Skip to content

Instantly share code, notes, and snippets.

@Apurer
Last active March 13, 2024 20:09
Show Gist options
  • Save Apurer/764ef757bdd17ff781296e2dc7714282 to your computer and use it in GitHub Desktop.
Save Apurer/764ef757bdd17ff781296e2dc7714282 to your computer and use it in GitHub Desktop.
function Generate-CodeVerifier {
$bytes = New-Object Byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
return [System.Convert]::ToBase64String($bytes) -replace '\+', '-' -replace '\/', '_' -replace '='
}
function Generate-CodeChallenge($verifier) {
$bytes = [System.Text.Encoding]::ASCII.GetBytes($verifier)
$hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
return [System.Convert]::ToBase64String($hash) -replace '\+', '-' -replace '\/', '_' -replace '='
}
$clientId = "<Your-Client-ID-Here>"
$tenantId = "<Your-Tenant-ID-Here>" # Use "common" for multi-tenant apps
$redirectUri = "<Your-Redirect-URI>" # Must be URL encoded
$scope = "<Your-Scope-Here>" # Example: "https%3A%2F%2Fgraph.microsoft.com%2F.default"
$responseType = "code"
# Generate PKCE code verifier and challenge
$codeVerifier = Generate-CodeVerifier
$codeChallenge = Generate-CodeChallenge -verifier $codeVerifier
# Construct the authorization URL
$authorizationUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/authorize?client_id=$clientId&response_type=$responseType&redirect_uri=$redirectUri&response_mode=query&scope=$scope&state=12345&code_challenge_method=S256&code_challenge=$codeChallenge"
# Open the authorization URL in the default web browser
Start-Process "chrome.exe" $authorizationUrl # Use "chrome.exe", "firefox.exe", etc., or remove the "chrome.exe" to use the default browser
Write-Host "Authorization URL: $authorizationUrl"
Write-Host "Code Verifier: $codeVerifier"
# Replace these variables with your actual values
$tenantId = "<Your-Tenant-ID>"
$clientID = "<Your-Client-ID>"
$clientSecret = "<Your-Client-Secret>" # Needed for web applications
$authorizationCode = "<Authorization-Code-You-Received>"
$redirectUri = "<Your-Redirect-URI>" # Must match the redirect URI used in the auth request
$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
client_id = $clientID
scope = "https://graph.microsoft.com/.default"
code = $authorizationCode
redirect_uri = $redirectUri
grant_type = "authorization_code"
client_secret = $clientSecret # For confidential clients. Omit for public clients like mobile/desktop apps.
}
$response = Invoke-RestMethod -Uri $tokenUrl -Method Post -Body $body -ContentType "application/x-www-form-urlencoded"
$accessToken = $response.access_token
$graphApiUrl = "https://graph.microsoft.com/v1.0/me"
# Prepare the header with the access token
$headers = @{
Authorization = "Bearer $accessToken"
}
# Execute the API request
$userInfo = Invoke-RestMethod -Uri $graphApiUrl -Headers $headers -Method Get
# Display the result
$userInfo
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment