vgrem/Get-SPOAccessToken.ps1

## Get-SPOAccessToken.ps1
<#
.Synopsis
    Obtain an app-only access token from ACS.
.DESCRIPTION
    Retrieves an app-only access token from ACS to call the specified principal
    at the specified targetHost. The targetHost must be registered for target principal.  If specified realm is
    null, the "Realm" setting in web.config will be used instead
.EXAMPLE
   Get-SPOAccessToken -Url "https://contoso.sharepoint.com/_api/web" -ClientId "" -ClientSecret ""
#>
Function Get-SPOAccessToken([string]$ClientId,[string]$ClientSecret,[Uri]$WebUri){
    $SharePointPrincipal = "00000003-0000-0ff1-ce00-000000000000"
    $realm = GetRealmFromTargetUrl -TargetApplicationUri $WebUri
    $accessToken = GetAppOnlyAccessToken -ClientId $ClientId -ClientSecret $ClientSecret -TargetPrincipalName $SharePointPrincipal -TargetHost $WebUri.Authority -TargetRealm $realm
    return $accessToken.access_token
}

function GetRealmFromTargetUrl([Uri]$TargetApplicationUri)
{

   $url = $WebUrl + "/_vti_bin/client.svc"
   $headers = @{}
   $headers.Add('Authorization','Bearer')
   try {
       $response = Invoke-WebRequest -Uri $TargetApplicationUri -Headers $headers -Method Get
   }
   catch [Net.WebException] {
      $authResponseHeader = $_.Exception.Response.Headers["WWW-Authenticate"]
      #$bearerKey = "Bearer realm="
      $bearer = $authResponseHeader.Split(",")[0]
      $targetRealm = $bearer.Split("=")[1]
      return $targetRealm.Substring(1,$targetRealm.Length-2)
   }
   return $null
}


Function GetAppOnlyAccessToken([string]$ClientId,[string]$ClientSecret,[string]$TargetPrincipalName,[string]$TargetHost,[string]$TargetRealm)
{
    $resource = GetFormattedPrincipal -PrincipalName $TargetPrincipalName -HostName $TargetHost -Realm $TargetRealm
    $ClientId = GetFormattedPrincipal -PrincipalName $ClientId -Realm $TargetRealm
    $contentType = 'application/x-www-form-urlencoded'
    $stsUrl = GetSecurityTokenServiceUrl -Realm $TargetRealm
    $oauth2Request = CreateAccessTokenRequestWithClientCredentials -ClientId $ClientId -ClientSecret $ClientSecret -Scope $resource
    $oauth2Response = Invoke-RestMethod -Method Post -Uri $stsUrl -ContentType $contentType -Body $oauth2Request
    return $oauth2Response
}


Function GetSecurityTokenServiceUrl([string]$Realm)
{
   return "https://accounts.accesscontrol.windows.net/$Realm/tokens/OAuth/2"
}


Function CreateAccessTokenRequestWithClientCredentials([string]$ClientId,[string]$ClientSecret,[string]$Scope)
{
   $oauth2Request =  @{
     'grant_type' = 'client_credentials';
     'client_id' = $ClientId;
     'client_secret' = $ClientSecret;
     'scope' = $Scope;
     'resource' = $Scope
   }
   return $oauth2Request
}

function GetFormattedPrincipal([string]$PrincipalName, [string]$HostName, [string]$Realm)
{
   if ($HostName)
   {
       return "$PrincipalName/$HostName@$Realm"
   }
   return "$PrincipalName@$Realm"
}
	<#
	.Synopsis
	Obtain an app-only access token from ACS.
	.DESCRIPTION
	Retrieves an app-only access token from ACS to call the specified principal
	at the specified targetHost. The targetHost must be registered for target principal. If specified realm is
	null, the "Realm" setting in web.config will be used instead
	.EXAMPLE
	Get-SPOAccessToken -Url "https://contoso.sharepoint.com/_api/web" -ClientId "" -ClientSecret ""
	#>
	Function Get-SPOAccessToken([string]$ClientId,[string]$ClientSecret,[Uri]$WebUri){
	$SharePointPrincipal = "00000003-0000-0ff1-ce00-000000000000"
	$realm = GetRealmFromTargetUrl -TargetApplicationUri $WebUri
	$accessToken = GetAppOnlyAccessToken -ClientId $ClientId -ClientSecret $ClientSecret -TargetPrincipalName $SharePointPrincipal -TargetHost $WebUri.Authority -TargetRealm $realm
	return $accessToken.access_token
	}

	function GetRealmFromTargetUrl([Uri]$TargetApplicationUri)
	{

	$url = $WebUrl + "/_vti_bin/client.svc"
	$headers = @{}
	$headers.Add('Authorization','Bearer')
	try {
	$response = Invoke-WebRequest -Uri $TargetApplicationUri -Headers $headers -Method Get
	}
	catch [Net.WebException] {
	$authResponseHeader = $_.Exception.Response.Headers["WWW-Authenticate"]
	#$bearerKey = "Bearer realm="
	$bearer = $authResponseHeader.Split(",")[0]
	$targetRealm = $bearer.Split("=")[1]
	return $targetRealm.Substring(1,$targetRealm.Length-2)
	}
	return $null
	}


	Function GetAppOnlyAccessToken([string]$ClientId,[string]$ClientSecret,[string]$TargetPrincipalName,[string]$TargetHost,[string]$TargetRealm)
	{
	$resource = GetFormattedPrincipal -PrincipalName $TargetPrincipalName -HostName $TargetHost -Realm $TargetRealm
	$ClientId = GetFormattedPrincipal -PrincipalName $ClientId -Realm $TargetRealm
	$contentType = 'application/x-www-form-urlencoded'
	$stsUrl = GetSecurityTokenServiceUrl -Realm $TargetRealm
	$oauth2Request = CreateAccessTokenRequestWithClientCredentials -ClientId $ClientId -ClientSecret $ClientSecret -Scope $resource
	$oauth2Response = Invoke-RestMethod -Method Post -Uri $stsUrl -ContentType $contentType -Body $oauth2Request
	return $oauth2Response
	}


	Function GetSecurityTokenServiceUrl([string]$Realm)
	{
	return "https://accounts.accesscontrol.windows.net/$Realm/tokens/OAuth/2"
	}


	Function CreateAccessTokenRequestWithClientCredentials([string]$ClientId,[string]$ClientSecret,[string]$Scope)
	{
	$oauth2Request = @{
	'grant_type' = 'client_credentials';
	'client_id' = $ClientId;
	'client_secret' = $ClientSecret;
	'scope' = $Scope;
	'resource' = $Scope
	}
	return $oauth2Request
	}

	function GetFormattedPrincipal([string]$PrincipalName, [string]$HostName, [string]$Realm)
	{
	if ($HostName)
	{
	return "$PrincipalName/$HostName@$Realm"
	}
	return "$PrincipalName@$Realm"
	}