
Client Secrets authentication improvements #405

Draft
Foggy2 wants to merge 16 commits into SCRT-HQ:main from Foggy2:Client-Secrets-Auth-Improvements

Conversation

@Foggy2 (Contributor) commented Jul 27, 2025

This should address issue #345.

I have refactored the authentication code making improvements to the use of Client Secrets authentication.

I am working on putting together some Pester tests for this, but I think Pester v5 is needed for the best outcome here. I haven't used Pester before, so I am starting to have a look at what would be involved with migrating the existing tests to the newer version. Until then, though, I am submitting this so that I can get some feedback in the interim.

This PR is based on the changes submitted in PRs #402 and #404. As such, I have submitted this in draft status until those PRs are resolved.

Let me know your thoughts or any areas for improvement.


Changes include:

  • Refactored Client Secrets Authentication
    • Flexible OAuth Scope Management:
      • The previous static list of OAuth Scopes is replaced by the new ClientSecretScopes configuration property. This property allows you to define a custom list of OAuth Scopes that are included in all authorization requests by default.
      • If a required OAuth scope is missing from ClientSecretScopes, PSGSuite will now incrementally request authorization for each additional scope as needed. This change enables all PSGSuite functions to be used with Client Secrets authentication.
      • Action Required: Update your Cloud Projects to include all OAuth Scopes you intend to use. To avoid individual authorization prompts for new scopes, add all necessary scopes to the ClientSecretScopes configuration property.
    • Per-Configuration OAuth Token Tracking:
      • Saved OAuth tokens are now tracked per PSGSuite configuration. This means you can use the same user account with multiple PSGSuite configurations, each with different authorized OAuth scopes.
      • Action Required: All existing OAuth tokens must be re-authorized. After updating, you'll be prompted to re-authorize PSGSuite to access your user account.
    • Updated OAuth Authorization Workflow:
      • PSGSuite now exclusively uses LocalServerCodeReceiver for user authorization prompts. This replaces the deprecated PromptCodeReceiver.
      • Requirement: A web browser must be installed on the local system for this method to work.
    • Enhanced Authorization Token Validation:
      • Authorization tokens are now validated to ensure they were issued for the user who initiated the authorization. This prevents commands from being executed against the wrong user account.
      • If a token is issued for an incorrect user, it will be revoked, and the command will fail. Previously, the token would be accepted regardless of the linked user.
      • To enable this validation, PSGSuite will always request the https://www.googleapis.com/auth/userinfo.email OAuth Scope when authorizing user accounts, regardless of the ClientSecretScopes configuration.
      • Action Required: Update all Cloud Projects to include the https://www.googleapis.com/auth/userinfo.email scope.
  • Added new functions:
    • Get-PSGSuiteScope: Returns the OAuth scopes used by PSGSuite.
    • Get-GSScope: Returns the OAuth scopes PSGSuite is authorized to access for a specified user when Client Secrets authentication is used.
    • Get-PSGSuiteAuthenticationMethod: Returns the name of the currently configured authentication method (e.g., Service-Account-JSON-Key, Service-Account-P12-Key, Client-Secrets-OAuth).
    • Grant-GSScope: Supports Client Secrets authentication only. Requests authorization for PSGSuite to access the specified OAuth scopes.
    • Revoke-GSScope: Supports Client Secrets authentication only. Revokes PSGSuite's authorization to access the specified OAuth scopes.
    • Revoke-GSToken: Supports Client Secrets authentication only. Revokes PSGSuite's authorization to access the specified user account.
    • Resolve-PSGSuiteScope: Resolves the provided OAuth scope identifiers to their corresponding OAuth scope values.
  • Added new parameter validation classes:
    • PSGSuiteValidServiceValues: Validates Google API service names (e.g., Google.Apis.Slides.v1.SlidesService).
    • PSGSuiteValidFunctionValues: Validates public PSGSuite function names (e.g., Get-GSPresentation).
    • PSGSuiteValidScopeValues: Validates OAuth scopes used by PSGSuite (e.g., https://www.googleapis.com/auth/drive).
    • PSGSuiteValidScopeIdentifierValues: Validates all values from PSGSuiteValidServiceValues, PSGSuiteValidFunctionValues, and PSGSuiteValidScopeValues.
  • Added ClientSecretScopes property to the module configuration schema. This property defines the default OAuth scopes requested during Client Secrets authentication.
  • Updated Set-PSGSuiteConfig, Export-PSGSuiteConfig and Get-GSDecryptedConfig with support for the ClientSecretScopes configuration property.
  • Refactored New-GoogleService moving the existing authentication code into new private functions New-ServiceAccountCredential and New-GoogleUserCredential for improved code re-usability.
  • Added template ci\templates\OAuthScopes.ps1 that scans the PSGSuite source directory to automatically generate:
    • Module\OAuthScopes.ps1 (containing $script:_PSGSuiteScopes used by Get-PSGSuiteScope)
    • Class\PSGSuiteValidServiceValues.ps1
    • Class\PSGSuiteValidFunctionValues.ps1
    • Class\PSGSuiteValidOAuthScopeValues.ps1
    • Class\PSGSuiteValidScopeIdentifierValues.ps1
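
As an added example (not code from this PR or from PSGSuite itself), the following PowerShell sketch models two of the behaviours the description calls out: merging the configured ClientSecretScopes with the always-requested userinfo.email scope and working out which scopes still need an incremental authorization, and checking that a returned token was issued for the expected user, revoking it when it was not. Every function name, the token strings and the e-mail addresses are hypothetical or constructed; only the userinfo.email scope and the two Google endpoints named in comments are real. The userinfo lookup and the revocation call are injected as script blocks so the example runs offline.

```powershell
# Added example, not PSGSuite code. Models scope merging and token-owner
# validation as described in the PR, using constructed data. All function
# names are hypothetical; only the userinfo.email scope and the two Google
# endpoints mentioned in comments are real.

Set-StrictMode -Version Latest

# PSGSuite always requests this scope so it can identify the token's owner.
$script:UserInfoEmailScope = 'https://www.googleapis.com/auth/userinfo.email'

function Get-AuthorizationScopeSet {
    [CmdletBinding()]
    param(
        [string[]] $ClientSecretScopes,   # the configured default list
        [string[]] $RequiredScopes        # scopes the current command needs
    )
    # Scopes covered by the default authorization: the configured list plus
    # the identity scope, regardless of the configuration.
    $configured = @(@($ClientSecretScopes) + $script:UserInfoEmailScope |
        Where-Object { $_ } | Sort-Object -Unique)
    # Anything the command needs that is not in the defaults must be
    # requested incrementally.
    $missing = @($RequiredScopes | Where-Object { $_ -notin $configured })
    [pscustomobject]@{
        Configured = $configured
        Missing    = $missing
        Requested  = @(($configured + $missing) | Sort-Object -Unique)
    }
}

function Test-TokenOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $ExpectedEmail,
        # Injected so the example runs offline. A live implementation would
        # call the documented endpoint:
        #   Invoke-RestMethod -Uri 'https://www.googleapis.com/oauth2/v3/userinfo' `
        #       -Headers @{ Authorization = "Bearer $AccessToken" }
        [Parameter(Mandatory)] [scriptblock] $UserInfoLookup
    )
    $info = & $UserInfoLookup $AccessToken
    # Reject unknown or unverified owners as well as mismatches.
    if ($null -eq $info -or -not $info.email_verified) { return $false }
    # PowerShell -eq is case-insensitive, matching how Google treats addresses.
    return ($info.email -eq $ExpectedEmail)
}

function Assert-TokenOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $ExpectedEmail,
        [Parameter(Mandatory)] [scriptblock] $UserInfoLookup,
        # Injected too. A live implementation would POST to
        #   https://oauth2.googleapis.com/revoke   with body   token=<AccessToken>
        [Parameter(Mandatory)] [scriptblock] $Revoke
    )
    if (Test-TokenOwner -AccessToken $AccessToken -ExpectedEmail $ExpectedEmail -UserInfoLookup $UserInfoLookup) {
        return $true
    }
    # Wrong user: revoke the token and refuse to run the command.
    & $Revoke $AccessToken
    throw "Token was not issued for '$ExpectedEmail'; it has been revoked and the command will not run."
}

# --- Constructed demo data (not real tokens or accounts) -------------------
$constructedUserInfo = @{
    'tok-admin' = [pscustomobject]@{ email = 'admin@example.com';   email_verified = $true }
    'tok-other' = [pscustomobject]@{ email = 'someone@example.com'; email_verified = $true }
}
$revoked = [System.Collections.Generic.List[string]]::new()
$lookup  = { param($t) $constructedUserInfo[$t] }
$revoke  = { param($t) $revoked.Add($t) }

# 1. Scope merging: the configured list lacks the Slides scope a command needs.
$required = @('https://www.googleapis.com/auth/drive',
              'https://www.googleapis.com/auth/presentations')
$scopes = Get-AuthorizationScopeSet -ClientSecretScopes 'https://www.googleapis.com/auth/drive' -RequiredScopes $required
"Missing (incremental request): $($scopes.Missing -join ', ')"
"Requested in total: $($scopes.Requested.Count) scopes"

# 2. Token-owner validation: the first token passes, the second is revoked.
$null = Assert-TokenOwner -AccessToken 'tok-admin' -ExpectedEmail 'admin@example.com' -UserInfoLookup $lookup -Revoke $revoke
try {
    $null = Assert-TokenOwner -AccessToken 'tok-other' -ExpectedEmail 'admin@example.com' -UserInfoLookup $lookup -Revoke $revoke
} catch {
    "Rejected: $($_.Exception.Message)"
}
"Revoked tokens: $($revoked -join ', ')"
```

Running the script reports the presentations scope as missing (so it would be requested incrementally), passes the token for admin@example.com, and revokes and rejects the token issued for someone@example.com. Injecting the lookup and revocation calls keeps the decision logic testable without network access, which is also what a Pester test for this behaviour would want.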
