ProjectWise PowerShell Extensions Forum What is the correct usage of New-PWLogin with the -Token argument?
    • New-PWLogin
    • ProjectWise
    • pwps_dab
    • Login Error

    What is the correct usage of New-PWLogin with the -Token argument?

    Olivier Doucet, 7 months ago
    With:
    $loginSplat = @{
      DatasourceName        = 'server:dsn'
      BentleyIMS            = $true
      UserName              = 'first.last@domain.com'
      Token                 = $AccessToken
      NonAdminLogin         = $true
    }
    New-PWLogin @loginSplat

    I am getting error 58064


    The access token was obtained with:

    $res = Get-OIDCToken   # redirects user to login screen

    $AccessToken = $res.access_token


    Top Replies

    • MWBSI, Wed, Feb 22 2023 6:31 PM, in reply to Olivier Doucet (+1, suggested)
      Once you get the token via the method above, you can re-use it. However, you cannot bypass the Connection Client, at least initially. This is by design. Presently you cannot use an OIDC token to log…
    • Kevin van Haaren, Tue, Feb 21 2023 12:25 PM

      If you've got Connection Client open and logged in then don't use either UserName or Token in the login.

      $loginSplat = @{
        DatasourceName        = 'server:dsn'
        BentleyIMS            = $true
        NonAdminLogin         = $true
      }
      New-PWLogin @loginSplat

      That should work.

       

    • Olivier Doucet, Tue, Feb 21 2023 12:52 PM, in reply to Kevin van Haaren

      Thank you for your answer, Kevin van Haaren. I can 'make it work'.
      But my question is how to correctly log in with New-PWLogin using the -Token argument.

      For instance, should one specify the user name or not.
      What constitutes a valid token in this case?
      Are there other arguments of New-PWLogin (besides -Password and -UseGui) that are not compatible with -Token?
      Etc.

      Maybe you can also speculate on why it fails in my case.

      And also why the -Token argument exists in the first place.

      Thank you for your help.

    • Kevin van Haaren, Wed, Feb 22 2023 2:19 PM, in reply to Olivier Doucet

      Not completely sure on any of those questions. I'm also not sure if the token it expects is the Get-OIDCToken token or one of the others. When I initially got IMS logins working I figured I needed the Token and tried to get it to work a bunch of different ways. None of them worked. When I figured out I didn't need it I gave up on it.

      I'm not sure why it exists since I've never gotten it to work. Ideally I'd like to use it in a scheduled task on a machine where Connection Client isn't running but it's possible to generate a token that lets the process log in with a logical account. Not sure if that is the intent though.

      After your question I played with a bunch more options and still couldn't get it to work, except in one case. The one scenario where I got it to work was occasionally it worked if I did:

      $token = Get-OIDCToken

      New-PWLogin -DatasourceName 'server:dsn' -BentleyIMS -Token $token.id_token

      But it turns out that sometimes the id_token property is null so the case above worked because I was doing -BentleyIMS without actually specifying a token.

      If you do: Get-Command -Module pwps_dab -Name '*token*'

      you'll see quite a few commands that get various token types. I tried many of them and couldn't get them to work.

      ConvertFrom-EncodedToken
      ConvertTo-EncodedToken
      Get-ADFSToken
      Get-AzureIOTToken
      Get-EncodedLogicalToken
      Get-OIDCToken
      Get-PWConnectionClientToken
      Get-PWConnectorToken
      Get-PWDMServiceAccountToken
      Get-PWNonFederatedLoginToken
      Get-PWUserPasswordToken
      Show-PWTokenFormatted
      Update-OIDCToken

       

    • MWBSI, Wed, Feb 22 2023 3:38 PM, in reply to Kevin van Haaren

      Ok, here's the deal. For New-PWLogin, the Token parameter value will only be used if the -BentleyIMS parameter is specified. The -Token can be used to log in with IMS identities other than the one used to log in to the Connection Client. These can be federated or non-federated but you have to supply a correct token. For instance, it cannot be encoded. This is rather esoteric functionality.

      If you specify the -BentleyIMS parameter but not the -Token parameter, New-PWLogin will internally get a token from the Connection Client to log in with. This is probably what you are looking for.

      Hope this helps,

      Mark Weisman | Bentley Systems

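    Added example (not part of the thread, and not Bentley's code): the two replies above together mean that a null token property passed to -Token leaves New-PWLogin -BentleyIMS running with no token, so the session silently takes the Connection Client identity instead of the intended one. The guard below refuses to log in in that case. Get-PWTokenOrThrow and Connect-PWWithExplicitToken are hypothetical helper names, and which property -Token actually expects is not settled in this thread.

```powershell
# Added example. Helper names are hypothetical; only New-PWLogin and its
# parameters shown on this page are assumed to exist (pwps_dab module).
function Get-PWTokenOrThrow {
    param(
        [Parameter(Mandatory)] [AllowNull()] $TokenResponse,   # object returned by Get-OIDCToken
        [ValidateSet('access_token', 'id_token')] [string] $Property = 'access_token'
    )
    if ($null -eq $TokenResponse) { throw 'No token response object.' }
    $value = $TokenResponse.$Property
    if ([string]::IsNullOrWhiteSpace($value)) {
        # Passing this on would mean -BentleyIMS runs with no token at all,
        # i.e. the Connection Client identity is used instead.
        throw "Token property '$Property' is null or empty; refusing to call New-PWLogin."
    }
    return [string]$value
}

function Connect-PWWithExplicitToken {
    param(
        [Parameter(Mandatory)] [string] $DatasourceName,
        [Parameter(Mandatory)] $TokenResponse,
        [string] $Property = 'access_token'
    )
    # The guard runs while the splat is built, so New-PWLogin is never reached
    # with an empty -Token value.
    $loginSplat = @{
        DatasourceName = $DatasourceName
        BentleyIMS     = $true
        Token          = Get-PWTokenOrThrow -TokenResponse $TokenResponse -Property $Property
        NonAdminLogin  = $true
    }
    New-PWLogin @loginSplat
}

# Constructed sample object standing in for Get-OIDCToken output (not a real token).
$sample = [pscustomobject]@{ access_token = 'constructed-sample-value'; id_token = $null }

Get-PWTokenOrThrow -TokenResponse $sample -Property access_token | Out-Null   # passes
try {
    Get-PWTokenOrThrow -TokenResponse $sample -Property id_token              # throws
} catch {
    Write-Warning $_.Exception.Message   # the null id_token case described above
}
```

    In a scheduled task, call Connect-PWWithExplicitToken with the real Get-OIDCToken result so that a missing token stops the job instead of logging in under a different identity.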
    • Olivier Doucet, Wed, Feb 22 2023 5:43 PM, in reply to MWBSI

      Thanks for your answer, MWBSI.

      My goal here is to log in without the connection client.
      Good to know that the connection client will interfere with the process. So I disconnected from it and tried again. But still no success :/

      1) Although it was not answered explicitly, I assume that when using -BentleyIMS and -Token, the arg -UserName should *not* be provided. Great if you could confirm that.

      2) When obtaining the token with:
      $token = Get-OIDCToken
      I assume that the value the -Token arg expects is $token.access_token and not $token.id_token as suggested by Kevin van Haaren. Great if that could be confirmed as well.

      3) What do you mean by "it cannot be encoded." about the token? Can I pass $token.access_token to -Token? Else could you illustrate how to decode it?

      You have no idea how time-consuming this detective work is. Hopefully you can shed more light on this mystery.
      Thanks again!

       
       
