Private/Get-EntraIDAzureDevOpsFederatedCredentialAccessToken.ps1
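function Get-EntraIDAzureDevOpsFederatedCredentialAccessToken {
    <#
    .SYNOPSIS
        Exchanges an Azure DevOps job's OIDC token for an Entra ID access token
        (federated workload identity, no client secret involved).

    .DESCRIPTION
        Step 1 - obtain an OIDC token for the running job:
          * If SYSTEM_ACCESSTOKEN is set, a fresh token is requested from
            SYSTEM_OIDCREQUESTURI for the service connection named by
            AZURESUBSCRIPTION_SERVICE_CONNECTION_ID (api-version 7.1).
          * Otherwise the value of the idToken environment variable is used.
        Step 2 - exchange it at the Entra ID token endpoint using the
        client_credentials grant with a jwt-bearer client assertion.
        When a scope is available (-Scope or $AccessTokenProfile.Scope) the
        v2.0 endpoint is used, otherwise the v1 resource endpoint.

        Neither the job access token, the OIDC token nor the resulting access
        token is written to the verbose/warning streams.

    .PARAMETER AccessTokenProfile
        Object providing TenantId and ClientId, and optionally Scope or
        Resource as defaults for the two endpoint styles.

    .PARAMETER Resource
        Resource identifier for the v1 endpoint; overrides
        $AccessTokenProfile.Resource when given.

    .PARAMETER Scope
        Scope for the v2.0 endpoint; overrides $AccessTokenProfile.Scope when
        given.

    .OUTPUTS
        The deserialized JSON response of the token endpoint, as returned by
        Invoke-RestMethod.

    .NOTES
        Throws a terminating error when no OIDC token could be obtained, and
        surfaces HTTP failures of the token request as terminating errors on
        both the v1 and v2 paths (previously only the v1 path did so).
        Uses the ternary operator, so PowerShell 7+ is required.
    #>
    [CmdletBinding(DefaultParameterSetName = "default")]
    Param(
        [Parameter(Mandatory = $true)]
        $AccessTokenProfile,

        [Parameter(Mandatory = $false, ParameterSetName = "resource")]
        [String] $Resource = $null,

        [Parameter(Mandatory = $false, ParameterSetName = "scope")]
        [String] $Scope = $null
    )
    Process {
        $OIDCToken = $null
        if (![String]::IsNullOrEmpty($ENV:SYSTEM_ACCESSTOKEN)) {
            # Ask the Azure DevOps OIDC endpoint for a token bound to this job
            # and service connection. SYSTEM_ACCESSTOKEN is only ever sent as
            # the bearer header; it is deliberately kept out of all log output.
            $OIDCToken = Invoke-RestMethod `
                -Uri "$($ENV:SYSTEM_OIDCREQUESTURI)?api-version=7.1&serviceConnectionId=$($ENV:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID)" `
                -Method Post `
                -Headers @{
                    Authorization  = "Bearer $ENV:SYSTEM_ACCESSTOKEN"
                    'Content-Type' = 'application/json'
                } `
                -ErrorAction Stop |
                Select-Object -ExpandProperty oidcToken
        }
        else {
            Write-Warning "Please add SYSTEM_ACCESSTOKEN in order for Azure DevOps to work with Federated Workload Identity for long running tasks"
            # NOTE(review): idToken is assumed to be injected by the calling
            # pipeline task; confirm for the task types this is used from.
            $OIDCToken = $ENV:idToken
        }

        # Fail fast here instead of posting an empty client_assertion, which
        # would only fail later at the token endpoint with a less useful error.
        if ([String]::IsNullOrEmpty($OIDCToken)) {
            throw "No OIDC token available: the Azure DevOps OIDC request returned no oidcToken and the idToken environment variable is not set"
        }

        # Fields shared by the v1 (resource) and v2 (scope) token requests.
        $body = @{
            client_id             = $AccessTokenProfile.ClientId
            grant_type            = "client_credentials"
            client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
            client_assertion      = $OIDCToken
        }

        if ($Scope -or $AccessTokenProfile.Scope) {
            # An explicit -Scope takes precedence over the profile default.
            $body.scope = [String]::IsNullOrEmpty($Scope) ? $AccessTokenProfile.Scope : $Scope
            Write-Verbose "Getting access token (v2/scope) for '$($body.scope)' using Azure DevOps Federated Workload Identity for client_id $($AccessTokenProfile.ClientId)"
            $tokenUri = "https://login.microsoftonline.com/$($AccessTokenProfile.TenantId)/oauth2/v2.0/token"
        }
        else {
            # An explicit -Resource takes precedence over the profile default.
            $body.resource = [String]::IsNullOrEmpty($Resource) ? $AccessTokenProfile.Resource : $Resource
            Write-Verbose "Getting access token (v1/resource) for '$($body.resource)' using Azure DevOps Federated Workload Identity for client_id $($AccessTokenProfile.ClientId)"
            $tokenUri = "https://login.microsoftonline.com/$($AccessTokenProfile.TenantId)/oauth2/token"
        }

        # Get token. -ErrorAction Stop on both paths so that an HTTP failure
        # becomes a terminating error rather than a silently empty result.
        Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body -ErrorAction Stop
    }
}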