Info: Profiles and Authentication

This page details how to set up Scripted Authentication. Please review the parent topic for documentation on Profiles and Authentication before you begin.

Enabling Scripted Authentication 

Scripted Authentication can be enabled for a connection by providing a command line to run in the 'Auth Script Command' field in the Connection Properties screen. This command will be triggered by RED when it needs to authenticate with this connection for the first time and then again whenever the 'Auth Expires After' minutes is exceeded.

For the initial RED Login Screen you also have the option of supplying an Auth Script Command. This will be automatically populated if your selected RED Profile has previously stored it:

Typical Script Based Authentication Workflow

When RED executes the 'Auth Script Command' this is the typical workflow: 

  1. RED UI
    1. Saves the current RED Profile to disk and provides access to this Profile file and the connection name requiring authentication via environment variables.
    2. Runs the 'Auth Script Command'.
  2. Authentication Script
    1. Reads the RED Profile and retrieves any required Connection details from it.
    2. Performs the required authentication workflow for the connection.
    3. Updates the RED Profile on disk with refreshed Auth Tokens, Expires After mins and other Auth Configuration values as required. 
  3. RED UI
    1. Merges the updated RED Profile file back into the in-memory Profile.
    2. Completes the authentication process for the connection.
    3. Resets the internal expiry for the connection based on 'Auth Expires After' mins. 

...

These are the minimum set that can be relied on in all cases, but the usual WSL_TGT_* and WSL_META_* variables will also be provided, if available for the scenario, when the authentication process is initiated after RED login.

WSL_TGT_* variables are set to the context of the connection being authenticated to. If your script relies on other variables being set, it is best to fall back to extracting them from the Profile file when they are not set in the environment. In some situations your script may also need to acquire attributes from the ODBC DSN itself.

| Environment Variable | Value | Description |
|---|---|---|
| WSL_TGT_CONNAME | The name of the connection being refreshed. Not set for the Metadata Repository connection. | Determines which connection requires authentication and the node to update in the profile file. When not set then authenticate the Metadata Repository which is at the root node of the profile. |
| WSL_RED_PROFILE | The path to the RED Profile file. | Used to read and then update the RED Profile file, as required, for the particular authentication flow. |
| WSL_BINDIR | The path to the RED installation directory. | Useful if your scripts utilize any RED command line tooling. |

...

  • 0 = Success, this signals to RED that it should continue with the authentication attempt.
  • Non-Zero = Failure, currently ignored by RED, meaning the authentication process will still be attempted, except from the RED Login where RED simply returns to the login page.

Script Output 

  • All Auth Script output streams are currently ignored by RED

...

The examples here use the following sample PowerShell project, which can be unzipped to a local directory on a system running RED.

ws_auth_v1.0.0.zip - MD5 hash of ws_auth_v1.0.0.zip: bbaf40e8adb558b4e834fa922478f560

In one of your connections in RED you can test the Scripted Authentication process by setting an Auth Script Command and a non-zero Auth Expires After setting, then browsing the connection to initiate the authentication process.

...

Parameters: 

  • AuthType - from: "Snowflake-MFA", "Snowflake-KeyPair", "Test-mode" [Default if not specified]

  • LogLevel - from: "DEBUG", "INFO", "WARN", "ERROR", "FATAL" - Defaults to INFO

Logging:

This script produces logging based on the LogLevel setting. The log file is created in the current user's temp directory with the name 'ws_auth.log'. This location can be found in Windows by typing %TEMP% in an Explorer window.

Example script commands


Note

LogLevel "DEBUG" will print the script environment variables to the log file ws_auth.log. This may expose passwords in plain text, therefore DEBUG should not be set in production.
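A pre-flight for an Auth Script that follows the Note above: it resolves the target from WSL_TGT_CONNAME and WSL_RED_PROFILE as the environment variable table describes, and writes only a redacted environment snapshot to its log. This is an added example, not code from the ws_auth project; the function names, the name pattern used to spot secrets and the log file name are assumptions.

```powershell
# Added example (hypothetical helper names; not part of the ws_auth project).
$SensitivePattern = 'PWD|PASS|SECRET|TOKEN|KEY|CRED'  # assumption: secrets identified by name

function Get-RedactedEnvironment {
    param([hashtable]$Environment)
    $safe = [ordered]@{}
    foreach ($name in ($Environment.Keys | Sort-Object)) {
        # -match is case-insensitive; values of matching names never reach the log.
        if ($name -match $SensitivePattern) { $safe[$name] = '***REDACTED***' }
        else { $safe[$name] = $Environment[$name] }
    }
    return $safe
}

function Get-AuthContext {
    param([hashtable]$Environment)
    $profilePath = $Environment['WSL_RED_PROFILE']
    if ([string]::IsNullOrWhiteSpace($profilePath)) { throw 'WSL_RED_PROFILE is not set' }
    if (-not (Test-Path -LiteralPath $profilePath -PathType Leaf)) {
        throw "RED Profile file not found: $profilePath"
    }
    $conn = $Environment['WSL_TGT_CONNAME']
    [pscustomobject]@{
        ProfilePath = $profilePath
        # An unset WSL_TGT_CONNAME means the Metadata Repository (profile root node).
        Target      = if ([string]::IsNullOrWhiteSpace($conn)) { 'Metadata Repository' } else { $conn }
    }
}

# Snapshot the process environment once, then work only from the snapshot.
$envTable = @{}
Get-ChildItem Env: | ForEach-Object { $envTable[$_.Name] = $_.Value }
$logFile = Join-Path $env:TEMP 'ws_auth_example.log'  # hypothetical log file name

try {
    $ctx = Get-AuthContext -Environment $envTable
    $lines = (Get-RedactedEnvironment -Environment $envTable).GetEnumerator() |
        ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }
    Add-Content -LiteralPath $logFile -Value (@("Authenticating: $($ctx.Target)") + $lines)
    # Connection-specific authentication and the Profile update follow from here.
    exit 0
}
catch {
    Add-Content -LiteralPath $logFile -Value "Auth script failed: $($_.Exception.Message)"
    exit 1  # non-zero signals failure to RED
}
```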

Tip

1- The script path in these commands should reflect the path where you unpacked the ws_auth.zip file.
2- Ensure you also set an initial non-zero value for the Auth Expires After setting.
3- NOTE: You cannot currently change a connection string via a Profile update, therefore the connection string is non-editable in these Auth UIs.

ws_auth Test-mode

Auth Script Command = 

```powershell
PowerShell -ExecutionPolicy bypass -f "c:\temp\ws_auth\ws_auth.ps1" -AuthType "Test-mode" -LogLevel "DEBUG"
```

When executed by RED's authentication process this mode produces a dialog which provides the ability to change all fields except Auth Configuration JSON.


ws_auth Snowflake-MFA

...

```powershell
PowerShell -ExecutionPolicy bypass -f "c:\temp\ws_auth\ws_auth.ps1" -AuthType "Snowflake-MFA" -LogLevel "DEBUG"
```

This mode produces a dialog which provides the ability to set a TOTP passcode and uses the Test ODBC functionality to establish an initial connection.

...

ws_auth Snowflake-KeyPair

Auth Script Command = 

```powershell
PowerShell -ExecutionPolicy bypass -f "c:\temp\ws_auth\ws_auth.ps1" -AuthType "Snowflake-KeyPair" -LogLevel "DEBUG"
```

This mode produces a dialog which provides the ability to set Key-Pair attributes and uses the 'Test on exit' functionality to establish an initial connection.

...