nov/azure_ad_b2c_without_credentials.rb

## azure_ad_b2c_without_credentials.rb
require 'openid_connect'
require 'readline'

OpenIDConnect.debug!

tenant_domain_prefix = '<YOUR-TENANT-DOMAIN-PREFIX>'
tenant_uuid = '<YOUR-TENANT-UUID>'
client_id = '<YOUR-CLIENT-ID>'
client_secret = '<YOUR-CLIENT-SECRET>'
redirect_uri = '<YOUR-REDIRECT-URI>'
policy_id = '<YOUR-POLICY-ID>'
rs_application_id = '<YOUR-RS-APPLICATION-ID>'

issuer = "https://login.microsoftonline.com/#{tenant_uuid}/v2.0"

def scope_uris_for(*scopes)
  scopes.collect do |scope|
    File.join "https://#{tenant_domain_prefix}.onmicrosoft.com/", rs_application_id, scope
  end
end
scopes = scope_uris_for('<YOUR-SCOPE-1>', '<YOUR-SCOPE-2>')

def inspect_jwt(jwt)
  puts JSON.pretty_generate(jwt.header)
  puts '.'
  puts JSON.pretty_generate(jwt)
  puts
end

op_config = OpenIDConnect::Discovery::Provider::Config.discover!(issuer).tap do |config|
  # NOTE: p=policy_id is REQUIRED, and MUST be in query, not body.
  config.token_endpoint << "?p=#{policy_id}"
  config.authorization_endpoint << "?p=#{policy_id}"
  config.jwks_uri << "?p=#{policy_id}"
end
client = OpenIDConnect::Client.new(
  identifier: client_id,
  secret: client_secret,
  authorization_endpoint: op_config.authorization_endpoint,
  token_endpoint: op_config.token_endpoint,
  userinfo_endpoint: op_config.userinfo_endpoint,
  redirect_uri: redirect_uri
)
jwks = op_config.jwks

puts '# Requested Scopes'
puts scopes
puts

authorization_uri = client.authorization_uri(
  scope: scopes,
  nonce: SecureRandom.hex(8),
  # response_type: [:token, :id_token]
)

puts '# Redirecting to...'
puts authorization_uri
`open "#{authorization_uri}"`
puts

print 'code: ' and STDOUT.flush
code = Readline.readline.strip # NOTE: `gets` can't receive 1024+ bytes input
puts

client.authorization_code = code
response = client.access_token! :body

access_token = JSON::JWT.decode response.access_token, jwks
id_token = JSON::JWT.decode response.id_token, jwks

puts '# Access Token'
inspect_jwt access_token

puts '# ID Token'
inspect_jwt id_token
	require 'openid_connect'
	require 'readline'

	OpenIDConnect.debug!

	tenant_domain_prefix = '<YOUR-TENANT-DOMAIN-PREFIX>'
	tenant_uuid = '<YOUR-TENANT-UUID>'
	client_id = '<YOUR-CLIENT-ID>'
	client_secret = '<YOUR-CLIENT-SECRET>'
	redirect_uri = '<YOUR-REDIRECT-URI>'
	policy_id = '<YOUR-POLICY-ID>'
	rs_application_id = '<YOUR-RS-APPLICATION-ID>'

	issuer = "https://login.microsoftonline.com/#{tenant_uuid}/v2.0"

	def scope_uris_for(*scopes)
	scopes.collect do \|scope\|
	File.join "https://#{tenant_domain_prefix}.onmicrosoft.com/", rs_application_id, scope
	end
	end
	scopes = scope_uris_for('<YOUR-SCOPE-1>', '<YOUR-SCOPE-2>')

	def inspect_jwt(jwt)
	puts JSON.pretty_generate(jwt.header)
	puts '.'
	puts JSON.pretty_generate(jwt)
	puts
	end

	op_config = OpenIDConnect::Discovery::Provider::Config.discover!(issuer).tap do \|config\|
	# NOTE: p=policy_id is REQUIRED, and MUST be in query, not body.
	config.token_endpoint << "?p=#{policy_id}"
	config.authorization_endpoint << "?p=#{policy_id}"
	config.jwks_uri << "?p=#{policy_id}"
	end
	client = OpenIDConnect::Client.new(
	identifier: client_id,
	secret: client_secret,
	authorization_endpoint: op_config.authorization_endpoint,
	token_endpoint: op_config.token_endpoint,
	userinfo_endpoint: op_config.userinfo_endpoint,
	redirect_uri: redirect_uri
	)
	jwks = op_config.jwks

	puts '# Requested Scopes'
	puts scopes
	puts

	authorization_uri = client.authorization_uri(
	scope: scopes,
	nonce: SecureRandom.hex(8),
	# response_type: [:token, :id_token]
	)

	puts '# Redirecting to...'
	puts authorization_uri
	`open "#{authorization_uri}"`
	puts

	print 'code: ' and STDOUT.flush
	code = Readline.readline.strip # NOTE: `gets` can't receive 1024+ bytes input
	puts

	client.authorization_code = code
	response = client.access_token! :body

	access_token = JSON::JWT.decode response.access_token, jwks
	id_token = JSON::JWT.decode response.id_token, jwks

	puts '# Access Token'
	inspect_jwt access_token

	puts '# ID Token'
	inspect_jwt id_token