Public/Get-FODToken.ps1

function Get-FODToken
{
    <#
    .SYNOPSIS
        Gets a new FOD authentication token.
    .DESCRIPTION
        Connects to FOD using User or Client Credentials and prints the resultant authentication token and/or saves
        it in the PowerShell for FOD module configuration.
    .PARAMETER ApiUri
        FOD API Uri to use, e.g. https://api.ams.fortify.com.
    .PARAMETER GrantType
        The method of authentication: UsernamePassword (Resource Owner Password Credentials) or ClientCredentials.
        Defaults to 'UsernamePassword'.
    .PARAMETER Scope
        The API scope to use, required if UsernamePassword Credentials is used.
        Defaults to 'api-tenant'.
    .PARAMETER Credential
        The Credential object to be used, if empty you will be prompted for User and Password.
        If 'UsernamePassword' credentials are used enter your "tenant\username" details at the User prompt and
        your "password" at the Password prompt.
        If ClientCredentials are used enter your API Key and API Secret.
    .PARAMETER Print
        Prints the value of the authentication token to the output.
    .PARAMETER ForceCredential
        If specified and a Credential object has already been stored, this will ignore it and force the
        prompt for a new Credential object.
    .PARAMETER Proxy
        Proxy server to use.
        Optional.
    .PARAMETER ForceVerbose
        If specified, don't explicitly remove verbose output from Invoke-RestMethod
        *** WARNING ***
        This will expose your data in verbose output
    .EXAMPLE
        # Retrieve an authentication token using Client Credentials from https://api.emea.fortify.com
        Get-FODToken -GrantType ClientCredentials -ApiUrl https://api.emea.fortify.com
    .FUNCTIONALITY
        Fortify on Demand.
    #>

    [OutputType([String])]
    [cmdletbinding()]
    param (
        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [ValidateScript({
            if (-not$_ -and -not$Script:PS4FOD.ApiUri) {
                throw 'Please supply a FOD Api Uri with Set-FODConfig.'
            } else {
                $true
            }
         })]
        [string]$ApiUri = $Script:PS4FOD.ApiUri,

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [ValidateSet('UsernamePassword', 'ClientCredentials')]
        [ValidateScript({
            if (-not$_ -and -not$Script:PS4FOD.GrantType) {
                throw 'Please supply a FOD GrantType with Set-FODConfig.'
            } else {
                $true
            }
        })]
        [string]$GrantType = $Script:PS4FOD.GrantType,

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [ValidateSet('api-tenant', 'start-scans', 'manage-apps', 'view-apps', 'manage-issues', 'view-issues',
            'manage-reports', 'view-reports', 'manage-users', 'view-users', 'manage-notifications',
            'view-tenant-data')]
        [ValidateScript({
            if (-not$_ -and -not$Script:PS4FOD.Scope) {
                throw 'Please supply a FOD Scope with Set-FODConfig.'
            } else {
                $true
            }
        })]
        [string]$Scope = $Script:PS4FOD.Scope,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        [ValidateNotNullOrEmpty()]
        [ValidateScript({
            if (-not$_ -and -not$Script:PS4FOD.Credential) {
                throw 'Please supply a Credential with Set-FODConfig.'
            } else {
                $true
            }
        })]
        $Credential = $Script:PS4FOD.Credential,

        [switch]$Print = $False,

        [switch]$ForceCredential = $False,

        [string]$Proxy = $Script:PS4FOD.Proxy,
        [switch]$ForceVerbose = $Script:PS4FOD.ForceVerbose
    )

    # Check parameters have values
    if ([string]::IsNullOrEmpty($ApiUri)) {
        throw 'Please supply a valid FOD API Uri with Set-FODConfig.'
    }
    if ([string]::IsNullOrEmpty($GrantType)) {
        throw 'Please supply a valid FOD GrantType with Set-FODConfig.'
    }
    if ([string]::IsNullOrEmpty($Scope)) {
        throw 'Please supply a valid FOD Scope with Set-FODConfig.'
    }
    if ($ForceCredential -or ($Credential -eq $null)) {
        $Credential = Get-Credential
    }

    $Params = @{
        ErrorAction = 'Stop'
    }
    if ($Proxy) {
        $Params['Proxy'] = $Proxy
    }
    if (-not$ForceVerbose) {
        $Params.Add('Verbose', $False)
    }
    if ($ForceVerbose) {
        $Params.Add('Verbose', $true)
    }
    Write-Verbose "Get-FODToken Bound Parameters: $( $PSBoundParameters | Remove-SensitiveData | Out-String )"
    $Body = @{
        scope = $Scope
    }
    if ($GrantType -eq 'UsernamePassword') {
        $Body.Add('grant_type', 'password')
        #$Body.Add('username', $Credential.UserName)
        #$Body.Add('password',[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($Credential.Password)))
        $Body.Add('username', $Credential.GetNetworkCredential().UserName)
        $Body.Add('password', $Credential.GetNetworkCredential().Password)
    } elseif ($GrantType -eq 'ClientCredentials') {
        $Body.Add('grant_type', 'client_credentials')
        #$Body.Add('client_id', $Credential.UserName)
        #$Body.Add('client_secret',[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($Credential.Password)))
        $Body.Add('client_id', $Credential.GetNetworkCredential().UserName)
        $Body.Add('client_secret', $Credential.GetNetworkCredential().Password)
    } else {
        # We shouldn't get here...
        throw "Unknown GrantType $GrantType"
    }

    $Uri = "$ApiUri/oauth/token"
    try {
        $Response = $null
        $Response = Invoke-RestMethod -Uri $Uri @Params -Method Post -Body $Body
    } catch {
        if ($_.ErrorDetails.Message -ne $null) {
            Write-Host $_.ErrorDetails
            # Convert the error-message to an object. (Invoke-RestMethod will not return data by-default if a 4xx/5xx status code is generated.)
            $_.ErrorDetails.Message | ConvertFrom-Json | Parse-FODError -Exception $_.Exception -ErrorAction Stop
        } else {
            Write-Error -Exception $_.Exception -Message "FOD API call failed: $_"
        }
    }
    # Check to see if we have confirmation that our API call failed.
    # (Responses with exception-generating status codes are handled in the "catch" block above - this one is for errors that don't generate exceptions)
    if ($Response -ne $null -and $Response.ok -eq $False) {
        $Response | Parse-FODError
    } elseif ($Response) {
        $Token = $Response.access_token
        if ($Print) {
            Write-Host $Token
        }
        Set-FODConfig -ApiUri $ApiUri -GrantType $GrantType -Scope $Scope -Token $Token
    }
    else {
        Write-Verbose "Something went wrong. `$Response is `$null"
    }
}