241-4a1a-886d-d5fc0f606f99")
}


When you try to load the page, it will block and then you can use Get-Runspace and Debug-Runspace to check out the $User object.


gerane commented Nov 6, 2018

@adamdriscoll When I try your example, I can't get it to work.

I just get a white page when going to localhost:10001, and if I manually type in localhost:10001/login it lets me login with AzureAD, but then redirects me to localhost:10001 with an error "Cannot read property 'url' of undefined".



gerane commented Nov 6, 2018

@adamdriscoll also, I get a 404 for your link

adamdriscoll (Member) commented

@gerane The latest is on the PowerShell Gallery: https://www.powershellgallery.com/packages/UniversalDashboard/2.1.0

Did you check the claims in the debugger? Maybe there is something I'm missing here....

neossian commented

I have the same issue using Version 2.1.0, using your code as a template. I have added Wait-Debugger to the authorization policy.

With -AllowHTTPForLogin I get the login screen, but login keeps looping back to the login screen and never hits the Wait-Debugger.

With a -Certificate I get the error "cannot read property 'url' of undefined" shown by @gerane. No login page appears; this is true without any authorization policy.

adamdriscoll (Member) commented

This works completely differently in 2.7. Please reopen if you are still experiencing this issue.
