From f8ddfc4e70758b681f6a3ecd8671251182d85efc Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 7 Feb 2026 17:49:03 +0000 Subject: [PATCH 01/13] Initial plan From caf2d7604f8b43f0762204e1a66a2866cb86785b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 7 Feb 2026 17:54:30 +0000 Subject: [PATCH 02/13] Add AuthSessionType to broker API with validation Co-authored-by: blindzero <13959569+blindzero@users.noreply.github.com> --- .../Public/New-IdleAuthSessionBroker.ps1 | 53 +++++++++- src/IdLE/Public/New-IdleAuthSession.ps1 | 23 ++++- tests/Core/New-IdleAuthSession.Tests.ps1 | 96 +++++++++++++++++-- 3 files changed, 156 insertions(+), 16 deletions(-) diff --git a/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 b/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 index 9e439cb6..142568ff 100644 --- a/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 +++ b/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 @@ -26,12 +26,22 @@ function New-IdleAuthSessionBroker { Optional default credential to return when no session options are provided or when the options don't match any entry in SessionMap. + .PARAMETER AuthSessionType + Specifies the type of authentication session. This determines validation rules, + lifecycle management, and telemetry behavior. + + Valid values: + - 'OAuth': Token-based authentication (e.g., Microsoft Graph, Exchange Online) + - 'PSRemoting': PowerShell remoting execution context (e.g., Entra Connect) + - 'Implicit': Implicit authentication without explicit session (e.g., Active Directory) + - 'None': No authentication required (e.g., mock providers) + .EXAMPLE - # Simple role-based broker + # Simple role-based broker with OAuth session type $broker = New-IdleAuthSessionBroker -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential - } -DefaultCredential $adminCredential + } -DefaultCredential $adminCredential -AuthSessionType 'OAuth' $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{ Identity = New-IdleADIdentityProvider @@ -39,11 +49,17 @@ function New-IdleAuthSessionBroker { } .EXAMPLE - # Domain-based broker for multi-forest scenarios + # Domain-based broker for multi-forest scenarios with Implicit session type $broker = New-IdleAuthSessionBroker -SessionMap @{ @{ Domain = 'SourceAD' } = $sourceCred @{ Domain = 'TargetAD' } = $targetCred - } + } -AuthSessionType 'Implicit' + + .EXAMPLE + # PSRemoting broker for Entra Connect directory sync + $broker = New-IdleAuthSessionBroker -SessionMap @{ + @{ Server = 'AADConnect01' } = $remoteSessionCred + } -AuthSessionType 'PSRemoting' .OUTPUTS PSCustomObject with AcquireAuthSession method @@ -56,13 +72,18 @@ function New-IdleAuthSessionBroker { [Parameter()] [AllowNull()] - [PSCredential] $DefaultCredential + [PSCredential] $DefaultCredential, + + [Parameter(Mandatory)] + [ValidateSet('OAuth', 'PSRemoting', 'Implicit', 'None')] + [string] $AuthSessionType ) $broker = [pscustomobject]@{ PSTypeName = 'IdLE.AuthSessionBroker' SessionMap = $SessionMap DefaultCredential = $DefaultCredential + AuthSessionType = $AuthSessionType } $broker | Add-Member -MemberType ScriptMethod -Name AcquireAuthSession -Value { @@ -80,6 +101,28 @@ function New-IdleAuthSessionBroker { # This broker routes based on Options only; custom brokers may use Name for additional routing $null = $Name + # Validate options based on AuthSessionType + if ($null -ne $Options -and $Options.Count -gt 0) { + switch ($this.AuthSessionType) { + 'OAuth' { + # OAuth sessions typically use role or scope-based options + # No additional validation needed for this simple implementation + } + 'PSRemoting' { + # PSRemoting sessions may specify server, computerName, or similar + # No additional validation needed for this simple implementation + } + 'Implicit' { + # Implicit sessions may specify domain, forest, or organizational context + # No additional validation needed for this simple implementation + } + 'None' { + # No session expected, but options may still be used for routing + # No additional validation needed for this simple implementation + } + } + } + # If no options provided, return default if ($null -eq $Options -or $Options.Count -eq 0) { if ($null -ne $this.DefaultCredential) { diff --git a/src/IdLE/Public/New-IdleAuthSession.ps1 b/src/IdLE/Public/New-IdleAuthSession.ps1 index 903e46ae..8c2e140f 100644 --- a/src/IdLE/Public/New-IdleAuthSession.ps1 +++ b/src/IdLE/Public/New-IdleAuthSession.ps1 @@ -24,10 +24,20 @@ function New-IdleAuthSession { .PARAMETER DefaultCredential Optional default credential to return when no session options are provided. + .PARAMETER AuthSessionType + Specifies the type of authentication session. This determines validation rules, + lifecycle management, and telemetry behavior. + + Valid values: + - 'OAuth': Token-based authentication (e.g., Microsoft Graph, Exchange Online) + - 'PSRemoting': PowerShell remoting execution context (e.g., Entra Connect) + - 'Implicit': Implicit authentication without explicit session (e.g., Active Directory) + - 'None': No authentication required (e.g., mock providers) + .EXAMPLE $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential - } + } -AuthSessionType 'OAuth' .OUTPUTS PSCustomObject with AcquireAuthSession method @@ -43,11 +53,18 @@ function New-IdleAuthSession { [Parameter()] [AllowNull()] - [PSCredential] $DefaultCredential + [PSCredential] $DefaultCredential, + + [Parameter(Mandatory)] + [ValidateSet('OAuth', 'PSRemoting', 'Implicit', 'None')] + [string] $AuthSessionType ) # Delegate to IdLE.Core implementation. - $params = @{ SessionMap = $SessionMap } + $params = @{ + SessionMap = $SessionMap + AuthSessionType = $AuthSessionType + } if ($PSBoundParameters.ContainsKey('DefaultCredential')) { $params['DefaultCredential'] = $DefaultCredential } diff --git a/tests/Core/New-IdleAuthSession.Tests.ps1 b/tests/Core/New-IdleAuthSession.Tests.ps1 index e636e1ab..41645b56 100644 --- a/tests/Core/New-IdleAuthSession.Tests.ps1 +++ b/tests/Core/New-IdleAuthSession.Tests.ps1 @@ -13,7 +13,7 @@ Describe 'New-IdleAuthSession' { It 'creates an auth session broker with the expected type' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'AD' } = $testCred - } + } -AuthSessionType 'OAuth' $broker | Should -Not -BeNullOrEmpty $broker.PSTypeNames | Should -Contain 'IdLE.AuthSessionBroker' @@ -22,7 +22,7 @@ Describe 'New-IdleAuthSession' { It 'creates broker with AcquireAuthSession method' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'AD' } = $testCred - } + } -AuthSessionType 'OAuth' $broker.PSObject.Methods['AcquireAuthSession'] | Should -Not -BeNullOrEmpty } @@ -33,7 +33,7 @@ Describe 'New-IdleAuthSession' { @{ Role = 'Admin' } = $testCred } - $broker = New-IdleAuthSession -SessionMap $sessionMap + $broker = New-IdleAuthSession -SessionMap $sessionMap -AuthSessionType 'Implicit' $broker.SessionMap | Should -Not -BeNullOrEmpty $broker.SessionMap.Count | Should -Be 2 @@ -42,7 +42,7 @@ Describe 'New-IdleAuthSession' { It 'accepts optional DefaultCredential parameter' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'AD' } = $testCred - } -DefaultCredential $testCred + } -DefaultCredential $testCred -AuthSessionType 'OAuth' $broker.DefaultCredential | Should -Not -BeNullOrEmpty $broker.DefaultCredential.UserName | Should -Be 'TestUser' @@ -51,7 +51,7 @@ Describe 'New-IdleAuthSession' { It 'broker can acquire auth session with matching options' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $testCred - } + } -AuthSessionType 'Implicit' $acquiredSession = $broker.AcquireAuthSession('TestName', @{ Role = 'Tier0' }) @@ -66,7 +66,7 @@ Describe 'New-IdleAuthSession' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $testCred - } -DefaultCredential $defaultCred + } -DefaultCredential $defaultCred -AuthSessionType 'OAuth' $acquiredSession = $broker.AcquireAuthSession('TestName', $null) @@ -77,7 +77,7 @@ Describe 'New-IdleAuthSession' { It 'throws when no matching credential found and no default provided' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $testCred - } + } -AuthSessionType 'OAuth' { $broker.AcquireAuthSession('TestName', @{ Role = 'NonExistent' }) } | Should -Throw '*No matching credential found*' @@ -98,9 +98,89 @@ Describe 'New-IdleAuthSession' { { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'AD' } = $testCred - } -ErrorAction Stop + } -AuthSessionType 'Implicit' -ErrorAction Stop $broker | Should -Not -BeNullOrEmpty } | Should -Not -Throw } + + Context 'AuthSessionType parameter' { + It 'accepts OAuth session type' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Role = 'Admin' } = $testCred + } -AuthSessionType 'OAuth' + + $broker.AuthSessionType | Should -Be 'OAuth' + } + + It 'accepts PSRemoting session type' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Server = 'AADConnect01' } = $testCred + } -AuthSessionType 'PSRemoting' + + $broker.AuthSessionType | Should -Be 'PSRemoting' + } + + It 'accepts Implicit session type' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Domain = 'corp.example.com' } = $testCred + } -AuthSessionType 'Implicit' + + $broker.AuthSessionType | Should -Be 'Implicit' + } + + It 'accepts None session type' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Provider = 'Mock' } = $testCred + } -AuthSessionType 'None' + + $broker.AuthSessionType | Should -Be 'None' + } + + It 'throws on invalid session type' { + { + New-IdleAuthSession -SessionMap @{ + @{ Role = 'AD' } = $testCred + } -AuthSessionType 'InvalidType' + } | Should -Throw + } + } + + Context 'AuthSessionType validation during acquisition' { + It 'OAuth broker can acquire sessions with appropriate options' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Role = 'Admin' } = $testCred + } -AuthSessionType 'OAuth' + + $session = $broker.AcquireAuthSession('MicrosoftGraph', @{ Role = 'Admin' }) + $session | Should -Not -BeNullOrEmpty + } + + It 'PSRemoting broker can acquire sessions with appropriate options' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Server = 'AADConnect01' } = $testCred + } -AuthSessionType 'PSRemoting' + + $session = $broker.AcquireAuthSession('EntraConnect', @{ Server = 'AADConnect01' }) + $session | Should -Not -BeNullOrEmpty + } + + It 'Implicit broker can acquire sessions with appropriate options' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Domain = 'corp.example.com' } = $testCred + } -AuthSessionType 'Implicit' + + $session = $broker.AcquireAuthSession('ActiveDirectory', @{ Domain = 'corp.example.com' }) + $session | Should -Not -BeNullOrEmpty + } + + It 'None broker can acquire sessions without strict validation' { + $broker = New-IdleAuthSession -SessionMap @{ + @{ Provider = 'Mock' } = $testCred + } -AuthSessionType 'None' + + $session = $broker.AcquireAuthSession('MockProvider', @{ Provider = 'Mock' }) + $session | Should -Not -BeNullOrEmpty + } + } } From 6c96ee33b60964c07e839659f084ee4497dccc7d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 7 Feb 2026 17:56:32 +0000 Subject: [PATCH 03/13] Update provider documentation with AuthSessionType requirements Co-authored-by: blindzero <13959569+blindzero@users.noreply.github.com> --- docs/reference/providers/provider-ad.md | 13 +++++-- .../provider-directorysync-entraconnect.md | 3 ++ docs/reference/providers/provider-entraID.md | 17 +++++--- .../providers/provider-exchangeonline.md | 3 ++ docs/reference/providers/provider-mock.md | 4 ++ docs/use/providers.md | 39 ++++++++++++++++++- 6 files changed, 68 insertions(+), 11 deletions(-) diff --git a/docs/reference/providers/provider-ad.md b/docs/reference/providers/provider-ad.md index 7b23467a..fe342f19 100644 --- a/docs/reference/providers/provider-ad.md +++ b/docs/reference/providers/provider-ad.md @@ -95,6 +95,9 @@ This makes `New-IdleADIdentityProvider` available in your session. - `null` (integrated authentication / run-as) - `PSCredential` (used for AD cmdlets `-Credential`) - **Session options (data-only):** Any hashtable; commonly `@{ Role = 'Tier0' }` / `@{ Role = 'Admin' }` +- **Required `AuthSessionType`:** `Implicit` + +The AD provider uses implicit authentication where the module capabilities exist without requiring explicit session management. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'Implicit'` to indicate this authentication pattern. :::warning @@ -122,10 +125,11 @@ $providers = @{ $tier0Credential = Get-Credential -Message 'Enter Tier0 AD admin credentials' $adminCredential = Get-Credential -Message 'Enter AD admin credentials' +# Create broker with Implicit session type $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential -} -DefaultCredential $adminCredential +} -DefaultCredential $adminCredential -AuthSessionType 'Implicit' $providers = @{ Identity = New-IdleADIdentityProvider @@ -143,10 +147,11 @@ $providers = @{ $sourceCred = Get-Credential -Message 'Enter credentials for source forest' $targetCred = Get-Credential -Message 'Enter credentials for target forest' +# Create broker with Implicit session type $broker = New-IdleAuthSession -SessionMap @{ @{ Domain = 'SourceForest' } = $sourceCred @{ Domain = 'TargetForest' } = $targetCred -} +} -AuthSessionType 'Implicit' # Steps use With.AuthSessionOptions = @{ Domain = 'SourceForest' } etc. ``` @@ -179,11 +184,11 @@ $adminCredential = Get-Credential -Message "Enter regular admin credentials" # Create provider $provider = New-IdleADIdentityProvider -# Create broker with role-based credential mapping +# Create broker with role-based credential mapping and Implicit session type $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential -} -DefaultCredential $adminCredential +} -DefaultCredential $adminCredential -AuthSessionType 'Implicit' # Use provider with broker $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{ diff --git a/docs/reference/providers/provider-directorysync-entraconnect.md b/docs/reference/providers/provider-directorysync-entraconnect.md index 0d42b067..b71985ac 100644 --- a/docs/reference/providers/provider-directorysync-entraconnect.md +++ b/docs/reference/providers/provider-directorysync-entraconnect.md @@ -63,6 +63,9 @@ and pass it to provider methods. - `DirectorySync` (see `IdLE.Step.TriggerDirectorySync`) - **Session options (data-only):** - Forwarded to the host broker for session selection (provider does not interpret option keys). +- **Required `AuthSessionType`:** `PSRemoting` + +The EntraConnect provider uses PowerShell remoting to execute commands on a remote Entra Connect server. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'PSRemoting'` to indicate remote execution context is expected. :::warning diff --git a/docs/reference/providers/provider-entraID.md b/docs/reference/providers/provider-entraID.md index cc064b27..122a5d62 100644 --- a/docs/reference/providers/provider-entraID.md +++ b/docs/reference/providers/provider-entraID.md @@ -47,10 +47,10 @@ The provider accepts authentication sessions in these formats: Connect-AzAccount $token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token -# Create broker +# Create broker with OAuth session type $broker = New-IdleAuthSession -SessionMap @{ @{} = $token -} -DefaultCredential $token +} -DefaultCredential $token -AuthSessionType 'OAuth' # Create provider $provider = New-IdleEntraIDIdentityProvider @@ -73,10 +73,10 @@ $tenantId = "your-tenant-id" # Obtain token (pseudo-code - use your preferred auth library) $token = Get-GraphAppOnlyToken -ClientId $clientId -ClientSecret $clientSecret -TenantId $tenantId -# Create broker +# Create broker with OAuth session type $broker = New-IdleAuthSession -SessionMap @{ @{} = $token -} -DefaultCredential $token +} -DefaultCredential $token -AuthSessionType 'OAuth' # Rest is identical to delegated flow ``` @@ -87,14 +87,21 @@ $broker = New-IdleAuthSession -SessionMap @{ $tier0Token = Get-GraphToken -Role 'Tier0' $adminToken = Get-GraphToken -Role 'Admin' +# Create broker with OAuth session type $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Token @{ Role = 'Admin' } = $adminToken -} -DefaultCredential $adminToken +} -DefaultCredential $adminToken -AuthSessionType 'OAuth' # Workflow steps specify: With.AuthSessionOptions = @{ Role = 'Tier0' } ``` +### Auth Session Type + +**Required `AuthSessionType`:** `OAuth` + +The EntraID provider uses OAuth-based authentication via Microsoft Graph API tokens. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'OAuth'` to indicate token-based authentication is expected. + > Providers must not prompt for auth. Use the host-provided broker contract. diff --git a/docs/reference/providers/provider-exchangeonline.md b/docs/reference/providers/provider-exchangeonline.md index 82f6eb48..ac5493ea 100644 --- a/docs/reference/providers/provider-exchangeonline.md +++ b/docs/reference/providers/provider-exchangeonline.md @@ -58,6 +58,9 @@ sidebar_label: ExchangeOnline - Typically the step passes `With.AuthSessionName` (if present). For built-in mailbox steps, if `With.AuthSessionName` is absent, it defaults to the provider alias (commonly `ExchangeOnline`). - **Session options (data-only):** - The provider does not interpret options; they are used by the host/broker to select credentials/route to a tenant/session. +- **Required `AuthSessionType`:** `OAuth` + +The ExchangeOnline provider uses OAuth-based authentication via Exchange Online PowerShell. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'OAuth'` to indicate token-based authentication is expected. :::warning diff --git a/docs/reference/providers/provider-mock.md b/docs/reference/providers/provider-mock.md index 2bfe82a5..03bea68d 100644 --- a/docs/reference/providers/provider-mock.md +++ b/docs/reference/providers/provider-mock.md @@ -59,6 +59,10 @@ sidebar_label: Mock This provider does not require authentication. +- **Required `AuthSessionType`:** `None` + +The Mock provider doesn't require authentication. When creating an `AuthSessionBroker` for testing purposes with this provider, specify `AuthSessionType = 'None'` to indicate no authentication is needed. + :::warning **Security notes** diff --git a/docs/use/providers.md b/docs/use/providers.md index f368ea56..39115054 100644 --- a/docs/use/providers.md +++ b/docs/use/providers.md @@ -112,6 +112,19 @@ Many providers require authenticated connections (tokens, API clients, remote se IdLE keeps authentication out of the engine and out of individual providers by using a host-supplied broker. Using the **AuthSessionBroker** is in particular helpful for scenarios that use different providers or different authentications for one provider in one workflow. +### AuthSessionType + +Each `AuthSessionBroker` must specify an `AuthSessionType` that determines validation rules, lifecycle management, and telemetry behavior: + +- **`OAuth`** - Token-based authentication (e.g., Microsoft Graph, Exchange Online) +- **`PSRemoting`** - PowerShell remoting execution context (e.g., Entra Connect) +- **`Implicit`** - Implicit authentication without explicit session (e.g., Active Directory) +- **`None`** - No authentication required (e.g., mock providers) + +Each provider documents its required `AuthSessionType` in its reference documentation. + +### Example: Active Directory with Implicit Auth + ```powershell # Assuming you have credentials available (e.g., from a secure vault or credential manager) $tier0Credential = Get-Credential -Message "Enter Tier0 admin credentials" @@ -120,11 +133,11 @@ $adminCredential = Get-Credential -Message "Enter regular admin credentials" # Create provider $provider = New-IdleADIdentityProvider -# Create broker with role-based credential mapping +# Create broker with role-based credential mapping and Implicit session type $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential -} -DefaultCredential $adminCredential +} -DefaultCredential $adminCredential -AuthSessionType 'Implicit' # Use provider with broker $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{ @@ -133,6 +146,28 @@ $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Provider } ``` +### Example: Entra ID with OAuth + +```powershell +# Host obtains token (example using Azure PowerShell) +Connect-AzAccount +$token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token + +# Create broker with OAuth session type +$broker = New-IdleAuthSession -SessionMap @{ + @{} = $token +} -DefaultCredential $token -AuthSessionType 'OAuth' + +# Create provider +$provider = New-IdleEntraIDIdentityProvider + +# Use in plan +$plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{ + Identity = $provider + AuthSessionBroker = $broker +} +``` + The different authentication sessions are used by the workflow definition by the steps via `AuthSessionOptions`. ```powershell With = @{ From a7b1aa6887f81da9db9fb92bd0d316477bac53b6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 7 Feb 2026 18:00:21 +0000 Subject: [PATCH 04/13] Update cmdlet reference documentation for AuthSessionType Co-authored-by: blindzero <13959569+blindzero@users.noreply.github.com> --- docs/reference/cmdlets/New-IdleAuthSession.md | 29 +++++++++++++++++-- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/docs/reference/cmdlets/New-IdleAuthSession.md b/docs/reference/cmdlets/New-IdleAuthSession.md index 9f150283..c8d0ab39 100644 --- a/docs/reference/cmdlets/New-IdleAuthSession.md +++ b/docs/reference/cmdlets/New-IdleAuthSession.md @@ -13,8 +13,8 @@ Creates a simple AuthSessionBroker for use with IdLE providers. ## SYNTAX ``` -New-IdleAuthSession [-SessionMap] <Hashtable> [[-DefaultCredential] <PSCredential>] - [-ProgressAction <ActionPreference>] [<CommonParameters>] +New-IdleAuthSession [-SessionMap] [[-DefaultCredential] ] [-AuthSessionType] + [-ProgressAction ] [] ``` ## DESCRIPTION @@ -30,7 +30,7 @@ This is a thin wrapper that delegates to IdLE.Core\New-IdleAuthSessionBroker. ``` $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential -} +} -AuthSessionType 'OAuth' ``` ## PARAMETERS @@ -65,6 +65,29 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -AuthSessionType +Specifies the type of authentication session. This determines validation rules, +lifecycle management, and telemetry behavior. + +Valid values: +- 'OAuth': Token-based authentication (e.g., Microsoft Graph, Exchange Online) +- 'PSRemoting': PowerShell remoting execution context (e.g., Entra Connect) +- 'Implicit': Implicit authentication without explicit session (e.g., Active Directory) +- 'None': No authentication required (e.g., mock providers) + +```yaml +Type: String +Parameter Sets: (All) +Aliases: +Accepted values: OAuth, PSRemoting, Implicit, None + +Required: True +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -ProgressAction TODO: ProgressAction Description From d90002b66fb184072bab0bf7c140792e8423b269 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 7 Feb 2026 18:01:26 +0000 Subject: [PATCH 05/13] Address code review feedback - fix syntax and add TODO comment Co-authored-by: blindzero <13959569+blindzero@users.noreply.github.com> --- docs/reference/cmdlets/New-IdleAuthSession.md | 2 +- .../Public/New-IdleAuthSessionBroker.ps1 | 28 +++++-------------- 2 files changed, 8 insertions(+), 22 deletions(-) diff --git a/docs/reference/cmdlets/New-IdleAuthSession.md b/docs/reference/cmdlets/New-IdleAuthSession.md index c8d0ab39..d281108b 100644 --- a/docs/reference/cmdlets/New-IdleAuthSession.md +++ b/docs/reference/cmdlets/New-IdleAuthSession.md @@ -13,7 +13,7 @@ Creates a simple AuthSessionBroker for use with IdLE providers. ## SYNTAX ``` -New-IdleAuthSession [-SessionMap] [[-DefaultCredential] ] [-AuthSessionType] +New-IdleAuthSession [-SessionMap] [[-DefaultCredential] ] -AuthSessionType [-ProgressAction ] [] ``` diff --git a/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 b/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 index 142568ff..ccc799fa 100644 --- a/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 +++ b/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 @@ -101,27 +101,13 @@ function New-IdleAuthSessionBroker { # This broker routes based on Options only; custom brokers may use Name for additional routing $null = $Name - # Validate options based on AuthSessionType - if ($null -ne $Options -and $Options.Count -gt 0) { - switch ($this.AuthSessionType) { - 'OAuth' { - # OAuth sessions typically use role or scope-based options - # No additional validation needed for this simple implementation - } - 'PSRemoting' { - # PSRemoting sessions may specify server, computerName, or similar - # No additional validation needed for this simple implementation - } - 'Implicit' { - # Implicit sessions may specify domain, forest, or organizational context - # No additional validation needed for this simple implementation - } - 'None' { - # No session expected, but options may still be used for routing - # No additional validation needed for this simple implementation - } - } - } + # TODO: Implement type-specific validation rules for AuthSessionType + # Current implementation allows all options for all session types + # Future enhancements may add: + # - OAuth: Validate token format, expiration, scopes + # - PSRemoting: Validate remote session state, connectivity + # - Implicit: Validate credential format, domain membership + # - None: No validation needed # If no options provided, return default if ($null -eq $Options -or $Options.Count -eq 0) { From dd6af4a677858cd930890ea15ac4cd3d1dc45f6a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 7 Feb 2026 18:54:59 +0000 Subject: [PATCH 06/13] Simplify AuthSessionType: replace Implicit/None with Credential Co-authored-by: blindzero <13959569+blindzero@users.noreply.github.com> --- docs/reference/cmdlets/New-IdleAuthSession.md | 29 ++-------------- docs/reference/providers/provider-ad.md | 16 ++++----- docs/reference/providers/provider-mock.md | 4 +-- docs/use/providers.md | 7 ++-- .../Public/New-IdleAuthSessionBroker.ps1 | 12 +++---- src/IdLE/Public/New-IdleAuthSession.ps1 | 5 ++- tests/Core/New-IdleAuthSession.Tests.ps1 | 33 +++++-------------- 7 files changed, 31 insertions(+), 75 deletions(-) diff --git a/docs/reference/cmdlets/New-IdleAuthSession.md b/docs/reference/cmdlets/New-IdleAuthSession.md index d281108b..9f150283 100644 --- a/docs/reference/cmdlets/New-IdleAuthSession.md +++ b/docs/reference/cmdlets/New-IdleAuthSession.md @@ -13,8 +13,8 @@ Creates a simple AuthSessionBroker for use with IdLE providers. ## SYNTAX ``` -New-IdleAuthSession [-SessionMap] [[-DefaultCredential] ] -AuthSessionType - [-ProgressAction ] [] +New-IdleAuthSession [-SessionMap] <Hashtable> [[-DefaultCredential] <PSCredential>] + [-ProgressAction <ActionPreference>] [<CommonParameters>] ``` ## DESCRIPTION @@ -30,7 +30,7 @@ This is a thin wrapper that delegates to IdLE.Core\New-IdleAuthSessionBroker. ``` $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential -} -AuthSessionType 'OAuth' +} ``` ## PARAMETERS @@ -65,29 +65,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -AuthSessionType -Specifies the type of authentication session. This determines validation rules, -lifecycle management, and telemetry behavior. - -Valid values: -- 'OAuth': Token-based authentication (e.g., Microsoft Graph, Exchange Online) -- 'PSRemoting': PowerShell remoting execution context (e.g., Entra Connect) -- 'Implicit': Implicit authentication without explicit session (e.g., Active Directory) -- 'None': No authentication required (e.g., mock providers) - -```yaml -Type: String -Parameter Sets: (All) -Aliases: -Accepted values: OAuth, PSRemoting, Implicit, None - -Required: True -Position: 3 -Default value: None -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -ProgressAction TODO: ProgressAction Description diff --git a/docs/reference/providers/provider-ad.md b/docs/reference/providers/provider-ad.md index fe342f19..5f78b05f 100644 --- a/docs/reference/providers/provider-ad.md +++ b/docs/reference/providers/provider-ad.md @@ -95,9 +95,9 @@ This makes `New-IdleADIdentityProvider` available in your session. - `null` (integrated authentication / run-as) - `PSCredential` (used for AD cmdlets `-Credential`) - **Session options (data-only):** Any hashtable; commonly `@{ Role = 'Tier0' }` / `@{ Role = 'Admin' }` -- **Required `AuthSessionType`:** `Implicit` +- **Required `AuthSessionType`:** `Credential` -The AD provider uses implicit authentication where the module capabilities exist without requiring explicit session management. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'Implicit'` to indicate this authentication pattern. +The AD provider uses credential-based authentication where the module capabilities exist without requiring explicit session management. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'Credential'` to indicate this authentication pattern. :::warning @@ -125,11 +125,11 @@ $providers = @{ $tier0Credential = Get-Credential -Message 'Enter Tier0 AD admin credentials' $adminCredential = Get-Credential -Message 'Enter AD admin credentials' -# Create broker with Implicit session type +# Create broker with Credential session type $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential -} -DefaultCredential $adminCredential -AuthSessionType 'Implicit' +} -DefaultCredential $adminCredential -AuthSessionType 'Credential' $providers = @{ Identity = New-IdleADIdentityProvider @@ -147,11 +147,11 @@ $providers = @{ $sourceCred = Get-Credential -Message 'Enter credentials for source forest' $targetCred = Get-Credential -Message 'Enter credentials for target forest' -# Create broker with Implicit session type +# Create broker with Credential session type $broker = New-IdleAuthSession -SessionMap @{ @{ Domain = 'SourceForest' } = $sourceCred @{ Domain = 'TargetForest' } = $targetCred -} -AuthSessionType 'Implicit' +} -AuthSessionType 'Credential' # Steps use With.AuthSessionOptions = @{ Domain = 'SourceForest' } etc. ``` @@ -184,11 +184,11 @@ $adminCredential = Get-Credential -Message "Enter regular admin credentials" # Create provider $provider = New-IdleADIdentityProvider -# Create broker with role-based credential mapping and Implicit session type +# Create broker with role-based credential mapping and Credential session type $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential -} -DefaultCredential $adminCredential -AuthSessionType 'Implicit' +} -DefaultCredential $adminCredential -AuthSessionType 'Credential' # Use provider with broker $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{ diff --git a/docs/reference/providers/provider-mock.md b/docs/reference/providers/provider-mock.md index 03bea68d..8a06b278 100644 --- a/docs/reference/providers/provider-mock.md +++ b/docs/reference/providers/provider-mock.md @@ -59,9 +59,9 @@ sidebar_label: Mock This provider does not require authentication. -- **Required `AuthSessionType`:** `None` +- **Required `AuthSessionType`:** `Credential` -The Mock provider doesn't require authentication. When creating an `AuthSessionBroker` for testing purposes with this provider, specify `AuthSessionType = 'None'` to indicate no authentication is needed. +The Mock provider uses credential-based authentication. When creating an `AuthSessionBroker` for testing purposes with this provider, specify `AuthSessionType = 'Credential'` to indicate credential-based authentication (with mock credentials). :::warning diff --git a/docs/use/providers.md b/docs/use/providers.md index 39115054..ee5ca7c5 100644 --- a/docs/use/providers.md +++ b/docs/use/providers.md @@ -118,12 +118,11 @@ Each `AuthSessionBroker` must specify an `AuthSessionType` that determines valid - **`OAuth`** - Token-based authentication (e.g., Microsoft Graph, Exchange Online) - **`PSRemoting`** - PowerShell remoting execution context (e.g., Entra Connect) -- **`Implicit`** - Implicit authentication without explicit session (e.g., Active Directory) -- **`None`** - No authentication required (e.g., mock providers) +- **`Credential`** - Credential-based authentication (e.g., Active Directory, mock providers) Each provider documents its required `AuthSessionType` in its reference documentation. -### Example: Active Directory with Implicit Auth +### Example: Active Directory with Credential Auth ```powershell # Assuming you have credentials available (e.g., from a secure vault or credential manager) @@ -137,7 +136,7 @@ $provider = New-IdleADIdentityProvider $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential -} -DefaultCredential $adminCredential -AuthSessionType 'Implicit' +} -DefaultCredential $adminCredential -AuthSessionType 'Credential' # Use provider with broker $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{ diff --git a/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 b/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 index ccc799fa..577b30a6 100644 --- a/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 +++ b/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 @@ -33,8 +33,7 @@ function New-IdleAuthSessionBroker { Valid values: - 'OAuth': Token-based authentication (e.g., Microsoft Graph, Exchange Online) - 'PSRemoting': PowerShell remoting execution context (e.g., Entra Connect) - - 'Implicit': Implicit authentication without explicit session (e.g., Active Directory) - - 'None': No authentication required (e.g., mock providers) + - 'Credential': Credential-based authentication (e.g., Active Directory, mock providers) .EXAMPLE # Simple role-based broker with OAuth session type @@ -49,11 +48,11 @@ function New-IdleAuthSessionBroker { } .EXAMPLE - # Domain-based broker for multi-forest scenarios with Implicit session type + # Domain-based broker for multi-forest scenarios with Credential session type $broker = New-IdleAuthSessionBroker -SessionMap @{ @{ Domain = 'SourceAD' } = $sourceCred @{ Domain = 'TargetAD' } = $targetCred - } -AuthSessionType 'Implicit' + } -AuthSessionType 'Credential' .EXAMPLE # PSRemoting broker for Entra Connect directory sync @@ -75,7 +74,7 @@ function New-IdleAuthSessionBroker { [PSCredential] $DefaultCredential, [Parameter(Mandatory)] - [ValidateSet('OAuth', 'PSRemoting', 'Implicit', 'None')] + [ValidateSet('OAuth', 'PSRemoting', 'Credential')] [string] $AuthSessionType ) @@ -106,8 +105,7 @@ function New-IdleAuthSessionBroker { # Future enhancements may add: # - OAuth: Validate token format, expiration, scopes # - PSRemoting: Validate remote session state, connectivity - # - Implicit: Validate credential format, domain membership - # - None: No validation needed + # - Credential: Validate credential format, domain membership # If no options provided, return default if ($null -eq $Options -or $Options.Count -eq 0) { diff --git a/src/IdLE/Public/New-IdleAuthSession.ps1 b/src/IdLE/Public/New-IdleAuthSession.ps1 index 8c2e140f..851d069a 100644 --- a/src/IdLE/Public/New-IdleAuthSession.ps1 +++ b/src/IdLE/Public/New-IdleAuthSession.ps1 @@ -31,8 +31,7 @@ function New-IdleAuthSession { Valid values: - 'OAuth': Token-based authentication (e.g., Microsoft Graph, Exchange Online) - 'PSRemoting': PowerShell remoting execution context (e.g., Entra Connect) - - 'Implicit': Implicit authentication without explicit session (e.g., Active Directory) - - 'None': No authentication required (e.g., mock providers) + - 'Credential': Credential-based authentication (e.g., Active Directory, mock providers) .EXAMPLE $broker = New-IdleAuthSession -SessionMap @{ @@ -56,7 +55,7 @@ function New-IdleAuthSession { [PSCredential] $DefaultCredential, [Parameter(Mandatory)] - [ValidateSet('OAuth', 'PSRemoting', 'Implicit', 'None')] + [ValidateSet('OAuth', 'PSRemoting', 'Credential')] [string] $AuthSessionType ) diff --git a/tests/Core/New-IdleAuthSession.Tests.ps1 b/tests/Core/New-IdleAuthSession.Tests.ps1 index 41645b56..bb0bfc15 100644 --- a/tests/Core/New-IdleAuthSession.Tests.ps1 +++ b/tests/Core/New-IdleAuthSession.Tests.ps1 @@ -33,7 +33,7 @@ Describe 'New-IdleAuthSession' { @{ Role = 'Admin' } = $testCred } - $broker = New-IdleAuthSession -SessionMap $sessionMap -AuthSessionType 'Implicit' + $broker = New-IdleAuthSession -SessionMap $sessionMap -AuthSessionType 'Credential' $broker.SessionMap | Should -Not -BeNullOrEmpty $broker.SessionMap.Count | Should -Be 2 @@ -51,7 +51,7 @@ Describe 'New-IdleAuthSession' { It 'broker can acquire auth session with matching options' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $testCred - } -AuthSessionType 'Implicit' + } -AuthSessionType 'Credential' $acquiredSession = $broker.AcquireAuthSession('TestName', @{ Role = 'Tier0' }) @@ -98,7 +98,7 @@ Describe 'New-IdleAuthSession' { { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'AD' } = $testCred - } -AuthSessionType 'Implicit' -ErrorAction Stop + } -AuthSessionType 'Credential' -ErrorAction Stop $broker | Should -Not -BeNullOrEmpty } | Should -Not -Throw @@ -121,20 +121,12 @@ Describe 'New-IdleAuthSession' { $broker.AuthSessionType | Should -Be 'PSRemoting' } - It 'accepts Implicit session type' { + It 'accepts Credential session type' { $broker = New-IdleAuthSession -SessionMap @{ @{ Domain = 'corp.example.com' } = $testCred - } -AuthSessionType 'Implicit' + } -AuthSessionType 'Credential' - $broker.AuthSessionType | Should -Be 'Implicit' - } - - It 'accepts None session type' { - $broker = New-IdleAuthSession -SessionMap @{ - @{ Provider = 'Mock' } = $testCred - } -AuthSessionType 'None' - - $broker.AuthSessionType | Should -Be 'None' + $broker.AuthSessionType | Should -Be 'Credential' } It 'throws on invalid session type' { @@ -165,22 +157,13 @@ Describe 'New-IdleAuthSession' { $session | Should -Not -BeNullOrEmpty } - It 'Implicit broker can acquire sessions with appropriate options' { + It 'Credential broker can acquire sessions with appropriate options' { $broker = New-IdleAuthSession -SessionMap @{ @{ Domain = 'corp.example.com' } = $testCred - } -AuthSessionType 'Implicit' + } -AuthSessionType 'Credential' $session = $broker.AcquireAuthSession('ActiveDirectory', @{ Domain = 'corp.example.com' }) $session | Should -Not -BeNullOrEmpty } - - It 'None broker can acquire sessions without strict validation' { - $broker = New-IdleAuthSession -SessionMap @{ - @{ Provider = 'Mock' } = $testCred - } -AuthSessionType 'None' - - $session = $broker.AcquireAuthSession('MockProvider', @{ Provider = 'Mock' }) - $session | Should -Not -BeNullOrEmpty - } } } From 9b98ff78a1e71b690d2a8f17ab33d56537cc22ac Mon Sep 17 00:00:00 2001 From: Matthias <13959569+blindzero@users.noreply.github.com> Date: Sat, 7 Feb 2026 20:54:57 +0100 Subject: [PATCH 07/13] fixing example docu Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/IdLE/Public/New-IdleAuthSession.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/IdLE/Public/New-IdleAuthSession.ps1 b/src/IdLE/Public/New-IdleAuthSession.ps1 index 851d069a..f21eb9b7 100644 --- a/src/IdLE/Public/New-IdleAuthSession.ps1 +++ b/src/IdLE/Public/New-IdleAuthSession.ps1 @@ -36,7 +36,7 @@ function New-IdleAuthSession { .EXAMPLE $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential - } -AuthSessionType 'OAuth' + } -AuthSessionType 'Credential' .OUTPUTS PSCustomObject with AcquireAuthSession method From ca3f09cb69e1b52c5a059fcc32fb575ba6b1f144 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 7 Feb 2026 19:57:04 +0000 Subject: [PATCH 08/13] Fix documentation and test inconsistencies for AuthSessionType - Fix Mock provider docs: clarify it doesn't require AuthSessionType - Fix OAuth examples to properly wrap tokens in PSCredential - Fix tests to use Credential type with PSCredential objects (not OAuth) - Fix leftover "Implicit" reference in user guide Co-authored-by: blindzero <13959569+blindzero@users.noreply.github.com> --- docs/reference/providers/provider-entraID.md | 28 +++++++++++++++----- docs/reference/providers/provider-mock.md | 4 +-- docs/use/providers.md | 10 ++++--- tests/Core/New-IdleAuthSession.Tests.ps1 | 10 +++---- 4 files changed, 35 insertions(+), 17 deletions(-) diff --git a/docs/reference/providers/provider-entraID.md b/docs/reference/providers/provider-entraID.md index 122a5d62..739a7baf 100644 --- a/docs/reference/providers/provider-entraID.md +++ b/docs/reference/providers/provider-entraID.md @@ -47,10 +47,14 @@ The provider accepts authentication sessions in these formats: Connect-AzAccount $token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token +# Wrap token in PSCredential for broker (token in password field) +$secureToken = ConvertTo-SecureString $token -AsPlainText -Force +$tokenCredential = [PSCredential]::new('OAuth', $secureToken) + # Create broker with OAuth session type $broker = New-IdleAuthSession -SessionMap @{ - @{} = $token -} -DefaultCredential $token -AuthSessionType 'OAuth' + @{} = $tokenCredential +} -DefaultCredential $tokenCredential -AuthSessionType 'OAuth' # Create provider $provider = New-IdleEntraIDIdentityProvider @@ -73,10 +77,14 @@ $tenantId = "your-tenant-id" # Obtain token (pseudo-code - use your preferred auth library) $token = Get-GraphAppOnlyToken -ClientId $clientId -ClientSecret $clientSecret -TenantId $tenantId +# Wrap token in PSCredential for broker (token in password field) +$secureToken = ConvertTo-SecureString $token -AsPlainText -Force +$tokenCredential = [PSCredential]::new('OAuth', $secureToken) + # Create broker with OAuth session type $broker = New-IdleAuthSession -SessionMap @{ - @{} = $token -} -DefaultCredential $token -AuthSessionType 'OAuth' + @{} = $tokenCredential +} -DefaultCredential $tokenCredential -AuthSessionType 'OAuth' # Rest is identical to delegated flow ``` @@ -87,11 +95,17 @@ $broker = New-IdleAuthSession -SessionMap @{ $tier0Token = Get-GraphToken -Role 'Tier0' $adminToken = Get-GraphToken -Role 'Admin' +# Wrap tokens in PSCredential for broker +$secureTier0 = ConvertTo-SecureString $tier0Token -AsPlainText -Force +$tier0Cred = [PSCredential]::new('OAuth', $secureTier0) +$secureAdmin = ConvertTo-SecureString $adminToken -AsPlainText -Force +$adminCred = [PSCredential]::new('OAuth', $secureAdmin) + # Create broker with OAuth session type $broker = New-IdleAuthSession -SessionMap @{ - @{ Role = 'Tier0' } = $tier0Token - @{ Role = 'Admin' } = $adminToken -} -DefaultCredential $adminToken -AuthSessionType 'OAuth' + @{ Role = 'Tier0' } = $tier0Cred + @{ Role = 'Admin' } = $adminCred +} -DefaultCredential $adminCred -AuthSessionType 'OAuth' # Workflow steps specify: With.AuthSessionOptions = @{ Role = 'Tier0' } ``` diff --git a/docs/reference/providers/provider-mock.md b/docs/reference/providers/provider-mock.md index 8a06b278..4a0e3bf0 100644 --- a/docs/reference/providers/provider-mock.md +++ b/docs/reference/providers/provider-mock.md @@ -59,9 +59,9 @@ sidebar_label: Mock This provider does not require authentication. -- **Required `AuthSessionType`:** `Credential` +- **AuthSessionType usage:** Not applicable -The Mock provider uses credential-based authentication. When creating an `AuthSessionBroker` for testing purposes with this provider, specify `AuthSessionType = 'Credential'` to indicate credential-based authentication (with mock credentials). +The Mock provider does not acquire or require auth sessions. You do not need to configure an `AuthSessionBroker` when using this provider. If a broker is supplied for broader test scaffolding, this provider will ignore any acquired auth session. :::warning diff --git a/docs/use/providers.md b/docs/use/providers.md index ee5ca7c5..befaa297 100644 --- a/docs/use/providers.md +++ b/docs/use/providers.md @@ -132,7 +132,7 @@ $adminCredential = Get-Credential -Message "Enter regular admin credentials" # Create provider $provider = New-IdleADIdentityProvider -# Create broker with role-based credential mapping and Implicit session type +# Create broker with role-based credential mapping and Credential session type $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential @@ -152,10 +152,14 @@ $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Provider Connect-AzAccount $token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token +# Wrap token in PSCredential for broker (token in password field) +$secureToken = ConvertTo-SecureString $token -AsPlainText -Force +$tokenCredential = [PSCredential]::new('OAuth', $secureToken) + # Create broker with OAuth session type $broker = New-IdleAuthSession -SessionMap @{ - @{} = $token -} -DefaultCredential $token -AuthSessionType 'OAuth' + @{} = $tokenCredential +} -DefaultCredential $tokenCredential -AuthSessionType 'OAuth' # Create provider $provider = New-IdleEntraIDIdentityProvider diff --git a/tests/Core/New-IdleAuthSession.Tests.ps1 b/tests/Core/New-IdleAuthSession.Tests.ps1 index bb0bfc15..2088e41b 100644 --- a/tests/Core/New-IdleAuthSession.Tests.ps1 +++ b/tests/Core/New-IdleAuthSession.Tests.ps1 @@ -13,7 +13,7 @@ Describe 'New-IdleAuthSession' { It 'creates an auth session broker with the expected type' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'AD' } = $testCred - } -AuthSessionType 'OAuth' + } -AuthSessionType 'Credential' $broker | Should -Not -BeNullOrEmpty $broker.PSTypeNames | Should -Contain 'IdLE.AuthSessionBroker' @@ -22,7 +22,7 @@ Describe 'New-IdleAuthSession' { It 'creates broker with AcquireAuthSession method' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'AD' } = $testCred - } -AuthSessionType 'OAuth' + } -AuthSessionType 'Credential' $broker.PSObject.Methods['AcquireAuthSession'] | Should -Not -BeNullOrEmpty } @@ -42,7 +42,7 @@ Describe 'New-IdleAuthSession' { It 'accepts optional DefaultCredential parameter' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'AD' } = $testCred - } -DefaultCredential $testCred -AuthSessionType 'OAuth' + } -DefaultCredential $testCred -AuthSessionType 'Credential' $broker.DefaultCredential | Should -Not -BeNullOrEmpty $broker.DefaultCredential.UserName | Should -Be 'TestUser' @@ -66,7 +66,7 @@ Describe 'New-IdleAuthSession' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $testCred - } -DefaultCredential $defaultCred -AuthSessionType 'OAuth' + } -DefaultCredential $defaultCred -AuthSessionType 'Credential' $acquiredSession = $broker.AcquireAuthSession('TestName', $null) @@ -77,7 +77,7 @@ Describe 'New-IdleAuthSession' { It 'throws when no matching credential found and no default provided' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $testCred - } -AuthSessionType 'OAuth' + } -AuthSessionType 'Credential' { $broker.AcquireAuthSession('TestName', @{ Role = 'NonExistent' }) } | Should -Throw '*No matching credential found*' From 62ac95b042e7256de0ed5ee87eb667cf085af781 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 7 Feb 2026 20:40:31 +0000 Subject: [PATCH 09/13] Change DefaultCredential to DefaultAuthSession with [object] type - Rename DefaultCredential to DefaultAuthSession for clarity - Change type from [PSCredential] to [object] to support tokens, session objects - Update all documentation examples to use new parameter name - Simplify OAuth examples to pass raw tokens instead of PSCredential wrappers - Fix missing AuthSessionType in AD provider multi-domain example - Update all test expectations and error messages Co-authored-by: blindzero <13959569+blindzero@users.noreply.github.com> --- docs/reference/providers/provider-ad.md | 2 +- docs/reference/providers/provider-entraID.md | 34 +++++--------- docs/use/providers.md | 12 ++--- .../Public/New-IdleAuthSessionBroker.ps1 | 45 +++++++++++-------- src/IdLE/Public/New-IdleAuthSession.ps1 | 12 ++--- tests/Core/New-IdleAuthSession.Tests.ps1 | 16 +++---- 6 files changed, 56 insertions(+), 65 deletions(-) diff --git a/docs/reference/providers/provider-ad.md b/docs/reference/providers/provider-ad.md index 5f78b05f..27076535 100644 --- a/docs/reference/providers/provider-ad.md +++ b/docs/reference/providers/provider-ad.md @@ -272,7 +272,7 @@ $targetAD = New-IdleADIdentityProvider -AllowDelete $broker = New-IdleAuthSession -SessionMap @{ @{ Domain = 'Source' } = $sourceCred @{ Domain = 'Target' } = $targetCred -} +} -AuthSessionType 'Credential' $plan = New-IdlePlan -WorkflowPath './migration.psd1' -Request $request -Providers @{ SourceAD = $sourceAD diff --git a/docs/reference/providers/provider-entraID.md b/docs/reference/providers/provider-entraID.md index 739a7baf..16697c48 100644 --- a/docs/reference/providers/provider-entraID.md +++ b/docs/reference/providers/provider-entraID.md @@ -47,14 +47,10 @@ The provider accepts authentication sessions in these formats: Connect-AzAccount $token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token -# Wrap token in PSCredential for broker (token in password field) -$secureToken = ConvertTo-SecureString $token -AsPlainText -Force -$tokenCredential = [PSCredential]::new('OAuth', $secureToken) - -# Create broker with OAuth session type +# Create broker with OAuth session type (tokens can be passed directly) $broker = New-IdleAuthSession -SessionMap @{ - @{} = $tokenCredential -} -DefaultCredential $tokenCredential -AuthSessionType 'OAuth' + @{} = $token +} -DefaultAuthSession $token -AuthSessionType 'OAuth' # Create provider $provider = New-IdleEntraIDIdentityProvider @@ -77,14 +73,10 @@ $tenantId = "your-tenant-id" # Obtain token (pseudo-code - use your preferred auth library) $token = Get-GraphAppOnlyToken -ClientId $clientId -ClientSecret $clientSecret -TenantId $tenantId -# Wrap token in PSCredential for broker (token in password field) -$secureToken = ConvertTo-SecureString $token -AsPlainText -Force -$tokenCredential = [PSCredential]::new('OAuth', $secureToken) - -# Create broker with OAuth session type +# Create broker with OAuth session type (tokens can be passed directly) $broker = New-IdleAuthSession -SessionMap @{ - @{} = $tokenCredential -} -DefaultCredential $tokenCredential -AuthSessionType 'OAuth' + @{} = $token +} -DefaultAuthSession $token -AuthSessionType 'OAuth' # Rest is identical to delegated flow ``` @@ -95,17 +87,11 @@ $broker = New-IdleAuthSession -SessionMap @{ $tier0Token = Get-GraphToken -Role 'Tier0' $adminToken = Get-GraphToken -Role 'Admin' -# Wrap tokens in PSCredential for broker -$secureTier0 = ConvertTo-SecureString $tier0Token -AsPlainText -Force -$tier0Cred = [PSCredential]::new('OAuth', $secureTier0) -$secureAdmin = ConvertTo-SecureString $adminToken -AsPlainText -Force -$adminCred = [PSCredential]::new('OAuth', $secureAdmin) - -# Create broker with OAuth session type +# Create broker with OAuth session type (tokens can be passed directly) $broker = New-IdleAuthSession -SessionMap @{ - @{ Role = 'Tier0' } = $tier0Cred - @{ Role = 'Admin' } = $adminCred -} -DefaultCredential $adminCred -AuthSessionType 'OAuth' + @{ Role = 'Tier0' } = $tier0Token + @{ Role = 'Admin' } = $adminToken +} -DefaultAuthSession $adminToken -AuthSessionType 'OAuth' # Workflow steps specify: With.AuthSessionOptions = @{ Role = 'Tier0' } ``` diff --git a/docs/use/providers.md b/docs/use/providers.md index befaa297..723d9be1 100644 --- a/docs/use/providers.md +++ b/docs/use/providers.md @@ -136,7 +136,7 @@ $provider = New-IdleADIdentityProvider $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential -} -DefaultCredential $adminCredential -AuthSessionType 'Credential' +} -DefaultAuthSession $adminCredential -AuthSessionType 'Credential' # Use provider with broker $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{ @@ -152,14 +152,10 @@ $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Provider Connect-AzAccount $token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token -# Wrap token in PSCredential for broker (token in password field) -$secureToken = ConvertTo-SecureString $token -AsPlainText -Force -$tokenCredential = [PSCredential]::new('OAuth', $secureToken) - -# Create broker with OAuth session type +# Create broker with OAuth session type (tokens can be passed directly) $broker = New-IdleAuthSession -SessionMap @{ - @{} = $tokenCredential -} -DefaultCredential $tokenCredential -AuthSessionType 'OAuth' + @{} = $token +} -DefaultAuthSession $token -AuthSessionType 'OAuth' # Create provider $provider = New-IdleEntraIDIdentityProvider diff --git a/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 b/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 index 577b30a6..5462595f 100644 --- a/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 +++ b/src/IdLE.Core/Public/New-IdleAuthSessionBroker.ps1 @@ -13,18 +13,21 @@ function New-IdleAuthSessionBroker { AcquireAuthSession method. .PARAMETER SessionMap - A hashtable that maps session configurations to credentials. Each key is a hashtable - representing the AuthSessionOptions pattern, and each value is the PSCredential to return. + A hashtable that maps session configurations to auth sessions. Each key is a hashtable + representing the AuthSessionOptions pattern, and each value is the auth session to return. + The value can be a PSCredential, token string, session object, or any object appropriate + for the AuthSessionType. Common patterns: - - @{ Role = 'Tier0' } -> $tier0Credential - - @{ Role = 'Admin' } -> $adminCredential - - @{ Domain = 'SourceAD' } -> $sourceCred + - @{ Role = 'Tier0' } -> $tier0Credential (for Credential type) + - @{ Role = 'Admin' } -> $adminToken (for OAuth type) + - @{ Server = 'Server01' } -> $remoteSession (for PSRemoting type) - @{ Environment = 'Production' } -> $prodCred - .PARAMETER DefaultCredential - Optional default credential to return when no session options are provided or - when the options don't match any entry in SessionMap. + .PARAMETER DefaultAuthSession + Optional default auth session to return when no session options are provided or + when the options don't match any entry in SessionMap. Can be a PSCredential, token + string, session object, or any object appropriate for the AuthSessionType. .PARAMETER AuthSessionType Specifies the type of authentication session. This determines validation rules, @@ -36,17 +39,23 @@ function New-IdleAuthSessionBroker { - 'Credential': Credential-based authentication (e.g., Active Directory, mock providers) .EXAMPLE - # Simple role-based broker with OAuth session type + # Simple role-based broker with Credential session type $broker = New-IdleAuthSessionBroker -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential @{ Role = 'Admin' } = $adminCredential - } -DefaultCredential $adminCredential -AuthSessionType 'OAuth' + } -DefaultAuthSession $adminCredential -AuthSessionType 'Credential' $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{ Identity = New-IdleADIdentityProvider AuthSessionBroker = $broker } + .EXAMPLE + # OAuth broker with token strings + $broker = New-IdleAuthSessionBroker -SessionMap @{ + @{ Role = 'Admin' } = $graphToken + } -DefaultAuthSession $graphToken -AuthSessionType 'OAuth' + .EXAMPLE # Domain-based broker for multi-forest scenarios with Credential session type $broker = New-IdleAuthSessionBroker -SessionMap @{ @@ -71,7 +80,7 @@ function New-IdleAuthSessionBroker { [Parameter()] [AllowNull()] - [PSCredential] $DefaultCredential, + [object] $DefaultAuthSession, [Parameter(Mandatory)] [ValidateSet('OAuth', 'PSRemoting', 'Credential')] @@ -81,7 +90,7 @@ function New-IdleAuthSessionBroker { $broker = [pscustomobject]@{ PSTypeName = 'IdLE.AuthSessionBroker' SessionMap = $SessionMap - DefaultCredential = $DefaultCredential + DefaultAuthSession = $DefaultAuthSession AuthSessionType = $AuthSessionType } @@ -109,10 +118,10 @@ function New-IdleAuthSessionBroker { # If no options provided, return default if ($null -eq $Options -or $Options.Count -eq 0) { - if ($null -ne $this.DefaultCredential) { - return $this.DefaultCredential + if ($null -ne $this.DefaultAuthSession) { + return $this.DefaultAuthSession } - throw "No auth session options provided and no default credential configured." + throw "No auth session options provided and no default auth session configured." } # Find matching session in map @@ -135,12 +144,12 @@ function New-IdleAuthSessionBroker { } # No match found - if ($null -ne $this.DefaultCredential) { - return $this.DefaultCredential + if ($null -ne $this.DefaultAuthSession) { + return $this.DefaultAuthSession } $optionsStr = ($Options.Keys | ForEach-Object { "$_=$($Options[$_])" }) -join ', ' - throw "No matching credential found for options: $optionsStr" + throw "No matching auth session found for options: $optionsStr" } -Force return $broker diff --git a/src/IdLE/Public/New-IdleAuthSession.ps1 b/src/IdLE/Public/New-IdleAuthSession.ps1 index f21eb9b7..434b8ee2 100644 --- a/src/IdLE/Public/New-IdleAuthSession.ps1 +++ b/src/IdLE/Public/New-IdleAuthSession.ps1 @@ -19,10 +19,10 @@ function New-IdleAuthSession { This is a thin wrapper that delegates to IdLE.Core\New-IdleAuthSessionBroker. .PARAMETER SessionMap - A hashtable that maps session configurations to credentials. + A hashtable that maps session configurations to auth sessions. - .PARAMETER DefaultCredential - Optional default credential to return when no session options are provided. + .PARAMETER DefaultAuthSession + Optional default auth session to return when no session options are provided. .PARAMETER AuthSessionType Specifies the type of authentication session. This determines validation rules, @@ -52,7 +52,7 @@ function New-IdleAuthSession { [Parameter()] [AllowNull()] - [PSCredential] $DefaultCredential, + [object] $DefaultAuthSession, [Parameter(Mandatory)] [ValidateSet('OAuth', 'PSRemoting', 'Credential')] @@ -64,8 +64,8 @@ function New-IdleAuthSession { SessionMap = $SessionMap AuthSessionType = $AuthSessionType } - if ($PSBoundParameters.ContainsKey('DefaultCredential')) { - $params['DefaultCredential'] = $DefaultCredential + if ($PSBoundParameters.ContainsKey('DefaultAuthSession')) { + $params['DefaultAuthSession'] = $DefaultAuthSession } return IdLE.Core\New-IdleAuthSessionBroker @params diff --git a/tests/Core/New-IdleAuthSession.Tests.ps1 b/tests/Core/New-IdleAuthSession.Tests.ps1 index 2088e41b..064d04c9 100644 --- a/tests/Core/New-IdleAuthSession.Tests.ps1 +++ b/tests/Core/New-IdleAuthSession.Tests.ps1 @@ -39,13 +39,13 @@ Describe 'New-IdleAuthSession' { $broker.SessionMap.Count | Should -Be 2 } - It 'accepts optional DefaultCredential parameter' { + It 'accepts optional DefaultAuthSession parameter' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'AD' } = $testCred - } -DefaultCredential $testCred -AuthSessionType 'Credential' + } -DefaultAuthSession $testCred -AuthSessionType 'Credential' - $broker.DefaultCredential | Should -Not -BeNullOrEmpty - $broker.DefaultCredential.UserName | Should -Be 'TestUser' + $broker.DefaultAuthSession | Should -Not -BeNullOrEmpty + $broker.DefaultAuthSession.UserName | Should -Be 'TestUser' } It 'broker can acquire auth session with matching options' { @@ -60,13 +60,13 @@ Describe 'New-IdleAuthSession' { $acquiredSession.UserName | Should -Be 'TestUser' } - It 'broker returns default credential when no options provided' { + It 'broker returns default auth session when no options provided' { $defaultPassword = ConvertTo-SecureString 'DefaultPassword!' -AsPlainText -Force $defaultCred = New-Object System.Management.Automation.PSCredential('DefaultUser', $defaultPassword) $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $testCred - } -DefaultCredential $defaultCred -AuthSessionType 'Credential' + } -DefaultAuthSession $defaultCred -AuthSessionType 'Credential' $acquiredSession = $broker.AcquireAuthSession('TestName', $null) @@ -74,13 +74,13 @@ Describe 'New-IdleAuthSession' { $acquiredSession.UserName | Should -Be 'DefaultUser' } - It 'throws when no matching credential found and no default provided' { + It 'throws when no matching auth session found and no default provided' { $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $testCred } -AuthSessionType 'Credential' { $broker.AcquireAuthSession('TestName', @{ Role = 'NonExistent' }) } | - Should -Throw '*No matching credential found*' + Should -Throw '*No matching auth session found*' } It 'is available as exported command from IdLE module' { From 9c613db185da5ef917754b925ce91f3437c0811f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 7 Feb 2026 20:42:05 +0000 Subject: [PATCH 10/13] Add AuthSessionType to standardize authentication session classification Co-authored-by: blindzero <13959569+blindzero@users.noreply.github.com> --- docs/reference/cmdlets/.regenerate-needed | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 docs/reference/cmdlets/.regenerate-needed diff --git a/docs/reference/cmdlets/.regenerate-needed b/docs/reference/cmdlets/.regenerate-needed new file mode 100644 index 00000000..5f3bfd53 --- /dev/null +++ b/docs/reference/cmdlets/.regenerate-needed @@ -0,0 +1,8 @@ +The cmdlet reference documentation in this directory needs to be regenerated. + +Run: ./tools/Generate-IdleCmdletReference.ps1 + +This will update New-IdleAuthSession.md to reflect the current API signature: +- DefaultCredential → DefaultAuthSession +- [PSCredential] → [object] +- AuthSessionType is now mandatory From d66aa83d512e77c99ee986eaf063761b006aaf64 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 7 Feb 2026 20:59:35 +0000 Subject: [PATCH 11/13] Update cmdlet reference documentation for New-IdleAuthSession - Update SYNTAX to reflect current API signature - Change DefaultCredential to DefaultAuthSession with Object type - Add mandatory AuthSessionType parameter with accepted values - Update example to include AuthSessionType - Remove .regenerate-needed marker file Co-authored-by: blindzero <13959569+blindzero@users.noreply.github.com> --- docs/reference/cmdlets/.regenerate-needed | 8 ---- docs/reference/cmdlets/New-IdleAuthSession.md | 38 +++++++++++++++---- 2 files changed, 30 insertions(+), 16 deletions(-) delete mode 100644 docs/reference/cmdlets/.regenerate-needed diff --git a/docs/reference/cmdlets/.regenerate-needed b/docs/reference/cmdlets/.regenerate-needed deleted file mode 100644 index 5f3bfd53..00000000 --- a/docs/reference/cmdlets/.regenerate-needed +++ /dev/null @@ -1,8 +0,0 @@ -The cmdlet reference documentation in this directory needs to be regenerated. - -Run: ./tools/Generate-IdleCmdletReference.ps1 - -This will update New-IdleAuthSession.md to reflect the current API signature: -- DefaultCredential → DefaultAuthSession -- [PSCredential] → [object] -- AuthSessionType is now mandatory diff --git a/docs/reference/cmdlets/New-IdleAuthSession.md b/docs/reference/cmdlets/New-IdleAuthSession.md index 9f150283..a4c80a0e 100644 --- a/docs/reference/cmdlets/New-IdleAuthSession.md +++ b/docs/reference/cmdlets/New-IdleAuthSession.md @@ -13,8 +13,8 @@ Creates a simple AuthSessionBroker for use with IdLE providers. ## SYNTAX ``` -New-IdleAuthSession [-SessionMap] <Hashtable> [[-DefaultCredential] <PSCredential>] - [-ProgressAction <ActionPreference>] [<CommonParameters>] +New-IdleAuthSession [-SessionMap] [[-DefaultAuthSession] ] -AuthSessionType + [-ProgressAction ] [] ``` ## DESCRIPTION @@ -30,13 +30,13 @@ This is a thin wrapper that delegates to IdLE.Core\New-IdleAuthSessionBroker. ``` $broker = New-IdleAuthSession -SessionMap @{ @{ Role = 'Tier0' } = $tier0Credential -} +} -AuthSessionType 'Credential' ``` ## PARAMETERS ### -SessionMap -A hashtable that maps session configurations to credentials. +A hashtable that maps session configurations to auth sessions. ```yaml Type: Hashtable @@ -50,11 +50,11 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -DefaultCredential -Optional default credential to return when no session options are provided. +### -DefaultAuthSession +Optional default auth session to return when no session options are provided. ```yaml -Type: PSCredential +Type: Object Parameter Sets: (All) Aliases: @@ -65,8 +65,30 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -AuthSessionType +Specifies the type of authentication session. This determines validation rules, +lifecycle management, and telemetry behavior. + +Valid values: +- 'OAuth': Token-based authentication (e.g., Microsoft Graph, Exchange Online) +- 'PSRemoting': PowerShell remoting execution context (e.g., Entra Connect) +- 'Credential': Credential-based authentication (e.g., Active Directory, mock providers) + +```yaml +Type: String +Parameter Sets: (All) +Aliases: +Accepted values: OAuth, PSRemoting, Credential + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -ProgressAction -TODO: ProgressAction Description +{{ Fill ProgressAction Description }} ```yaml Type: ActionPreference From ccb1272ace97406af19df6dd4b9e2cfec95d0860 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 7 Feb 2026 21:29:19 +0000 Subject: [PATCH 12/13] Fix MDX parsing error in cmdlet reference - Replace {{ Fill ProgressAction Description }} with proper description - This fixes the DoubleBrace MDX risk error in CI Co-authored-by: blindzero <13959569+blindzero@users.noreply.github.com> --- docs/reference/cmdlets/New-IdleAuthSession.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/cmdlets/New-IdleAuthSession.md b/docs/reference/cmdlets/New-IdleAuthSession.md index a4c80a0e..0b2c161f 100644 --- a/docs/reference/cmdlets/New-IdleAuthSession.md +++ b/docs/reference/cmdlets/New-IdleAuthSession.md @@ -88,7 +88,7 @@ Accept wildcard characters: False ``` ### -ProgressAction -{{ Fill ProgressAction Description }} +Controls the display of progress information during cmdlet execution. ```yaml Type: ActionPreference From 17ef1c7b9cc5bafa2b7d2ba69425d7a0f8180b1c Mon Sep 17 00:00:00 2001 From: Matthias Fleschuetz <13959569+blindzero@users.noreply.github.com> Date: Sat, 7 Feb 2026 22:35:35 +0100 Subject: [PATCH 13/13] new cmdlet reference --- docs/reference/cmdlets/New-IdleAuthSession.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/reference/cmdlets/New-IdleAuthSession.md b/docs/reference/cmdlets/New-IdleAuthSession.md index 0b2c161f..dbcadfa8 100644 --- a/docs/reference/cmdlets/New-IdleAuthSession.md +++ b/docs/reference/cmdlets/New-IdleAuthSession.md @@ -13,8 +13,8 @@ Creates a simple AuthSessionBroker for use with IdLE providers. ## SYNTAX ``` -New-IdleAuthSession [-SessionMap] [[-DefaultAuthSession] ] -AuthSessionType - [-ProgressAction ] [] +New-IdleAuthSession [-SessionMap] <Hashtable> [[-DefaultAuthSession] <Object>] [-AuthSessionType] <String> + [-ProgressAction <ActionPreference>] [<CommonParameters>] ``` ## DESCRIPTION @@ -66,7 +66,8 @@ Accept wildcard characters: False ``` ### -AuthSessionType -Specifies the type of authentication session. This determines validation rules, +Specifies the type of authentication session. +This determines validation rules, lifecycle management, and telemetry behavior. Valid values: @@ -78,17 +79,16 @@ Valid values: Type: String Parameter Sets: (All) Aliases: -Accepted values: OAuth, PSRemoting, Credential Required: True -Position: Named +Position: 3 Default value: None Accept pipeline input: False Accept wildcard characters: False ``` ### -ProgressAction -Controls the display of progress information during cmdlet execution. +TODO: ProgressAction Description ```yaml Type: ActionPreference