functions/oAuth/New-EXRJWTToken.ps1

function New-EXRJWTToken
{
    [CmdletBinding()]
    param (
        [Parameter(Position = 1, Mandatory = $false)]
        [string]
        $CertFileName,

        [Parameter(Position = 2, Mandatory = $false)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $Certificate,
        
        [Parameter(Position = 3, Mandatory = $true)]
        [string]
        $TenantId,
        
        [Parameter(Position = 4, Mandatory = $true)]
        [string]
        $ClientId,
        
        [Parameter(Position = 5, Mandatory = $true)]
        [Int32]
        $ValidateForMinutes,
        
        [Parameter(Mandatory = $false)]
        [Security.SecureString]
        $password
    )
    Begin
    {
        
        $date1 = Get-Date -Date "01/01/1970"
        $date2 = (Get-Date).ToUniversalTime().AddMinutes($ValidateForMinutes)
        $date3 = (Get-Date).ToUniversalTime().AddMinutes(-5)
        $exp = [Math]::Round((New-TimeSpan -Start $date1 -End $date2).TotalSeconds, 0)
        $nbf = [Math]::Round((New-TimeSpan -Start $date1 -End $date3).TotalSeconds, 0)
        $exVal = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
        if(![String]::IsNullOrEmpty($CertFileName)){
            $Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFileName, $password, $exVal
        }        
        $x5t = [System.Convert]::ToBase64String($Certificate.GetCertHash())
        $jti = [System.Guid]::NewGuid().ToString()
        $headerAssertion = @"
{
     "alg": "RS256",
     "x5t": "$x5t"
}
"@

        $payLoadAssertion += @"
{
    "aud": "https://login.windows.net/$TenantId/oauth2/token",
    "exp": $exp,
    "iss": "$ClientId",
    "jti": "$jti",
    "nbf": $nbf,
    "sub": "$ClientId"
}
"@

        $encodedHeader = [System.Convert]::ToBase64String([System.Text.UTF8Encoding]::UTF8.GetBytes($headerAssertion)).Replace('=', '').Replace('+', '-').Replace('/', '_')
        $encodedPayLoadAssertion = [System.Convert]::ToBase64String([System.Text.UTF8Encoding]::UTF8.GetBytes($payLoadAssertion)).Replace('=', '').Replace('+', '-').Replace('/', '_')
        $JWTOutput = $encodedHeader + "." + $encodedPayLoadAssertion
        $SigBytes = [System.Text.UTF8Encoding]::UTF8.GetBytes($JWTOutput)
        $rsa = $Certificate.PrivateKey;
        $sha256 = [System.Security.Cryptography.SHA256]::Create()
        $hash = $sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($encodedHeader + '.' + $encodedPayLoadAssertion));
        $sigform = New-Object System.Security.Cryptography.RSAPKCS1SignatureFormatter($rsa);
        $sigform.SetHashAlgorithm("SHA256");
        $sig = [System.Convert]::ToBase64String($sigform.CreateSignature($hash)).Replace('=', '').Replace('+', '-').Replace('/', '_')
        $JWTOutput = $encodedHeader + '.' + $encodedPayLoadAssertion + '.' + $sig
        Write-Output ($JWTOutput)
        
    }
}