@nov
Created March 24, 2017 08:54
require 'openid_connect'
require 'readline'
require 'securerandom'

OpenIDConnect.debug!

tenant_domain_prefix = '<YOUR-TENANT-DOMAIN-PREFIX>'
tenant_uuid = '<YOUR-TENANT-UUID>'
client_id = '<YOUR-CLIENT-ID>'
client_secret = '<YOUR-CLIENT-SECRET>'
redirect_uri = '<YOUR-REDIRECT-URI>'
policy_id = '<YOUR-POLICY-ID>'
rs_application_id = '<YOUR-RS-APPLICATION-ID>'

issuer = "https://login.microsoftonline.com/#{tenant_uuid}/v2.0"

# B2C scopes are full URIs: https://<tenant>.onmicrosoft.com/<rs-app-id>/<scope>
# (a lambda rather than `def`, so the locals above are visible inside it)
scope_uris_for = lambda do |*scopes|
  scopes.collect do |scope|
    File.join "https://#{tenant_domain_prefix}.onmicrosoft.com/", rs_application_id, scope
  end
end
scopes = scope_uris_for.call('<YOUR-SCOPE-1>', '<YOUR-SCOPE-2>')

def inspect_jwt(jwt)
  puts JSON.pretty_generate(jwt.header)
  puts '.'
  puts JSON.pretty_generate(jwt)
  puts
end

op_config = OpenIDConnect::Discovery::Provider::Config.discover!(issuer).tap do |config|
  # NOTE: p=policy_id is REQUIRED, and MUST be in query, not body.
  config.token_endpoint << "?p=#{policy_id}"
  config.authorization_endpoint << "?p=#{policy_id}"
  config.jwks_uri << "?p=#{policy_id}"
end

client = OpenIDConnect::Client.new(
  identifier: client_id,
  secret: client_secret,
  authorization_endpoint: op_config.authorization_endpoint,
  token_endpoint: op_config.token_endpoint,
  userinfo_endpoint: op_config.userinfo_endpoint,
  redirect_uri: redirect_uri
)
jwks = op_config.jwks

puts '# Requested Scopes'
puts scopes
puts

nonce = SecureRandom.hex(8) # kept so the ID Token's nonce claim can be checked below
authorization_uri = client.authorization_uri(
  scope: scopes,
  nonce: nonce,
  # response_type: [:token, :id_token]
)
puts '# Redirecting to...'
puts authorization_uri
`open "#{authorization_uri}"`
puts

print 'code: '
STDOUT.flush # `print ... and STDOUT.flush` never flushed: print returns nil
code = Readline.readline.strip # NOTE: `gets` can't receive 1024+ bytes input
puts

client.authorization_code = code
response = client.access_token! :body
access_token = JSON::JWT.decode response.access_token, jwks
id_token = JSON::JWT.decode response.id_token, jwks

# JSON::JWT.decode only verifies the signature; bind the ID Token to this request.
raise 'nonce mismatch' unless id_token[:nonce] == nonce

puts '# Access Token'
inspect_jwt access_token
puts '# ID Token'
inspect_jwt id_token
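The gist stops at JSON::JWT.decode, which checks the signature but none of the claims that tie the ID Token to this tenant, client and login attempt. The following is an added example, not part of the gist or the openid_connect gem: it uses only the Ruby standard library (openssl, base64, json) instead of json-jwt, mints a test token with a constructed throwaway RSA key and kid "demo-kid" standing in for the B2C signing key, and then runs the checks a relying party should apply (alg pinned to RS256, kid lookup in the JWK set, signature, iss, aud, nonce, exp). All function names are hypothetical.

```ruby
require 'openssl'
require 'base64'
require 'json'

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constructed for this example: a throwaway RSA key standing in for the
# B2C signing key, published as the JWK set a client would fetch from jwks_uri.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)
DEMO_JWKS = { 'keys' => [{ 'kty' => 'RSA', 'kid' => 'demo-kid',
                           'n' => b64url(DEMO_KEY.n.to_s(2)), 'e' => b64url(DEMO_KEY.e.to_s(2)) }] }

# Mint a token the way the OP would (only needed to produce test input).
def sign_jwt(claims, key, kid)
  header = { alg: 'RS256', typ: 'JWT', kid: kid }
  input = [b64url(header.to_json), b64url(claims.to_json)].join('.')
  "#{input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Rebuild an RSA public key from a JWK's n/e (PKCS#1 RSAPublicKey DER).
def rsa_from_jwk(jwk)
  n, e = %w[n e].map { |k| OpenSSL::BN.new(Base64.urlsafe_decode64(jwk[k]), 2) }
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der)
end

# Returns [true, claims] or [false, reason]. Every check below is one JSON::JWT.decode alone does not make.
def validate_id_token(jwt, jwks, issuer:, client_id:, nonce:, now: Time.now.to_i)
  h64, p64, s64 = jwt.split('.')
  return [false, 'malformed'] unless s64
  header = JSON.parse(Base64.urlsafe_decode64(h64))
  return [false, 'unexpected alg'] unless header['alg'] == 'RS256' # pin the alg; never accept "none"
  jwk = jwks['keys'].find { |k| k['kid'] == header['kid'] }
  return [false, 'unknown kid'] unless jwk
  sig_ok = rsa_from_jwk(jwk).verify(OpenSSL::Digest.new('SHA256'), Base64.urlsafe_decode64(s64), "#{h64}.#{p64}")
  return [false, 'bad signature'] unless sig_ok
  claims = JSON.parse(Base64.urlsafe_decode64(p64))
  return [false, 'wrong issuer'] unless claims['iss'] == issuer
  return [false, 'wrong audience'] unless Array(claims['aud']).include?(client_id) # aud may be a string or an array
  return [false, 'nonce mismatch'] unless claims['nonce'] == nonce
  return [false, 'expired'] unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  [true, claims]
end
```

In the gist's flow, `issuer` and `client_id` are the values already in hand and `nonce` is the one sent on the authorization request; a token whose claims fail any check should be discarded rather than inspected.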