| <# | |
| .Synopsis | |
| Obtain an app-only access token from ACS. | |
| .DESCRIPTION | |
| Retrieves an app-only access token from ACS to call the specified principal | |
| at the specified targetHost. The targetHost must be registered for target principal. If specified realm is | |
| null, the "Realm" setting in web.config will be used instead | |
| .EXAMPLE | |
| Get-SPOAccessToken -Url "https://contoso.sharepoint.com/_api/web" -ClientId "" -ClientSecret "" | |
| #> | |
| Function Get-SPOAccessToken([string]$ClientId,[string]$ClientSecret,[Uri]$WebUri){ | |
| $SharePointPrincipal = "00000003-0000-0ff1-ce00-000000000000" | |
| $realm = GetRealmFromTargetUrl -TargetApplicationUri $WebUri | |
| $accessToken = GetAppOnlyAccessToken -ClientId $ClientId -ClientSecret $ClientSecret -TargetPrincipalName $SharePointPrincipal -TargetHost $WebUri.Authority -TargetRealm $realm | |
| return $accessToken.access_token | |
| } | |
| function GetRealmFromTargetUrl([Uri]$TargetApplicationUri) | |
| { | |
| $url = $WebUrl + "/_vti_bin/client.svc" | |
| $headers = @{} | |
| $headers.Add('Authorization','Bearer') | |
| try { | |
| $response = Invoke-WebRequest -Uri $TargetApplicationUri -Headers $headers -Method Get | |
| } | |
| catch [Net.WebException] { | |
| $authResponseHeader = $_.Exception.Response.Headers["WWW-Authenticate"] | |
| #$bearerKey = "Bearer realm=" | |
| $bearer = $authResponseHeader.Split(",")[0] | |
| $targetRealm = $bearer.Split("=")[1] | |
| return $targetRealm.Substring(1,$targetRealm.Length-2) | |
| } | |
| return $null | |
| } | |
| Function GetAppOnlyAccessToken([string]$ClientId,[string]$ClientSecret,[string]$TargetPrincipalName,[string]$TargetHost,[string]$TargetRealm) | |
| { | |
| $resource = GetFormattedPrincipal -PrincipalName $TargetPrincipalName -HostName $TargetHost -Realm $TargetRealm | |
| $ClientId = GetFormattedPrincipal -PrincipalName $ClientId -Realm $TargetRealm | |
| $contentType = 'application/x-www-form-urlencoded' | |
| $stsUrl = GetSecurityTokenServiceUrl -Realm $TargetRealm | |
| $oauth2Request = CreateAccessTokenRequestWithClientCredentials -ClientId $ClientId -ClientSecret $ClientSecret -Scope $resource | |
| $oauth2Response = Invoke-RestMethod -Method Post -Uri $stsUrl -ContentType $contentType -Body $oauth2Request | |
| return $oauth2Response | |
| } | |
| Function GetSecurityTokenServiceUrl([string]$Realm) | |
| { | |
| return "https://accounts.accesscontrol.windows.net/$Realm/tokens/OAuth/2" | |
| } | |
| Function CreateAccessTokenRequestWithClientCredentials([string]$ClientId,[string]$ClientSecret,[string]$Scope) | |
| { | |
| $oauth2Request = @{ | |
| 'grant_type' = 'client_credentials'; | |
| 'client_id' = $ClientId; | |
| 'client_secret' = $ClientSecret; | |
| 'scope' = $Scope; | |
| 'resource' = $Scope | |
| } | |
| return $oauth2Request | |
| } | |
| function GetFormattedPrincipal([string]$PrincipalName, [string]$HostName, [string]$Realm) | |
| { | |
| if ($HostName) | |
| { | |
| return "$PrincipalName/$HostName@$Realm" | |
| } | |
| return "$PrincipalName@$Realm" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment