
Commit 54a3a08

committed
api auth save and get changes
1 parent fad627f commit 54a3a08

2 files changed

Lines changed: 80 additions & 51 deletions


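--- a/Modules/CIPPCore/Public/Authentication/Get-CippApiAuth.ps1
+++ b/Modules/CIPPCore/Public/Authentication/Get-CippApiAuth.ps1
@@ -4,53 +4,74 @@ function Get-CippApiAuth {
 [string]$FunctionAppName
 )
 
-$AuthSettings = $null
+if ($env:CIPPNG) {
+$AuthSettings = $null
 
-# When the auth config is available as an env var, use it directly (no ARM call needed)
-if ($env:CIPPNG -and $env:WEBSITE_AUTH_V2_CONFIG_JSON) {
-$AuthSettings = $env:WEBSITE_AUTH_V2_CONFIG_JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
-}
+# When the auth config is available as an env var, use it directly (no ARM call needed)
+if ($env:WEBSITE_AUTH_V2_CONFIG_JSON) {
+$AuthSettings = $env:WEBSITE_AUTH_V2_CONFIG_JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
+}
+
+# Fall back to reading via ARM REST
+if (-not $AuthSettings) {
+$SubscriptionId = Get-CIPPAzFunctionAppSubId
+try {
+$uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$RGName/providers/Microsoft.Web/sites/$($FunctionAppName)/config/authsettingsV2/list?api-version=2020-06-01"
+$response = New-CIPPAzRestRequest -Uri $uri -Method POST -ErrorAction Stop
+$AuthSettings = $response.properties
+} catch {
+Write-Warning "Failed to get auth settings via REST: $($_.Exception.Message)"
+}
+}
+
+if ($AuthSettings) {
+$AAD = $AuthSettings.identityProviders.azureActiveDirectory
+$Issuer = $AAD.registration.openIdIssuer ?? ''
+$AllowedApps = @($AAD.validation.defaultAuthorizationPolicy.allowedApplications)
+
+# When SSO EasyAuth is in use, filter out its clientId — the frontend only tracks API clients
+$SSOClientId = $AAD.registration.clientId
+if ($SSOClientId) {
+$AllowedApps = @($AllowedApps | Where-Object { $_ -ne $SSOClientId })
+}
 
-# Fall back to reading via ARM REST
-if (-not $AuthSettings) {
+$ExtractedTenantId = $Issuer -replace 'https://sts.windows.net/', '' -replace 'https://login.microsoftonline.com/', '' -replace '/v2.0', ''
+$TenantId = if ($ExtractedTenantId -eq 'common') { $env:TenantID } else { $ExtractedTenantId }
+
+[PSCustomObject]@{
+ApiUrl = "https://$($env:WEBSITE_HOSTNAME)"
+TenantID = $TenantId
+ClientIDs = $AllowedApps
+Enabled = $AAD.enabled
+}
+} else {
+throw 'No auth settings found'
+}
+} else {
 $SubscriptionId = Get-CIPPAzFunctionAppSubId
+
 try {
+# Get auth settings via REST
 $uri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$RGName/providers/Microsoft.Web/sites/$($FunctionAppName)/config/authsettingsV2/list?api-version=2020-06-01"
 $response = New-CIPPAzRestRequest -Uri $uri -Method POST -ErrorAction Stop
 $AuthSettings = $response.properties
 } catch {
 Write-Warning "Failed to get auth settings via REST: $($_.Exception.Message)"
 }
-}
 
-# Fallback to env var if ARM failed
-if (-not $AuthSettings -and $env:WEBSITE_AUTH_V2_CONFIG_JSON) {
-$AuthSettings = $env:WEBSITE_AUTH_V2_CONFIG_JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
-}
-
-if ($AuthSettings) {
-$AAD = $AuthSettings.identityProviders.azureActiveDirectory
-$Issuer = $AAD.registration.openIdIssuer ?? ''
-$AllowedApps = @($AAD.validation.defaultAuthorizationPolicy.allowedApplications)
-
-# When SSO EasyAuth is in use, filter out its clientId — the frontend only tracks API clients
-if ($env:CIPPNG) {
-$SSOClientId = $AAD.registration.clientId
-if ($SSOClientId) {
-$AllowedApps = @($AllowedApps | Where-Object { $_ -ne $SSOClientId })
-}
+if (!$AuthSettings -and $env:WEBSITE_AUTH_V2_CONFIG_JSON) {
+$AuthSettings = $env:WEBSITE_AUTH_V2_CONFIG_JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
 }
 
-$ExtractedTenantId = $Issuer -replace 'https://sts.windows.net/', '' -replace 'https://login.microsoftonline.com/', '' -replace '/v2.0', ''
-$TenantId = if ($ExtractedTenantId -eq 'common') { $env:TenantID } else { $ExtractedTenantId }
-
-[PSCustomObject]@{
-ApiUrl = "https://$($env:WEBSITE_HOSTNAME)"
-TenantID = $TenantId
-ClientIDs = $AllowedApps
-Enabled = $AAD.enabled
+if ($AuthSettings) {
+[PSCustomObject]@{
+ApiUrl = "https://$($env:WEBSITE_HOSTNAME)"
+TenantID = $AuthSettings.identityProviders.azureActiveDirectory.registration.openIdIssuer -replace 'https://sts.windows.net/', '' -replace '/v2.0', ''
+ClientIDs = $AuthSettings.identityProviders.azureActiveDirectory.validation.defaultAuthorizationPolicy.allowedApplications
+Enabled = $AuthSettings.identityProviders.azureActiveDirectory.enabled
+}
+} else {
+throw 'No auth settings found'
 }
-} else {
-throw 'No auth settings found'
 }
 }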
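Review bot: The non-CIPPNG branch (new lines 66-72) parses the same ARM document differently from the CIPPNG branch: the issuer is stripped only of `https://sts.windows.net/` and `/v2.0`, so an issuer of the `https://login.microsoftonline.com/<tenant>/v2.0` form, or a `common` issuer, produces a TenantID that is not a tenant GUID, and `ClientIDs` is not wrapped in `@()`, so a single allowed application comes back as a bare string instead of a one-element array. The CIPPNG branch already handles all three cases at new lines 29 and 38-39; I would reuse those lines here — `$Issuer = $AAD.registration.openIdIssuer ?? ''`, the same `$ExtractedTenantId` / `$TenantId` pair, and `ClientIDs = @($AAD.validation.defaultAuthorizationPolicy.allowedApplications)` — rather than keep two parsers for one document. Since this output tells the frontend which app registrations count as valid API clients, a divergence between the branches is worth closing before it ships. The function's parameter block and signature sit before this hunk.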

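--- a/Modules/CIPPCore/Public/Authentication/Set-CippApiAuth.ps1
+++ b/Modules/CIPPCore/Public/Authentication/Set-CippApiAuth.ps1
@@ -92,21 +92,30 @@ function Set-CippApiAuth {
 Write-Information '[ApiAuth] Updated EasyAuth successfully'
 }
 } else {
-# Full overwrite path (no SSO EasyAuth config to preserve)
+# Resolve subscription ID via helper (managed identity environment assumed for ARM).
 $SubscriptionId = Get-CIPPAzFunctionAppSubId
-$BaseUri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$RGName/providers/Microsoft.Web/sites/$FunctionAppName"
 
-$getUri = "$BaseUri/config/authsettingsV2/list?api-version=2020-06-01"
-$AuthSettings = New-CIPPAzRestRequest -Uri $getUri -Method POST
+# Get auth settings via ARM REST (managed identity)
+$getUri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$RGName/providers/Microsoft.Web/sites/$($FunctionAppName)/config/authsettingsV2/list?api-version=2020-06-01"
+$resp = New-CIPPAzRestRequest -Uri $getUri -Method 'GET'
+$AuthSettings = $resp | Select-Object -ExpandProperty Content -ErrorAction SilentlyContinue
+if ($AuthSettings -is [string]) { $AuthSettings = $AuthSettings | ConvertFrom-Json }
+else { $AuthSettings = $resp }
 
 Write-Information "AuthSettings: $($AuthSettings | ConvertTo-Json -Depth 10)"
 
-$AllowedAudiences = foreach ($ClientId in $ClientIds) { "api://$ClientId" }
+# Set allowed audiences
+$AllowedAudiences = foreach ($ClientId in $ClientIds) {
+"api://$ClientId"
+}
+
 if (!$AllowedAudiences) { $AllowedAudiences = @() }
 if (!$ClientIds) { $ClientIds = @() }
 
+# Set auth settings
+
 if (($ClientIds | Measure-Object).Count -gt 0) {
-$AuthSettings.properties.identityProviders | Add-Member -MemberType NoteProperty -Name 'azureActiveDirectory' -Value @{
+$AuthSettings.properties.identityProviders.azureActiveDirectory = @{
 enabled = $true
 registration = @{
 clientId = $ClientIds[0] ?? $ClientIds
@@ -118,30 +127,29 @@ function Set-CippApiAuth {
 allowedApplications = @($ClientIds)
 }
 }
-} -Force
+}
 } else {
-#Replaced with add-member -force
-$AuthSettings.properties.identityProviders | Add-Member -MemberType NoteProperty -Name 'azureActiveDirectory' -Value @{
+$AuthSettings.properties.identityProviders.azureActiveDirectory = @{
 enabled = $false
 registration = @{}
 validation = @{}
-} -Force
+}
 }
 
-$AuthSettings.properties | Add-Member -MemberType NoteProperty -Name 'globalValidation' -Value @{
+$AuthSettings.properties.globalValidation = @{
 unauthenticatedClientAction = 'Return401'
-} -Force
-$AuthSettings.properties | Add-Member -MemberType NoteProperty -Name 'login' -Value @{
+}
+$AuthSettings.properties.login = @{
 tokenStore = @{
 enabled = $true
 tokenRefreshExtensionHours = 72
 }
-} -Force
+}
 
 if ($PSCmdlet.ShouldProcess('Update auth settings')) {
-$putUri = "$BaseUri/config/authsettingsV2?api-version=2020-06-01"
-$Body = $AuthSettings | ConvertTo-Json -Depth 20
-$null = New-CIPPAzRestRequest -Uri $putUri -Method PUT -Body $Body -ContentType 'application/json'
+# Update auth settings via ARM REST
+$putUri = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$RGName/providers/Microsoft.Web/sites/$($FunctionAppName)/config/authsettingsV2?api-version=2020-06-01"
+$null = New-CIPPAzRestRequest -Uri $putUri -Method 'PUT' -Body $AuthSettings -ContentType 'application/json'
 }
 
 if ($PSCmdlet.ShouldProcess('Update allowed tenants')) {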
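Review bot: The `authsettingsV2/list` read at new line 100 is sent with `-Method 'GET'`, but `.../list` is an ARM action endpoint: the removed line used POST, and Get-CippApiAuth in this same commit calls the identical URI with `-Method POST`, so I would expect this request to be refused and `$resp` to carry an error document rather than the current settings; change it to `$resp = New-CIPPAzRestRequest -Uri $getUri -Method POST`. The PUT at new line 152 now passes `$AuthSettings` as an object where the removed code sent `ConvertTo-Json -Depth 20`; unless New-CIPPAzRestRequest serialises nested hashtables to full depth itself (not visible here), the `identityProviders.azureActiveDirectory.validation.defaultAuthorizationPolicy.allowedApplications` path — the list that gates who may call the API — can be truncated on the wire, so keeping `$Body = $AuthSettings | ConvertTo-Json -Depth 20` and sending `-Body $Body` is the safer form. Separately, replacing `Add-Member -Force` with plain property assignment at new lines 118, 132, 139 and 142 throws on a PSCustomObject whose member does not yet exist, which is the first-time-enable case where the returned document has no `azureActiveDirectory`, `globalValidation` or `login` member — the removed `#Replaced with add-member -force` comment suggests that was the original reason for `-Force`. Set-CippApiAuth continues before and after these hunks.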
