
Create a new type of Authentication scheme.
Create a new type of Authentication scheme, which is used to parse the Request for user credentials for validating.
If supplied, will use the inbuilt Basic Authentication credentials retriever.
The Encoding to use when decoding the Basic Authorization header.
The Tag name used in the Authorization header, ie: Basic, Bearer, Digest.
If supplied, will use the inbuilt Form Authentication credentials retriever.
.PARAMETER UsernameField
The name of the Username Field in the payload to retrieve the username.
.PARAMETER PasswordField
The name of the Password Field in the payload to retrieve the password.
If supplied, will allow you to create a Custom Authentication credentials retriever.
.PARAMETER ScriptBlock
The ScriptBlock is used to parse the request and retieve user credentials and other information.
.PARAMETER ArgumentList
An array of arguments to supply to the Custom Authentication type's ScriptBlock.
The Name of an Authentication type - such as Basic or NTLM.
.PARAMETER Description
A short description for security scheme. CommonMark syntax MAY be used for rich text representation
The name of scope of the protected area.
The scheme type for custom Authentication types. Default is HTTP.
.PARAMETER Middleware
An array of ScriptBlocks for optional Middleware to run before the Scheme's scriptblock.
.PARAMETER PostValidator
The PostValidator is a scriptblock that is invoked after user validation.
If supplied, will use the inbuilt Digest Authentication credentials retriever.
If supplied, will use the inbuilt Bearer Authentication token retriever.
.PARAMETER ClientCertificate
If supplied, will use the inbuilt Client Certificate Authentication scheme.
The Application ID generated when registering a new app for OAuth2.
.PARAMETER ClientSecret
The Application Secret generated when registering a new app for OAuth2 (this is optional when using PKCE).
.PARAMETER RedirectUrl
An optional OAuth2 Redirect URL (default: <host>/oauth2/callback)
.PARAMETER AuthoriseUrl
The OAuth2 Authorisation URL to authenticate a User. This is optional if you're using an InnerScheme like Basic/Form.
The OAuth2 Token URL to acquire an access token.
An optional User profile URL to retrieve a user's details - for OAuth2
.PARAMETER UserUrlMethod
An optional HTTP method to use when calling the User profile URL - for OAuth2 (Default: Post)
.PARAMETER CodeChallengeMethod
An optional method for sending a PKCE code challenge when calling the Authorise URL - for OAuth2 (Default: S256)
If supplied, OAuth2 authentication will use PKCE code verifiers - for OAuth2
If supplied, will use the inbuilt OAuth2 Authentication scheme.
An optional array of Scopes for Bearer/OAuth2 Authentication. (These are case-sensitive)
If supplied, will use the inbuilt API key Authentication scheme.
The Location to find an API key: Header, Query, or Cookie. (Default: Header)
.PARAMETER LocationName
The Name of the Header, Query, or Cookie to find an API key. (Default depends on Location. Header/Cookie: X-API-KEY, Query: api_key)
.PARAMETER InnerScheme
An optional authentication Scheme (from New-PodeAuthScheme) that will be called prior to this Scheme.
.PARAMETER AsCredential
If supplied, username/password credentials for Basic/Form authentication will instead be supplied as a pscredential object.
If supplied, the token/key supplied for Bearer/API key authentication will be parsed as a JWT, and the payload supplied instead.
An optional Secret, used to sign/verify JWT signatures.
$basic_auth = New-PodeAuthScheme -Basic
$form_auth = New-PodeAuthScheme -Form -UsernameField 'Email'
$custom_auth = New-PodeAuthScheme -Custom -ScriptBlock { /* logic */ }

function New-PodeAuthScheme {
    [CmdletBinding(DefaultParameterSetName = 'Basic')]
        [Parameter(ParameterSetName = 'Basic')]

        [Parameter(ParameterSetName = 'Basic')]
        $Encoding = 'ISO-8859-1',

        [Parameter(ParameterSetName = 'Basic')]
        [Parameter(ParameterSetName = 'Bearer')]
        [Parameter(ParameterSetName = 'Digest')]

        [Parameter(ParameterSetName = 'Form')]

        [Parameter(ParameterSetName = 'Form')]
        $UsernameField = 'username',

        [Parameter(ParameterSetName = 'Form')]
        $PasswordField = 'password',

        [Parameter(ParameterSetName = 'Custom')]

        [Parameter(Mandatory = $true, ParameterSetName = 'Custom')]
                if (Test-PodeIsEmpty $_) {
                    throw 'A non-empty ScriptBlock is required for the Custom authentication scheme'

                return $true

        [Parameter(ParameterSetName = 'Custom')]

        [Parameter(ParameterSetName = 'Custom')]



        [Parameter(ParameterSetName = 'Custom')]
        [ValidateSet('ApiKey', 'Http', 'OAuth2', 'OpenIdConnect')]
        $Type = 'Http',


        [Parameter(ParameterSetName = 'Custom')]
        $PostValidator = $null,

        [Parameter(ParameterSetName = 'Digest')]

        [Parameter(ParameterSetName = 'Bearer')]

        [Parameter(ParameterSetName = 'ClientCertificate')]

        [Parameter(ParameterSetName = 'OAuth2', Mandatory = $true)]

        [Parameter(ParameterSetName = 'OAuth2')]

        [Parameter(ParameterSetName = 'OAuth2')]

        [Parameter(ParameterSetName = 'OAuth2')]

        [Parameter(ParameterSetName = 'OAuth2', Mandatory = $true)]

        [Parameter(ParameterSetName = 'OAuth2')]

        [Parameter(ParameterSetName = 'OAuth2')]
        [ValidateSet('Get', 'Post')]
        $UserUrlMethod = 'Post',

        [Parameter(ParameterSetName = 'OAuth2')]
        [ValidateSet('plain', 'S256')]
        $CodeChallengeMethod = 'S256',

        [Parameter(ParameterSetName = 'OAuth2')]

        [Parameter(ParameterSetName = 'OAuth2')]

        [Parameter(ParameterSetName = 'ApiKey')]

        [Parameter(ParameterSetName = 'ApiKey')]
        [ValidateSet('Header', 'Query', 'Cookie')]
        $Location = 'Header',

        [Parameter(ParameterSetName = 'ApiKey')]

        [Parameter(ParameterSetName = 'Bearer')]
        [Parameter(ParameterSetName = 'OAuth2')]

        [Parameter(ValueFromPipeline = $true)]

        [Parameter(ParameterSetName = 'Basic')]
        [Parameter(ParameterSetName = 'Form')]

        [Parameter(ParameterSetName = 'Bearer')]
        [Parameter(ParameterSetName = 'ApiKey')]

        [Parameter(ParameterSetName = 'Bearer')]
        [Parameter(ParameterSetName = 'ApiKey')]

    # default realm
    $_realm = 'User'

    # convert any middleware into valid hashtables
    $Middleware = @(ConvertTo-PodeMiddleware -Middleware $Middleware -PSSession $PSCmdlet.SessionState)

    # configure the auth scheme
    switch ($PSCmdlet.ParameterSetName.ToLowerInvariant()) {
        'basic' {
            return @{
                Name          = (Protect-PodeValue -Value $HeaderTag -Default 'Basic')
                Realm         = (Protect-PodeValue -Value $Realm -Default $_realm)
                ScriptBlock   = @{
                    Script         = (Get-PodeAuthBasicType)
                    UsingVariables = $null
                PostValidator = $null
                Middleware    = $Middleware
                InnerScheme   = $InnerScheme
                Scheme        = 'http'
                Arguments     = @{
                    Description  = $Description
                    HeaderTag    = (Protect-PodeValue -Value $HeaderTag -Default 'Basic')
                    Encoding     = (Protect-PodeValue -Value $Encoding -Default 'ISO-8859-1')
                    AsCredential = $AsCredential

        'clientcertificate' {
            return @{
                Name          = 'Mutual'
                Realm         = (Protect-PodeValue -Value $Realm -Default $_realm)
                ScriptBlock   = @{
                    Script         = (Get-PodeAuthClientCertificateType)
                    UsingVariables = $null
                PostValidator = $null
                Middleware    = $Middleware
                InnerScheme   = $InnerScheme
                Scheme        = 'http'
                Arguments     = @{}

        'digest' {
            return @{
                Name          = 'Digest'
                Realm         = (Protect-PodeValue -Value $Realm -Default $_realm)
                ScriptBlock   = @{
                    Script         = (Get-PodeAuthDigestType)
                    UsingVariables = $null
                PostValidator = @{
                    Script         = (Get-PodeAuthDigestPostValidator)
                    UsingVariables = $null
                Middleware    = $Middleware
                InnerScheme   = $InnerScheme
                Scheme        = 'http'
                Arguments     = @{
                    HeaderTag = (Protect-PodeValue -Value $HeaderTag -Default 'Digest')

        'bearer' {
            $secretBytes = $null
            if (![string]::IsNullOrWhiteSpace($Secret)) {
                $secretBytes = [System.Text.Encoding]::UTF8.GetBytes($Secret)

            return @{
                Name          = 'Bearer'
                Realm         = (Protect-PodeValue -Value $Realm -Default $_realm)
                ScriptBlock   = @{
                    Script         = (Get-PodeAuthBearerType)
                    UsingVariables = $null
                PostValidator = @{
                    Script         = (Get-PodeAuthBearerPostValidator)
                    UsingVariables = $null
                Middleware    = $Middleware
                Scheme        = 'http'
                InnerScheme   = $InnerScheme
                Arguments     = @{
                    Description = $Description
                    HeaderTag   = (Protect-PodeValue -Value $HeaderTag -Default 'Bearer')
                    Scopes      = $Scope
                    AsJWT       = $AsJWT
                    Secret      = $secretBytes

        'form' {
            return @{
                Name          = 'Form'
                Realm         = (Protect-PodeValue -Value $Realm -Default $_realm)
                ScriptBlock   = @{
                    Script         = (Get-PodeAuthFormType)
                    UsingVariables = $null
                PostValidator = $null
                Middleware    = $Middleware
                InnerScheme   = $InnerScheme
                Scheme        = 'http'
                Arguments     = @{
                    Description  = $Description
                    Fields       = @{
                        Username = (Protect-PodeValue -Value $UsernameField -Default 'username')
                        Password = (Protect-PodeValue -Value $PasswordField -Default 'password')
                    AsCredential = $AsCredential

        'oauth2' {
            if (($null -ne $InnerScheme) -and ($InnerScheme.Name -inotin @('basic', 'form'))) {
                throw "OAuth2 InnerScheme can only be one of either Basic or Form authentication, but got: $($InnerScheme.Name)"

            if (($null -eq $InnerScheme) -and [string]::IsNullOrWhiteSpace($AuthoriseUrl)) {
                throw 'OAuth2 requires an Authorise URL to be supplied'

            if ($UsePKCE -and !(Test-PodeSessionsEnabled)) {
                throw 'Sessions are required to use OAuth2 with PKCE'

            if (!$UsePKCE -and [string]::IsNullOrEmpty($ClientSecret)) {
                throw 'OAuth2 requires a Client Secret when not using PKCE'
            return @{
                Name          = 'OAuth2'
                Realm         = (Protect-PodeValue -Value $Realm -Default $_realm)
                ScriptBlock   = @{
                    Script         = (Get-PodeAuthOAuth2Type)
                    UsingVariables = $null
                PostValidator = $null
                Middleware    = $Middleware
                Scheme        = 'oauth2'
                InnerScheme   = $InnerScheme
                Arguments     = @{
                    Description = $Description
                    Scopes      = $Scope
                    PKCE        = @{
                        Enabled       = $UsePKCE
                        CodeChallenge = @{
                            Method = $CodeChallengeMethod
                    Client      = @{
                        ID     = $ClientId
                        Secret = $ClientSecret
                    Urls        = @{
                        Redirect  = $RedirectUrl
                        Authorise = $AuthoriseUrl
                        Token     = $TokenUrl
                        User      = @{
                            Url    = $UserUrl
                            Method = (Protect-PodeValue -Value $UserUrlMethod -Default 'Post')

        'apikey' {
            # set default location name
            if ([string]::IsNullOrWhiteSpace($LocationName)) {
                $LocationName = (@{
                        Header = 'X-API-KEY'
                        Query  = 'api_key'
                        Cookie = 'X-API-KEY'

            $secretBytes = $null
            if (![string]::IsNullOrWhiteSpace($Secret)) {
                $secretBytes = [System.Text.Encoding]::UTF8.GetBytes($Secret)

            return @{
                Name          = 'ApiKey'
                Realm         = (Protect-PodeValue -Value $Realm -Default $_realm)
                ScriptBlock   = @{
                    Script         = (Get-PodeAuthApiKeyType)
                    UsingVariables = $null
                PostValidator = $null
                Middleware    = $Middleware
                InnerScheme   = $InnerScheme
                Scheme        = 'apiKey'
                Arguments     = @{
                    Description  = $Description
                    Location     = $Location
                    LocationName = $LocationName
                    AsJWT        = $AsJWT
                    Secret       = $secretBytes

        'custom' {
            $ScriptBlock, $usingScriptVars = Convert-PodeScopedVariables -ScriptBlock $ScriptBlock -PSSession $PSCmdlet.SessionState

            if ($null -ne $PostValidator) {
                $PostValidator, $usingPostVars = Convert-PodeScopedVariables -ScriptBlock $PostValidator -PSSession $PSCmdlet.SessionState

            return @{
                Name          = $Name
                Realm         = (Protect-PodeValue -Value $Realm -Default $_realm)
                InnerScheme   = $InnerScheme
                Scheme        = $Type.ToLowerInvariant()
                ScriptBlock   = @{
                    Script         = $ScriptBlock
                    UsingVariables = $usingScriptVars
                PostValidator = @{
                    Script         = $PostValidator
                    UsingVariables = $usingPostVars
                Middleware    = $Middleware
                Arguments     = $ArgumentList

Create an OAuth2 auth scheme for Azure AD.
A wrapper for New-PodeAuthScheme and OAuth2, which builds an OAuth2 scheme for Azure AD.
The Directory/Tenant ID from registering a new app (default: common).
The Client ID from registering a new app.
.PARAMETER ClientSecret
The Client Secret from registering a new app (this is optional when using PKCE).
.PARAMETER RedirectUrl
An optional OAuth2 Redirect URL (default: <host>/oauth2/callback)
.PARAMETER InnerScheme
An optional authentication Scheme (from New-PodeAuthScheme) that will be called prior to this Scheme.
.PARAMETER Middleware
An array of ScriptBlocks for optional Middleware to run before the Scheme's scriptblock.
If supplied, OAuth2 authentication will use PKCE code verifiers.
New-PodeAuthAzureADScheme -Tenant 123-456-678 -ClientId some_id -ClientSecret
New-PodeAuthAzureADScheme -Tenant 123-456-678 -ClientId some_id -UsePKCE

function New-PodeAuthAzureADScheme {
        $Tenant = 'common',

        [Parameter(Mandatory = $true)]



        [Parameter(ValueFromPipeline = $true)]



    return New-PodeAuthScheme `
        -OAuth2 `
        -ClientId $ClientId `
        -ClientSecret $ClientSecret `
        -AuthoriseUrl "$($Tenant)/oauth2/v2.0/authorize" `
        -TokenUrl "$($Tenant)/oauth2/v2.0/token" `
        -UserUrl '' `
        -RedirectUrl $RedirectUrl `
        -InnerScheme $InnerScheme `
        -Middleware $Middleware `

Create an OAuth2 auth scheme for Twitter.
A wrapper for New-PodeAuthScheme and OAuth2, which builds an OAuth2 scheme for Twitter apps.
The Client ID from registering a new app.
.PARAMETER ClientSecret
The Client Secret from registering a new app (this is optional when using PKCE).
.PARAMETER RedirectUrl
An optional OAuth2 Redirect URL (default: <host>/oauth2/callback)
.PARAMETER Middleware
An array of ScriptBlocks for optional Middleware to run before the Scheme's scriptblock.
If supplied, OAuth2 authentication will use PKCE code verifiers.
New-PodeAuthTwitterScheme -ClientId some_id -ClientSecret
New-PodeAuthTwitterScheme -ClientId some_id -UsePKCE

function New-PodeAuthTwitterScheme {
        [Parameter(Mandatory = $true)]





    return New-PodeAuthScheme `
        -OAuth2 `
        -ClientId $ClientId `
        -ClientSecret $ClientSecret `
        -AuthoriseUrl '' `
        -TokenUrl '' `
        -UserUrl '' `
        -UserUrlMethod 'Get' `
        -RedirectUrl $RedirectUrl `
        -Middleware $Middleware `
        -Scope '', '' `

Adds a custom Authentication method for verifying users.
Adds a custom Authentication method for verifying users.
A unique Name for the Authentication method.
The authentication Scheme to use for retrieving credentials (From New-PodeAuthScheme).
.PARAMETER ScriptBlock
The ScriptBlock defining logic that retrieves and verifys a user.
.PARAMETER ArgumentList
An array of arguments to supply to the Custom Authentication's ScriptBlock.
The URL to redirect to when authentication fails.
.PARAMETER FailureMessage
An override Message to throw when authentication fails.
The URL to redirect to when authentication succeeds when logging in.
.PARAMETER Sessionless
If supplied, authenticated users will not be stored in sessions, and sessions will not be used.
.PARAMETER SuccessUseOrigin
If supplied, successful authentication from a login page will redirect back to the originating page instead of the FailureUrl.
New-PodeAuthScheme -Form | Add-PodeAuth -Name 'Main' -ScriptBlock { /* logic */ }

function Add-PodeAuth {
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]

        [Parameter(Mandatory = $true)]
                if (Test-PodeIsEmpty $_) {
                    throw 'A non-empty ScriptBlock is required for the authentication method'

                return $true







    # ensure the name doesn't already exist
    if (Test-PodeAuthExists -Name $Name) {
        throw "Authentication method already defined: $($Name)"

    # ensure the Scheme contains a scriptblock
    if (Test-PodeIsEmpty $Scheme.ScriptBlock) {
        throw "The supplied '$($Scheme.Name)' Scheme for the '$($Name)' authentication validator requires a valid ScriptBlock"

    # if we're using sessions, ensure sessions have been setup
    if (!$Sessionless -and !(Test-PodeSessionsEnabled)) {
        throw 'Sessions are required to use session persistent authentication'

    # check for scoped vars
    $ScriptBlock, $usingVars = Convert-PodeScopedVariables -ScriptBlock $ScriptBlock -PSSession $PSCmdlet.SessionState

    # add auth method to server
    $PodeContext.Server.Authentications.Methods[$Name] = @{
        Name           = $Name
        Scheme         = $Scheme
        ScriptBlock    = $ScriptBlock
        UsingVariables = $usingVars
        Arguments      = $ArgumentList
        Sessionless    = $Sessionless.IsPresent
        Failure        = @{
            Url     = $FailureUrl
            Message = $FailureMessage
        Success        = @{
            Url       = $SuccessUrl
            UseOrigin = $SuccessUseOrigin.IsPresent
        Cache          = @{}
        Merged         = $false
        Parent         = $null

    # if the scheme is oauth2, and there's no redirect, set up a default one
    if (($Scheme.Name -ieq 'oauth2') -and ($null -eq $Scheme.InnerScheme) -and [string]::IsNullOrWhiteSpace($Scheme.Arguments.Urls.Redirect)) {
        $path = '/oauth2/callback'
        $Scheme.Arguments.Urls.Redirect = $path
        Add-PodeRoute -Method Get -Path $path -Authentication $Name

Lets you merge multiple Authentication methods together, into a "single" Authentication method.
Lets you merge multiple Authentication methods together, into a "single" Authentication method.
You can specify if only One or All of the methods need to pass to allow access, and you can also
merge other merged Authentication methods for more advanced scenarios.
A unique Name for the Authentication method.
.PARAMETER Authentication
Multiple Autentication method Names to be merged.
How many of the Authentication methods are required to be valid, One or All. (Default: One)
.PARAMETER ScriptBlock
This is mandatory, and only used, when $Valid=All. A scriptblock to merge the mutliple users/headers returned by valid authentications into 1 user/header objects.
This scriptblock will receive a hashtable of all result objects returned from Authentication methods. The key for the hashtable will be the authentication names that passed.
The Default Authentication method to use as a fallback for Failure URLs and other settings.
.PARAMETER MergeDefault
The Default Authentication method's User details result object to use, when $Valid=All.
The URL to redirect to when authentication fails.
This will be used as fallback for the merged Authentication methods if not set on them.
.PARAMETER FailureMessage
An override Message to throw when authentication fails.
This will be used as fallback for the merged Authentication methods if not set on them.
The URL to redirect to when authentication succeeds when logging in.
This will be used as fallback for the merged Authentication methods if not set on them.
.PARAMETER Sessionless
If supplied, authenticated users will not be stored in sessions, and sessions will not be used.
This will be used as fallback for the merged Authentication methods if not set on them.
.PARAMETER SuccessUseOrigin
If supplied, successful authentication from a login page will redirect back to the originating page instead of the FailureUrl.
This will be used as fallback for the merged Authentication methods if not set on them.
Merge-PodeAuth -Name MergedAuth -Authentication ApiTokenAuth, BasicAuth -Valid All -ScriptBlock { ... }
Merge-PodeAuth -Name MergedAuth -Authentication ApiTokenAuth, BasicAuth -Valid All -MergeDefault BasicAuth
Merge-PodeAuth -Name MergedAuth -Authentication ApiTokenAuth, BasicAuth -FailureUrl 'http://localhost:8080/login'

function Merge-PodeAuth {
    [CmdletBinding(DefaultParameterSetName = 'ScriptBlock')]
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [ValidateSet('One', 'All')]
        $Valid = 'One',

        [Parameter(ParameterSetName = 'ScriptBlock')]


        [Parameter(ParameterSetName = 'MergeDefault')]






    # ensure the name doesn't already exist
    if (Test-PodeAuthExists -Name $Name) {
        throw "Authentication method already defined: $($Name)"

    # ensure all the auth methods exist
    foreach ($authName in $Authentication) {
        if (!(Test-PodeAuthExists -Name $authName)) {
            throw "Authentication method does not exist for merging: $($authName)"

    # ensure the merge default is in the auth list
    if (![string]::IsNullOrEmpty($MergeDefault) -and ($MergeDefault -inotin @($Authentication))) {
        throw "the MergeDefault Authentication '$($MergeDefault)' is not in the Authentication list supplied"

    # ensure the default is in the auth list
    if (![string]::IsNullOrEmpty($Default) -and ($Default -inotin @($Authentication))) {
        throw "the Default Authentication '$($Default)' is not in the Authentication list supplied"

    # set default
    if ([string]::IsNullOrEmpty($Default)) {
        $Default = $Authentication[0]

    # get auth for default
    $tmpAuth = $PodeContext.Server.Authentications.Methods[$Default]

    # check sessionless from default
    if (!$Sessionless) {
        $Sessionless = $tmpAuth.Sessionless

    # if we're using sessions, ensure sessions have been setup
    if (!$Sessionless -and !(Test-PodeSessionsEnabled)) {
        throw 'Sessions are required to use session persistent authentication'

    # check failure url from default
    if ([string]::IsNullOrEmpty($FailureUrl)) {
        $FailureUrl = $tmpAuth.Failure.Url

    # check failure message from default
    if ([string]::IsNullOrEmpty($FailureMessage)) {
        $FailureMessage = $tmpAuth.Failure.Message

    # check success url from default
    if ([string]::IsNullOrEmpty($SuccessUrl)) {
        $SuccessUrl = $tmpAuth.Success.Url

    # check success use origin from default
    if (!$SuccessUseOrigin) {
        $SuccessUseOrigin = $tmpAuth.Success.UseOrigin

    # deal with using vars in scriptblock
    if (($Valid -ieq 'all') -and [string]::IsNullOrEmpty($MergeDefault)) {
        if ($null -eq $ScriptBlock) {
            throw 'A Scriptblock for merging multiple authenticated users into 1 object is required When Valid is All'

        $ScriptBlock, $usingVars = Convert-PodeScopedVariables -ScriptBlock $ScriptBlock -PSSession $PSCmdlet.SessionState
    else {
        if ($null -ne $ScriptBlock) {
            Write-Warning -Message 'The Scriptblock for merged authentications, when Valid=One, will be ignored'

    # set parent auth
    foreach ($authName in $Authentication) {
        $PodeContext.Server.Authentications.Methods[$authName].Parent = $Name

    # add auth method to server
    $PodeContext.Server.Authentications.Methods[$Name] = @{
        Name            = $Name
        Authentications = @($Authentication)
        PassOne         = ($Valid -ieq 'one')
        ScriptBlock     = @{
            Script         = $ScriptBlock
            UsingVariables = $usingVars
        Default         = $Default
        MergeDefault    = $MergeDefault
        Sessionless     = $Sessionless.IsPresent
        Failure         = @{
            Url     = $FailureUrl
            Message = $FailureMessage
        Success         = @{
            Url       = $SuccessUrl
            UseOrigin = $SuccessUseOrigin.IsPresent
        Cache           = @{}
        Merged          = $true
        Parent          = $null

Gets an Authentication method.
Gets an Authentication method.
The Name of an Authentication method.
Get-PodeAuth -Name 'Main'

function Get-PodeAuth {
        [Parameter(Mandatory = $true)]

    # ensure the name exists
    if (!(Test-PodeAuthExists -Name $Name)) {
        throw "Authentication method not defined: $($Name)"

    # get auth method
    return $PodeContext.Server.Authentications.Methods[$Name]

Test if an Authentication method exists.
Test if an Authentication method exists.
The Name of the Authentication method.
if (Test-PodeAuthExists -Name BasicAuth) { ... }

function Test-PodeAuthExists {
        [Parameter(Mandatory = $true)]

    return $PodeContext.Server.Authentications.Methods.ContainsKey($Name)

Test and invoke an Authentication method to verify a user.
Test and invoke an Authentication method to verify a user. This will verify a user's credentials on the request.
When testing OAuth2 methods, the first attempt will trigger a redirect to the provider and $false will be returned.
The Name of the Authentication method.
.PARAMETER IgnoreSession
If supplied, authentication will be re-verified on each call even if a valid session exists on the request.
if (Test-PodeAuth -Name 'BasicAuth') { ... }
if (Test-PodeAuth -Name 'FormAuth' -IgnoreSession) { ... }

function Test-PodeAuth {
        [Parameter(Mandatory = $true)]


    # if the session already has a user/isAuth'd, then skip auth - or allow anon
    if (!$IgnoreSession -and (Test-PodeSessionsInUse) -and (Test-PodeAuthUser)) {
        return $true

    try {
        $result = Invoke-PodeAuthValidation -Name $Name
    catch {
        $_ | Write-PodeErrorLog
        return $false

    # did the auth force a redirect?
    if ($result.Redirected) {
        return $false

    # if auth failed, set appropriate response headers/redirects
    if (!$result.Success) {
        return $false

    # successful auth
    return $true

Adds the inbuilt Windows AD Authentication method for verifying users.
Adds the inbuilt Windows AD Authentication method for verifying users.
A unique Name for the Authentication method.
The Scheme to use for retrieving credentials (From New-PodeAuthScheme).
A custom FQDN for the DNS of the AD you wish to authenticate against. (Alias: Server)
(Unix Only) A custom NetBIOS domain name that is prepended onto usernames that are missing it (<Domain>\<Username>).
(Unix Only) An optional searchbase to refine the LDAP query. This should be the full distinguished name.
An array of Group names to only allow access.
An array of Usernames to only allow access.
The URL to redirect to when authentication fails.
.PARAMETER FailureMessage
An override Message to throw when authentication fails.
The URL to redirect to when authentication succeeds when logging in.
.PARAMETER ScriptBlock
Optional ScriptBlock that is passed the found user object for further validation.
.PARAMETER Sessionless
If supplied, authenticated users will not be stored in sessions, and sessions will not be used.
If supplied, groups will not be retrieved for the user in AD.
.PARAMETER DirectGroups
If supplied, only a user's direct groups will be retrieved rather than all groups recursively.
If supplied, and on Windows, OpenLDAP will be used instead (this is the default for Linux/MacOS).
If supplied, and on Windows, the ActiveDirectory module will be used instead.
.PARAMETER SuccessUseOrigin
If supplied, successful authentication from a login page will redirect back to the originating page instead of the FailureUrl.
.PARAMETER KeepCredential
If suplied pode will save the AD credential as a PSCredential object in $WebEvent.Auth.User.Credential
New-PodeAuthScheme -Form | Add-PodeAuthWindowsAd -Name 'WinAuth'
New-PodeAuthScheme -Basic | Add-PodeAuthWindowsAd -Name 'WinAuth' -Groups @('Developers')
New-PodeAuthScheme -Form | Add-PodeAuthWindowsAd -Name 'WinAuth' -NoGroups
New-PodeAuthScheme -Form | Add-PodeAuthWindowsAd -Name 'UnixAuth' -Server '' -Domain 'testdomain'

function Add-PodeAuthWindowsAd {
    [CmdletBinding(DefaultParameterSetName = 'Groups')]
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]




        [Parameter(ParameterSetName = 'Groups')]







        [Parameter(ParameterSetName = 'NoGroups')]

        [Parameter(ParameterSetName = 'Groups')]





    # ensure the name doesn't already exist
    if (Test-PodeAuthExists -Name $Name) {
        throw "Windows AD Authentication method already defined: $($Name)"

    # ensure the Scheme contains a scriptblock
    if (Test-PodeIsEmpty $Scheme.ScriptBlock) {
        throw "The supplied Scheme for the '$($Name)' Windows AD authentication validator requires a valid ScriptBlock"

    # if we're using sessions, ensure sessions have been setup
    if (!$Sessionless -and !(Test-PodeSessionsEnabled)) {
        throw 'Sessions are required to use session persistent authentication'

    # if AD module set, ensure we're on windows and the module is available, then import/export it
    if ($ADModule) {

    # set server name if not passed
    if ([string]::IsNullOrWhiteSpace($Fqdn)) {
        $Fqdn = Get-PodeAuthDomainName

        if ([string]::IsNullOrWhiteSpace($Fqdn)) {
            throw 'No domain server name has been supplied for Windows AD authentication'

    # set the domain if not passed
    if ([string]::IsNullOrWhiteSpace($Domain)) {
        $Domain = ($Fqdn -split '\.')[0]

    # if we have a scriptblock, deal with using vars
    if ($null -ne $ScriptBlock) {
        $ScriptBlock, $usingVars = Convert-PodeScopedVariables -ScriptBlock $ScriptBlock -PSSession $PSCmdlet.SessionState

    # add Windows AD auth method to server
    $PodeContext.Server.Authentications.Methods[$Name] = @{
        Name        = $Name
        Scheme      = $Scheme
        ScriptBlock = (Get-PodeAuthWindowsADMethod)
        Arguments   = @{
            Server         = $Fqdn
            Domain         = $Domain
            SearchBase     = $SearchBase
            Users          = $Users
            Groups         = $Groups
            NoGroups       = $NoGroups
            DirectGroups   = $DirectGroups
            KeepCredential = $KeepCredential
            Provider       = (Get-PodeAuthADProvider -OpenLDAP:$OpenLDAP -ADModule:$ADModule)
            ScriptBlock    = @{
                Script         = $ScriptBlock
                UsingVariables = $usingVars
        Sessionless = $Sessionless
        Failure     = @{
            Url     = $FailureUrl
            Message = $FailureMessage
        Success     = @{
            Url       = $SuccessUrl
            UseOrigin = $SuccessUseOrigin
        Cache       = @{}
        Merged      = $false
        Parent      = $null

Adds the inbuilt Session Authentication method for verifying an authenticated session is present on Requests.
Adds the inbuilt Session Authentication method for verifying an authenticated session is present on Requests.
A unique Name for the Authentication method.
The URL to redirect to when authentication fails.
.PARAMETER FailureMessage
An override Message to throw when authentication fails.
The URL to redirect to when authentication succeeds when logging in.
.PARAMETER ScriptBlock
Optional ScriptBlock that is passed the found user object for further validation.
.PARAMETER Middleware
An array of ScriptBlocks for optional Middleware to run before the Scheme's scriptblock.
.PARAMETER SuccessUseOrigin
If supplied, successful authentication from a login page will redirect back to the originating page instead of the FailureUrl.
Add-PodeAuthSession -Name 'SessionAuth' -FailureUrl '/login'

function Add-PodeAuthSession {
    [CmdletBinding(DefaultParameterSetName = 'Groups')]
        [Parameter(Mandatory = $true)]







    # if sessions haven't been setup, error
    if (!(Test-PodeSessionsEnabled)) {
        throw 'Sessions have not been configured'

    # ensure the name doesn't already exist
    if (Test-PodeAuthExists -Name $Name) {
        throw "Authentication method already defined: $($Name)"

    # if we have a scriptblock, deal with using vars
    if ($null -ne $ScriptBlock) {
        $ScriptBlock, $usingVars = Convert-PodeScopedVariables -ScriptBlock $ScriptBlock -PSSession $PSCmdlet.SessionState

    # create the auth scheme for getting the session
    $scheme = New-PodeAuthScheme -Custom -Middleware $Middleware -ScriptBlock {

        # 401 if sessions not used
        if (!(Test-PodeSessionsInUse)) {
            return @{
                Message = 'Sessions are not being used'
                Code    = 401

        # 401 if no authenticated user
        if (!(Test-PodeAuthUser)) {
            return @{
                Message = 'Session not authenticated'
                Code    = 401

        # return user
        return @($WebEvent.Session.Data.Auth)

    # add a custom auth method to return user back
    $method = {
        param($user, $options)
        $result = @{ User = $user }

        # call additional scriptblock if supplied
        if ($null -ne $options.ScriptBlock.Script) {
            $result = Invoke-PodeAuthInbuiltScriptBlock -User $result.User -ScriptBlock $options.ScriptBlock.Script -UsingVariables $options.ScriptBlock.UsingVariables

        # return user back
        return $result

    $scheme | Add-PodeAuth `
        -Name $Name `
        -ScriptBlock $method `
        -FailureUrl $FailureUrl `
        -FailureMessage $FailureMessage `
        -SuccessUrl $SuccessUrl `
        -SuccessUseOrigin:$SuccessUseOrigin `
        -ArgumentList @{
        ScriptBlock = @{
            Script         = $ScriptBlock
            UsingVariables = $usingVars

Remove a specific Authentication method.
Remove a specific Authentication method.
The Name of the Authentication method.
Remove-PodeAuth -Name 'Login'

function Remove-PodeAuth {
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]

    $null = $PodeContext.Server.Authentications.Methods.Remove($Name)

Clear all defined Authentication methods.
Clear all defined Authentication methods.

function Clear-PodeAuth {


Adds an authentication method as global middleware.
Adds an authentication method as global middleware.
The Name of the Middleware.
.PARAMETER Authentication
The Name of the Authentication method to use.
A Route path for which Routes this Middleware should only be invoked against.
.PARAMETER OADefinitionTag
An array of string representing the unique tag for the API specification.
This tag helps in distinguishing between different versions or types of API specifications within the application.
Use this tag to reference the specific API documentation, schema, or version that your function interacts with.
Add-PodeAuthMiddleware -Name 'GlobalAuth' -Authentication AuthName
Add-PodeAuthMiddleware -Name 'GlobalAuth' -Authentication AuthName -Route '/api/*'

function Add-PodeAuthMiddleware {
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]



    $DefinitionTag = Test-PodeOADefinitionTag -Tag $OADefinitionTag

    if (!(Test-PodeAuthExists -Name $Authentication)) {
        throw "Authentication method does not exist: $($Authentication)"

    Get-PodeAuthMiddlewareScript |
        New-PodeMiddleware -ArgumentList @{ Name = $Authentication } |
        Add-PodeMiddleware -Name $Name -Route $Route

    Set-PodeOAGlobalAuth -DefinitionTag $DefinitionTag -Name $Authentication -Route $Route

Adds the inbuilt IIS Authentication method for verifying users passed to Pode from IIS.
Adds the inbuilt IIS Authentication method for verifying users passed to Pode from IIS.
A unique Name for the Authentication method.
An array of Group names to only allow access.
An array of Usernames to only allow access.
The URL to redirect to when authentication fails.
.PARAMETER FailureMessage
An override Message to throw when authentication fails.
The URL to redirect to when authentication succeeds when logging in.
.PARAMETER ScriptBlock
Optional ScriptBlock that is passed the found user object for further validation.
.PARAMETER Middleware
An array of ScriptBlocks for optional Middleware to run before the Scheme's scriptblock.
.PARAMETER Sessionless
If supplied, authenticated users will not be stored in sessions, and sessions will not be used.
If supplied, groups will not be retrieved for the user in AD.
.PARAMETER DirectGroups
If supplied, only a user's direct groups will be retrieved rather than all groups recursively.
If supplied, and on Windows, the ActiveDirectory module will be used instead.
If supplied, Pode will not at attempt to retrieve local User/Group information for the authenticated user.
.PARAMETER SuccessUseOrigin
If supplied, successful authentication from a login page will redirect back to the originating page instead of the FailureUrl.
Add-PodeAuthIIS -Name 'IISAuth'
Add-PodeAuthIIS -Name 'IISAuth' -Groups @('Developers')
Add-PodeAuthIIS -Name 'IISAuth' -NoGroups

function Add-PodeAuthIIS {
    [CmdletBinding(DefaultParameterSetName = 'Groups')]
        [Parameter(Mandatory = $true)]

        [Parameter(ParameterSetName = 'Groups')]








        [Parameter(ParameterSetName = 'NoGroups')]

        [Parameter(ParameterSetName = 'Groups')]




    # ensure we're on Windows!
    if (!(Test-PodeIsWindows)) {
        throw 'IIS Authentication support is for Windows only'

    # ensure the name doesn't already exist
    if (Test-PodeAuthExists -Name $Name) {
        throw "IIS Authentication method already defined: $($Name)"

    # if AD module set, ensure we're on windows and the module is available, then import/export it
    if ($ADModule) {

    # if we have a scriptblock, deal with using vars
    if ($null -ne $ScriptBlock) {
        $ScriptBlock, $usingVars = Convert-PodeScopedVariables -ScriptBlock $ScriptBlock -PSSession $PSCmdlet.SessionState

    # create the auth scheme for getting the token header
    $scheme = New-PodeAuthScheme -Custom -Middleware $Middleware -ScriptBlock {


        # fail if no header
        if (!(Test-PodeHeader -Name $header)) {
            return @{
                Message = "No $($header) header found"
                Code    = 401

        # return the header for validation
        $token = Get-PodeHeader -Name $header
        return @($token)

    # add a custom auth method to validate the user
    $method = Get-PodeAuthWindowsADIISMethod

    $scheme | Add-PodeAuth `
        -Name $Name `
        -ScriptBlock $method `
        -FailureUrl $FailureUrl `
        -FailureMessage $FailureMessage `
        -SuccessUrl $SuccessUrl `
        -Sessionless:$Sessionless `
        -SuccessUseOrigin:$SuccessUseOrigin `
        -ArgumentList @{
        Users        = $Users
        Groups       = $Groups
        NoGroups     = $NoGroups
        DirectGroups = $DirectGroups
        Provider     = (Get-PodeAuthADProvider -ADModule:$ADModule)
        NoLocalCheck = $NoLocalCheck
        ScriptBlock  = @{
            Script         = $ScriptBlock
            UsingVariables = $usingVars

Adds the inbuilt User File Authentication method for verifying users.
Adds the inbuilt User File Authentication method for verifying users.
A unique Name for the Authentication method.
The Scheme to use for retrieving credentials (From New-PodeAuthScheme).
A path to a users JSON file (Default: ./users.json)
An array of Group names to only allow access.
An array of Usernames to only allow access.
An optional secret if the passwords are HMAC SHA256 hashed.
The URL to redirect to when authentication fails.
.PARAMETER FailureMessage
An override Message to throw when authentication fails.
The URL to redirect to when authentication succeeds when logging in.
.PARAMETER ScriptBlock
Optional ScriptBlock that is passed the found user object for further validation.
.PARAMETER Sessionless
If supplied, authenticated users will not be stored in sessions, and sessions will not be used.
.PARAMETER SuccessUseOrigin
If supplied, successful authentication from a login page will redirect back to the originating page instead of the FailureUrl.
New-PodeAuthScheme -Form | Add-PodeAuthUserFile -Name 'Login'
New-PodeAuthScheme -Form | Add-PodeAuthUserFile -Name 'Login' -FilePath './custom/path/users.json'

function Add-PodeAuthUserFile {
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]




        [Parameter(ParameterSetName = 'Hmac')]







    # ensure the name doesn't already exist
    if (Test-PodeAuthExists -Name $Name) {
        throw "User File Authentication method already defined: $($Name)"

    # ensure the Scheme contains a scriptblock
    if (Test-PodeIsEmpty $Scheme.ScriptBlock) {
        throw "The supplied Scheme for the '$($Name)' User File authentication validator requires a valid ScriptBlock"

    # if we're using sessions, ensure sessions have been setup
    if (!$Sessionless -and !(Test-PodeSessionsEnabled)) {
        throw 'Sessions are required to use session persistent authentication'

    # set the file path if not passed
    if ([string]::IsNullOrWhiteSpace($FilePath)) {
        $FilePath = Join-PodeServerRoot -Folder '.' -FilePath 'users.json'
    else {
        $FilePath = Get-PodeRelativePath -Path $FilePath -JoinRoot -Resolve

    # ensure the user file exists
    if (!(Test-PodePath -Path $FilePath -NoStatus -FailOnDirectory)) {
        throw "The user file does not exist: $($FilePath)"

    # if we have a scriptblock, deal with using vars
    if ($null -ne $ScriptBlock) {
        $ScriptBlock, $usingVars = Convert-PodeScopedVariables -ScriptBlock $ScriptBlock -PSSession $PSCmdlet.SessionState

    # add Windows AD auth method to server
    $PodeContext.Server.Authentications.Methods[$Name] = @{
        Name        = $Name
        Scheme      = $Scheme
        ScriptBlock = (Get-PodeAuthUserFileMethod)
        Arguments   = @{
            FilePath    = $FilePath
            Users       = $Users
            Groups      = $Groups
            HmacSecret  = $HmacSecret
            ScriptBlock = @{
                Script         = $ScriptBlock
                UsingVariables = $usingVars
        Sessionless = $Sessionless
        Failure     = @{
            Url     = $FailureUrl
            Message = $FailureMessage
        Success     = @{
            Url       = $SuccessUrl
            UseOrigin = $SuccessUseOrigin
        Cache       = @{}
        Merged      = $false
        Parent      = $null

Adds the inbuilt Windows Local User Authentication method for verifying users.
Adds the inbuilt Windows Local User Authentication method for verifying users.
A unique Name for the Authentication method.
The Scheme to use for retrieving credentials (From New-PodeAuthScheme).
An array of Group names to only allow access.
An array of Usernames to only allow access.
The URL to redirect to when authentication fails.
.PARAMETER FailureMessage
An override Message to throw when authentication fails.
The URL to redirect to when authentication succeeds when logging in.
.PARAMETER ScriptBlock
Optional ScriptBlock that is passed the found user object for further validation.
.PARAMETER Sessionless
If supplied, authenticated users will not be stored in sessions, and sessions will not be used.
If supplied, groups will not be retrieved for the user.
.PARAMETER SuccessUseOrigin
If supplied, successful authentication from a login page will redirect back to the originating page instead of the FailureUrl.
New-PodeAuthScheme -Form | Add-PodeAuthWindowsLocal -Name 'WinAuth'
New-PodeAuthScheme -Basic | Add-PodeAuthWindowsLocal -Name 'WinAuth' -Groups @('Developers')
New-PodeAuthScheme -Form | Add-PodeAuthWindowsLocal -Name 'WinAuth' -NoGroups

function Add-PodeAuthWindowsLocal {
    [CmdletBinding(DefaultParameterSetName = 'Groups')]
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]

        [Parameter(ParameterSetName = 'Groups')]







        [Parameter(ParameterSetName = 'NoGroups')]


    # ensure we're on Windows!
    if (!(Test-PodeIsWindows)) {
        throw 'Windows Local Authentication support is for Windows only'

    # ensure the name doesn't already exist
    if (Test-PodeAuthExists -Name $Name) {
        throw "Windows Local Authentication method already defined: $($Name)"

    # ensure the Scheme contains a scriptblock
    if (Test-PodeIsEmpty $Scheme.ScriptBlock) {
        throw "The supplied Scheme for the '$($Name)' Windows Local authentication validator requires a valid ScriptBlock"

    # if we're using sessions, ensure sessions have been setup
    if (!$Sessionless -and !(Test-PodeSessionsEnabled)) {
        throw 'Sessions are required to use session persistent authentication'

    # if we have a scriptblock, deal with using vars
    if ($null -ne $ScriptBlock) {
        $ScriptBlock, $usingVars = Convert-PodeScopedVariables -ScriptBlock $ScriptBlock -PSSession $PSCmdlet.SessionState

    # add Windows Local auth method to server
    $PodeContext.Server.Authentications.Methods[$Name] = @{
        Name        = $Name
        Scheme      = $Scheme
        ScriptBlock = (Get-PodeAuthWindowsLocalMethod)
        Arguments   = @{
            Users       = $Users
            Groups      = $Groups
            NoGroups    = $NoGroups
            ScriptBlock = @{
                Script         = $ScriptBlock
                UsingVariables = $usingVars
        Sessionless = $Sessionless
        Failure     = @{
            Url     = $FailureUrl
            Message = $FailureMessage
        Success     = @{
            Url       = $SuccessUrl
            UseOrigin = $SuccessUseOrigin
        Cache       = @{}
        Merged      = $false
        Parent      = $null

Convert a Header/Payload into a JWT.
Convert a Header/Payload hashtable into a JWT, with the option to sign it.
A Hashtable containing the Header information for the JWT.
A Hashtable containing the Payload information for the JWT.
An Optional Secret for signing the JWT, should be a string or byte[]. This is mandatory if the Header algorithm isn't "none".
ConvertTo-PodeJwt -Header @{ alg = 'none' } -Payload @{ sub = '123'; name = 'John' }
ConvertTo-PodeJwt -Header @{ alg = 'hs256' } -Payload @{ sub = '123'; name = 'John' } -Secret 'abc'

function ConvertTo-PodeJwt {
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        $Secret = $null

    # validate header
    if ([string]::IsNullOrWhiteSpace($Header.alg)) {
        throw 'No algorithm supplied in JWT Header'

    # convert the header
    $header64 = ConvertTo-PodeBase64UrlValue -Value ($Header | ConvertTo-Json -Compress)

    # convert the payload
    $payload64 = ConvertTo-PodeBase64UrlValue -Value ($Payload | ConvertTo-Json -Compress)

    # combine
    $jwt = "$($header64).$($payload64)"

    # convert secret to bytes
    if (($null -ne $Secret) -and ($Secret -isnot [byte[]])) {
        $Secret = [System.Text.Encoding]::UTF8.GetBytes([string]$Secret)

    # make the signature
    $sig = New-PodeJwtSignature -Algorithm $Header.alg -Token $jwt -SecretBytes $Secret

    # add the signature and return
    $jwt += ".$($sig)"
    return $jwt

Convert and return the payload of a JWT token.
Convert and return the payload of a JWT token, verifying the signature by default with support to ignore the signature.
The JWT token.
The Secret, as a string or byte[], to verify the token's signature.
.PARAMETER IgnoreSignature
Skip signature verification, and return the decoded payload.
ConvertFrom-PodeJwt -Token "eyJ0eXAiOiJKV1QiLCJhbGciOiJoczI1NiJ9.eyJleHAiOjE2MjI1NTMyMTQsIm5hbWUiOiJKb2huIERvZSIsInN1YiI6IjEyMyJ9.LP-O8OKwix91a-SZwVK35gEClLZQmsORbW0un2Z4RkY"

function ConvertFrom-PodeJwt {
    [CmdletBinding(DefaultParameterSetName = 'Secret')]
        [Parameter(Mandatory = $true)]

        [Parameter(ParameterSetName = 'Signed')]
        $Secret = $null,

        [Parameter(ParameterSetName = 'Ignore')]

    # get the parts
    $parts = ($Token -isplit '\.')

    # check number of parts (should be 3)
    if ($parts.Length -ne 3) {
        throw 'Invalid JWT supplied'

    # convert to header
    $header = ConvertFrom-PodeJwtBase64Value -Value $parts[0]
    if ([string]::IsNullOrWhiteSpace($header.alg)) {
        throw 'Invalid JWT header algorithm supplied'

    # convert to payload
    $payload = ConvertFrom-PodeJwtBase64Value -Value $parts[1]

    # get signature
    if ($IgnoreSignature) {
        return $payload

    $signature = $parts[2]

    # check "none" signature, and return payload if no signature
    $isNoneAlg = ($header.alg -ieq 'none')

    if ([string]::IsNullOrWhiteSpace($signature) -and !$isNoneAlg) {
        throw "No JWT signature supplied for $($header.alg)"

    if (![string]::IsNullOrWhiteSpace($signature) -and $isNoneAlg) {
        throw 'Expected no JWT signature to be supplied'

    if ($isNoneAlg -and ($null -ne $Secret) -and ($Secret.Length -gt 0)) {
        throw "Expected a signed JWT, 'none' algorithm is not allowed"

    if ($isNoneAlg) {
        return $payload

    # otherwise, we have an alg for the signature, so we need to validate it
    if (($null -ne $Secret) -and ($Secret -isnot [byte[]])) {
        $Secret = [System.Text.Encoding]::UTF8.GetBytes([string]$Secret)

    $sig = "$($parts[0]).$($parts[1])"
    $sig = New-PodeJwtSignature -Algorithm $header.alg -Token $sig -SecretBytes $Secret

    if ($sig -ne $parts[2]) {
        throw 'Invalid JWT signature supplied'

    # it's valid return the payload!
    return $payload

Validates JSON Web Tokens (JWT) claims.
Validates JSON Web Tokens (JWT) claims. Checks time related claims: 'exp' and 'nbf'.
Object containing JWT claims. Some of them are:
    - exp (expiration time)
    - nbf (not before)
Test-PodeJwt @{exp = 2696258821 }
Test-PodeJwt -Payload @{nbf = 1696258821 }

function Test-PodeJwt {
        [Parameter(Mandatory = $true)]

    $now = [datetime]::UtcNow
    $unixStart = [datetime]::new(1970, 1, 1, 0, 0, [DateTimeKind]::Utc)

    # validate expiry
    if (![string]::IsNullOrWhiteSpace($Payload.exp)) {
        if ($now -gt $unixStart.AddSeconds($Payload.exp)) {
            throw 'The JWT has expired'

    # validate not-before
    if (![string]::IsNullOrWhiteSpace($Payload.nbf)) {
        if ($now -lt $unixStart.AddSeconds($Payload.nbf)) {
            throw 'The JWT is not yet valid for use'

Automatically loads auth ps1 files
Automatically loads auth ps1 files from either a /auth folder, or a custom folder. Saves space dot-sourcing them all one-by-one.
Optional Path to a folder containing ps1 files, can be relative or literal.
Use-PodeAuth -Path './my-auth'

function Use-PodeAuth {

    Use-PodeFolder -Path $Path -DefaultPath 'auth'

Builds an OAuth2 scheme using an OpenID Connect Discovery URL.
Builds an OAuth2 scheme using an OpenID Connect Discovery URL.
The OpenID Connect Discovery URL, this must end with '/.well-known/openid-configuration' (if missing, it will be automatically appended).
A list of optional Scopes to use during the OAuth2 request. (Default: the supported list returned)
The Client ID from registering a new app.
.PARAMETER ClientSecret
The Client Secret from registering a new app (this is optional when using PKCE).
.PARAMETER RedirectUrl
An optional OAuth2 Redirect URL (Default: <host>/oauth2/callback)
.PARAMETER InnerScheme
An optional authentication Scheme (from New-PodeAuthScheme) that will be called prior to this Scheme.
.PARAMETER Middleware
An array of ScriptBlocks for optional Middleware to run before the Scheme's scriptblock.
If supplied, OAuth2 authentication will use PKCE code verifiers.
ConvertFrom-PodeOIDCDiscovery -Url '' -ClientId some_id -UsePKCE
ConvertFrom-PodeOIDCDiscovery -Url '' -ClientId some_id -UsePKCE

function ConvertFrom-PodeOIDCDiscovery {
        [Parameter(Mandatory = $true)]


        [Parameter(Mandatory = $true)]



        [Parameter(ValueFromPipeline = $true)]



    # get the discovery doc
    if (!$Url.EndsWith('/.well-known/openid-configuration')) {
        $Url += '/.well-known/openid-configuration'

    $config = Invoke-RestMethod -Method Get -Uri $Url

    # check it supports the code response_type
    if ($config.response_types_supported -inotcontains 'code') {
        throw "The OAuth2 provider does not support the 'code' response_type"

    # can we have an InnerScheme?
    if (($null -ne $InnerScheme) -and ($config.grant_types_supported -inotcontains 'password')) {
        throw "The OAuth2 provider does not support the 'password' grant_type required by using an InnerScheme"

    # scopes
    $scopes = $config.scopes_supported

    if (($null -ne $Scope) -and ($Scope.Length -gt 0)) {
        $scopes = @(foreach ($s in $Scope) {
                if ($s -iin $config.scopes_supported) {

    # pkce code challenge method
    $codeMethod = 'S256'
    if ($config.code_challenge_methods_supported -inotcontains $codeMethod) {
        $codeMethod = 'plain'

    return New-PodeAuthScheme `
        -OAuth2 `
        -ClientId $ClientId `
        -ClientSecret $ClientSecret `
        -AuthoriseUrl $config.authorization_endpoint `
        -TokenUrl $config.token_endpoint `
        -UserUrl $config.userinfo_endpoint `
        -RedirectUrl $RedirectUrl `
        -Scope $scopes `
        -InnerScheme $InnerScheme `
        -Middleware $Middleware `
        -CodeChallengeMethod $codeMethod `

Test whether the current WebEvent or Session has an authenticated user.
Test whether the current WebEvent or Session has an authenticated user. Returns true if there is an authenticated user.
.PARAMETER IgnoreSession
If supplied, only the Auth object in the WebEvent will be checked and the Session will be skipped.
if (Test-PodeAuthUser) { ... }

function Test-PodeAuthUser {

    # auth middleware
    if (($null -ne $WebEvent.Auth) -and $WebEvent.Auth.IsAuthenticated) {
        $auth = $WebEvent.Auth

    # session?
    elseif (!$IgnoreSession -and ($null -ne $WebEvent.Session.Data.Auth) -and $WebEvent.Session.Data.Auth.IsAuthenticated) {
        $auth = $WebEvent.Session.Data.Auth

    # null?
    if (($null -eq $auth) -or ($null -eq $auth.User)) {
        return $false

    return ($null -ne $auth.User)

Get the authenticated user from the WebEvent or Session.
Get the authenticated user from the WebEvent or Session. This is similar to calling $Webevent.Auth.User.
.PARAMETER IgnoreSession
If supplied, only the Auth object in the WebEvent will be used and the Session will be skipped.
$user = Get-PodeAuthUser

function Get-PodeAuthUser {

    # auth middleware
    if (($null -ne $WebEvent.Auth) -and $WebEvent.Auth.IsAuthenticated) {
        $auth = $WebEvent.Auth

    # session?
    elseif (!$IgnoreSession -and ($null -ne $WebEvent.Session.Data.Auth) -and $WebEvent.Session.Data.Auth.IsAuthenticated) {
        $auth = $WebEvent.Session.Data.Auth

    # null?
    if (($null -eq $auth) -or ($null -eq $auth.User)) {
        return $null

    return $auth.User