Overview
This article offers some additional tips and a sample PowerShell script to accompany the official documentation, Configuring OAuth Authentication for Application Accounts.
Please note that scripting is not part of standard support. The script is just meant to provide another way to test the authentication, if you prefer to use it. Be aware that all scripts are run at your own risk.
Solution
Does this work together with Login Service?
Yes. Just leave the M-Files Login Service as the default authentication configuration. The X-AuthConfig header tells the REST API which authentication configuration to use, by name, so the configuration for the technical credentials does not need to be the default configuration.
Audience and TechnicalCredentialAudience
Audience and TechnicalCredentialAudience are commonly set without the api:// prefix. Set the prefix only if you use a custom URI as the application ID URI. The configuration guide describes this, but getting it wrong is still a common mistake.
Rule of thumb: if it looks like a GUID, do not set the api:// prefix.
For example:
"Audience": "7fc8b4d8-69f0-4386-9e18-f48444ba042b"
"TechnicalCredentialAudience": "7fc8b4d8-69f0-4386-9e18-f48444ba042b"
Sample PowerShell script
The following PowerShell script is based on the samples in the configuration guide. Note that this example keeps each command on a single line instead of using backticks to indicate that a command continues on the next line.
The script fetches the OAuth token, then makes a REST GET request to get view data, and outputs that to the terminal.
You can also add Write-Output commands to help with debugging, for example, to show the OAuth token value before it is passed to the REST request.
Save the following script as a .PS1 file, fill in the correct values for the variables at the beginning, and you should be good to go.
***********************************
# Variables
$tenantId = "" # API application tenant ID
$clientId = "" # Client ID
$apiIdUri = "" # API application ID URI, without api:// prefix as it is the default GUID, not a custom URL
$clientSecret = "" # Application secret
$networkAddress = "" # vault DNS
$vaultGuid = "" # vault GUID inside curly braces {}
$pluginName = "" # Federated authentication configuration name, for example "Technical Credentials"
$accountName = "" # the name of the login account in the format "domain\user"
# Fetch OAuth token. curl.exe is called explicitly because in Windows PowerShell a plain
# "curl" is an alias for Invoke-WebRequest, which does not accept -X/-H/-d.
# -s suppresses the progress meter so that only the JSON body is captured.
$authResponse = curl.exe -s -X POST "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -H 'Content-Type: application/x-www-form-urlencoded' -d "client_id=$clientId" -d "grant_type=client_credentials" -d "scope=$apiIdUri/.default" -d "client_secret=$clientSecret"
# Create PowerShell object from the JSON token response
$authObject = $authResponse | ConvertFrom-Json
# Grab the access token part
$authToken = $authObject.access_token
# Get views from vault using the OAuth token
$callResponse = curl.exe -s -X GET "https://$networkAddress/REST/views/items" -H "Authorization: Bearer $authToken" -H "X-Vault: $vaultGuid" -H "X-AuthConfig: $pluginName" -H "X-ExtraAuthData: AuthType=Client;UpdateMetadata=true;AccountName=$accountName"
# Write response to the terminal
Write-Output $callResponse
***********************************
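As an added example (not from the M-Files configuration guide and not the script above), the same flow using PowerShell's native Invoke-RestMethod, so it does not depend on curl.exe: it surfaces the Entra ID error body when the token request fails, and it decodes the token's aud claim so it can be compared with the Audience value from the section above when troubleshooting the api:// prefix. The variable names, including $audience for the configured Audience value, are my own placeholders.

```powershell
# Added example (not from the M-Files guide or the script above): same flow with the native
# Invoke-RestMethod cmdlet, surfacing the Entra ID error body on failure and decoding the
# token's aud claim for comparison with the configured Audience. All values are placeholders.
$tenantId       = ""   # API application tenant ID
$clientId       = ""   # Client ID
$clientSecret   = ""   # Application secret
$apiIdUri       = ""   # API application ID URI (default GUID, no api:// prefix)
$audience       = ""   # "Audience" value as configured in M-Files (assumed variable name)
$networkAddress = ""   # vault DNS name
$vaultGuid      = ""   # vault GUID inside curly braces {}
$pluginName     = ""   # federated authentication configuration name
$accountName    = ""   # login account in the format "domain\user"

function Get-JwtPayload {
    # Decodes the (unverified) payload of a JWT; for troubleshooting output only.
    param([Parameter(Mandatory)][string]$Jwt)
    $b64 = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } } # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

$tokenUri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{ client_id = $clientId; client_secret = $clientSecret
           grant_type = 'client_credentials'; scope = "$apiIdUri/.default" }
try {
    $auth = Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body -ContentType 'application/x-www-form-urlencoded'
} catch {
    # Entra ID answers with a JSON body (error, error_description) that names the cause
    throw "Token request failed: $($_.ErrorDetails.Message)"
}

$claims = Get-JwtPayload -Jwt $auth.access_token
Write-Output "Token aud: $($claims.aud)  configured Audience: $audience"
# If one of aud/Audience carries the api:// prefix and the other does not, fix that first.

$headers = @{
    Authorization     = "Bearer $($auth.access_token)"
    'X-Vault'         = $vaultGuid
    'X-AuthConfig'    = $pluginName
    'X-ExtraAuthData' = "AuthType=Client;UpdateMetadata=true;AccountName=$accountName"
}
try {
    Invoke-RestMethod -Method Get -Uri "https://$networkAddress/REST/views/items" -Headers $headers
} catch {
    # Surface the HTTP status and body returned by the vault instead of a generic error
    throw "Vault call failed (HTTP $([int]$_.Exception.Response.StatusCode)): $($_.ErrorDetails.Message)"
}
```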
