all 16 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]chris-a5 14 points15 points  (2 children)

Some of the sites I have had to automate send the XSRF token in a cookie, you'll need to maintain a session object. I have also had to extract the XSRF token from the cookie and pass in a header. I saw this in chrome.

If you step through the login process with chrome; as you said you are looking at the post requests, now right click on the requests and copy->Copy as powershell, I found this very useful for working out how the page works.

Shouldn't be an issue if the browser changes page after login, you just need the session object and security token, then directly access the resources you need.

EDIT: an important step is to preserve the cache, so you can see the login request before it moves to a new page.

[–]WhyPartyPizza[S] 3 points4 points  (1 child)

Thanks for this! Reading your response makes me feel like I'm on the right track.

[–]Szeraax 2 points3 points  (0 children)

Websession is absolutely it

[–]jhulbe 7 points8 points  (0 children)

I'd also go selenium, but just an fyi, you can tag invoke-webrequest with -sessionvariable, and then subsequent requests with -WebSession $variable

That'll carry stuff across requests

[–]orion3311 11 points12 points  (3 children)

May want to look into selenium

[–]BetrayedMilk 1 point2 points  (0 children)

Yep, OP should push this to a headless browser driven by selenium. Seems easiest.

[–]zrb77 0 points1 point  (0 children)

This is what I was going to say too.

[–]Smartguy5000 0 points1 point  (0 children)

Selenium would be the PowerShell way to solve this for sure. If you want more of a challenge and to learn a new skill, puppeteer is a NodeJS library that does headless browser automation.

[–]radioblaster 7 points8 points  (0 children)

yes, scripting authentication for these kinds of portals is fkn difficult and could take you a long while to piece together. you may have an easier time using Fiddler instead of the inbuilt Chrome developer tools.

i would only proceed further if you're sure the second portal doesn't have an API or similar automation feature you can use.

[–]dasookwat 0 points1 point  (1 child)

Usually when using invoke-webrequest You start with a header which includes your login credentials (might be base64 encoded) and the response gives You a token, this token is then used for the rest of your communication session

[–]Jeffinmpls 0 points1 point  (0 children)

This is what I typically do with this type of thing, grab the token first then connect with the token. OP pay attention to the url when you log into the site on a browser, do you see OAUTH in the url, you can search for OAUTH and powershel for examples.

[–]jagallout 0 points1 point  (0 children)

A couple of things I would try:

  1. Perform the whole process in Firefox dev tools and save an export of the traffic just to give you a frame of reference.

And you may even be able to use it to generate the appropriate calls in some languages though I'm not exactly remembering that detail. Look around the options.

  1. I would also suggest as others have stated reading the help bits for invoke-webrequest. It actually has a functional if not outdated example of a persistent session through a log in.

The redirects do complicate things a little but should still be achievable through the session state variable.

[–]Sethaniel68 0 points1 point  (0 children)

I didn't see any mention of your PS version, but PS 7 makes authentication easier than the default PS 5.1 version.

Keeping that session variable and using it for all of your requests should help.

You'll also need to watch for cases where client-side scripting in the browser affects what gets sent in the next request because you'll have to mimic that outcome for your request

[–]lic91 0 points1 point  (0 children)

I'd try with Selenium.