Saving credentials indefinitely (for multiple tenants)

ARAY

Aug 9, 2017, 2:17:20 PM
to gshell-discuss
Hi, first I would like to say amazing work. 

I have 13 different tenants each assigned 1 domain. They were set up this way because they are schools and needed to be set up this way to get e-rate funding. 

I am trying to write a PowerShell script that can run indefinitely without me having to re-log in. This script needs to create user accounts in these 13 Google tenants. I have been able to log in and create users etc. using your library, but my question is about authentication.

1. When I use Invoke-GShellScopeManager and authenticate, I see this information is then stored in gShell_OAuth2.json. Does this authentication expire? If it does, do I have to manually redo the login? I need this script to run indefinitely, so I can't keep logging in for the script.

2. Is it possible to store the credentials for multiple tenants in the gShell_OAuth2.json file? 

3. How can I approach storing the credentials for these 13 tenants so that I can have this script running that creates accounts in the separate tenants, without ever having to interact with the script? 

Thanks very much again for your hard work!

Spencer Varney

Aug 9, 2017, 10:25:18 PM
to ARAY, gshell-discuss
Hey Aray,

Glad you like it! Spread the word, add me on LinkedIn, and uh, give peace and love to all, or something.

1) gShell is based on a Google library of code that automatically [should] renew auth tokens for you. So, once you log in and get it all set up and it works once, it should continue to work as long as something doesn't get revoked, deleted or otherwise messed up. You will however need to run this for each domain you want to use it on, for each API. So with 13 domains (awesome!) and 2 APIs, you'd have to authenticate 26 times.

One other easy way to do that is just to run a cmdlet from that API while specifying the GAuthID, and it'll launch the scope manager for you. Example:
Get-GAUser squid808 -GauthID Mydomain.com

2) Yes, but I'd really really recommend doing it through gShell using the above mentioned methods. The dance with Google's servers to get those auth tokens and other information is NOT something you'd want to do by hand. gShell will take care of it all for you. I personally have three domains I manage, but I set it all up through either the scope manager or just by calling the API cmdlets.

3) See above answers. That said, the json file that is created is both portable (not encrypted) and moveable (you can configure where gShell looks for the file by using Set-GShellSettings). So if you write your cmdlets on one computer and plan to run nightly scripts or something on another computer, you'll want to make sure the gShell on the automation computer has either been authenticated separately, or can find a copy of the json file. If you need the auth information to be more secure, you can similarly use Set-GShellSettings to change it from the json file to a binary .bin file that is tied to the user and computer that create it.

Note: I have scripts that run multiple times a day doing different work that are based on gshell, the main thing to keep in mind is that it's a wrapper of the google APIs targeted to one person - that's why it installs to the local user's folders and only stores credentials for one person by default. Unfortunately there is no good way around having to authenticate for each API for each domain, but think of it this way: for a giant magic admin wand you get to wield, it's a small price to pay :)

If you run into any issues or anything, feel free to let me know or drop me a chat and I'll help out where I can.

Regards,

Spencer
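
Spencer's point in (3) is the security-relevant one: the gShell_OAuth2.json file holds refresh tokens for every domain in cleartext, and whoever can read it can act as the admin for all 13 schools. If you keep the json file (rather than switching to the user-and-machine-bound .bin option via Set-GShellSettings), the least you should do on the automation host is strip inherited permissions from that file and grant access only to the account that runs the nightly script. The following PowerShell is an added example, not part of gShell; it assumes $TokenFile is the path gShell is actually configured to use (the thread does not state the default location) and that $AutomationAccount is the service account running the script.

```powershell
# Added example (not gShell code): restrict the gShell token file so only the
# automation account, SYSTEM and local Administrators can read or change it.
# Assumptions: $TokenFile is the file gShell is configured to use (see
# Set-GShellSettings); $AutomationAccount is the account that runs the script.
param(
    [Parameter(Mandatory)][string]$TokenFile,
    [string]$AutomationAccount = "$env:USERDOMAIN\$env:USERNAME"
)

if (-not (Test-Path -LiteralPath $TokenFile)) {
    throw "Token file not found: $TokenFile"
}

$acl = Get-Acl -LiteralPath $TokenFile

# Stop inheriting the parent folder's ACL and discard the inherited entries, so a
# broad grant on the profile folder or a share does not silently expose the tokens.
$acl.SetAccessRuleProtection($true, $false)

# Remove whatever explicit entries are already present; we rebuild the list from scratch.
foreach ($rule in @($acl.Access)) {
    [void]$acl.RemoveAccessRule($rule)
}

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$principals  = @($AutomationAccount, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
foreach ($principal in $principals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, $fullControl, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $TokenFile -AclObject $acl

# Re-read and show the resulting ACL. Any identity other than the three above,
# or any entry with IsInherited = True, means the lockdown did not take.
(Get-Acl -LiteralPath $TokenFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run it once as an administrator on the automation host after the domains have been authenticated (for example `.\Protect-GShellTokenFile.ps1 -TokenFile 'C:\path\to\gShell_OAuth2.json' -AutomationAccount 'SCHOOLS\svc-gshell'`). It does not replace the .bin option, which additionally binds the secret to the machine; it only makes the plaintext file harder to copy off the box.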



adam...@lshscosprings.com

Aug 10, 2017, 11:05:51 AM
to gshell-discuss, adam....@gmail.com
Thanks for the quick response Spencer.

So, I have gone through and successfully logged in for all 13 domains and have verified that I can Get-GAUser @ domain and I can get the user for the domain. That does work, as long as I keep the PowerShell window open.

When I open a new PowerShell window, the only domain for which I can Get-GAUser is the LAST domain I authenticated to. The other domains give a 403 Not authorized error.

The only domain that ever shows up in the gShell_OAuth2.json file is the last domain I authenticated to. Once I Invoke-GShellScopeManager and authenticate to a new domain, if I close and reopen PowerShell, that is now the only domain I can Get-GAUser for. If I want the other, I have to do it all again.

It would help me a great deal if you could provide me instructions on how to authenticate to 2 separate tenants, be able to close the PowerShell window, open it again and still be able to Get-GAUser on both of those domains without having to re-authenticate.

I have absolutely no problem with authenticating to the 13 tenants in the beginning, it's just that they do not stay authenticated when I do it.

Spencer Varney

Aug 10, 2017, 11:38:48 AM
to adam...@lshscosprings.com, gshell-discuss, adam....@gmail.com
Hey Adam,

So, that doesn't sound like things are working properly - sorry about that! The json file persists separately from and outside the instance of PowerShell (well, it should). Once gShell writes the data to it, it should stay there. The only catch is with more than one domain involved, normally one is the default domain and all others have to be specified with -GAuthId in the cmdlet calls.

Since this is not the intended behavior, I'd like your help to try and find out why data is being removed from your json file and when. 

In the name of troubleshooting, can you try to isolate when the data is being removed from your gShell_OAuth2.json file? Start with a blank slate (close PowerShell, remove or move the file, relaunch PowerShell), then add your first domain by calling Get-GAUser for a user in the domain and make sure you get the proper response. Check your json file (use something non-locking, like Notepad++): do you see the data for that domain? If you close PowerShell, does the info for the domain stay?

Continue adding the domains in this manner one by one, using the -GAuthId param to specify new domains (otherwise it'll just use the default). After you get a proper response for that domain, check the file, verify that all the other domains are there, as well as the new one. Then close PowerShell and check it again.

Like I said, I only have access to 3 domains and have not had any similar issues, so I'll need your help and patience in troubleshooting this. If you'd like to reach out to me directly via a chat to try and make things snappier, please feel free and I'll respond as soon as I can.

Regards,

Spencer
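
The isolation procedure Spencer describes (blank slate, add one domain with -GAuthId, inspect the file, repeat, then close and reopen PowerShell and inspect again) is easy to get wrong by hand across 13 domains, so here it is as a script that records, after every step, which domains are still present in the token file and whether the file was rewritten. This is an added example, not gShell code and not something from the thread's author. It assumes $TokenFile is the path gShell is configured to use (see Set-GShellSettings; the default is not stated here), that $ProbeUsers maps each domain to an existing username in it, and that a domain's entry in the file contains the domain name as a string; it searches the raw text and assumes nothing about the file's schema.

```powershell
# Added example (not gShell code): walk the isolation steps one domain at a time
# and report which domains remain in the token file after each Get-GAUser call.
# Re-run with -CheckOnly after closing and reopening PowerShell to see what
# survived the restart without touching the API.
# Assumptions: $TokenFile is gShell's configured token file; $ProbeUsers maps
# domain -> existing username; a stored domain appears as a plain string in the
# file (text search only, no schema assumed).
param(
    [Parameter(Mandatory)][string]$TokenFile,
    [Parameter(Mandatory)][hashtable]$ProbeUsers,   # e.g. @{ 'school1.org' = 'admin'; 'school2.org' = 'admin' }
    [switch]$CheckOnly
)

function Get-StoredDomains {
    param([string]$Path, [string[]]$Domains)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # Get-Content opens, reads and releases the file, so gShell is not blocked from writing it.
    $text = Get-Content -LiteralPath $Path -Raw
    @($Domains | Where-Object { $text -match [regex]::Escape($_) })
}

function Get-TokenFileHash {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash }
    else { '<missing>' }
}

$domains = @($ProbeUsers.Keys | Sort-Object)

if ($CheckOnly) {
    # Post-restart check: nothing is called, we only look at the file.
    $stored = Get-StoredDomains -Path $TokenFile -Domains $domains
    [pscustomobject]@{
        DomainsInFile = ($stored -join ', ')
        Missing       = (@($domains | Where-Object { $stored -notcontains $_ }) -join ', ')
        FileHash      = Get-TokenFileHash -Path $TokenFile
    }
    return
}

$report = for ($i = 0; $i -lt $domains.Count; $i++) {
    $domain = $domains[$i]
    $before = Get-TokenFileHash -Path $TokenFile
    try {
        # Same call as in the thread; the first use of a new domain opens the scope manager.
        $null = Get-GAUser $ProbeUsers[$domain] -GAuthId $domain
        $ok = $true
    } catch {
        $ok = $false
        Write-Warning "Get-GAUser failed for ${domain}: $($_.Exception.Message)"
    }
    $stored = Get-StoredDomains -Path $TokenFile -Domains $domains
    # Every domain added in an earlier step should still be in the file. If LostEntries is
    # ever non-empty, this step is where the file is being overwritten rather than extended.
    $lost = @($domains[0..$i] | Where-Object { $stored -notcontains $_ })
    [pscustomobject]@{
        Step          = $i + 1
        Domain        = $domain
        CallSucceeded = $ok
        DomainsInFile = ($stored -join ', ')
        LostEntries   = ($lost -join ', ')
        FileRewritten = ($before -ne (Get-TokenFileHash -Path $TokenFile))
    }
}
$report | Format-Table -AutoSize
```

Run it in a fresh session after moving the old file aside, e.g. `.\Test-GShellTokenPersistence.ps1 -TokenFile 'C:\path\to\gShell_OAuth2.json' -ProbeUsers @{ 'school1.org' = 'admin'; 'school2.org' = 'admin' }`, then close PowerShell, reopen it and run the same command with `-CheckOnly`. The step at which LostEntries first becomes non-empty, together with whether FileRewritten is True on that step, is exactly the information Spencer is asking for.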
