src/auth/V2AuthProvider.ps1
# Copyright 2019, Adam Edwards # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. . (import-script AuthProvider) . (import-script DeviceCodeAuthenticator) ScriptClass V2AuthProvider { $base = $null # TODO: Consider removing this store of app contexts, and making auth context # a part of the connection itself, since for v2 auth at least this is actually # what has been done through group id. At the very least we could move to # making group id the only key and do away with the multi-level hash table. $publicAppContexts = $null $confidentialAppContexts = $null function __initialize( $base ) { $this.base = $base $this.publicAppContexts = @{} $this.confidentialAppContexts = @{} } # The group id concept is really about associating auth context with a connnection so # we can look up the right authcontext for a connection. A better approach may be # to simply make the auth context part of the connection itself rather than part of # a store maintained here. function GetAuthContext($app, $authUri, $groupId, [securestring] $certificatePassword) { $isConfidential = $app |=> IsConfidential write-verbose "Searching for app context for appid '$($app.AppId)' and uri '$authUri' -- confidential:$isConfidential, groupid '$groupId'" $existingApp = $this |=> __GetAppContext $isConfidential $app.AppId $authUri $groupId if ( $existingApp ) { write-verbose ("Found existing app context with hashcode {0}" -f $existingApp.GetHashCode()) $existingApp } elseif ( $isConfidential ) { write-verbose "Confidential app context not found -- will create new context" $confidentialAppBuilder = [Microsoft.Identity.Client.ConfidentialClientApplicationBuilder]::Create($app.appid).WithAuthority($authUri).WithRedirectUri($app.RedirectUri) $secretCredential = ($app.secret |=> GetSecretData $certificatePassword) $confidentialApp = if ( $app.secret.type -eq [SecretType]::Certificate ) { $confidentialAppBuilder.WithCertificate($secretCredential).Build() } else { $confidentialAppBuilder.WithClientSecret($secretCredential).Build() } $this |=> __AddAppContext $true $app.AppId $authUri $confidentialApp $groupId $confidentialApp } else { write-verbose "Public app context not found -- will create new context" $publicApp = [Microsoft.Identity.Client.PublicClientApplicationBuilder]::Create($App.AppId).WithAuthority($authUri, $true).WithRedirectUri($app.RedirectUri).Build() $this |=> __AddAppContext $false $app.AppId $authUri $publicApp $groupId $publicApp } } function GetUserInformation($token) { $userId = $null $scopes = $null $userObjectId = $null if ( $token -and $token.Account ) { $userId = $token.Account.Username $scopes = $token.scopes $userObjectId = $token.uniqueid } [PSCustomObject]@{ userId = $userId scopes = $scopes userObjectId = $userObjectId } } function AcquireFirstUserToken($authContext, $scopes) { write-verbose 'V2 auth provider acquiring initial user token' $this |=> __AcquireTokenInteractive $authContext $scopes } function AcquireFirstUserTokenFromDeviceCode($authContext, $scopes) { write-verbose 'V2 auth provider acquiring initial user token using device code' $::.DeviceCodeAuthenticator |=> Authenticate $authContext.protocolcontext $scopes } function AcquireFirstAppToken($authContext, [securestring] $certificatePassword) { write-verbose 'V2 auth provider acquiring initial app token' $defaultScopeList = $this |=> __GetDefaultScopeList $authContext $authContext.protocolContext.AcquireTokenForClient([System.Collections.Generic.List[string]] $defaultScopeList).ExecuteAsync() } function AcquireFirstUserTokenConfidential($authContext, $scopes) { write-verbose 'V2 auth provider acquiring user token via confidential client' $scopeList = $::.ScopeHelper |=> QualifyScopes $scopes $authContext.GraphEndpointUri # Confidential user flow uses an authcode flow with a confidential rather than public client. # First, get the auth code for the user -- MSAL does not support this, but it does return the URI # that lets you get the authcode (presumably you're a web app sending that URI to a client # web browser and not using it to get credentials locally as in our case). Once you have the auth code, # MSAL *does* support an API that lets you get a user token from the auth code using a confidential # client that must present its credentials. # 1. Get the auth code URI $uriResult = $authContext.protocolContext.GetAuthorizationRequestUrl([string[]]$scopeList).ExecuteAsync() $authCodeUxUri = $uriResult.Result # 2. Use the URI to present a UX to the user via the URI to obtain credentials that # yield the authcode in a response $authCodeInfo = GetAuthCodeFromURIUserInteraction $authCodeUxUri # 3. Now use MSAL's confidential client to obtain the token from the auth code $authContext.protocolContext.AcquireTokenByAuthorizationCode([System.Collections.Generic.List[string]] $scopeList, $authCodeInfo.ResponseParameters.Code).ExecuteAsync() } function AcquireRefreshedToken($authContext, $token) { write-verbose 'V2 auth provider refreshing existing token' if ( $authContext.app.authtype -eq ([GraphAppAuthType]::AppOnly) ) { $defaultScopeList = $this |=> __GetDefaultScopeList $authContext @() $authContext.protocolContext.AcquireTokenForClient([System.Collections.Generic.List[string]] $defaultScopeList).ExecuteAsync() } else { $cachedAccount = $authContext.protocolContext.GetAccountsAsync().Result | select -first 1 $scopes = if ( $token ) { $token.scopes } else { @('.default') } $requestedScopesFromToken = $::.ScopeHelper |=> QualifyScopes $scopes $authContext.GraphEndpointUri | where { $_ -notin @('openid', 'profile', 'offline_access') } $cachedAccount = $authContext.protocolContext.GetAccountsAsync().Result | select -first 1 try { $authContext.protocolContext.AcquireTokenSilent([System.Collections.Generic.List[string]] $requestedScopesFromToken, $cachedAccount).ExecuteAsync() } catch [Microsoft.Identity.Client.MsalUiRequiredException] { write-verbose 'Acquire silent failed, retrying interactive' $this |=> __AcquireTokenInteractive $authContext @('.default') } } } function ClearToken($authContext, $token) { write-verbose 'V2 auth provider clearing existing token' $user = $token.account $userUpn = $token.account.username write-verbose "Clearing token for user '$userUpn'" $this |=> __RemoveCachedtoken $authContext $user $this |=> __RemoveAppContext ($authContext.app |=> IsConfidential) $authContext.app.appId $authContext.GraphEndpointUri $authContext.GroupId } function __RemoveCachedToken($authContext, $user) { $asyncRemoveResult = $authContext.protocolContext.RemoveAsync($user) $asyncRemoveResult.Wait() } function __AcquireTokenInteractive($authContext, $scopes) { write-verbose 'V2 auth provider acquiring interactive user token' if ( $scopes -eq $null -or $scopes.length -eq 0 ) { throw [ArgumentException]::new('No scopes specified for v2 auth protocol, at least one scope is required') } $scopeList = $::.ScopeHelper |=> QualifyScopes $scopes $authContext.GraphEndpointUri $authContext.protocolContext.AcquireTokenInteractive([System.Collections.Generic.List[string]] $scopeList).ExecuteAsync() } function __GetContextKey($appId, $groupId) { $key = $appId.tostring() if ( $groupId ) { $key += ':' + $groupId.tostring() } $key } function __AddAppContext([bool] $isConfidential, [Guid] $appId, [Uri] $authUri, $appContext, $groupId) { $authorities = if ( $isConfidential ) { $this.confidentialAppContexts } else { $this.publicAppContexts } if ( ! $authorities[$authUri] ) { $authorities[$authUri] = @{} } $contextKey = __GetContextKey $appId $groupId write-verbose "Adding app context with key '$contextKey'" $authorities[$authUri].Add($contextKey, $appContext) } function __GetAppContext([bool] $isConfidential, [Guid] $appId, [Uri] $authUri, $groupId) { $authorities = if ( $isConfidential ) { $this.confidentialAppContexts } else { $this.publicAppContexts } $authority = $authorities[$authUri] if ( $authority ) { $contextKey = __GetContextKey $appId $groupId write-verbose "Looking up app context with key '$contextKey'" $authority[$contextKey] } } function __RemoveAppContext([bool] $isConfidential, [Guid] $appId, [Uri] $authUri, $groupId) { $authorities = if ( $isConfidential ) { $this.confidentialAppContexts } else { $this.publicAppContexts } $authority = $authorities[$authUri] if ( $authority ) { $contextKey = __GetContextKey $appId $groupId write-verbose "Attempting to remove app context with contextid '$contextkey'" if ( $authority[$contextKey] ) { write-verbose "Context key '$contextkey' exists, removing app context for it" $authority.Remove($contextKey) if ( $authority.count -eq 0 ) { $authorities[$authUri].Remove } } } } function __GetDefaultScopeList($authContext) { $::.ScopeHelper |=> QualifyScopes @('.default') $authContext.GraphEndpointUri } function GetAuthCodeFromURIUserInteraction($authUxUri) { add-type -AssemblyName System.Windows.Forms $form = new-object -typename System.Windows.Forms.Form -property @{width=600;height=640} $browser = new-object -typeName System.Windows.Forms.WebBrowser -property @{width=560;height=640;url=$authUxUri } $resultUri = $null $authError = $null $completedBlock = { # Use set-variable to access a variable outside the scope of this block set-variable resultUri -scope 1 -value $browser.Url if ($resultUri -match "error=[^&]*|code=[^&]*") { $authError = $resultUri $form.Close() } } $browser.Add_DocumentCompleted($completedBlock) $browser.ScriptErrorsSuppressed = $true $form.Controls.Add($browser) $form.Add_Shown({$form.Activate()}) $form.ShowDialog() | out-null # The response mode for this uri is 'query', so we parse the query parameters # to get the result $queryParameters = [System.Web.HttpUtility]::ParseQueryString($resultUri.query) $queryResponseParameters = @{} $queryParameters.keys | foreach { $key = $_ $value = $queryParameters.Get($_) $queryResponseParameters[$key] = $value } $errorDescription = if ( $queryResponseParameters['error'] ) { $authError = $queryResponseParameters['error'] $queryResponseParameters['error_description'] } if ( $authError ) { throw ("Error obtaining authorization code: {0}: '{2}' - {1}" -f $authError, $errorDescription, $resultUri) } @{ ResponseUri = $resultUri ResponseParameters = $queryResponseParameters } } static { $__AuthLibraryLoaded = $false $scriptRoot = $null function __initialize($scriptRoot) { $this.scriptRoot = $scriptRoot } function InitializeProvider { if ( ! $this.__AuthLibraryLoaded ) { $libPath = join-path $this.scriptRoot ../../lib Import-Assembly Microsoft.Identity.Client -AssemblyRoot $libPath | out-null $this.__AuthLibraryLoaded = $true } } function RegisterProvider { $::.AuthProvider |=> RegisterProvider ([GraphAuthProtocol]::v2) $this } } } $::.V2AuthProvider |=> __initialize $psscriptroot |