darrenjrobinson/MSGraph AuthCode with PKCE.ps1

## MSGraph AuthCode with PKCE.ps1
import-module PKCE
import-module JWTDetails

$clientID = '<your AAD clientID>'
$tenantID = '<your AAD tenantID'
$clientSecret = '<your AAD App Client Secret>'
$replyURL = 'https://localhost/'
$scopes = 'user.read.all'

Function Get-AuthCode {
    [cmdletbinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$url
    )

    Add-Type -AssemblyName System.Windows.Forms
    $form = New-Object -TypeName System.Windows.Forms.Form -Property @{Width = 440; Height = 640 }
    $web = New-Object -TypeName System.Windows.Forms.WebBrowser -Property @{Width = 420; Height = 600; Url = ($url -f ($Scope -join "%20")) }
    $DocComp = {
        $uri = $web.Url.AbsoluteUri
        if ($uri -match "error=[^&]*|code=[^&]*") { $form.Close() }
    }

    $web.ScriptErrorsSuppressed = $true
    $web.Add_DocumentCompleted($DocComp)
    $form.Controls.Add($web)
    $form.Add_Shown( { $form.Activate() })
    $form.ShowDialog() | Out-Null
    $queryOutput = [System.Web.HttpUtility]::ParseQueryString($web.Url.Query)

    $output = @{}
    foreach ($key in $queryOutput.Keys) {
        $output["$key"] = $queryOutput[$key]
    }
    return $output
}

$codeChallenge, $codeVerifier, $authResult = $null
$pkceCodes = New-PKCE
$codeChallenge = $pkceCodes.code_challenge
$codeVerifier = $pkceCodes.code_verifier
$state = $codeChallenge.Substring(0, 27)

$url = "https://login.microsoftonline.com/$($tenantID)/oauth2/v2.0/authorize?response_type=code&redirect_uri=$($replyURL)&client_id=$($clientID)&response_mode=query&scope=$($scopes)&state=$($state)&code_challenge=$($codeChallenge)&code_challenge_method=S256"

$authResult = Get-AuthCode -url $url

if ($authResult.code) {
    Write-Output "Received an authorization code."
    $authCode = $authResult.code
    $sessionState = $authResult.session_state

    if ($state = $sessionState) {
        $tokenParams = @{
            grant_type    = "authorization_code";
            client_id     = $clientID;
            client_secret = $clientSecret;
            code          = $authCode;
            code_verifier = $codeVerifier;
            tenant_id     = $tenantID;
            redirect_uri  = $replyURL;
        }

        $tokenResponse = Invoke-RestMethod -Method Post `
            -Uri "https://login.microsoftonline.com/$($tenantID)/oauth2/v2.0/token" `
            -Body $tokenParams -ContentType 'application/x-www-form-urlencoded'

        Get-JWTDetails $tokenResponse.access_token

        Invoke-RestMethod -Headers @{Authorization = "Bearer $($tokenResponse.access_token)" } `
            -Uri  'https://graph.microsoft.com/v1.0/users' `
            -Method Get
    }
    else {
        Write-Warning "Something isn't right. Returned Session State doesn't match what was sent"
        Write-Warning "Sent State: $($state) `nSession State: $($sessionState)"
    }
}
else {
    Write-Error $_
}
	import-module PKCE
	import-module JWTDetails

	$clientID = '<your AAD clientID>'
	$tenantID = '<your AAD tenantID'
	$clientSecret = '<your AAD App Client Secret>'
	$replyURL = 'https://localhost/'
	$scopes = 'user.read.all'

	Function Get-AuthCode {
	[cmdletbinding()]
	param(
	[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
	[string]$url
	)

	Add-Type -AssemblyName System.Windows.Forms
	$form = New-Object -TypeName System.Windows.Forms.Form -Property @{Width = 440; Height = 640 }
	$web = New-Object -TypeName System.Windows.Forms.WebBrowser -Property @{Width = 420; Height = 600; Url = ($url -f ($Scope -join "%20")) }
	$DocComp = {
	$uri = $web.Url.AbsoluteUri
	if ($uri -match "error=[^&]\|code=[^&]") { $form.Close() }
	}

	$web.ScriptErrorsSuppressed = $true
	$web.Add_DocumentCompleted($DocComp)
	$form.Controls.Add($web)
	$form.Add_Shown( { $form.Activate() })
	$form.ShowDialog() \| Out-Null
	$queryOutput = [System.Web.HttpUtility]::ParseQueryString($web.Url.Query)

	$output = @{}
	foreach ($key in $queryOutput.Keys) {
	$output["$key"] = $queryOutput[$key]
	}
	return $output
	}

	$codeChallenge, $codeVerifier, $authResult = $null
	$pkceCodes = New-PKCE
	$codeChallenge = $pkceCodes.code_challenge
	$codeVerifier = $pkceCodes.code_verifier
	$state = $codeChallenge.Substring(0, 27)

	$url = "https://login.microsoftonline.com/$($tenantID)/oauth2/v2.0/authorize?response_type=code&redirect_uri=$($replyURL)&client_id=$($clientID)&response_mode=query&scope=$($scopes)&state=$($state)&code_challenge=$($codeChallenge)&code_challenge_method=S256"

	$authResult = Get-AuthCode -url $url

	if ($authResult.code) {
	Write-Output "Received an authorization code."
	$authCode = $authResult.code
	$sessionState = $authResult.session_state

	if ($state = $sessionState) {
	$tokenParams = @{
	grant_type = "authorization_code";
	client_id = $clientID;
	client_secret = $clientSecret;
	code = $authCode;
	code_verifier = $codeVerifier;
	tenant_id = $tenantID;
	redirect_uri = $replyURL;
	}

	$tokenResponse = Invoke-RestMethod -Method Post `
	-Uri "https://login.microsoftonline.com/$($tenantID)/oauth2/v2.0/token" `
	-Body $tokenParams -ContentType 'application/x-www-form-urlencoded'

	Get-JWTDetails $tokenResponse.access_token

	Invoke-RestMethod -Headers @{Authorization = "Bearer $($tokenResponse.access_token)" } `
	-Uri 'https://graph.microsoft.com/v1.0/users' `
	-Method Get
	}
	else {
	Write-Warning "Something isn't right. Returned Session State doesn't match what was sent"
	Write-Warning "Sent State: $($state) `nSession State: $($sessionState)"
	}
	}
	else {
	Write-Error $_
	}