
# Script-scoped state shared by the cmdlets in this module.

# In-memory cache of token profiles. Get-/Set-/Remove-GoogleOAuth2Profile (called below)
# presumably read and write it — confirm, their definitions are not in this listing.
[System.Collections.Hashtable]$script:OAuthTokens = @{}
# Default directory for persisted profiles; the cmdlets below accept -ProfileLocation to override it.
$script:ProfileLocation = "$env:USERPROFILE\.google\credentials"

# Key names used inside a profile hashtable (e.g. $Token[$script:access_token] in Get-GoogleOAuth2Token).
[System.String]$script:refresh_token = "refresh_token"
[System.String]$script:access_token = "access_token"
[System.String]$script:client_secret = "client_secret"
# Keys of a service-account ("sa") profile: JWT issuer, validity in seconds, requested scope and JWT subject
# (see the New-GoogleServiceAccountJWT call in Get-GoogleOAuth2Token).
[System.String]$script:iss = "iss"
[System.String]$script:validity = "validity"
[System.String]$script:scope = "scope"
[System.String]$script:sub = "sub"

# Short scope names that Convert-GoogleApiScopes passes through without a URL prefix.
# NOTE(review): the three empty strings look like literals stripped from this listing — confirm against the original source.
[System.String[]]$script:NoUrlScopes = @("", "", "", "profile", "email", "openid", "servicecontrol", "cloud-platform-service-control")
# Profile properties that are held encrypted (the Convert-GoogleOAuth2Code help text says the persisted copy uses DPAPI).
[System.String[]]$script:EncryptedProperties = @($script:access_token, $script:refresh_token, $script:client_secret)
[System.String[]]$script:Scopes = @(

#region Scopes

Function Convert-GoogleApiScopes {
    <#
        .SYNOPSIS
            Converts the short name scopes used as parameter input to their full values.
        .DESCRIPTION
            This cmdlet converts the short name scopes used as parameter input to their full values as required
            by access codes and JWTs.
        .PARAMETER Scopes
            The scopes to convert.
        .EXAMPLE
            $Scopes = @("compute", "")
            $NewScopes = $Scopes | Convert-GoogleApiScopes
            Converts the provided scopes to the scope names that usually begin with
        .NOTES
            AUTHOR: Michael Haken
            LAST UPDATE: 1/27/2018
    #>
    # NOTE(review): this listing is missing lines (the Param() wrapper, the $Scopes declaration,
    # braces and probably an `else` before the last `+=`); the structure below is inferred.

        # $Scopes: mandatory, positional, accepts pipeline input (the declaration line is not in this listing).
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]

    Begin {
        # Accumulates every value received across Process calls so End sees the whole pipeline.
        [System.String[]]$Temp = @()

    Process {
        $Temp += $Scopes

    End {
        [System.String[]]$FinalScopes = @()

        # Items not listed in $script:NoUrlScopes get a prefix. NOTE(review): the prefix literal
        # appears to have been stripped from this listing — "$Item" on its own is a no-op.
        foreach ($Item in $Temp)
            if ($Item -notin $script:NoUrlScopes)
                $FinalScopes += "$Item"
            # cloud-platform-service-control is itself in $script:NoUrlScopes, so it falls through to here.
            elseif ($Item -eq "cloud-platform-service-control")
                # cloud-platform is used both with a preceding url for some services and without for cloud service control APIs
                $FinalScopes += "cloud-platform"
                # Presumably the `else` branch (no-URL scopes emitted verbatim) — the `else` line is missing here.
                $FinalScopes += $Item

        # Emitted as one array; callers join it themselves (e.g. Get-GoogleOAuth2Code).
        Write-Output -InputObject $FinalScopes

Function Get-GoogleOAuth2ApiScopes {
    <#
        .SYNOPSIS
            Gets a current set of available OAuth2 API scopes.
        .DESCRIPTION
            This cmdlet retrieves the curent set of available OAuth2 API scopes. The format can either be in the short
            form used by the input parameters of the cmdlets in this module, or as their long full name as used in access
            code requests or JWT claim set construction.
        .PARAMETER UseShortNames
            Specifies that the output is the short names of the scopes as defined in this module.
        .NOTES
            AUTHOR: Michael Haken
            LAST UPDATE: 1/27/2018
    #>
    # NOTE(review): the Param() block, braces and the `else` between the two Write-Output
    # lines are missing from this listing; $UseShortNames is presumably a [Switch].

    Begin {

    Process {
        # Short names come straight from $script:Scopes; long names go through Convert-GoogleApiScopes.
        if ($UseShortNames)
            Write-Output -InputObject $script:Scopes
            Write-Output -InputObject (Convert-GoogleApiScopes -Scopes $script:Scopes)

    End {


#region Auth Code

Function Get-GoogleOAuth2Code {
    <#
        .SYNOPSIS
            Gets an authorization code for specified scopes to be granted Google OAuth2 credentials.
        .DESCRIPTION
            This cmdlet initiates the user approval for access to data and opens a browser window for the user to
            login and provide consent to the access. After approval, the browser will present an authorization code
            that should be pasted back into the prompt presented to the user. The code is sent out the pipeline, which
            should be supplied to Get-GoogleOAuth2Token in order to get Google OAuth2 bearer tokens.
        .PARAMETER ClientId
            The supplied client id for OAuth.
        .PARAMETER ClientSecret
            The supplied client secret for OAuth.
        .PARAMETER Email
            The user's GSuite/Google user email to provide as a login hint to the login and consent page.
        .PARAMETER Scope
            The scope or scopes to be authorized in the OAuth tokens.
        .PARAMETER AccessType
            Indicates the module can refresh access tokens when the user is not present at the browser. This value
            instructs the Google authorization server to return a refresh token and an access token the first time
            that the cmdlet exchages an authorization code for tokens. You should always specify "offline", which
            is the default.
        .PARAMETER ResponseType
            How the Google Authorization server returns the code:
            Setting to "token" instructs the Google Authorization Server to return the access token as a name=value
            pair in the hash (#) fragment of the URI to which the user is redirected after completing the authorization process.
            You must specify "online" as the AccessType with this setting and provide an actual redirect url.
            Setting to "code" instructs the Google Authorization Server to return the access code as an element in the web browser
            that can be copy and pasted into PowerShell.
            You should always specify "code" for this cmdlet, which is the default.
        .PARAMETER NoPrompt
            Indicates that the user receives no prompt in the web browser, which will likely result in a failed attempt or an access denied error. You
            shouldn't specify this parameter.
        .EXAMPLE
            $Code = Get-GoogleOAuth2Code -ClientId $Id -ClientSecret $Secret -Email -Scope ""
            Gets an authorization code for the user to be able to exchange it for a long-term access token with the ability to have
            read-only access to groups in GSuite through the Google Directory API.
        .NOTES
            AUTHOR: Michael Haken
            LAST UPDATE: 1/12/2018
    #>
    # NOTE(review): this listing is missing lines — the Param() wrapper, the ClientId/ClientSecret/Email/
    # NoPrompt/NoWebBrowser declarations, the `try {` that pairs with the catch blocks, braces and `else`
    # lines. Only the attribute lines of some parameters survive below.

        [Parameter(Mandatory = $true)]


        [ValidateSet("online", "offline")]
        [System.String]$AccessType = "offline",

        [ValidateSet("code", "token")]
        [System.String]$ResponseType = "code",



    DynamicParam {
        # Builds a mandatory -Scope parameter at runtime whose allowed values are $script:Scopes.
        $RuntimeParameterDictionary = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameterDictionary

        $AttributeCollection = New-Object -TypeName System.Collections.ObjectModel.Collection[System.Attribute]

        $ParameterAttribute = New-Object -TypeName System.Management.Automation.PARAMETERAttribute
        $ParameterAttribute.Mandatory = $true

        $ValidateSetAttribute = New-Object -TypeName System.Management.Automation.ValidateSetAttribute($script:Scopes)

        # NOTE(review): the $AttributeCollection.Add(...) calls for the two attributes above do not appear
        # in this listing; without them the Scope parameter would be neither mandatory nor validated.
        $RuntimeParameter = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameter("Scope", ([System.String[]]), $AttributeCollection)
        $RuntimeParameterDictionary.Add("Scope", $RuntimeParameter)

        return $RuntimeParameterDictionary

    Begin {
        # This redirect tells Google to display the authorization code in the web browser
        # NOTE(review): the out-of-band ("oob") redirect has since been deprecated by Google for new
        # clients; expect this flow to be rejected on current tenants — confirm before relying on it.
        [System.String]$Redirect = [System.Uri]::EscapeUriString("urn:ietf:wg:oauth:2.0:oob")

    Process {

        # NOTE(review): EscapeUriString leaves reserved characters such as '&', '=', '+' and '/' unescaped,
        # so a value containing them would corrupt the query string built below; EscapeDataString is the
        # escaper for individual query values. Same applies to $Scopes and $Email further down.
        $ClientId = [System.Uri]::EscapeUriString($ClientId)

        # Dynamic parameters are not bound to a local variable, so read it from $PSBoundParameters.
        [System.String[]]$Scope = Convert-GoogleApiScopes -Scopes $PSBoundParameters["Scope"]

        # NOTE(review): scopes are joined with ','; Google's authorization endpoint documents the scope
        # parameter as space-delimited — verify multi-scope requests actually succeed.
        [System.String]$Scopes = [System.Uri]::EscapeUriString($Scope -join ",")


        # Authorization URL. NOTE(review): the endpoint/"client_id=" prefix appears stripped from this listing,
        # and $StateVariable is never assigned in the visible lines. `state` is the CSRF protection of the
        # code flow: it should be an unguessable per-request value and compared against the state that comes
        # back with the code (the title parsed below carries it but it is discarded).
        [System.String]$OAuth = "$ClientId&redirect_uri=$Redirect&scope=$Scopes&access_type=$AccessType&include_granted_scopes=true&response_type=$ResponseType&state=$StateVariable"

        if ($NoPrompt)
            $OAuth += "&prompt=none"

        if (-not [System.String]::IsNullOrEmpty($Email))
            $OAuth += "&login_hint=$([System.Uri]::EscapeUriString($Email))"
            # Presumably the start of a `try {` block (see the catch blocks at the end of Process).
            $Code = ""

            # Get the redirect url
            # -MaximumRedirection 0 / -ErrorAction Ignore: capture the 30x response itself instead of following it.
            [Microsoft.PowerShell.Commands.WebResponseObject]$RedirectResponse = Invoke-WebRequest -Uri $OAuth -Method Get -MaximumRedirection 0 -ErrorAction Ignore -UserAgent PowerShell -UseBasicParsing
            Write-Verbose -Message "Response Code: $($RedirectResponse.StatusCode)"

            # If the response is a redirect, that's what we expect
            if ($RedirectResponse.StatusCode.ToString().StartsWith("30"))
                # Shadows the string $Redirect from Begin with the Location header as a [System.Uri].
                [System.Uri]$Redirect = $RedirectResponse.Headers.Location

                Write-Verbose -Message "Redirect location: $Redirect"

                # Headless path: incomplete — the warning below says it is unsupported, and $Org, $As and
                # $XSRF are never assigned in the visible lines. Treat it as dead code.
                if ($NoWebBrowser)
                        [System.Collections.Hashtable]$Query = @{}
                        # Remove leading "?"
                        $Redirect.Query.Substring(1) -split "&" | ForEach-Object {
                            $Parts = $_ -split "="
                            $Query.Add($Parts[0], $Parts[1])
                        # Get the first page, it could be an account selection page, a password entry page, or a the consent page
                        [Microsoft.PowerShell.Commands.HtmlWebResponseObject]$SignInResponse = Invoke-WebRequest -Uri $Redirect -Method Get
                        $SignInResponse.ParsedHtml.GetElementById("Email").value = $Query["Email"]
                        [Microsoft.PowerShell.Commands.HtmlWebResponseObject]$NextResponse = Invoke-WebRequest -Uri $SignInResponse.Forms[0].Action -Body $SignInResponse.Forms[0] -Method Post
                        $StateWrapper = $NextResponse.ParsedHtml.GetElementById("state_wrapper").value
                        $SignInUrl = "$Org&as=$As&pageId=none&xsrfsign=$XSRF"
                        [Microsoft.PowerShell.Commands.HtmlWebResponseObject]$CodeResponse = Invoke-WebRequest -Uri $NextResponse.Forms[0].Action -Method Post
                        # Title looks like:
                        # Success state=<state_var>&amp;code=<oauth_code>&amp;scope=<scope_var>
                        $Title = $CodeResponse.ParsedHtml.GetElementsByTagName("title") | Select-Object -First 1 -ExpandProperty text
                        $Code = ($Title -ireplace "&amp", "") -split ";" | Where-Object {$_ -ilike "code=*" } | Select-Object -First 1
                        $Code = ($Code -split "=")[1]

                    Write-Warning -Message "No browser option isn't supported yet."
                    # Interactive path (presumably the `else` of `if ($NoWebBrowser)`, wrapped in its own try/catch).
                    Write-Verbose -Message "Please open $Redirect in your browser"
                        # This will launch a web browser with the provided url
                        # `start` is presumably the Start-Process alias, so the URL is opened by the default handler.
                        & start $Redirect

                        # Block until the user pastes a non-empty code; there is no retry limit or cancel path.
                        while ([System.String]::IsNullOrEmpty($Code))
                            $Code = Read-Host -Prompt "Enter authorization code from web browser"
                    catch [Exception]
                        # Honour the caller's -ErrorAction: Stop rethrows, SilentlyContinue hides, otherwise warn.
                        if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                            Write-Error -Message "Could not open a web browser" -Exception $_.Exception -ErrorAction Stop
                        elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                            Write-Warning -Message "Could not open a web browser: $($_.Exception.Message)"
                            Write-Verbose -Message "[ERROR] : Could not open a web browser: $($_.Exception.Message)"

                # This is where we normally return
                Write-Output -InputObject $Code
                # Presumably the `else` of the 30x check: a non-redirect response is reported as an error.
                Write-Error -Message $RedirectResponse.RawContent
        catch [System.Net.WebException] 
            [System.Net.WebException]$Ex = $_.Exception
            [System.Net.HttpWebResponse]$Response = [System.Net.HttpWebResponse]($Ex.Response)
            # Read the HTTP body for the error message when the server answered at all.
            if ($Response -ne $null)
                [System.IO.Stream]$Stream = $Response.GetResponseStream()
                [System.IO.StreamReader]$Reader = New-Object -TypeName System.IO.StreamReader($Stream, [System.Text.Encoding]::UTF8)
                [System.String]$Content = $Reader.ReadToEnd()
                [System.Int32]$StatusCode = $Response.StatusCode.value__
                [System.String]$Message = "$StatusCode : $Content"
                # Presumably the `else` branch (no response, e.g. DNS/connection failure).
                $Message = $Ex.Message

            # NOTE(review): when $Response was null, $Content and $StatusCode are unset here, so the
            # HttpException below is built from empty values rather than $Message.
            if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                [System.Web.HttpException]$NewEx = New-Object -TypeName System.Web.HttpException($Content, $StatusCode)
                Write-Error -Exception $NewEx -Category NotSpecified -ErrorId $StatusCode
            elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                Write-Warning -Message $Message
                Write-Verbose -Message "[ERROR] : $Message"
        catch [Exception] 
            if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                Write-Error -Exception $_.Exception -ErrorAction Stop
            elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                Write-Warning -Message $_.Exception.Message
                Write-Verbose -Message "[ERROR] : $($_.Exception.Message)"

    End {

Function Convert-GoogleOAuth2Code {
    <#
        .SYNOPSIS
            Exchanges an OAuth2 code for an access token.
        .DESCRIPTION
            This cmdlet exchanges an OAuth2 code for an access token and refresh token that can used
            to authenticate a user to Google APIs.
        .PARAMETER Code
            The one-time use authorization code received from Google.
        .PARAMETER ClientId
            The provided ClientId.
        .PARAMETER ClientSecret
            The provided ClientSecret.
        .PARAMETER GrantType
            The type of token being exchanged, in this case always authorization_code.
        .PARAMETER ProfileLocation
            The location where stored credentials are located. If this is not specified, the default location will be used.
        .PARAMETER Persist
            Indicates that the retrieved access tokens and client secret will be persisted on disk in an encrypted
            format using the Windows DPAPI as well as the local in-memory cache (also encrypted).
        .EXAMPLE
            $Code = Get-GoogleOAuth2Code -ClientId $Id -ClientSecret $Secret
            Convert-GoogleOAuth2Code -Code $Code -ClientId $Id -ClientSecret $Secret -Persist
            This example retrieves an authorization code and then exchanges it for long term access and refresh tokens. The token data and client
            secret are persisted to disk in an encrypted format.
        .NOTES
            AUTHOR: Michael Haken
            LAST UPDATE: 1/17/2018
    #>
    # NOTE(review): the Param() wrapper, the Code/ClientId/ClientSecret/ProfileLocation/Persist declarations,
    # the `try {` that pairs with the catch blocks and the braces are missing from this listing.

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [System.String]$GrantType = "authorization_code",



    Begin {
        # Token endpoint. NOTE(review): the URL literal appears stripped from this listing.
        $Base = ""
        # Must match the redirect_uri used when the code was obtained (Get-GoogleOAuth2Code).
        $CodeRedirect = [System.Uri]::EscapeUriString("urn:ietf:wg:oauth:2.0:oob")

    Process {
        Write-Verbose -Message "Exchanging OAuth2 code for an access token."

        # NOTE(review): EscapeUriString does not escape '&', '=', '+' or '/', so a secret containing them
        # corrupts the query string (EscapeDataString is the per-value escaper). Also, because $ClientId and
        # $ClientSecret are overwritten in place, the *escaped* forms are what Set-GoogleOAuth2Profile stores
        # and Get-GoogleOAuth2Profile is keyed on further down.
        $Code = [System.Uri]::EscapeUriString($Code)
        $ClientId = [System.Uri]::EscapeUriString($ClientId)
        $ClientSecret = [System.Uri]::EscapeUriString($ClientSecret)
        # The -GrantType parameter is deliberately ignored; this exchange is always authorization_code.
        $GrantType = "authorization_code"

        # NOTE(review): the code and client secret travel in the URL query of a POST, where they can land in
        # verbose output, proxy logs and history; sending them as the form -Body keeps them out of the URL.
        $Url = "$Base`?code=$Code&client_id=$ClientId&client_secret=$ClientSecret&redirect_uri=$CodeRedirect&grant_type=$GrantType"

            [Microsoft.PowerShell.Commands.WebResponseObject]$Response = Invoke-WebRequest -Uri $Url -Method Post -UserAgent PowerShell -UseBasicParsing

            # NOTE(review): this writes the raw token response — access_token and refresh_token included —
            # to the verbose stream, so transcripts and -Verbose runs capture live credentials.
            Write-Verbose -Message $Response.Content

            [PSCustomObject]$Data = ConvertFrom-Json -InputObject $Response.Content

            # Update the cache and persisted data
            Set-GoogleOAuth2Profile -ClientId $ClientId -ClientSecret $ClientSecret -AccessToken $Data.access_token -RefreshToken $Data.refresh_token -ProfileLocation $ProfileLocation -Persist:$Persist
            # Re-read the stored profile so the caller gets the same shape Get-GoogleOAuth2Token returns.
            [System.Collections.Hashtable]$Token = Get-GoogleOAuth2Profile -ClientId $ClientId -ProfileLocation $ProfileLocation
            Write-Output -InputObject $Token
        catch [System.Net.WebException] 
            [System.Net.WebException]$Ex = $_.Exception
            [System.Net.HttpWebResponse]$Response = [System.Net.HttpWebResponse]($Ex.Response)
            # NOTE(review): unlike the equivalent handler in Get-GoogleOAuth2Code there is no null check on
            # $Ex.Response, so a connection-level failure (no HTTP response) throws a NullReferenceException here.
            [System.IO.Stream]$Stream = $Ex.Response.GetResponseStream()
            [System.IO.StreamReader]$Reader = New-Object -TypeName System.IO.StreamReader($Stream, [System.Text.Encoding]::UTF8)
            [System.String]$Content = $Reader.ReadToEnd()
            [System.Int32]$StatusCode = $Response.StatusCode.value__
            [System.String]$Message = "$StatusCode : $Content"

            # Honour the caller's -ErrorAction: Stop rethrows as an HttpException, SilentlyContinue hides, otherwise warn.
            if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                [System.Web.HttpException]$NewEx = New-Object -TypeName System.Web.HttpException($Content, $StatusCode)
                Write-Error -Exception $NewEx -Category NotSpecified -ErrorId $StatusCode
            elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                Write-Warning -Message $Message
                Write-Verbose -Message "[ERROR] : $Message"
        catch [Exception] 
            if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                Write-Error -Exception $_.Exception -ErrorAction Stop
            elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                Write-Warning -Message $_.Exception.Message
                Write-Verbose -Message "[ERROR] : $($_.Exception.Message)"

    End {


#region Tokens

Function Request-GoogleOAuth2Token {
    <#
        .SYNOPSIS
            Requests a token for the google OAuth2 service.
        .DESCRIPTION
            This cmdlet wraps multiple ways to retrieve an access token. It can process the following methods
            1) Requesting a new authorization code and exchaning it for a token
            2) Receiving a currently valid authorization code and exchanging it for a token
            3) Receive a refresh token and client secret and exchange for a new access token
            4) Use a cached or persisted profile indicated by the client id. If the profile has a current access token,
                it is returned, if not, if the profile contains means to refresh or renew the access token, it performs that
                action and returns the new token, otherwise an exception is thrown.
            5) Receiving a currently valid JWT produced from GCP service account credentials and exchanging it for a token.
        .PARAMETER ClientId
            The OAuth client id or service account email to get an access token for.
        .PARAMETER Code
            A valid authorization code to exchange for a set of tokens.
        .PARAMETER JWT
            A valid base64 url encoded JWT produced from GCP service account credentials to exchange for an access token.
        .PARAMETER ClientSecret
            The client secret to be used with an authorization code or refresh token.
        .PARAMETER RefreshToken
            The refresh token to use to request a new access token.
        .PARAMETER Persist
            Indicates that the newly retrieved token(s) or refreshed token and associated client data like client secret
            are persisted to disk.
        .PARAMETER ProfileLocation
            The location where stored credentials are located. If this is not specified, the default location will be used.
        .EXAMPLE
            Request-GoogleOAuth2Token -ClientId "" -ClientSecret $Secret -Persist
            This example initiates the process of retrieving an authorization code and exchaning it for an access token that is
            persisted to disk.
        .EXAMPLE
            Request-GoogleOAuth2Token -ClientId "" -RefreshToken $RToken -ClientSecret $Secret -Persist
            This example retrieves a new access token from a provided refresh token and client secret and persists the results to disk.
        .NOTES
            AUTHOR: Michael Haken
            LAST UPDATE: 1/12/2018
    #>
    # NOTE(review): the Param() wrapper, the parameter declarations under each attribute, braces and the
    # `else` in the "Default" case are missing from this listing. Parameter sets, from the attributes that
    # survive: Get (default), Default (interactive code flow), Code, RefreshFromToken, JWT.

    [CmdletBinding(DefaultParameterSetName = "Get")]
        # ClientId: required in every set.
        [Parameter(Mandatory = $true)]

        # Code
        [Parameter(Mandatory = $true, ParameterSetName = "Code")]

        # JWT
        [Parameter(Mandatory = $true, ParameterSetName = "JWT")]

        # ClientSecret: required whenever a code or refresh token is exchanged.
        [Parameter(Mandatory = $true, ParameterSetName = "Code")]
        [Parameter(Mandatory = $true, ParameterSetName = "Default")]
        [Parameter(Mandatory = $true, ParameterSetName = "RefreshFromToken")]

        # RefreshToken
        [Parameter(Mandatory = $true, ParameterSetName = "RefreshFromToken")]



    DynamicParam {
        # Builds a mandatory -Scope parameter (set "Default" only) whose allowed values are $script:Scopes.
        $RuntimeParameterDictionary = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameterDictionary

        $AttributeCollection = New-Object -TypeName System.Collections.ObjectModel.Collection[System.Attribute]

        $ParameterAttribute = New-Object -TypeName System.Management.Automation.PARAMETERAttribute
        $ParameterAttribute.Mandatory = $true
        $ParameterAttribute.ParameterSetName = "Default"

        $ValidateSetAttribute = New-Object -TypeName System.Management.Automation.ValidateSetAttribute($script:Scopes)

        # NOTE(review): the $AttributeCollection.Add(...) calls for the two attributes above do not appear in
        # this listing; without them -Scope is neither mandatory, nor validated, nor tied to the "Default" set.
        $RuntimeParameter = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameter("Scope", ([System.String[]]), $AttributeCollection)
        $RuntimeParameterDictionary.Add("Scope", $RuntimeParameter)

        return $RuntimeParameterDictionary

    Begin {

    Process {
        # Dispatch on the parameter set the caller selected.
        switch ($PSCmdlet.ParameterSetName)
            "Default" {
                [System.String[]]$Scope = $PSBoundParameters["Scope"]
                # NOTE(review): Get-GoogleOAuth2Code documents ClientSecret as one of its parameters and has a
                # mandatory parameter whose name is stripped here; if that is ClientSecret, this call prompts for it.
                $Temp = Get-GoogleOAuth2Code -ClientId $ClientId -Scope $Scope

                # `$null -eq $Temp` is the safer comparison form if $Temp could ever be an array.
                if ($Temp -eq $null)
                    throw "Could not get OAuth code."
                    # Presumably the `else` branch.
                    $Code = $Temp

                $Token = Convert-GoogleOAuth2Code -Code $Code -ClientId $ClientId -ClientSecret $ClientSecret -ProfileLocation $ProfileLocation -Persist:$Persist
                Write-Output -InputObject $Token
            "Code" {
                $Token = Convert-GoogleOAuth2Code -Code $Code -ClientId $ClientId -ClientSecret $ClientSecret -ProfileLocation $ProfileLocation -Persist:$Persist
                Write-Output -InputObject $Token
            "RefreshFromToken" {
                $Token = Update-GoogleOAuth2Token -ClientId $ClientId -RefreshToken $RefreshToken -ClientSecret $ClientSecret -ProfileLocation $ProfileLocation -Persist:$Persist
                Write-Output -InputObject $Token
            "Get" {
                # Specify stop for the error action so that an exception is thrown in case
                # the token can't be renewed/refreshed, i.e. the refresh token or client secret is missing
                $Token = Get-GoogleOAuth2Token -ClientId $ClientId -ProfileLocation $ProfileLocation -Persist:$Persist -ErrorAction Stop
                Write-Output -InputObject $Token
            "JWT" {
                $Token = Convert-GoogleOAuth2JWT -JWT $JWT -ClientId $ClientId -ProfileLocation $ProfileLocation -Persist:$Persist
                Write-Output -InputObject $Token
            default {
                # Unreachable unless a new parameter set is added without a case here.
                Write-Error -Message "Unknown parameter set $($PSCmdlet.ParameterSetName) for $($MyInvocation.MyCommand)." -ErrorAction Stop

    End {

Function Get-GoogleOAuth2Token {   
    <#
        .SYNOPSIS
            Retrieves a current access token from the in-memory cache or local disk.
        .DESCRIPTION
            This cmdlet retrieves the token set for the specified ClientId, either from the in-memory cache
            or the local disk if it is persisted. The access_token is analyzed to see if it is valid, and if not,
            it is automatically updated if a refresh token and client secret is present or if the client id
            specifies a service account profile, if the iss, scope, and client secret properties are present.
        .PARAMETER ClientId
            The key value the token set is stored as.
        .PARAMETER ProfileLocation
            The location where stored credentials are located. If this is not specified, the default location will be used.
        .PARAMETER Persist
            Specifies that if the access token needs to be refreshed during retrieval that the updated access token is persisted to disk.
        .EXAMPLE
            $Token = Get-GoogleOAuth2Token -ClientId $Id -Persist
            This example retrieves the stored tokens and client secret associated with the provided client Id and persists the updated
            access token if it needs to be refreshed.
        .NOTES
            AUTHOR: Michael Haken
            LAST UPDATE: 1/18/2018
    #>
    # NOTE(review): the Param() wrapper, the ClientId/ProfileLocation/Persist declarations, braces and every
    # `else` line are missing from this listing; the branch structure below is inferred from indentation.

        # ClientId: mandatory, accepts pipeline input (the declaration line is not in this listing).
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]



    Begin {

    Process {
        Write-Verbose -Message "Getting OAuth2 token from cache."

        # Profile hashtable keyed by the $script:* names declared at the top of the file, plus "type".
        [System.Collections.Hashtable]$Token = Get-GoogleOAuth2Profile -ClientId $ClientId -ProfileLocation $ProfileLocation

        # `$null -eq $Token` is the safer comparison form if the lookup could ever return an array.
        if ($Token -eq $null)
            Write-Error -Exception (New-Object -TypeName System.Collections.Generic.KeyNotFoundException("No stored tokens for profile $ClientId.")) -ErrorAction Stop

        # A client_secret is required up front, even for the access-token-only path below.
        if (-not $Token.ContainsKey($script:client_secret))
            Write-Error -Exception (New-Object -TypeName System.Collections.Generic.KeyNotFoundException("The stored token for profile $ClientId does not contain the required client_secret.")) -ErrorAction Stop

        Write-Verbose -Message "Cache contains profile information for $ClientId."

        # "client": OAuth client profile (code flow); "sa": service-account profile (JWT flow).
        switch ($Token["type"])
            "client" {
                # If the token contains an refresh token, we should check to see if we need to get
                # or renew the access token
                if ($Token.ContainsKey($script:refresh_token))
                    [System.Collections.Hashtable]$TokenToReturn = @{}

                    # If there's an access token and refresh token, let's make sure it's up to date
                    if ($Token.ContainsKey($script:access_token))
                        # Check the access token to see if it's expired, if it is, refresh, otherwise, return as is

                        # NOTE(review): with -ErrorAction SilentlyContinue, if the expiry check itself fails and emits
                        # nothing, the [System.Boolean] cast turns $null into $false and the token is treated as valid —
                        # the check fails open. Consider treating an errored check as expired (refresh is cheap here).
                        [System.Boolean]$Expired = Test-IsGoogleOAuth2TokenExpired -AccessToken $Token[$script:access_token] -ErrorAction SilentlyContinue

                        if ($Expired)
                            Write-Verbose -Message "The current access token is expired, getting a new one."
                            # This will update the cache and persisted data store if necessary
                            $TokenToReturn = Update-GoogleOAuth2Token -RefreshToken $Token[$script:refresh_token] -ClientId $ClientId -ClientSecret $Token[$script:client_secret] -Persist:$Persist
                            # Presumably the `else` branch of `if ($Expired)`.
                            Write-Verbose -Message "The current access token is valid."
                            # No need to do anything, use the token we found in the cache
                            $TokenToReturn = $Token
                        # The stored profile doesn't contain a current access_token, go ahead and request one with the
                        # refresh token
                        # Since there wasn't a persisted access_token, either on disk or in the cache, this will add that access_token to the
                        # cache so we can continue to use it later
                        $TokenToReturn = Update-GoogleOAuth2Token -RefreshToken $Token[$script:refresh_token] -ClientId $ClientId -ClientSecret $Token[$script:client_secret] -Persist:$Persist

                    Write-Output -InputObject $TokenToReturn
                elseif ($Token.ContainsKey($script:access_token))
                    # There's no refresh token, so just use this and hope it's not expired
                    # Here the expiry check is NOT silenced, so a failing check surfaces as an error instead of passing.
                    if (-not (Test-IsGoogleOAuth2TokenExpired -AccessToken $Token[$script:access_token]))
                        Write-Output -InputObject $Token
                        Write-Error -Message "The stored access token is expired and there is no refresh token available." -ErrorAction Stop
                    # This shouldn't happen since the cmdlet to modify the profile requires at least 1 token to be set, but
                    # best to check it anyways, might have been edited manually
                    Write-Verbose -Message "No stored tokens found for $ClientId, removing it from the cache and persisted data store."
                    # NOTE(review): the equivalent removal in the "sa" case passes -Force; this one does not — confirm which is intended.
                    Remove-GoogleOAuth2Profile -ClientId $ClientId -ProfileLocation $ProfileLocation

                    Write-Error -Message "No stored tokens for profile $ClientId." -ErrorAction Stop
            "sa" {
                if ($Token.ContainsKey($script:access_token))
                    # Same fail-open caveat as the "client" case: an errored check yields $false here.
                    [System.Boolean]$Expired = Test-IsGoogleOAuth2TokenExpired -AccessToken $Token[$script:access_token] -ErrorAction SilentlyContinue

                    if ($Expired)
                        Write-Verbose -Message "The current access token is expired, getting a new one."

                        # Renewal needs the JWT inputs: scope, issuer and the signing secret.
                        if ($Token.ContainsKey($script:scope) -and $Token.ContainsKey($script:iss) -and $Token.ContainsKey($script:client_secret))
                            [System.Collections.Hashtable]$JWTSplat = @{}
                            # Optional claims are splatted only when present in the profile.
                            if ($Token.Contains($script:sub) -and -not [System.String]::IsNullOrEmpty($Token[$script:sub]))
                                $JWTSplat.Add("Subject", $Token[$script:sub])

                            if ($Token.Contains($script:validity))
                                $JWTSplat.Add("ValidityInSeconds", $Token[$script:validity])

                            [System.String]$NewJWT = New-GoogleServiceAccountJWT -ClientSecret $Token[$script:client_secret] -Issuer $Token[$script:iss] -Scope $Token[$script:scope] @JWTSplat
                            [System.Collections.Hashtable]$TokenFromJWT = Convert-GoogleOAuth2JWT -JWT $NewJWT -ClientId $ClientId -ProfileLocation $ProfileLocation -Persist:$Persist
                            Write-Output -InputObject $TokenFromJWT
                            # Presumably the `else` branch: profile cannot be renewed.
                            Write-Error -Exception (New-Object -TypeName System.NotSupportedException("The stored profile does not have the required attributes to renew the expired access token for $ClientId.")) -ErrorAction Stop  
                        # Presumably the `else` of `if ($Expired)`: return the cached token as is.
                        Write-Output -InputObject $Token
                    # Presumably the `else` of the access_token check: mint a first token from the JWT inputs.
                    Write-Verbose "No stored access token for $ClientId"
                    if ($Token.ContainsKey($script:scope) -and $Token.ContainsKey($script:iss) -and $Token.ContainsKey($script:client_secret))
                        [System.Collections.Hashtable]$JWTSplat = @{}
                        if ($Token.Contains($script:sub) -and -not [System.String]::IsNullOrEmpty($Token[$script:sub]))
                            $JWTSplat.Add("Subject", $Token[$script:sub])

                        # NOTE(review): unlike the renewal branch above, the stored "validity" value is not splatted here — confirm whether that is intended.
                        [System.String]$NewJWT = New-GoogleServiceAccountJWT -ClientSecret $Token[$script:client_secret] -Issuer $Token[$script:iss] -Scope $Token[$script:scope] @JWTSplat
                        [System.Collections.Hashtable]$TokenFromJWT = Convert-GoogleOAuth2JWT -JWT $NewJWT -ClientId $ClientId -ProfileLocation $ProfileLocation -Persist:$Persist
                        Write-Output -InputObject $TokenFromJWT
                        # Presumably the `else` branch: nothing usable is stored, so drop the profile (no error is raised here, unlike the "client" case).
                        Write-Verbose -Message "No stored tokens or jwt properties found for $ClientId, removing it from the cache and persisted data store."
                        Remove-GoogleOAuth2Profile -ClientId $ClientId -ProfileLocation $ProfileLocation -Force


    End {

Function Update-GoogleOAuth2Token {
            Refreshes a Google OAuth2 access token that was retrieved with an authorization code.
            This cmdlet refreshes a Google OAuth2 access token. The access token should have been retrieved through an
            access code exchange and is refreshed with an associated refresh token. The refresh token can either be supplied
            as a parameter or can be stored in a cached or persisted profile.
            The updated token data is returned to pipeline regardless if the data is persisted or not. If the data is not persisted,
            the cache is still updated so the same session can access the new tokens.
        .PARAMETER RefreshToken
            The refresh token returned during the initial authorization code exchange. This token is passed to the Google OAuth
            API to retrieve a new access token.
        .PARAMETER ClientId
            The client id associated with the refresh token or that indicates the stored profile to use that contains a persisted
            refresh token.
        .PARAMETER ClientSecret
            The client secret to pass with refresh request.
        .PARAMETER GrantType
            The grant type for the refresh, this must be refresh_token, and is the only allowed, and default value, for this
            cmdlet.
        .PARAMETER ProfileLocation
            The location where stored credentials are located. If this is not specified, the default location will be used.
        .PARAMETER Persist
            Specifies that the updated access token will be persisted to disk. If this is specified when RefreshToken and ClientSecret
            are specified, they are also persisted to disk.
            Update-GoogleOAuth2Token -ClientId "" -Persist
            This updates the access token for the specified cached or stored profile. The renewed access token is persisted to disk. The
            profile indicated by the client id must have a refresh_token and client_secret stored in the profile, otherwise an exception
            is thrown.
            Update-GoogleOAuth2Token -ClientId "" `
                -RefreshToken $RToken `
                -ClientSecret $Secret `
            In this example, the access token is refreshed with the specified parameters and nothing from the cache or persisted
            profile store is used. However, the updated access token, refresh token, and client secret are persisted upon a
            successful request.
            AUTHOR: Michael Haken
            LAST UPDATE: 1/27/2018

    [CmdletBinding(DefaultParameterSetName = "Stored")]
        [Parameter(Mandatory = $true, ParameterSetName = "Token")]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true, ParameterSetName = "Token")]

        [Parameter(DontShow = $true)]
        [System.String]$GrantType = "refresh_token",



    Begin {
        # OAuth2 token endpoint; the literal URL is not visible in this copy of the file.
        [System.String]$Base = ""

    Process {
        Write-Verbose -Message "Updating the OAuth2 token for $ClientId."

        switch ($PSCmdlet.ParameterSetName)
            "Stored" {
                # Use currently stored or cached tokens
                $TokenData = Get-GoogleOAuth2Profile -ClientId $ClientId -ProfileLocation $ProfileLocation

                # The profile is only refreshable if it holds both a refresh token and the client secret.
                if ($TokenData.ContainsKey($script:refresh_token) -and $TokenData.ContainsKey($script:client_secret))
                    $ClientSecret = $TokenData[$script:client_secret]
                    $RefreshToken = $TokenData[$script:refresh_token]
                    # Presumably the else branch of the check above (brace not visible here): a profile without
                    # both values cannot be refreshed, so this is a terminating error.
                    Write-Error -Exception (New-Object -TypeName System.Collections.Generic.KeyNotFoundException("The specified profile $ClientId does not contain a refresh token and/or a client secret and cannot be refreshed.")) -ErrorAction Stop

            "Token" {
                # Do nothing
            default {
                Write-Error -Message "Unknown parameter set name $($PSCmdlet.ParameterSetName)." -ErrorAction Stop

        # NOTE(review): these two assignments overwrite $ClientSecret and $ClientId with their URI-escaped forms, and the
        # escaped values are what Set-GoogleOAuth2Profile receives further down. A secret or id containing characters that
        # EscapeUriString rewrites would therefore be stored escaped, under an escaped profile key. Escaping into separate
        # variables avoids that. EscapeUriString also leaves '&' and '=' untouched (it is meant for whole URIs); for query
        # values EscapeDataString is the appropriate call, and RefreshToken/GrantType are not escaped at all.
        $ClientSecret = [System.Uri]::EscapeUriString($ClientSecret)
        $ClientId = [System.Uri]::EscapeUriString($ClientId)

        # NOTE(review): client_secret and refresh_token are placed in the query string of a POST. Query strings are routinely
        # recorded by proxies, web server logs and PowerShell transcripts; the token endpoint takes these same fields as an
        # application/x-www-form-urlencoded body (-Body), which keeps the credentials out of the URL.
        [System.String]$Url = "$Base`?client_id=$ClientId&client_secret=$ClientSecret&refresh_token=$RefreshToken&grant_type=$GrantType"

            [Microsoft.PowerShell.Commands.WebResponseObject]$Response = Invoke-WebRequest -Uri $Url -Method Post -UserAgent PowerShell -UseBasicParsing

            if ($Response.StatusCode -eq 200)
                # The request was successful, convert the JSON response data
                [PSCustomObject]$Token = (ConvertFrom-Json -InputObject $Response.Content)

                # Update the local cache with the updated access token, and also possibly the refresh token if it wasn't stored originally
                # with the profile, or the profile may not have existed at all
                Set-GoogleOAuth2Profile -AccessToken $Token.access_token -RefreshToken $RefreshToken -ClientSecret $ClientSecret -ClientId $ClientId -ProfileLocation $ProfileLocation -Persist:$Persist

                # Create the hash table with the returned token
                [System.Collections.Hashtable]$Temp = @{}

                foreach ($Property in ($Token | Get-Member -MemberType Properties | Select-Object -ExpandProperty Name))
                    $Temp.Add($Property, $Token.$Property)

                Write-Output -InputObject $Temp
                # Non-200 response (else branch of the status check; brace not visible here). The raw response body is
                # surfaced in the error/warning text, so it may contain whatever the endpoint echoed back.
                if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                    Write-Error -Message "There was a problem refreshing the token: $($Response.Content)" -ErrorAction Stop
                elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                    Write-Warning -Message "There was a problem refreshing the token: $($Response.Content)"
                    Write-Verbose -Message "[ERROR] : There was a problem refreshing the token: $($Response.Content)"
        catch [System.Net.WebException] 
            [System.Net.WebException]$Ex = $_.Exception
            # NOTE(review): $Ex.Response is null when no HTTP response was received (name resolution, connection or TLS
            # failure). The GetResponseStream() call below then throws a NullReferenceException from inside the catch and
            # hides the original WebException; guard with `if ($Ex.Response -ne $null)`. Neither $Stream nor $Reader is
            # disposed in the lines visible here.
            [System.Net.HttpWebResponse]$Response = [System.Net.HttpWebResponse]($Ex.Response)
            [System.IO.Stream]$Stream = $Ex.Response.GetResponseStream()
            [System.IO.StreamReader]$Reader = New-Object -TypeName System.IO.StreamReader($Stream, [System.Text.Encoding]::UTF8)
            [System.String]$Content = $Reader.ReadToEnd()
            [System.Int32]$StatusCode = $Response.StatusCode.value__
            [System.String]$Message = "$StatusCode : $Content"

            if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                [System.Web.HttpException]$NewEx = New-Object -TypeName System.Web.HttpException($Content, $StatusCode)
                Write-Error -Exception $NewEx -Category NotSpecified -ErrorId $StatusCode
            elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                Write-Warning -Message $Message
                Write-Verbose -Message "[ERROR] : $Message"
        catch [Exception] 
            if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                Write-Error -Exception $_.Exception -ErrorAction Stop
            elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                Write-Warning -Message $_.Exception.Message
                Write-Verbose -Message "[ERROR] : $($_.Exception.Message)"

    End {


#region JWT

Function Convert-GoogleOAuth2JWT {
            Converts a GCP service account JWT for an access token.
            This cmdlet takes a constructed JWT generated from a GCP Service Account credentials and exchanges
            it for an access token which can be used to authorize subsequent calls to Google APIs.
            The base64url encoded JWT generated from the GCP service account credentials.
        .PARAMETER ClientId
            The service account email address.
        .PARAMETER ProfileLocation
            The location where stored credentials are located. If this is not specified, the default location will be used.
        .PARAMETER Persist
            Indicates that the retrieved access token will be persisted on disk in an encrypted
            format using the Windows DPAPI as well as the local in-memory cache (also encrypted).
            $Token = Convert-GoogleOAuth2JWT -JWT $JWT -ClientId ""
            Converts the constructed JWT to a token object whose access token can be used to call other APIs.
            AUTHOR: Michael Haken
            LAST UPDATE: 1/27/2018

        [Parameter(Mandatory = $true)]
            # Shape check only (header.claims.signature); looks like the body of a ValidateScript whose
            # wrapper is not visible in this copy. The signature itself is verified by Google, not here.
            $_.Split(".").Length -eq 3

        [Parameter(Mandatory = $true)]



    Begin {
        # OAuth2 token endpoint; the literal URL is not visible in this copy of the file.
        $BaseUrl = ""

    Process {
        # JWT bearer grant (RFC 7523).
        $GrantType = [System.Uri]::EscapeUriString("urn:ietf:params:oauth:grant-type:jwt-bearer")
        [System.String[]]$JWTParts = $JWT.Split(".")
        # Make sure these are escaped if they weren't already
        # Invoke-Base64UrlEscape is a module helper not visible here; TODO confirm it is a no-op on already-escaped input.
        for ($i = 0; $i -lt $JWTParts.Length; $i++)
            $JWTParts[$i] = Invoke-Base64UrlEscape -InputObject $JWTParts[$i]

        $Assertion = $JWTParts -join "."

        $Body = "grant_type=$GrantType&assertion=$Assertion"

        try {
            # NOTE(review): this writes the complete signed assertion to the verbose stream. The assertion is a bearer
            # credential, so with -Verbose on it ends up in transcripts and CI logs; log the grant_type alone, or a
            # truncated form of the assertion, instead.
            Write-Verbose -Message "POST Body: $Body"
            # The assertion is sent in the request body (not the URL), and -ErrorAction Stop routes HTTP failures to the catch blocks.
            [Microsoft.PowerShell.Commands.WebResponseObject]$Response = Invoke-WebRequest -Uri $BaseUrl -Method Post -Body $Body -ErrorAction Stop -UserAgent PowerShell -UseBasicParsing

            [PSCustomObject]$Token = ConvertFrom-Json -InputObject ($Response.Content)

            # Copy every property of the JSON response into a hashtable so callers can index it by key.
            [System.Collections.Hashtable]$TokenHashtable = @{}

            foreach ($Item in (Get-Member -InputObject $Token -MemberType Properties | Select-Object -ExpandProperty Name))
                $TokenHashtable.Add($Item, $Token.$Item)

            # Cache (and optionally persist) the new access token under the service account's profile.
            Set-GoogleOAuth2Profile -ServiceAccountEmail $ClientId -AccessToken $TokenHashtable[$script:access_token] -ProfileLocation $ProfileLocation -Persist:$Persist

            Write-Output -InputObject $TokenHashtable
        catch [System.Net.WebException] 
            [System.Net.WebException]$Ex = $_.Exception
            # NOTE(review): $Ex.Response is null when no HTTP response was received (name resolution, connection or TLS
            # failure); GetResponseStream() then throws from inside the catch and masks the original error. Guard with
            # `if ($Ex.Response -ne $null)`. $Stream and $Reader are not disposed in the lines visible here.
            [System.Net.HttpWebResponse]$Response = [System.Net.HttpWebResponse]($Ex.Response)
            [System.IO.Stream]$Stream = $Ex.Response.GetResponseStream()
            [System.IO.StreamReader]$Reader = New-Object -TypeName System.IO.StreamReader($Stream, [System.Text.Encoding]::UTF8)
            [System.String]$Content = $Reader.ReadToEnd()
            [System.Int32]$StatusCode = $Response.StatusCode.value__
            [System.String]$Message = "$StatusCode : $Content"

            if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                [System.Web.HttpException]$NewEx = New-Object -TypeName System.Web.HttpException($Content, $StatusCode)
                Write-Error -Exception $NewEx -Category NotSpecified -ErrorId $StatusCode
            elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                Write-Warning -Message $Message
                Write-Verbose -Message "[ERROR] : $Message"
        catch [Exception] 
            if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                Write-Error -Exception $_.Exception -ErrorAction Stop
            elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                Write-Warning -Message $_.Exception.Message
                Write-Verbose -Message "[ERROR] $($_.Exception.Message)"

    End {

Function New-GoogleServiceAccountJWT {
            Creates a new JWT from a Google service account.
            This cmdlet creates a new JWT from Google service account credentials. The JWT can be used to gain
            an access token for subsequent API calls.
            The outputted JWT is a base64 url encoded string.
        .PARAMETER ClientSecret
            The RSA private key in PEM format associated with the service account.
        .PARAMETER Issuer
            The service account email address.
        .PARAMETER Audience
            The URL the JWT is sent to for exchange for an access token. You do not need to specify
            this parameter.
        .PARAMETER ValidityInSeconds
            The number of seconds between 1 and 3600 that the JWT (and subsequent access token) is valid.
        .PARAMETER Subject
            The email address of the user for which the application is requesting delegated access.
        .PARAMETER Scope
            A set of API scopes that the service account is requesting permission for.
            $JWT = New-GoogleServiceAccountJWT -ClientSecret $ClientSecret -Issuer $ClientId -Scope $Scopes -Subject $Email
            Creates a new JWT from the service account credentials that is used to get an access token.
            AUTHOR: Michael Haken
            LAST UPDATE: 1/27/2018

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        # Default aud claim (token endpoint); the literal value is not visible in this copy of the file.
        [System.String]$Audience = "",

        # Hard upper bound on the lifetime of the assertion (and the exp claim derived from it).
        [ValidateRange(1, 3600)]
        [System.Int32]$ValidityInSeconds = 3600,


    # Scope is declared dynamically so its ValidateSet can be built from the module-level $script:Scopes list.
    DynamicParam {
        $RuntimeParameterDictionary = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameterDictionary

        $AttributeCollection = New-Object -TypeName System.Collections.ObjectModel.Collection[System.Attribute]

        $ParameterAttribute = New-Object -TypeName System.Management.Automation.PARAMETERAttribute
        $ParameterAttribute.Mandatory = $true

        $ValidateSetAttribute = New-Object -TypeName System.Management.Automation.ValidateSetAttribute($script:Scopes)

        # NOTE(review): in the lines visible here neither $ParameterAttribute nor $ValidateSetAttribute is added to
        # $AttributeCollection before the parameter is created. If the two .Add calls were not simply lost in extraction,
        # Scope is neither mandatory nor restricted to $script:Scopes — confirm against the full source.
        $RuntimeParameter = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameter("Scope", ([System.String[]]), $AttributeCollection)
        $RuntimeParameterDictionary.Add("Scope", $RuntimeParameter)

        return $RuntimeParameterDictionary

    Begin {
        # Fixed JOSE header {"alg":"RS256","typ":"JWT"}; its base64url form is shown below.
        # eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9
        [System.String]$JWTHeader = ConvertTo-Base64UrlEncoding -InputObject (ConvertTo-Json -InputObject @{"alg" = "RS256"; "typ" = "JWT"} -Compress)

    Process {
        # Expand short scope names to their full URIs (see Convert-GoogleApiScopes).
        [System.String[]]$Scope = Convert-GoogleApiScopes -Scopes $PSBoundParameters["Scope"]

        # iat/exp are NumericDate claims: whole seconds since the Unix epoch, computed from UTC.
        [System.Int64]$Now = ([System.TimeSpan](([System.DateTime]::UtcNow) - (New-Object -TypeName System.DateTime(1970, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc)))).TotalSeconds

        # Claim set; scopes are space-delimited per the OAuth2 scope syntax, and exp is bounded by ValidityInSeconds' ValidateRange.
        [System.Collections.Hashtable]$JWT = @{ $script:iss = $Issuer; $script:scope = $Scope -join " "; "aud" = $Audience; "iat" = $Now; "exp" = $Now + $ValidityInSeconds}
        # sub is only emitted when a delegated user was requested (see the Subject help above).
        if ($PSBoundParameters.ContainsKey("Subject") -and -not [System.String]::IsNullOrEmpty($Subject))
           $JWT.Add($script:sub, $Subject)

        $JWTClaimSet = ConvertTo-Base64UrlEncoding -InputObject (ConvertTo-Json -InputObject $JWT -Compress)

        # JWS signing input is the ASCII "header.claims" string.
        [System.Byte[]]$SigningData = [System.Text.Encoding]::UTF8.GetBytes("$JWTHeader.$JWTClaimSet")

        # RS256 == RSASSA-PKCS1-v1_5 over SHA-256, matching the alg in the header. ConvertFrom-PEM is a module helper
        # not visible here. The private key arrives and is held as a plain .NET string; nothing here clears it afterwards.
        [System.Security.Cryptography.RSACryptoServiceProvider]$RSA = ConvertFrom-PEM -PEM $ClientSecret
        [System.Byte[]]$Sig = $RSA.SignData($SigningData, [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

        [System.String]$JWTSignature = ConvertTo-Base64UrlEncoding -Bytes $Sig

        # Compact JWS serialization: header.claims.signature
        Write-Output -InputObject "$JWTHeader.$JWTClaimSet.$JWTSignature"

    End {


#region TokenInfo
Function Test-IsGoogleOAuth2TokenExpired {
            Tests whether the provided token or token in a stored profile is expired.
            This cmdlet tests a provided access token or an access token stored in a client profile to
            see whether it has expired.
            The cmdlet will by default return true if the ClientId does not exist or does not contain an access_token property. To throw
            an exception in these cases use -ErrorAction Stop.
        .PARAMETER AccessToken
            The token to test.
        .PARAMETER ClientId
            The id of the profile containing the access token to test. If the client profile does not
            contain an access token, this will return true, unless the ErrorActionPreference is set to
            stop, in which case an exception is thrown.
        .PARAMETER Buffer
            The number of seconds to buffer against the actual expiration. This defaults to 60, and can be between 1 and 60.
            For example, if the buffer is set to 30, and the token expires in 25 seconds from now, the cmdlet would report
            true for being expired. This helps ensure a token doesn't expire mid-request and isn't refreshed before being used.
        .PARAMETER ProfileLocation
            The location where stored credentials are located. If this is not specified, the default location will be used.
            $Expired = Test-IsGoogleOAuth2TokenExpired -AccessToken $Token
            Tests whether the token contained in the $Token variable is expired
                $Expired = Test-IsGoogleOAuth2TokenExpired -ClientId $Id -ErrorAction Stop
            catch [Exception]
                Write-Host $_.Exception.Message
            This example attempts to test the access token stored with the profile identified by $Id. If the profile
            is not found, or the profile doesn't contain an access token, an exception is thrown and caught in the
            catch statement.
            AUTHOR: Michael Haken
            LAST UPDATE: 1/27/2018

        [Parameter(Mandatory = $true, ParameterSetName = "Token")]
        [System.String]$AccessToken = [System.String]::Empty,

        [Parameter(Mandatory = $true, ParameterSetName = "ClientId")]


        [ValidateRange(1, 60)]
        [System.Int32]$Buffer = 60

    Begin {

    Process {
        switch ($PSCmdlet.ParameterSetName)
            "ClientId" {
                # Resolve the profile and pull its (decrypted) access token.
                [System.Collections.Hashtable]$Token = Get-GoogleOAuth2Profile -ClientId $ClientId -ProfileLocation $ProfileLocation

                if (-not $Token.ContainsKey($script:access_token))
                    # This will end processing
                    if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                        Write-Error -Exception (New-Object -TypeName System.Collections.Generic.KeyNotFoundException("There was no access token to verify for $ClientId.")) -ErrorAction Stop
                    elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                        Write-Warning -Message "There was no access token to verify for $ClientId."
                        Write-Verbose -Message "[ERROR] : There was no access token to verify for $ClientId."
                    # Presumably the else branch of the ContainsKey check (brace not visible here).
                    $AccessToken = $Token[$script:access_token]

            "Token" {
                # Do nothing
            default {
                throw "Unknown parameter set $($PSCmdlet.ParameterSetName) for $($MyInvocation.MyCommand)."

        # This will only be null or empty if the stored item was empty
        if (-not [System.String]::IsNullOrEmpty($AccessToken))
                # Ask the tokeninfo endpoint for the token's exp claim; -ErrorAction Stop sends any failure to the catch below.
                [PSCustomObject]$TokenDetails = Get-GoogleOAuth2TokenInfo -AccessToken $AccessToken -ErrorAction Stop

                # exp is a Unix timestamp in seconds (see the Get-GoogleOAuth2TokenInfo help).
                [System.Int64]$Exp = $TokenDetails.exp

                [System.DateTime]$Epoch = New-Object -TypeName System.DateTime(1970, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
                [System.DateTime]$Expiration = $Epoch.AddSeconds($Exp)

                Write-Verbose -Message "The supplied access token expires $($Expiration.ToString("yyyy-MM-ddTHH:mm:ssZ"))."

                [System.DateTime]$Now = [System.DateTime]::UtcNow

                $ExpiredWithoutBuffer = $Now -gt $Expiration

                # NOTE(review): the buffer is applied in the wrong direction. AddSeconds($Buffer) moves the cutoff *later*,
                # so a token that expires 25 s from now with a 30 s buffer is reported as NOT expired — the opposite of the
                # .PARAMETER Buffer help above — and because now > exp+buffer implies now > exp, the "within the buffer"
                # verbose branch below can never run. The intended check is `$Now -gt $Expiration.AddSeconds(-$Buffer)`.
                # ($now and $Now are the same variable; PowerShell variable names are case-insensitive.)
                $ExpiredWithBuffer = $now -gt $Expiration.AddSeconds($Buffer)

                if (-not $ExpiredWithoutBuffer -and $ExpiredWithBuffer)
                    Write-Verbose -Message "Although the access token is not actually expired, it is within the specified buffer of expiration, so should be refreshed."

                Write-Output -InputObject $ExpiredWithBuffer
            catch [Exception]
                if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                    Write-Error -Exception $_.Exception -ErrorAction Stop
                elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                    Write-Warning -Message $_.Exception.Message
                    Write-Verbose -Message $_.Exception.Message
                # Fail closed: if the token could not be inspected it is treated as expired.
                Write-Output -InputObject $true
            # Else branch of the IsNullOrEmpty check (brace not visible here): an empty stored token.
            if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                Write-Error -Exception (New-Object -TypeName System.NullReferenceException("The access_token property for $ClientId was null or empty.")) -ErrorAction Stop
                Write-Verbose -Message "There was no stored access token, returning true by default."
                Write-Output -InputObject $true

    End {

Function Get-GoogleOAuth2TokenInfo {
            Retrieves information about an issued access token
            This cmdlet retrieves information about the access token provided or contained in the client
            profile. The information includes the following details:
            azp : # The ClientId
            aud : # The ClientId
            scope : # The requested scope in the auth code
            exp : 1515792549 # Expiration represented by seconds past the epoch (unix timestamp)
            expires_in : 3599 # Seconds from now the token expires in
            access_type : offline # The originally requested access type
        .PARAMETER ClientId
            The id of the profile to get info on. The access token stored in that profile is the one described.
        .PARAMETER AccessToken
            The token to retrieve details about.
        .PARAMETER ProfileLocation
            The location where stored credentials are located. If this is not specified, the default location will be used.
            $Details = Get-GoogleOAuth2TokenInfo -ClientId $Id
            Gets details on the access token stored with key $Id.
            AUTHOR: Michael Haken
            LAST UPDATE: 1/27/2018

        [Parameter(Mandatory = $true, ParameterSetName = "ClientId")]

        [Parameter(Mandatory = $true, ParameterSetName = "Token")]


    Begin {
        # tokeninfo endpoint; the literal URL is not visible in this copy of the file.
        $Base = ""

    Process {

        switch ($PSCmdlet.ParameterSetName)
            "ClientId" {
                # Resolve the profile and pull its (decrypted) access token.
                [System.Collections.Hashtable]$Token = Get-GoogleOAuth2Profile -ClientId $ClientId -ProfileLocation $ProfileLocation

                if (-not $Token.ContainsKey($script:access_token))
                    Write-Error -Exception (New-Object -TypeName System.NullReferenceException("There was no access token to verify for $ClientId.")) -ErrorAction Stop
                    # Presumably the else branch of the ContainsKey check (brace not visible here).
                    $AccessToken = $Token[$script:access_token]

            "Token" {
                # Do nothing
            default {
                throw "Unknown parameter set $($PSCmdlet.ParameterSetName)."

        # NOTE(review): the live bearer token is placed in the query string (and not URI-escaped). URLs are commonly
        # recorded by proxies, server logs and transcripts; if the endpoint accepts a form body, sending
        # `-Body "access_token=..."` with the POST keeps the token out of the URL.
        $Url = "$Base`?access_token=$AccessToken"

            [Microsoft.PowerShell.Commands.WebResponseObject]$Response = Invoke-WebRequest -Method Post -Uri $Url -UserAgent PowerShell -UseBasicParsing

            [PSCustomObject]$Data = ConvertFrom-Json -InputObject $Response.Content

            # Copy every property of the JSON response into a hashtable so callers can index it by key.
            [System.Collections.Hashtable]$Temp = @{}

            foreach ($Property in ($Data | Get-Member -MemberType Properties | Select-Object -ExpandProperty Name))
                $Temp.Add($Property, $Data.$Property)

            Write-Output -InputObject $Temp
        catch [System.Net.WebException] 
            [System.Net.WebException]$Ex = $_.Exception
            # NOTE(review): $Ex.Response is null when no HTTP response was received (name resolution, connection or TLS
            # failure); GetResponseStream() then throws from inside the catch and masks the original error. Guard with
            # `if ($Ex.Response -ne $null)`. $Stream and $Reader are not disposed in the lines visible here.
            [System.Net.HttpWebResponse]$Response = [System.Net.HttpWebResponse]($Ex.Response)
            [System.IO.Stream]$Stream = $Ex.Response.GetResponseStream()
            [System.IO.StreamReader]$Reader = New-Object -TypeName System.IO.StreamReader($Stream, [System.Text.Encoding]::UTF8)
            [System.String]$Content = $Reader.ReadToEnd()
            [System.Int32]$StatusCode = $Response.StatusCode.value__
            [System.String]$Message = "$StatusCode : $Content"

            if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                [System.Web.HttpException]$NewEx = New-Object -TypeName System.Web.HttpException($Content, $StatusCode)
                Write-Error -Exception $NewEx -Category NotSpecified -ErrorId $StatusCode
            elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                Write-Warning -Message $Message
                Write-Verbose -Message "[ERROR] : $Message"
        catch [Exception] 
            if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                Write-Error -Exception $_.Exception -ErrorAction Stop
            elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                Write-Warning -Message $_.Exception.Message
                Write-Verbose -Message "[ERROR] : $($_.Exception.Message)"

    End {


#region Profile

Function Get-GoogleOAuth2Profile {
            Retrieves details about a cached profile or lists all available profiles.
            This cmdlet gets the tokens associated with a specific profile or lists all available profiles. Because the token data is encrypted
            using the Windows DPAPI, only token data that was stored by the current user can be successfully decrypted.
            If a specified ClientId is not found in the cache, persisted credentials are synced from disk into the cache and then it is checked again.
            If a ClientId is not specified, the cache is synced from disk and then all Ids found in the cache are returned.
            This cmdlet will only throw an exception if a ClientId is specified and not found and -ErrorAction is set to Stop, otherwise, the cmdlet
            will return null.
        .PARAMETER ClientId
            The Id of the stored profile to retrieve. If this is not specified, a list of cached profiles is returned.
        .PARAMETER ProfileLocation
            The location where stored credentials are located. If this is not specified, the default location will be used.
            $Profiles = Get-GoogleOAuth2Profile
            Retrieves a list of profiles cached on the system
            $TokenData = Get-GoogleOAuth2Profile -ClientId $Id
            Gets the unencrypted token data associated with the profile stored with Id $Id. If $Id is not found, $TokenData will be $null.
            System.Collections.Hashtable or System.String[]
            AUTHOR: Michael Haken
            LAST UPDATE: 1/17/2018

    [OutputType([System.Collections.Hashtable], [System.String[]])]
        [Parameter(ValueFromPipeline = $true)]


    Begin {
        # Local helper: decrypts a SecureString back to a plain .NET string via an unmanaged copy.
        Function Convert-SecureStringToString {
                [Parameter(Position = 0, ValueFromPipeline = $true, Mandatory = $true)]

            Begin {


            Process {
                [System.String]$PlainText = [System.String]::Empty
                [System.IntPtr]$IntPtr = [System.IntPtr]::Zero

                    # SecureStringToGlobalAllocUnicode allocates an unmanaged UTF-16 copy that must be released with
                    # Marshal.ZeroFreeGlobalAllocUnicode in a finally block. The try/finally and the free call are
                    # not visible in this copy of the file — confirm they exist; the IntPtr check below looks like the
                    # guard in front of that free.
                    $IntPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($SecureString)     
                    $PlainText = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($IntPtr)   
                    if ($IntPtr -ne $null -and $IntPtr -ne [System.IntPtr]::Zero) 

                Write-Output -InputObject $PlainText

            End {


        # Fall back to the module-level default profile path.
        if ([System.String]::IsNullOrEmpty($ProfileLocation)) 
            $ProfileLocation = $script:ProfileLocation

        # If the client specified a specific client id, look for its data
        if ($PSBoundParameters.ContainsKey("ClientId"))
            # If the cache doesn't have the client id, sync the persisted data
            if (-not $script:OAuthTokens.ContainsKey($ClientId))
                Sync-GoogleOAuth2ProfileCache -ProfileLocation $ProfileLocation

            # Check again to see if syncing the persisted data loaded it
            if ($script:OAuthTokens.ContainsKey($ClientId))
                [System.Collections.Hashtable]$Temp = @{}

                # Need to call GetEnumerator() on a Hastable to iterate its entries
                foreach ($Property in $script:OAuthTokens[$ClientId].GetEnumerator())
                    # Properties listed in $script:EncryptedProperties are cached as ConvertFrom-SecureString output
                    # (DPAPI-protected for the current user) and are decrypted here; all other properties are stored
                    # and returned as-is. The second Add is presumably the else branch (brace not visible here).
                    # The returned hashtable therefore holds plaintext secrets as ordinary strings, which cannot be
                    # zeroed; callers should avoid logging or serialising it.
                    if ($Property.Name -in $script:EncryptedProperties)
                        $Temp.Add($Property.Name, (Convert-SecureStringToString -SecureString (ConvertTo-SecureString -String $Property.Value)))
                        $Temp.Add($Property.Name, $Property.Value)

                Write-Output -InputObject $Temp
                # Profile not found even after syncing (else branch; brace not visible here).
                if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                    # No need to write output since this will be a terminating error
                    Write-Error -Exception (New-Object -TypeName System.Collections.Generic.KeyNotFoundException("The specified profile $ClientId could not be found.")) -ErrorAction Stop
                    Write-Verbose -Message "The specified profile $ClientId could not be found."
                    Write-Output -InputObject $null
            # Sync whatever's stored on disk first
            Sync-GoogleOAuth2ProfileCache -ProfileLocation $ProfileLocation

            # Then return the ClientIds that are used as the key identifiers in the cache
            Write-Output -InputObject ([System.String[]]($script:OAuthTokens.GetEnumerator() | Select-Object -ExpandProperty Name))

    End {

Function Set-GoogleOAuth2Profile {
            Sets the data in a profile.
            This cmdlet sets data for a specified ClientId profile. The profiles support both OAuth Clients and Service Account
            based credentials. For client credentials, you must specify either an access token or refresh token. If you specify
            a refresh token, you should also specify the client secret so the token can be refreshed.
            For a service account, you can store either an existing access token, or the service account private key and
            details to construct a JWT which can be exchanged for an access token.
        .PARAMETER ClientId
            The profile Id to store the data with, this can be an OAuth2 Client Profile or a Service Account ClientId.
        .PARAMETER ClientSecret
            The provided client secret associated with the ClientId. This can be the OAuth2 provided client secret or a private key
            from a service account.
        .PARAMETER AccessToken
            The access token to store in the profile.
        .PARAMETER RefreshToken
            The refresh token to store in the profile when using client based OAuth.
        .PARAMETER ServiceAccount
            Specifies that the client id and access token provided are for a service account.
        .PARAMETER Issuer
            The email address of the service account.
        .PARAMETER Scope
            An collection of permissions that the application requests
        .PARAMETER ProfileLocation
            The location where stored credentials are located. If this is not specified, the default location will be used.
        .PARAMETER Persist
            Specifies if the data should be persisted to disk in an encrytped format or only maintained in the local cache (also encrypted).
            Set-GoogleOAuth2Profile -ClientId $Id -ClientSecret $Secret -AccessToken $Token -RefreshToken $RToken -Persist
            This example stores the client secret, current access token, and refresh token to the local cache and persists them to disk.
            Set-GoogleOAuth2Profile -ClientId $Id -ClientSecret $Secret -RefreshToken $RToken -Persist
            This example stores the client secret and refresh token to the local cache and persists them to disk. Because only a refresh token
            is stored, the next time the token in this profile is accessed, a new access token will be retrieved with the stored refresh token.
            AUTHOR: Michael Haken
            LAST UPDATE: 1/17/2018

    [CmdletBinding(DefaultParameterSetName = "client")]
        [Parameter(Mandatory = $true, ParameterSetName = "client")]

        [Parameter(ParameterSetName = "client")]
        [Parameter(ParameterSetName = "sa", Mandatory = $true)]

        [Parameter(ParameterSetName = "client")]
        [Parameter(ParameterSetName = "sa_access_token", Mandatory = $true)]
        [Parameter(ParameterSetName = "sa")]

        [Parameter(ParameterSetName = "client")]

        [Parameter(ParameterSetName = "sa", Mandatory = $true)]
        [Parameter(ParameterSetName = "sa_access_token", Mandatory = $true)]

        [Parameter(ParameterSetName = "sa", DontShow = $true)]
        [System.String]$Audience = "",

        [Parameter(ParameterSetName = "sa")]

        [Parameter(ParameterSetName = "sa")]
        [ValidateRange(1, 3600)]



    DynamicParam {
        # Builds the -Scope parameter at runtime so its ValidateSet can be driven by the
        # $script:Scopes list (short scope names) defined at the top of the module.
        $RuntimeParameterDictionary = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameterDictionary

        $AttributeCollection = New-Object -TypeName System.Collections.ObjectModel.Collection[System.Attribute]

        # Scope is only meaningful for the service-account ("sa") parameter set, where it is required
        $ParameterAttribute = New-Object -TypeName System.Management.Automation.PARAMETERAttribute
        $ParameterAttribute.Mandatory = $true
        $ParameterAttribute.ParameterSetName = "sa"

        # Restricts input to the known scope names, so arbitrary strings cannot be persisted as a scope
        $ValidateSetAttribute = New-Object -TypeName System.Management.Automation.ValidateSetAttribute($script:Scopes)

        # NOTE(review): in this copy neither $ParameterAttribute nor $ValidateSetAttribute is added to
        # $AttributeCollection before the parameter is created. If the Add() calls are genuinely missing
        # (rather than lost from this listing), Scope is neither mandatory nor validated - confirm against the source.
        $RuntimeParameter = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameter("Scope", ([System.String[]]), $AttributeCollection)
        $RuntimeParameterDictionary.Add("Scope", $RuntimeParameter)

        return $RuntimeParameterDictionary

    Begin {

    Process {        
        # Service-account profiles are keyed by the service account e-mail rather than an OAuth client id
        if ($PSCmdlet.ParameterSetName -ilike "sa*")
            $ClientId = $ServiceAccountEmail

        Write-Verbose -Message "Setting profile $ClientId."

        # Fall back to the module-level credential file under the user's profile when no location is given
        if ([System.String]::IsNullOrEmpty($ProfileLocation)) 
            $ProfileLocation = $script:ProfileLocation

        # Create the profile store if it doesn't exist (-Force also creates missing parent directories).
        # NOTE(review): no explicit ACL is applied; the file inherits the permissions of its directory,
        # so protection of the persisted tokens rests on the default location being user-private.
        if (-not (Test-Path -Path $ProfileLocation))
            New-Item -Path $ProfileLocation -ItemType File -Force | Out-Null

        # Make sure the cache is loaded so that updates to what's stored in the cache are kept in sync
        # with what's on disk
        if ($Persist)
            Sync-GoogleOAuth2ProfileCache -ProfileLocation $ProfileLocation

        # This will hold the data supplied by the parameters for the token information to store
        # Use a hashtable so it's easy to check property existence
        [System.Collections.Hashtable]$Profile = @{}

        if ($PSBoundParameters.ContainsKey("ClientSecret"))
            # For service accounts the secret is presumably a pasted private key; both literal "\n"/"\r"
            # sequences and real line breaks are stripped so it is stored as a single line - confirm against callers
            if ($PSCmdlet.ParameterSetName -eq "sa")
                $ClientSecret = $ClientSecret.Replace("\n", "").Replace("\r", "").Replace("`r", "").Replace("`n", "")

            # Secrets are never stored in clear text: the plaintext is wrapped in a SecureString and then
            # exported with ConvertFrom-SecureString. NOTE(review): without -Key this relies on Windows DPAPI,
            # which binds the value to the current user and machine - confirm the behaviour on other platforms.
            $Profile.Add($script:client_secret, (ConvertFrom-SecureString -SecureString (ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force)))

        # Mandatory so we know what type of credentials these are
        # NOTE(review): the two Add() calls below look like an if/else whose "else" was lost from this copy;
        # as listed, the second Add() would throw on the duplicate "type" key.
        if ($PSCmdlet.ParameterSetName -ilike "sa*")
            $Profile.Add("type", "sa")
            $Profile.Add("type", "client")

        # Collect the set-specific properties; token values are protected the same way as the client secret
        switch ($PSCmdlet.ParameterSetName)
            "sa_access_token" {
                if ($PSBoundParameters.ContainsKey("AccessToken"))
                    $Profile.Add($script:access_token, (ConvertFrom-SecureString -SecureString (ConvertTo-SecureString -String $AccessToken -AsPlainText -Force)))

            "sa" {
                # Scope comes from the dynamic parameter built in DynamicParam, so it is read from $PSBoundParameters
                [System.String[]]$Scope = $PSBoundParameters["Scope"]

                # scope, iss and sub are stored in clear text; they are JWT claims, not secrets
                $Profile.Add($script:scope, $Scope)
                $Profile.Add($script:iss, $ServiceAccountEmail)
                if (-not [System.String]::IsNullOrEmpty($Subject))
                    $Profile.Add($script:sub, $Subject)

                if ($PSBoundParameters.ContainsKey("AccessToken"))
                    $Profile.Add($script:access_token, (ConvertFrom-SecureString -SecureString (ConvertTo-SecureString -String $AccessToken -AsPlainText -Force)))

                if ($PSBoundParameters.ContainsKey("ValidityInSeconds"))
                    $Profile.Add($script:validity, $ValidityInSeconds)

            "client" {

                # A client profile without any token is useless, so fail early rather than persist an empty entry
                if (-not $PSBoundParameters.ContainsKey("AccessToken") -and -not $PSBoundParameters.ContainsKey("RefreshToken"))
                    Write-Error -Exception (New-Object -TypeName System.ArgumentException("At least AccessToken or RefreshToken must be specified for the Set-GoogleOAuth2Profile cmdlet when specifying OAuth client information.")) -ErrorAction Stop

                if ($PSBoundParameters.ContainsKey("AccessToken"))
                    $Profile.Add($script:access_token, (ConvertFrom-SecureString -SecureString (ConvertTo-SecureString -String $AccessToken -AsPlainText -Force)))
                if ($PSBoundParameters.ContainsKey("RefreshToken"))
                    $Profile.Add($script:refresh_token, (ConvertFrom-SecureString -SecureString (ConvertTo-SecureString -String $RefreshToken -AsPlainText -Force)))

            default {
                Write-Error -Message "Unknown parameter set $($PSCmdlet.ParameterSetName)." -ErrorAction Stop

        # If the profile already exists in the cache, update the information, don't worry about checking to see if it's
        # different since it's not a big penalty to rewrite to memory
        # NOTE(review): the Add() for a new property and the Add() of a brand-new profile read like "else"
        # branches whose keyword is missing from this copy - confirm against the source.
        if ($script:OAuthTokens.ContainsKey($ClientId))
            foreach ($Property in $Profile.GetEnumerator())
                if ($script:OAuthTokens[$ClientId].ContainsKey($Property.Name))
                    $script:OAuthTokens[$ClientId][$Property.Name] = $Property.Value
                    $script:OAuthTokens[$ClientId].Add($Property.Name, $Property.Value)
            $script:OAuthTokens.Add($ClientId, $Profile)

        # If the profile is being persisted, merge it with the saved profile data
        if ($Persist)
            # Let's make sure the tokens were different before we decide to write something back to disk
            [System.Boolean]$ChangeOccured = $false

            [PSCustomObject]$ProfileData = [PSCustomObject]@{}

            # -ErrorAction SilentlyContinue: a missing or unreadable file is treated as "no persisted data"
            [System.String]$Content = Get-Content -Path $ProfileLocation -Raw -ErrorAction SilentlyContinue

            # This will load the persisted data from disk into the cache object
            if (-not [System.String]::IsNullOrEmpty($Content))
                [PSCustomObject]$ProfileData = ConvertFrom-Json -InputObject $Content

            # This could happen if the credential file just contains whitespace and no content
            # Use this approach since the ProfileData is a PSCustomObject
            # (style: placing $null on the left of -ne avoids PowerShell's array-filtering comparison)
            if ($ProfileData -ne $null -and (Get-Member -InputObject $ProfileData -Name $ClientId -MemberType Properties) -ne $null) 
                Write-Verbose -Message "The profile $ClientId may be overwritten with new data."
                # Go through each property in the profile and compare it against the stored profile data to see if we
                # need to add or update fields
                foreach ($Property in ($Profile.GetEnumerator() | Select-Object -ExpandProperty Name))
                    if (($ProfileData.$ClientId | Get-Member -Name $Property -MemberType Properties) -ne $null)
                        if ($Property -iin $script:EncryptedProperties)
                            # Since the DPAPI uses a time factor to generate the encryption, the encrypted data is different
                            # each time the encryption is performed, convert the encrypted string to a secure string
                            # in order to compare them successfully
                            # NOTE(review): this comparison materialises both secrets as plaintext. The BSTRs returned by
                            # SecureStringToBSTR are never released with ZeroFreeBSTR, and PtrToStringAuto yields managed
                            # strings that cannot be scrubbed, so plaintext token copies linger in process memory.
                            # Presumably ConvertTo-SecureString on the stored value also fails if it was protected
                            # under a different user or machine - confirm.
                            if (
                                [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((ConvertTo-SecureString -String $ProfileData.$ClientId.$Property))) -ne
                                [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((ConvertTo-SecureString -String $Profile[$Property])))
                                $ProfileData.$ClientId.$Property = $Profile[$Property]
                                # Note that an update actually happened
                                $ChangeOccured = $true
                            # Non-secret properties are compared directly.
                            # NOTE(review): when the value is an array (e.g. scope), -ne performs element filtering rather
                            # than an equality test, so this branch may register a change on every run - confirm.
                            if ($ProfileData.$ClientId.$Property -ne $Profile["$Property"])
                                $ProfileData.$ClientId.$Property = $Profile[$Property]
                                # Note that an update actually happened
                                $ChangeOccured = $true
                        # Property not yet persisted for this profile: add it
                        $ProfileData.$ClientId | Add-Member -MemberType NoteProperty -Name $Property -Value $Profile[$Property]
                        # Note that an update actually happened
                        $ChangeOccured = $true
                # No persisted entry for this client id yet: add the whole profile
                $ProfileData | Add-Member -MemberType NoteProperty -Name $ClientId -Value $Profile

                # Note that an update actually happened
                $ChangeOccured = $true

            # It's possible no updates were actually made to the existing data, only write to disk if a change
            # was made

            # Only the properties listed in $script:EncryptedProperties are protected; type, scope, iss, sub and
            # validity are written in clear text. NOTE(review): ConvertTo-Json defaults to -Depth 2 - confirm the
            # nested scope array round-trips rather than being flattened to a string.
            if ($ChangeOccured)
                Set-Content -Path $ProfileLocation -Value (ConvertTo-Json -InputObject $ProfileData) -Force

                Write-Verbose -Message "Successfully persisted profile data for $ClientId in $ProfileLocation."
                Write-Verbose -Message "No profile data changes occured for persisted data, nothing updated on disk."
        Write-Verbose -Message "Successfully created or updated the profile for $ClientId."

    End {

Function Remove-GoogleOAuth2Profile {
            Removes a cached and/or stored Google OAuth profile.
            This cmdlet will delete the cached and stored profile for the specified client id. If RevokeToken is specified, the set of tokens,
            including the refresh token will be invalidated.
        .PARAMETER ClientId
            The supplied client id for OAuth.
        .PARAMETER ProfileLocation
            The location where stored credentials are located. If this is not specified, the default location will be used.
        .PARAMETER RevokeToken
            This specifies that any tokens associated with this profile will be revoked permanently.
        .PARAMETER PassThru
            If this is specified, the deleted profile data is returned to the pipeline.
            Remove-GoogleOAuth2Profile -ClientId $Id
            Removes cached and persisted profile data for the id contained in the $Id variable. The user is prompted before the removal occurs.
            Remove-GoogleOAuth2Profile -ClientId $Id -RevokeToken -Force
            Removes cached and persisted profile data for the id contained in the $Id variable and invalidates all associated tokens that have been issued. The
            -Force parameter bypasses any confirmation.
            None or System.Collections.Hashtable
            The hashtable will contain either an access_token or refresh_token property or both.
            AUTHOR: Michael Haken
            LAST UPDATE: 1/12/2018

    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = "HIGH")]
        [Parameter(Mandatory = $true)]





    Begin {

    Process {
        Write-Verbose -Message "Removing profile $ClientId."

        # Fall back to the module-level credential file when no location is given
        if ([System.String]::IsNullOrEmpty($ProfileLocation)) 
            $ProfileLocation = $script:ProfileLocation

        # Do this before we delete it from the cache so we don't have to go to disk
        # (Get-GoogleOAuth2Profile is defined elsewhere in the module; whether it returns the token values
        # decrypted or still in their protected form is not visible here)
        [System.Collections.Hashtable]$Profile = Get-GoogleOAuth2Profile -ClientId $ClientId -ProfileLocation $ProfileLocation -ErrorAction SilentlyContinue

        # NOTE(review): the statement that removes $ClientId from $script:OAuthTokens is not visible in this copy;
        # only the "not found" message remains, which reads like the else branch of this check - confirm.
        if ($script:OAuthTokens.ContainsKey($ClientId))
            Write-Verbose -Message "Not profile data for $ClientId found in the cache."

        # -ErrorAction SilentlyContinue: a missing file is treated as "no persisted data"
        [System.String]$Content = Get-Content -Path $ProfileLocation -Raw -ErrorAction SilentlyContinue

        # This will load the persisted data from disk into the cache object
        if (-not [System.String]::IsNullOrEmpty($Content))
            [PSCustomObject]$ProfileData = ConvertFrom-Json -InputObject $Content

            # The profile contains the clientId to remove
            if ($Profile -ne $null)
                $ConfirmMessage = "You are about to delete profile $ClientId. If you specified -RevokeToken, the REFRESH TOKEN will be revoked and you will need to submit a new authorization code to retrieve a new token."
                $WhatIfDescription = "Deleted profile $ClientId"
                $ConfirmCaption = "Delete Google OAuth2 Profile"

                # -Force skips the ShouldProcess prompt entirely (ConfirmImpact is HIGH, so it prompts by default)
                if ($Force -or $PSCmdlet.ShouldProcess($WhatIfDescription, $ConfirmMessage, $ConfirmCaption))
                    if ($RevokeToken)
                        $Token = ""

                        # Prefer the access token and fall back to the refresh token. The warning below reads like
                        # the else branch of this chain whose keyword was lost from this copy.
                        if ($Profile.ContainsKey($script:access_token))
                            $Token = $Profile[$script:access_token]
                        elseif ($Profile.ContainsKey($script:refresh_token))
                            $Token = $Profile[$script:refresh_token]
                            Write-Warning -Message "RevokeToken was specified, but no tokens are associated with the profile $ClientId."

                        if (-not [System.String]::IsNullOrEmpty($Token))
                                # NOTE(review): the request URI below is just "$Token"; the revocation endpoint appears to have
                                # been lost from this copy (the enclosing try keyword is missing too) - confirm against the source.
                                # If the token is sent as a query-string parameter it can end up in proxy and server logs;
                                # carrying it in the POST body is the safer shape.
                                [Microsoft.PowerShell.Commands.WebResponseObject]$Response = Invoke-WebRequest -Uri "$Token" -Method Post -UserAgent PowerShell -UseBasicParsing

                                # A failed revocation only warns; the local profile is still deleted below, leaving the
                                # server-side grant valid with no local copy of the token left to retry with.
                                if ($Response.StatusCode -ne 200)
                                    Write-Warning -Message "There was a problem revoking the access token associated with $ClientId."
                            catch [System.Net.WebException] 
                                # Surface the HTTP status and response body, honouring the caller's ErrorActionPreference.
                                # NOTE(review): $Ex.Response is $null for connection-level failures (DNS, refused, timeout),
                                # so GetResponseStream() would throw inside this handler - guard it.
                                [System.Net.WebException]$Ex = $_.Exception
                                [System.Net.HttpWebResponse]$Response = [System.Net.HttpWebResponse]($Ex.Response)
                                [System.IO.Stream]$Stream = $Ex.Response.GetResponseStream()
                                # NOTE(review): $Reader and $Stream are never disposed
                                [System.IO.StreamReader]$Reader = New-Object -TypeName System.IO.StreamReader($Stream, [System.Text.Encoding]::UTF8)
                                [System.String]$Content = $Reader.ReadToEnd()
                                [System.Int32]$StatusCode = $Response.StatusCode.value__
                                [System.String]$Message = "$StatusCode : $Content"

                                if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                                    # NOTE(review): System.Web is not loaded by default in every host - confirm the type resolves
                                    [System.Web.HttpException]$NewEx = New-Object -TypeName System.Web.HttpException($Content, $StatusCode)
                                    Write-Error -Exception $NewEx -Category NotSpecified -ErrorId $StatusCode
                                elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                                    Write-Warning -Message $Message
                                    Write-Verbose -Message "[ERROR] : $Message"
                            catch [Exception] 
                                # Any other failure is reported the same way, without a status code
                                if ($ErrorActionPreference -eq [System.Management.Automation.ActionPreference]::Stop)
                                    Write-Error -Exception $_.Exception
                                elseif ($ErrorActionPreference -ne [System.Management.Automation.ActionPreference]::SilentlyContinue)
                                    Write-Warning -Message $_.Exception.Message
                                    Write-Verbose -Message "[ERROR] : $($_.Exception.Message)"

                    # This returns void, so do it first, then pass the ProfileData variable
                    # NOTE(review): the statement the comment above refers to (dropping the $ClientId property from
                    # $ProfileData) is not visible in this copy - confirm it precedes the serialisation below.

                    $Value = ""

                    # Serialise whatever remains; with no properties left the file is emptied rather than written as "{}"
                    if (($ProfileData | Get-Member -MemberType Properties | Select-Object -ExpandProperty Name).Count -gt 0)
                        $Value = (ConvertTo-Json -InputObject $ProfileData)

                    if ([System.String]::IsNullOrEmpty($Value))
                        Clear-Content -Path $ProfileLocation -Force
                        Set-Content -Path $ProfileLocation -Value $Value -Force

                    Write-Verbose -Message "Successfully removed profile $ClientId."

                    # -PassThru emits the removed profile, token values included, to the pipeline
                    if ($PassThru) 
                        Write-Output -InputObject $Profile
                Write-Error -Message "No profile matching $ClientId in $ProfileLocation."
            Write-Verbose -Message "No persisted profile data found in $ProfileLocation."

    End {

Function Sync-GoogleOAuth2ProfileCache {
            Syncs the stored profile data with the in memory cache.
            This cmdlet loads the data stored in local credential file into the in-memory cache of credentials.
            You typically will not need to call this cmdlet, the other cmdlets that use the profile data will call this on your behalf.
        .PARAMETER ProfileLocation
            The location where stored credentials are located. If this is not specified, the default location will be used.
            This syncs the locally stored profile data to the in-memory cache.
            AUTHOR: Michael Haken
            LAST UPDATE: 1/12/2018


    Begin {

    Process {
        # Fall back to the module-level credential file when no location is given
        if ([System.String]::IsNullOrEmpty($ProfileLocation)) 
            $ProfileLocation = $script:ProfileLocation

        # Set whenever the cache is added to or updated (not only on additions, despite the name)
        [System.Boolean]$AddedToCache = $false

        Write-Verbose -Message "Syncing data from $ProfileLocation into local cache."

        # -ErrorAction SilentlyContinue: a missing file is treated as "no persisted data"
        [System.String]$Content = Get-Content -Path $ProfileLocation -Raw -ErrorAction SilentlyContinue

        # This will load the persisted data from disk into the cache object
        if (-not [System.String]::IsNullOrEmpty($Content))
            [PSCustomObject]$ProfileData = ConvertFrom-Json -InputObject $Content

            # Iterate each key value in the PSCustomObject which represents a ClientId.
            # Profiles present only in the cache (never persisted) are not touched by this loop.
            foreach ($Property in ($ProfileData | Get-Member -MemberType NoteProperty | Select-Object -ExpandProperty Name)) 
                # If the module cache of profiles doesn't contain a token for the persisted client id, add it
                if (-not $script:OAuthTokens.ContainsKey($Property))
                    Write-Verbose -Message "Adding data for $Property into local cache from disk."
                    $AddedToCache = $true

                    $script:OAuthTokens.Add($Property, @{})
                # Names of the properties (access_token, refresh_token, scope, ...) persisted for this client id
                $ProfileDataProperties = ($ProfileData.$Property | Get-Member -MemberType NoteProperty | Select-Object -ExpandProperty Name)

                foreach ($Token in $ProfileDataProperties)
                    # Add the token values to the cache
                    # Values are copied exactly as stored on disk: nothing is decrypted here, so protected
                    # properties keep their ConvertFrom-SecureString form inside the cache.
                    # NOTE(review): for array-valued properties (scope) -ne performs element filtering, so the
                    # "updating" branch may be taken on every sync - confirm.
                    if ($script:OAuthTokens[$Property].ContainsKey($Token))
                        if ($script:OAuthTokens[$Property][$Token] -ne $ProfileData.$Property.$Token)
                            Write-Verbose -Message "Updating property $Token in profile $Property."
                            $script:OAuthTokens[$Property][$Token] = $ProfileData.$Property.$Token
                            $AddedToCache = $true
                        Write-Verbose -Message "Adding property $Token to profile $Property."
                        $script:OAuthTokens[$Property].Add($Token, $ProfileData.$Property.$Token)
                        $AddedToCache = $true

                # Remove any existing properties in the profile cache that were not persisted to disk
                # NOTE(review): the Remove() call is not visible in this copy. If it sits inside this loop it would
                # modify the hashtable while GetEnumerator() is iterating it, which throws; collect the stale
                # names first and remove them after the loop.
                foreach ($Prop in $script:OAuthTokens[$Property].GetEnumerator())
                    if ($Prop.Name -inotin $ProfileDataProperties)
                        Write-Verbose -Message "Removing property $($Prop.Name) from profile $Property."

            if (-not $AddedToCache)
                Write-Verbose -Message "No updates required to the profile cache."
            Write-Verbose -Message "No persisted profile data found in $ProfileLocation."

    End {
