Observations: Invoke-RestMethod and authentication¶
- Using both -WebSession and -SessionVariable in the same call is not supported and will generate an exception.
WebRequestSessionobject set by
-SessionVariablecontains a copy of the
-Credentialused and the
ibapauthcookie returned from Infoblox.
- When the session expires, the embedded credential will automatically be used to re-authenticate on the next call and update cookie in the session object.
- Instead of using
-SessionVariable, it is possible to pre-create a
WebRequestSessionobject with embedded credentials and use that with
-WebSessioninstead of making a separate call with
-SessionVariablefirst. It will automatically authenticate the same way it does if the login cookie had expired.
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession $session.Credentials = (Get-Credential).GetNetworkCredential() Invoke-RestMethod -Uri "http://example.com" -WebSession $session
- It is possible to use both
-WebSessionin the same call. If the
ibapauthcookie in the session object is still valid, that will be used even if the explicit credential object is a different user. If there is no cookie or the cookie is expired, the explicit credential object will override any credential embedded in the session object.
Because the functions in this module are largely just wrapping Invoke-RestMethod, all of the observations listed above apply to this module's functions that take the same parameters.
Observations: Disabling Certificate Validation¶
There is unfortunately no native support in
Invoke-RestMethod (or any related cmdlet) for per-call disabling of certificate validation. Validation logic is controlled globally at the .NET level on a per-session basis in System.Net.ServicePointManager. In order to mimic a per-call disable flag, we're essentially disabling cert validation globally just long enough to make our call to
Invoke-RestMethod and then setting it back to the default functionality.
ServicePointManager seems to cache the validation results for each base URL. The result is that for a short period of time (minutes), cert validation will continue to appear to be disabled when making calls against the same WAPI endpoint even though cert validation is technically turned back on.
There may be a way to shorten the cache duration by changing the value of ServicePointManager.MaxServicePointIdleTime. But even setting it to 0 doesn't remove the cached validation immediately. There's still a delay likely waiting for the idle object to be garbage collected.
For the time being, we're going to leave
MaxServicePointIdleTime alone as it's likely an extreme edge case that someone would need to disable cert validation for a single call and then turn it back on for the same WAPI endpoint in quick succession. Most of the people who care about this feature are running Infoblox with the default self-signed certificate and will just choose to always have certificate validation disabled.
UPDATE: The version of Invoke-RestMethod included in PowerShell Core 6.0 includes a -SkipCertificateCheck parameter which should resolve this issue at least for Core edition users. Hopefully Microsoft will back port those changes into Desktop edition eventually.