AzureAD/Authentication/Read-CKAccessToken.ps1

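function Read-CKAccessToken {
    <#
    .SYNOPSIS
    A PowerShell script to parse an Azure AD access token in a JSON Web Signature (JWS) format.
     
    Author: Roberto Rodriguez (@Cyb3rWard0g)
    License: MIT
    Required Dependencies: None
    Optional Dependencies: None
 
    .DESCRIPTION
    Read-CKAccessToken is a PowerShell script to parse an Azure AD access token in a JSON Web Signature (JWS) format to extract header and payload to access claims and calculate expiration context.

    The token is decoded only. The third (signature) section is never read or verified, and no issuer, audience or not-before check is made, so every value in the output is unverified input taken from the token as supplied.
 
    .PARAMETER Token
    An access token in JWT format (three dot-separated sections: header.payload.signature).

    .OUTPUTS
    System.Management.Automation.PSCustomObject
    One property per header field and payload claim, plus 'has_expired' (Boolean).
    Header fields are written first and payload claims second, so a payload claim with the same name as a header field replaces the header value in the output. 'has_expired' is written last and replaces any claim of that name.

    .EXAMPLE
    Read-CKAccessToken -Token $AccessToken

    .NOTES
    Use the output for inspection and triage. Authentication or authorization decisions need a validated token (signature, issuer, audience, lifetime), which this function does not provide.
    The function throws "Wrong number of sections" when the token does not split into exactly three sections and "Not a JWT token" when the header 'typ' is not 'JWT'.
    When the payload has no 'exp' claim, 'has_expired' is reported as $true.
    Calls ConvertFrom-B64ToString, which is not defined in this function and is expected to be loaded in the session.
 
    .LINK
    https://www.rfc-editor.org/rfc/rfc7519
    https://developer.okta.com/blog/2020/12/21/beginners-guide-to-jwt
    https://stackoverflow.com/questions/39926104/what-format-is-the-exp-expiration-time-claim-in-a-jwt
 
    #>


    [cmdletbinding()]
    Param(
        [Parameter(Mandatory = $true)]
        [String] $Token
    )

    # Split into the three compact-serialization sections: header, payload, signature
    $Sections = $Token.Split('.')
    if ($Sections.Count -ne 3){
        throw "Wrong number of sections"
    }

    # Decode the header and require typ = JWT (-ne compares strings case-insensitively)
    # NOTE(review): presumably ConvertFrom-B64ToString accepts unpadded base64url input - confirm against its definition
    $Header = (ConvertFrom-B64ToString -B64String $Sections[0] | ConvertFrom-Json)
    if ($Header.typ -ne 'JWT'){
        throw "Not a JWT token"
    }

    # Decode the payload. $Sections[2] (the signature) is not used anywhere below:
    # the claims are decoded, not authenticated.
    $Payload = (ConvertFrom-B64ToString -B64String $Sections[1] | ConvertFrom-Json)

    # Flatten header fields, then payload claims, into one ordered dictionary.
    # Later writes win, so a payload claim named like a header field (for example
    # 'alg' or 'typ') replaces the header value in the output.
    $Output = [ordered]@{}
    $Header, $Payload | ForEach-Object { $_.psobject.properties | ForEach-Object{ $Output[$_.Name] = $_.Value }}

    # Add expiration metadata. 'exp' is a count of seconds since 1970-01-01T00:00:00Z.
    $Now = (Get-Date).ToUniversalTime()
    if ($null -eq $Payload.exp) {
        # No 'exp' claim: report the token as expired explicitly instead of relying on
        # $null being coerced to 0 seconds, which produced the same answer by accident.
        Write-Verbose "Token has no exp claim; reporting has_expired as true"
        $Output['has_expired'] = $true
    }
    else {
        # Build the epoch from numeric parts with an explicit UTC kind rather than
        # parsing the string '1970,1,1'.
        $Epoch = New-Object -TypeName System.DateTime -ArgumentList 1970, 1, 1, 0, 0, 0, ([System.DateTimeKind]::Utc)
        $Expiry = $Epoch.AddSeconds($Payload.exp)
        $Output['has_expired'] = ($Now -gt $Expiry)
    }
    
    # Return Output
    [PsCustomobject]$Output
}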