public/Get-OktaJwt.ps1

Set-StrictMode -Version Latest

function Get-OktaJwt {
    [CmdletBinding()]
    [OutputType([string])]
    param (
        [string] $ClientId = $env:OKTA_CLIENT_ID,

        [string] $Issuer = $env:OKTA_ISSUER,

        [string] $RedirectUri = $env:OKTA_REDIRECT_URI,

        [string] $Username = $env:OKTA_USERNAME,

        [Alias("Pw")]
        [string] $ClientSecret = $env:OKTA_CLIENT_SECRET,

        [Alias("Password")]
        [securestring] $SecureClientSecret,

        [switch] $IdToken,

        [Parameter(Mandatory)]
        [string[]] $Scopes
    )

    $ErrorActionPreference = "Stop"
    if ($PSVersionTable.PSVersion.Major -lt 7) {
        Write-Warning "Currently this only works on PS 7 or higher"
        return
    }

    if ((!$ClientSecret -and !$SecureClientSecret) -or !$Issuer -or !$ClientId -or !$Username -or !$RedirectUri) {
        Write-Warning @"
Have Username: $([bool]$Username)
Have Secret: $($ClientSecret -or $SecureClientSecret)
Have Issuer: $([bool]$Issuer)
Have ClientId: $([bool]$ClientId)
Have RedirectUrl: $(!$Username -or $RedirectUri)
"@

        throw "Missing required parameter. See help."
    }
    if (!$RedirectUri.EndsWith("/")) {
        $RedirectUri = $RedirectUri + "/"
    }

    if ($SecureClientSecret) {
        # (from VSTeam)
        # Convert the securestring to a normal string
        # this was the one technique that worked on Mac, Linux and Windows
        $credential = New-Object System.Management.Automation.PSCredential $account, $SecurePersonalAccessToken
        $secret = $credential.GetNetworkCredential().Password
    } else {
        $secret = $ClientSecret
    }

    # Code derived from https://devforum.okta.com/t/unit-testing-and-implicit-flow/1210/4
    $body = @{
        username = $Username
        password = $secret
        options  = @{
            multiOptionalFactorEnroll = $true
            warnBeforePasswordExpired = $true
        }
    }

    $uri = New-Object 'System.Uri' -ArgumentList $Issuer
    $baseUri = New-Object 'System.Uri' -ArgumentList $uri.GetLeftPart("Authority")
    $sessionUri = New-Object 'System.Uri' -ArgumentList $baseUri, "api/v1/authn"
    $prevPref = $progressPreference
    $progressPreference = "silentlyContinue"
    try {
        $trans = Invoke-WebRequest -Uri $sessionUri -Method Post `
                        -Headers @{ 'Accept'            = 'application/json'
                                    'Content-Type'      = 'application/json'
                                } `
                        -Body (ConvertTo-Json $body) `
                        -MaximumRedirection 0
        $parms = @{}
        if ($PSVersionTable.PSVersion.Major -ge 7) {
            $parms['Depth'] = 10
        }
        $session = $trans.Content | ConvertFrom-Json @parms
    } catch {
        $e = $_
        try {
            if ($_.Exception.Response.StatusCode -eq 'Unauthorized') {
                Write-Warning "Unauthorzied response. Proabably base userName or password"
                return
            } else {
                throw $e
            }
        } catch {
            throw $e
        }
    } finally {
        $progressPreference = $prevPref
    }

    if (!$session) {
        Write-Warning "Didn't get session"
        return
    }
    $progressPreference = "silentlyContinue"
    try {
        $tokenUri = New-Object 'System.Uri' -ArgumentList $uri,($uri.PathAndQuery+"/v1/authorize?" +
                                                "response_type=$(ternary $IdToken 'id_token' 'token')&" +
                                                "scope=$($scopes -join '%20')&" +
                                                'state=TEST&' +
                                                'nonce=TEST&' +
                                                "client_id=$ClientId&" +
                                                "redirect_uri=$redirectUri&" +
                                                "sessionToken=$($session.sessionToken)")
        Write-Verbose "Token uri is $tokenUri"
        $null = Invoke-WebRequest $tokenUri -MaximumRedirection 2
    }
    catch {
        # expect 302 response
        Write-Verbose "Exception Type: $($_.GetType())"
        Write-Verbose "Exception & Stack: $_`n$($_.ScriptStackTrace)"

        $e = $_
        if (!($e | Get-Member -Name Exception) -or !($e.Exception | Get-Member -Name Response)) {
            Write-Warning "Got unexpected exception (expected 302)"
            throw $_
        }

        if ($e.Exception.Response.StatusCode -eq "Redirect") { #302
            Write-Verbose $e.Exception.Response.Headers.Location
            $q = [System.Web.HttpUtility]::ParseQueryString($e.Exception.Response.Headers.Location)
            Write-Verbose "Headers are: $($e.Exception.Response.Headers)"
            Write-Verbose "Headers.Location is: $($e.Exception.Response.Headers.Location)"
            if ($IdToken)
            {
                $token = $q["$redirectUri#id_token"]
            }
            else
            {
                $token = $q["$redirectUri#access_token"]
            }
            if (!$token) {
                Write-Warning "Didn't get token for $redirectUri and IdToken = $([bool]$IdToken)"
                foreach ($k in $q.AllKeys) {
                    Write-Warning " q[$k] = $($q[$k])"
                }
            }
            $token
        } else {
            Write-Warning "Didn't get redirect for JWT"
            Write-Warning $_
        }
    } finally {
        $progressPreference = $prevPref
    }
}

function Get-OktaAppJwt {
    [CmdletBinding()]
    [OutputType([string])]
    param (
        [string] $ClientId = $env:OKTA_CLIENT_ID,

        [string] $Issuer = $env:OKTA_ISSUER,

        [Alias("Pw")]
        [string] $ClientSecret = $env:OKTA_CLIENT_SECRET,

        [Alias("Password")]
        [securestring] $SecureClientSecret,

        [Parameter(Mandatory)]
        [string[]] $Scopes
    )

    $ErrorActionPreference = "Stop"

    $GrantType = "client_credentials"

    if ((!$ClientSecret -and !$SecureClientSecret) -or !$Issuer -or !$ClientId) {
        Write-Warning @"
Have Secret: $($ClientSecret -or $SecureClientSecret)
Have Issuer: $([bool]$Issuer)
Have ClientId: $([bool]$ClientId)
"@

        throw "Missing required parameter. See help."
    }

    if ($SecureClientSecret) {
        # (from VSTeam)
        # Convert the securestring to a normal string
        # this was the one technique that worked on Mac, Linux and Windows
        $credential = New-Object System.Management.Automation.PSCredential $account, $SecurePersonalAccessToken
        $secret = $credential.GetNetworkCredential().Password
    } else {
        $secret = $ClientSecret
    }

    $clientCreds = [System.Text.Encoding]::UTF8.GetBytes("${ClientId}:$secret");

    $oktaHeader = @{ Authorization = "Basic $([System.Convert]::ToBase64String($clientCreds))"
                    Accept = "application/json" }

    $body = "grant_type=$GrantType&scope=$($Scopes -join '%20')" # space-separated scopes

    $parms = @{}
    if ($PSVersionTable.PSVersion.Major -ge 7) {
        $parms['SkipHttpErrorCheck'] = $true
    }
    $jwt = ""
    Write-Verbose $body
    if (!($Issuer.EndsWith("/v1/token"))) {
        $Issuer = $Issuer + "/v1/token"
    }
    $prevPref = $progressPreference
    $progressPreference = "silentlyContinue"
    try {
        $result = Invoke-WebRequest $Issuer -Method Post -Body $body -ContentType "application/x-www-form-urlencoded" -Headers $oktaHeader @parms
        if ($result.StatusCode -ne 200)
        {
            Write-Warning "Couldn't get JWT"
            Write-Warning $result
        }
        else
        {
            $parms = @{}
            if ($PSVersionTable.PSVersion.Major -ge 7) {
                $parms['Depth'] = 5
            }
            $jwt = (ConvertFrom-Json $result.Content @parms).access_token
        }
        $jwt
    } finally {
        $progressPreference = $prevPref
    }
}