internal/functions/invoke-aadauthentication.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123

<#
    .SYNOPSIS
        Authenticate against Azure Active Directory (AAD)
         
    .DESCRIPTION
        Authenticate against Azure Active Directory (AAD) and retrieve a token
         
    .PARAMETER Resource
        The resource / URL you want the authentication to be valid for
         
    .PARAMETER GrantType
        The type of grant you want the authentication request to be
         
        Valid options (non-validated):
        authorization_code
        refresh_token
        password
        client_credentials
         
    .PARAMETER ClientId
        The Azure Registered Application Id / Client Id obtained while creating a Registered App inside the Azure Portal
         
    .PARAMETER ClientSecret
        The secret obtained when you created a secret in relation to the Registered Application from the Azure Portal
         
    .PARAMETER Username
        The username of the account that you want to impersonate
         
    .PARAMETER Password
        The password of the account that you want to impersonate
         
    .PARAMETER Scope
        The scope value to apply to the authentication request
         
    .PARAMETER AuthProviderUri
        The URI / URL for the Authentication Provider you want to authenticate against
         
        Default value is "https://login.microsoftonline.com/common/oauth2"
         
    .EXAMPLE
        PS C:\> Invoke-AadAuthentication -Resource "https://lcsapi.lcs.dynamics.com" -GrantType "password" -ClientId "9b4f4503-b970-4ade-abc6-2c086e4c4929" -Username claire@contoso.com -Password "pass@word1" -Scope openid
         
        This will create a http authentication request against the default AuthProviderUri ("https://login.microsoftonline.com/common/oauth2").
        The request will be for the Resource "https://lcsapi.lcs.dynamics.com".
        The GrantType will be "password".
        The ClientId will "9b4f4503-b970-4ade-abc6-2c086e4c4929".
        The Username is claire@contoso.com, and the Password is "pass@word1".
        The Scope is "openid"
         
    .NOTES
        Tags: Authentication, AAD, Azure Active Directory, Grant, ClientId
         
        Author: Mötz Jensen (@Splaxi)
#>


function Invoke-AadAuthentication {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingPlainTextForPassword", "")]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingUserNameAndPassWordParams", "")]
    [CmdletBinding()]
    [OutputType('System.String')]
    param (
        [Parameter(Mandatory = $true, Position = 1)]
        [string] $Resource,

        [Parameter(Mandatory = $true, Position = 2)]
        [string] $GrantType,

        [Parameter(Mandatory = $false, Position = 3)]
        [string] $ClientId,

        [Parameter(Mandatory = $false, Position = 4)]
        [string] $ClientSecret,

        [Parameter(Mandatory = $false, Position = 5)]
        [string] $Username,

        [Parameter(Mandatory = $false, Position = 6)]
        [string] $Password,

        [Parameter(Mandatory = $false, Position = 7)]
        [string] $Scope,

        [Parameter(Mandatory = $false, Position = 8)]
        [string] $AuthProviderUri = "https://login.microsoftonline.com/common/oauth2/token"
    )

    Invoke-TimeSignal -Start

    $parms = @{}
    $parms.resource = [System.Web.HttpUtility]::UrlEncode($Resource)
    $parms.grant_type = [System.Web.HttpUtility]::UrlEncode($GrantType)
    
    if (-not ($ClientId -eq "")) {$parms.client_id = [System.Web.HttpUtility]::UrlEncode($ClientId)}

    if (-not ($ClientSecret -eq "")) {$parms.client_secret = [System.Web.HttpUtility]::UrlEncode($ClientSecret)}

    if (-not ($Username -eq "")) {$parms.username = [System.Web.HttpUtility]::UrlEncode($Username)}

    if (-not ($Password -eq "")) {$parms.password = [System.Web.HttpUtility]::UrlEncode($Password)}

    if (-not ($Scope -eq "")) {$parms.scope = [System.Web.HttpUtility]::UrlEncode($Scope)}

    $body = (Convert-HashToArgStringSwitch -InputObject $parms -KeyPrefix "&" -ValuePrefix "=") -join ""

    $body = $body.Substring(1)

    Write-PSFMessage -Level Verbose -Message "Authenticating against Azure Active Directory (AAD)." -Target $body

    try {
        $requestParams = @{Method = "Post"; ContentType = "application/x-www-form-urlencoded";
                    Body = $body}

        $Authorization = Invoke-RestMethod $AuthProviderUri @requestParams
    }
    catch {
        Write-PSFMessage -Level Host -Message "Something went wrong while working against Azure Active Directory (AAD)" -Exception $PSItem.Exception -Target $body
        Stop-PSFFunction -Message "Stopping because of errors" -StepsUpward 1
        return
    }

    $Authorization.access_token
}