Scripted Authentication can be enabled for a connection by providing a command line to run in the 'Auth Script Command' field. This command will be triggered by RED when it needs to authenticate with this connection for the first time and then again whenever the 'Auth Expires After' minutes is exceeded.

Typical Script Based Authentication Workflow

When RED executes the 'Auth Script Command' this is the typical workflow: 

1. RED UI
   1. Save the current RED Profile to disk and provide access to this Profile file and the connection name requiring authentication via environment variables.
   2. Run the 'Auth Script Command'
2. Authentication Script
   1. Reads the RED Profile and retrieves any required Connection details from it.
   2. Perform the required authentication workflow for the connection.
   3. Updates the RED Profile on disk with refreshed Auth Tokens, Expires After mins and other Auth Configuration values as required. 
3. RED UI
   1. Merges the updated RED Profile file back into memory.
   2. Completes the authentication process for the connection.
   3. Resets the internal expiry for the connection based on 'Auth Expires After' mins. 

Auth Script Environment Variables

RED will set the following Environment Variables for the Auth Script Command execution.

These are the minimum set that can be relied on, but the usual WSL_TGT_* and WSL_META_* variables will also be provided if available for the scenario. WSL_TGT_* vars are set to the context of the connection being authenticated to. If your script relies on other variables to be set it is best to fall back to extracting from the Profile file when these are not set in the environment.

Auth Script Output Protocol

RED relies on Exit Code only, it is expected the script will report any errors to the user interactively or via it's own logging mechanisms.

Exit Codes

• 0 = Success, this signals to RED that it should continue with the authentication attempt.
• Non-Zero = Failure, this signals to RED that it should abort the current authentication attempt.

Script Output 

• All Auth Script output streams are currently ignored by RED

Auth Script Command Usage - PowerShell Examples

The examples here use the following sample PowerShell project, which can be unzipped to a local directory on a system running RED.

ws_auth.zip

In one of your connections in RED you can test the Scripted Authentication process by setting an Auth Script Command and a non-zero Auth Expires After setting, then browsing the connection to initiate the authentication process.

The sample PowerShell based authentication project has a main script and a set of modules, the main script can be extended with your own authentication types as required.

Script name and parameters

Name:

• ws_auth.ps1

Parameters: 

• AuthType - from: "Snowflake-MFA", "Snowflake-KeyPair", "Test-mode" [Default if not specified]

• LogLevel - from:  "DEBUG", "INFO", "WARN", "ERROR", "FATAL" - Defaults to INFO

Logging:

This script produces logging based on the LogLevel setting, the log file will be created in the current user's temp directory with the name 'ws_auth.log'. This location can be found in Windows by typing %TEMP% in an explorer window.

Example script commands

LogLevel "DEBUG" will print the script environment variables to the log file ws_auth.log
This may expose passwords in plaint text therefore DEBUG should not be set in production.

1- The script path in these commands should reflect the path where you unpacked the ws_auth.zip file.
2- Ensure you also set an initial non-zero value for the Auth Expires After setting.
3- NOTE: You can not currently change a connection string via a Profile update,
   therefore connection string is non-editable in these Auth UI's.

ws_auth Test-mode

Auth Script Command = 

PowerShell -ExecutionPolicy bypass -f "c:\temp\ws_auth\ws_auth.ps1" -AuthType "Test-mode" -LogLevel "DEBUG"

When executed by RED's authentication process this mode produces a dialog which provides the ability to change all possible fields.