{"id":14063437,"url":"https://github.com/alflokken/PSAuthClient","last_synced_at":"2025-07-29T15:33:14.087Z","repository":{"id":220669531,"uuid":"752249627","full_name":"alflokken/PSAuthClient","owner":"alflokken","description":"PowerShell OAuth2.0/OpenID Connect (OIDC) Client.","archived":false,"fork":false,"pushed_at":"2025-06-29T19:33:32.000Z","size":389,"stargazers_count":100,"open_issues_count":0,"forks_count":12,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-06-29T19:34:15.411Z","etag":null,"topics":["authentication","authorization","oauth2","oidc","openidconnect","powershell"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alflokken.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-02-03T13:32:59.000Z","updated_at":"2025-06-25T12:02:07.000Z","dependencies_parsed_at":"2024-12-04T01:30:55.863Z","dependency_job_id":"e9d7c1ab-900b-4417-8ce1-e17402d00370","html_url":"https://github.com/alflokken/PSAuthClient","commit_stats":null,"previous_names":["alflokken/psauthclient"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/alflokken/PSAuthClient","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alflokken%2FPSAuthClient","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alflokken%2FPSAuthClient/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alflokken%2FPSAuthClient/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/alflokken%2FPSAuthClient/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alflokken","download_url":"https://codeload.github.com/alflokken/PSAuthClient/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alflokken%2FPSAuthClient/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267709614,"owners_count":24131922,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-29T02:00:12.549Z","response_time":2574,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authorization","oauth2","oidc","openidconnect","powershell"],"created_at":"2024-08-13T07:03:20.444Z","updated_at":"2025-07-29T15:33:14.069Z","avatar_url":"https://github.com/alflokken.png","language":"PowerShell","funding_links":[],"categories":["PowerShell"],"sub_categories":[],"readme":"# PSAuthClient\nPSAuthClient is a flexible PowerShell OAuth2.0/OpenID Connect (OIDC) Client.\n* Support for a [wide range of grants](#examples-of-openid-connect-oidc-and-oauth20-grants).\n* Uses [WebView2](https://learn.microsoft.com/en-us/microsoft-edge/webview2/) to support modern web experiences where interaction is required.\n* Includes [useful tools](#Tools) for decoding tokens and validating JWT signatures.\n\u003cbr\u003e\n\n![Auth client in use](docs/images/spotify_auth.gif)\n\n# Table of Contents\n- 
[Install](#install)\n- [Quick Start](#quick-start)\n- [Documentation](#documentation)\n- [Utilities included](#example-usage-of-additional-tools)\n- [OIDC and OAuth2.0 Grant Examples](#examples-of-different-openid-connect-oidc-and-oauth20-grants)\n- [Issues and Contributions](#issues-and-contributions)\n\n\n# Install\nEither install the module from PSGallery `Install-Module PSAuthClient -Scope:CurrentUser` or [download](https://github.com/alflokken/PSAuthClient/releases) and unzip to ‘$home\\Documents\\WindowsPowerShell\\Modules’.\n\n## Quick Start\nCheck out my blog post on getting started with PSAuthClient.\n* Using [OAuth2](https://alflokken.github.io/posts/powershell-oauth2-authentication/) with Spotify as the OAuth2.0 provider.\n* Using [OpenID Connect (OIDC)](https://alflokken.github.io/posts/powershell-oidc-authentication/) with Microsoft Graph as the OIDC provider.\n\n# Documentation\nSee links for function documentation, usage and examples.\n| Function | Description |\n| -------- | ----------- |\n| [Invoke-OAuth2AuthorizationEndpoint](/docs/Invoke-OAuth2AuthorizationEndpoint.md) | Launches an embedded WebView2 browser to perform the OAuth2.0/OIDC Authorization Code flow. Supports modern authentication features (SSO, Windows Hello, FIDO2). | \n| [Invoke-OAuth2DeviceAuthorizationEndpoint](/docs/Invoke-OAuth2DeviceAuthorizationEndpoint.md) | Initiates the Device Code flow by retrieving a user and device verification code from the authorization server that can be used to request tokens from the token endpoint. |\n| [Invoke-OAuth2TokenEndpoint](docs/Invoke-OAuth2TokenEndpoint.md) | Requests security tokens using various grant types: authorization code, device code, refresh token, client credentials, or JWT assertions.|\n| [Get-OidcConfigurationMetadata](docs/Get-OidcDiscoveryMetadata.md) | Retrieves OpenID Connect Discovery metadata (`.well-known/openid-configuration`). 
|\n| [ConvertFrom-JsonWebToken](docs/ConvertFrom-JsonWebToken.md) | Decodes a JWT and returns a PowerShell object. | \n| [Test-JsonWebTokenSignature](docs/Test-JsonWebTokenSignature.md) | Attempts to verify the JWT signature using the issuer’s published signing keys (via discovery metadata) or provided certificate/secret. | \n| [New-PkceChallenge](docs/New-PkceChallenge.md) | Generates a PKCE `code_verifier` and `code_challenge` pair for Authorization Code flows. | \n| [New-Oauth2JwtAssertion](docs/New-Oauth2JwtAssertion.md) | Builds and signs a JWT assertion using either a client certificate or HMAC secret, suitable for `private_key_jwt` or `client_secret_jwt` authentication methods.|\n| [Clear-WebView2Cache](docs/Clear-WebView2Cache.md) | Deletes the WebView2 User Data Folder to clear cached sessions and cookies. |\n\n\u003cbr\u003e\n\n## Example usage of additional tools\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eOIDC Discovery\u003c/b\u003e\u003c/summary\u003e\n\nRetrieve OpenID Connect Discovery metadata.\n```powershell\nGet-OidcDiscoveryMetadata \"https://login.microsoftonline.com/common\"\n\ntoken_endpoint                        : https://login.microsoftonline.com/common/oauth2/token\ntoken_endpoint_auth_methods_supported : {client_secret_post, private_key_jwt, client_secret_basic}\njwks_uri                              : https://login.microsoftonline.com/common/discovery/keys\nresponse_modes_supported              : {query, fragment, form_post}\nsubject_types_supported               : {pairwise}\nid_token_signing_alg_values_supported : {RS256}\nresponse_types_supported              : {code, id_token, code id_token, token id_token}\nscopes_supported                      : {openid}\nissuer                                : https://sts.windows.net/{tenantid}/\nmicrosoft_multi_refresh_token         : True\nauthorization_endpoint                : https://login.microsoftonline.com/common/oauth2/authorize\ndevice_authorization_endpoint         : 
https://login.microsoftonline.com/common/oauth2/devicecode\nhttp_logout_supported                 : True\nfrontchannel_logout_supported         : True\nend_session_endpoint                  : https://login.microsoftonline.com/common/oauth2/logout\nclaims_supported                      : {sub, iss, cloud_instance_name, cloud_instance_host_name}\ncheck_session_iframe                  : https://login.microsoftonline.com/common/oauth2/checksession\nuserinfo_endpoint                     : https://login.microsoftonline.com/common/openid/userinfo\nkerberos_endpoint                     : https://login.microsoftonline.com/common/kerberos\ntenant_region_scope                   : \ncloud_instance_name                   : microsoftonline.com\ncloud_graph_host_name                 : graph.windows.net\nmsgraph_host                          : graph.microsoft.com\nrbac_url                              : https://pas.windows.net\n\n\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eDecode JWT\u003c/b\u003e\u003c/summary\u003e\n\nConvert (decode) a JSON Web Token (JWT) to a PowerShell object.\n```powershell\nPS\u003e ConvertFrom-JsonWebToken \"ew0KICAidHlwIjogIkpXVCIsDQogICJhbGciOiAiUlMyNTYiDQp9.ew0KICAi...\"\n\nheader    : @{typ=JWT; alg=RS256}\nexp       : 1706784929\necho      : Hello World!\nnbf       : 1706784629\nsub       : PSAuthClient\niss       : https://example.org\njti       : 27913c80-40d1-46a3-89d5-d3fb9f0d1e4e\niat       : 1706784629\naud       : PSAuthClient\nsignature : OHIxRGxuaXVLTjh4eXhRZ0VWYmZ3SHNlQ29iOUFBUVRMK1dqWUpWMEVXMD0\n\n\n\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eValidate JWT Signature\u003c/b\u003e\u003c/summary\u003e\n\nAttempt to validate the signature of a JSON Web Token (JWT) by using the issuer discovery metadata to get the signing certificate. 
(If no signing certificate or secret was provided.)\n\n```powershell\nPS\u003e Test-JsonWebTokenSignature -jwtInput $jwt\nTrue\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eBuild JWT Assertions\u003c/b\u003e\u003c/summary\u003e\n\nCreate and sign JWT Assertions using either a client_certificate (x509certificate2 or RSA Private key) or client_secret (for HMAC-based signature).\n\n```powershell\nPS\u003e New-Oauth2JwtAssertion -issuer \"test\" -subject \"test1\" -audience \"test2\" -jwtId \"123\" -customClaims @{ claim1 = \"test\" } -client_secret \"secret\"\n\nclient_assertion_jwt           ew0KICAiYWxnIjogIlJTMjU2IiwNCiAgInR5cCI6ICJKV1QiDQp9.ew0KICAianRp...\nclient_assertion_type          urn:ietf:params:oauth:client-assertion-type:jwt-bearer\nheader                         @{alg=RS256; typ=JWT}\npayload                        @{jti=123; claim1=test; aud=test2; exp=1706793151; nbf=170679285...}\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eGenerate a PKCE Challenge\u003c/b\u003e\u003c/summary\u003e\n\nGenerate code_verifier and code_challenge for PKCE (authorization code flow).\n\n```powershell\nPS\u003e New-PkceChallenge\n\ncode_verifier                  Vpq2YXOsD~1DRM-jBPR6bt8R-3dWQAHNLVLUIDxh7SkWpOT3A0grpenqKne5rAHcVKsTi-ya8-lGBxJ0NS7zavdcFbfdN0yFQ5kYOFbWBh3\ncode_challenge                 TW-3r-6mxRWjhkkxmYOabLlwIQ0JkQ0ndxzOSLJvCoU\ncode_challenge_method          S256\n```\n\n\u003c/details\u003e\n\n## Examples of different OpenID Connect (OIDC) and OAuth2.0 Grants\n\nOpenID Connect is an extension of OAuth2 that adds an identity layer to the authorization framework. This allows a client to verify the identity of the user and obtain basic profile information. OIDC grants contain the 'openid' scope, and the identity provider will return an 'id_token' with user information (claims). 
\n\n\u003cdetails\u003e\n\u003csummary\u003eParameters that are used (and modified) throughout the examples below.\u003c/summary\u003e\n\n```powershell\n$authorization_endpoint = \"https://login.microsoftonline.com/example.org/oauth2/v2.0/authorize\"\n$token_endpoint = \"https://login.microsoftonline.com/example.org/oauth2/v2.0/token\"\n\n$splat = @{\n    client_id = \"5eda97cf-2963-41e9-bea0-b6ba2bbf8f99\"\n    scope = \"user.read openid offline_access\"\n    redirect_uri = \"https://login.microsoftonline.com/common/oauth2/nativeclient\"\n    customParameters = @{ \n        prompt = \"none\"\n    }\n}\n```\n\u003cbr\u003e\n\u003c/details\u003e\n\u003cbr\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eAuthorization Code Grant with Proof Key for Code Exchange (PKCE)\u003c/b\u003e\u003c/summary\u003e\n\nExample\n```powershell\n$code = Invoke-OAuth2AuthorizationEndpoint -uri $authorization_endpoint @splat\n\nclient_id                      5eda97cf-2963-41e9-bea0-b6ba2bbf8f99\ncode_verifier                  ig0Sly4Kdjc_e77Zsp5..PKi.TbqzSNz_CEKsamyPRI5~uRr4_\nnonce                          o180HoFS2k5y0gj.spbYos.IPUS8-SqSf4cx0Z7x\nredirect_uri                   https://login.microsoftonline.com/common/oauth2/nativeclient\ncode                           0.AUcAjvFfm8BTokWLwpwMj2CyxiGBP5hz2ZpErJuc3chlhOUNAVw.AgABAAIAAAA...\n\n$token = Invoke-OAuth2TokenEndpoint -uri $token_endpoint @code\n\ntoken_type      : Bearer\nscope           : User.Read profile openid email\nexpires_in      : 5340\next_expires_in  : 5340\naccess_token    : eyJ0eXAiOiJKV1QiLCJub25jZSI6IlhFMjJvBXRyVDBkQ1Z1cG7zbEFJQk1kU1RxLS5xQUppS3Fpbr...\nrefresh_token   : 0.AUcAjvFfm8BTokWLwpwMj2CyxiGBP5hz2ZpErJuc3chlhOUNAVw.AgABAAEAAAAmoFfGtYxvRrNr...\nid_token        : eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtXYmthYTZxczh3c1RuQndpaU5ZT2hIYm...\nexpiry_datetime : 31.01.2024 14:11:08\n\n\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eAuthorization Code 
Grant\u003c/b\u003e\u003c/summary\u003e\n\nExample\n```powershell\n$code = Invoke-OAuth2AuthorizationEndpoint -uri $authorization_endpoint @splat -usePkce:$false\n\nnonce                          UYhqAG~GLvZqGj4hnlTkYFJY9LVcS9TrWiq.8n8Vu\nredirect_uri                   https://login.microsoftonline.com/common/oauth2/nativeclient\nclient_id                      5eda97cf-2963-41e9-bea0-b6ba2bbf8f99\ncode                           0.AUcAjvFfm8BTokWLwpwMj2CyxiGBP5hz2ZpErJuc3chlhOUNAVw.AgABAAmoFfG...\n\n$token = Invoke-OAuth2TokenEndpoint -uri $token_endpoint @code\n\ntoken_type      : Bearer\nscope           : User.Read profile openid email\nexpires_in      : 3848\next_expires_in  : 3848\naccess_token    : eyJ0eXAiOiJKV1QiLCJub62jZSI6ImhDRkwxMjVHdE85SmNqS0NWMFZQLWxTd2Z0Zm12LXFsV2VDR0...\nrefresh_token   : 0.AUcAjvFfm8BTokWLwpwMkJCyxiGBP5hz2ZpErJuc3chlhOUNAVw.AgABAAEAAAAmoFfGtYxjHyNf...\nid_token        : eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtXYmthYTZxczh3c1RuQndpaU547ZT2hI...\nexpiry_datetime : 31.01.2024 14:05:18\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eAuthorization Code Grant with Client Authentication (secret)\u003c/b\u003e\u003c/summary\u003e\n\nExample\n```powershell\n$splat.redirect_uri = \"https://localhost/web\"\n$code = Invoke-OAuth2AuthorizationEndpoint -uri $authorization_endpoint @splat \n\nclient_id                      5eda97cf-2963-41e9-bea0-b6ba2bbf8f99\ncode_verifier                  jWe-ecfnqZ.weAxbb-qHiZ3oe7LZ-tEyWq~7UB9RcNfZn65Xq2zPO7-8rv-5tp24p...\nnonce                          HRBD6BuH9PQM2_Kmuqj6KTranVVcuL80fsEpll-9nppaZp0H3CQaYhaqQ2VqUV8\nredirect_uri                   https://localhost/web\ncode                           0.AUcAjvFfm8BTokWLwpwMj2CyxiGBP5hz2ZpErJuc3chlhOUNAVw.AgABAAIAAAm...\n\n$token = Invoke-OAuth2TokenEndpoint -uri $token_endpoint @code -client_secret $client_secret\n\ntoken_type      : Bearer\nscope           : User.Read profile openid email\nexpires_in      : 
4069\next_expires_in  : 4069\naccess_token    : eyJ0eXAiOiJKG1QqLCJub25jZSI5IllOTzdpTmdXZnMtSmSSY1hpZk45bTdoa2E0WnNpWFY5ckswen...\nrefresh_token   : 0.AUcAjvFfmC9TokWLwpwMj2CyxiGBP5hz2ZpRrJuc3chlhOUGAVw.AgABAAEAAAAmoFfGtYxvRrNf...\nid_token        : eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtXYmthYTZxczh3c1RuQndpaU5ZT2hIYm...\nexpiry_datetime : 31.01.2024 14:28:58\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eRefresh Token Grant\u003c/b\u003e\u003c/summary\u003e\n\nExample\n```powershell\n$token = Invoke-OAuth2TokenEndpoint -uri $token_endpoint -refresh_token $token.refresh_token -client_id $splat.client_id -scope $splat.scope -nonce $code.nonce\n\ntoken_type      : Bearer\nscope           : User.Read profile openid email\nexpires_in      : 3951\next_expires_in  : 3951\naccess_token    : eyJ0eXAiOiJKR1QiLCJsf52jZSI6IjdCbkI2VDc5OGJZVlh3ZHdIRWVOMGducUVKQVBEUnBPcTZhMm...\nrefresh_token   : 0.AUcAjvFfm1BTokWLkjrMj3CyxiGBP5hz4ZpErJuc3chlhOUNAVw.AgABAAEAAAAmoFfGtDxvRrNa...\nid_token        : eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtXYmthYTZxczh3c1RuQndsapaU5ZT2hI...\nexpiry_datetime : 31.01.2024 14:16:56\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eClient Credentials Grant (client_secret_basic)\u003c/b\u003e\u003c/summary\u003e\n\nExample\n```powershell\n$splat.Remove(\"customParameters\")\n$splat.scope = \".default\"\n$token = Invoke-OAuth2TokenEndpoint -uri $token_endpoint @splat -client_secret (Invoke-Cache -keyName \"PSC_Test-ClientSecret\") -client_auth_method client_secret_basic\n\ntoken_type      : Bearer\nexpires_in      : 3599\next_expires_in  : 3599\naccess_token    : eyJ0eXAiOiJKV1DiLCJub25jZSI3IjUtQjB0bXBSNHhzYWtJSW8wOFY5ejFGVGRTWDF5blZfalNVX2...\nexpiry_datetime : 31.01.2024 14:14:06\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eClient Credentials Grant (client_secret_post)\u003c/b\u003e\u003c/summary\u003e\n\n```powershell\n$token = 
Invoke-OAuth2TokenEndpoint -uri $token_endpoint @splat -client_secret (Invoke-Cache -keyName \"PSC_Test-ClientSecret\" -asSecureString)\n\ntoken_type      : Bearer\nexpires_in      : 3599\next_expires_in  : 3599\naccess_token    : eyJ0eXAiOiJKV1QiGCJub25jZSI3ImtIeW5MWTNyUjdja0lZd1RTQWVSRi1yRnVYYUx0Y6VaU11NEF...\nexpiry_datetime : 31.01.2024 14:16:10\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eClient Credentials Grant (client_secret_jwt)\u003c/b\u003e\u003c/summary\u003e\n\nExample\n```powershell\n# Microsoft Graph DOES NOT support client_secret_jwt, but if they did, this is how you would do it.\n$token = Invoke-OAuth2TokenEndpoint -uri $token_endpoint @splat -client_secret $client_secret -client_auth_method \"client_secret_jwt\"\n\nerror          error_description\n-----          -----------------\ninvalid_client AADSTS5002723: Invalid JWT token. No certificate SHA-1 thumbprint, certificate SH...\n\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eClient Credentials Grant certificate (private_key_jwt)\u003c/b\u003e\u003c/summary\u003e\n\nExample\n```powershell\n$token = Invoke-OAuth2TokenEndpoint -uri $token_endpoint @splat -client_certificate \"Cert:\\CurrentUser\\My\\8ade399dddc5973e04e34ac19fe8f8759ba059b8\"\n\ntoken_type      : Bearer\nexpires_in      : 3599\next_expires_in  : 3599\naccess_token    : eyJ0eXAiOiJKV1QiLCJub21jZSI2InpBUjQ6UTBRc7dzYkcxOVJibQ032s2UUxrckZUcm9BYmwgdh0...\nexpiry_datetime : 31.01.2024 14:20:03\n\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eImplicit Grant (OAuth2.0)\u003c/b\u003e\u003c/summary\u003e\n\nExample\n```powershell\n$splat.redirect_uri = \"https://localhost/spa\"\n$splat.scope = \"User.Read\"\n$token = Invoke-OAuth2AuthorizationEndpoint -uri $authorization_endpoint @splat -response_type \"token\" -usePkce:$false\n\nexpires_in                     4371\nexpiry_datetime                31.01.2024 14:39:19\nscope            
              User.Read profile openid email\nsession_state                  5c044a56-543e-4bcc-a94f-d411ddec5a87\naccess_token                   eyJ0eXAiOiJKV1QiLCJkj76jZSI6InlaZzBmU1NGV1M1UmllaFRHc01jMWJkSFNIZ...\ntoken_type                     Bearer\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eImplicit Grant (OIDC)\u003c/b\u003e\u003c/summary\u003e\n\nExample\n```powershell\n$token = Invoke-OAuth2AuthorizationEndpoint -uri $authorization_endpoint @splat -response_type \"token id_token\" -usePkce:$false\n\nnonce                          NtKwrnSuV7xQQiya.jNXF940RQkS0OMlTcQDCOOgJay8a2qi0.MO4KKX8xc-XWUa\nexpires_in                     4949\nid_token                       eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtXYmthYTZxczh3c1RuQ...\nexpiry_datetime                31.01.2024 14:46:35\nscope                          User.Read profile openid email\nsession_state                  5c044a56-543e-4bcc-a94f-d411ddec5a87\naccess_token                   eyJ0eXAiOiJKV1QiLCJub51jZSI6Ik2saWhWbkdCMzNYUnI0VTF5VUVYLXA0Zkp6K...\ntoken_type                     Bearer\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eHybrid Grant\u003c/b\u003e\u003c/summary\u003e\n\nExample\n```powershell\n$splat.scope = \"user.read openid offline_access\"\n$splat.redirect_uri = \"http://localhost\"\n$splat.usePkce = $true\n$token = Invoke-OAuth2AuthorizationEndpoint -uri $authorization_endpoint  @splat -response_type \"code id_token\"\n\nnonce                          7B61P-.ST87WdKZ9TPF~1a5sMkPs.atxj8sBCmY2mHHfEKRotmK37dxDl\ncode_verifier                  w6Fvr5LTkex0k.aRJhL9rZeEDNSO5sdc8zeQYlstYJuZ2K9ck2azZ~Luxeaw2CCSd...\nid_token                       eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtXYmthYTZxczh3c1RuQ...\nclient_id                      5eda97cf-2963-41e9-bea0-b6ba2bbf8f99\nsession_state                  5c044a56-543e-4bcc-a94f-d411ddec5a87\nredirect_uri                   http://localhost\ncode            
               0.AUcAjvFfm8BTokWLwpwMj2CyxiGBP5hz2ZpErJuc3chlhOUNAVw.AgABAAAAAmo...\n\n$token.Remove(\"id_token\"); $token.Remove(\"session_state\")\n$tokens = Invoke-OAuth2TokenEndpoint -uri $token_endpoint @token\n\nnonce                          da1EE3-RRVJO.fFeCEw2TvG7hK46AWFWHJCOBeRfnJ6o\ncode_verifier                  ~4fYq2QcXlSIZN_vZ7pnKsO5VZ0Pq39hsdQOAziqDqsGNL-JGP~\nclient_id                      5eda97cf-2963-41e9-bea0-b6ba2bbf8f99\nredirect_uri                   http://localhost\ncode                           0.AUcAjvFfm8BTokWLwpwMj2CyxiGBP5hz2ZpErJuc3chlhOUNAVw.AgABAAIAAAA...\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eImplicit Flow (by Form_Post)\u003c/b\u003e\u003c/summary\u003e\n\nExample\n```powershell\n$splat.redirect_uri = \"http://localhost:5001/\"\n$customParameters = @{ \n    prompt = \"none\" # login, none, consent, select_account\n}\n$token = Invoke-OAuth2AuthorizationEndpoint -uri $authorization_endpoint  @splat -response_type \"code id_token\" -response_mode \"form_post\"\n\nnonce                          iOJ6n7jBlYAL_TrYlFjfKwOsPklX1-4iR\ncode_verifier                  j1v4ZEjF4AE.lMfsQ36UzF6OoBp.zwuJ7Qkez9XQX~4lGo9pnxxtN.P4ulFhkwBaZ...\nid_token                       eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtXYmthYTZxczh3c1RuQ...\nclient_id                      5eda97cf-2963-41e9-bea0-b6ba2bbf8f99\nsession_state                  5c044a56-543e-4bcc-a94f-d411ddec5a87\nredirect_uri                   http://localhost:5001/\ncode                           0.AUcAjvFfm8BTokWLwpwMj2CyxiGBP5hz2ZpErJuc3chlhOUNAVw.AgABAAIAmoF...\n\n\n$token.Remove(\"id_token\"); $token.Remove(\"session_state\")\n$tokens = Invoke-OAuth2TokenEndpoint -uri $token_endpoint @token\n\ntoken_type      : Bearer\nscope           : User.Read profile openid email\nexpires_in      : 4840\next_expires_in  : 4840\naccess_token    : eyJ0eXAiOiJKV1QiLCJub55jZSI6IlRsTFVNS5MyaEpscDNfNzKH75GXMXI0WndKMnlKJSJzFdzJEb...\nrefresh_token   : 
0.AUcAjvFfm8BTokSLwpwMj2CyxiGBP5kH76pErJuc3chlhOUNAVw.AgABAAEAPKIZ-AgDs_wSA9P9...\nid_token        : eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtXYmthYTZxczh3c1RuQndpaU5ZT2hIYm...\nexpiry_datetime : 31.01.2024 14:54:54\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eDevice Code Grant\u003c/b\u003e\u003c/summary\u003e\n\nExample\n```powershell\n$deviceCode = Invoke-OAuth2DeviceAuthorizationEndpoint -uri \"https://login.microsoftonline.com/$tenantId/oauth2/v2.0/devicecode\" -client_id $splat.client_id -scope $splat.scope\n\nuser_code        : L8EFTXRY3\ndevice_code      : LAQABAAEAAAAmoFfGtYxvRrNriQdPKIZ-2b64dTFbGcmRF3rSBagHQGtBcyz0K_XV8ltq-nXz8Ks6...\nverification_uri : https://microsoft.com/devicelogin\nexpires_in       : 900\ninterval         : 5\nmessage          : To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the co...\n\n# Pop interactive browser\nInvoke-WebView2 -uri \"https://microsoft.com/devicelogin\" -UrlCloseConditionRegex \"//appverify$\" -title \"Device Code Flow\" | Out-Null\n\n# After user-interaction has been completed.\n$token = Invoke-OAuth2TokenEndpoint -uri $token_endpoint -device_code $deviceCode.device_code -client_id $splat.client_id\n\ntoken_type      : Bearer\nscope           : User.Read profile openid email\nexpires_in      : 5320\next_expires_in  : 5320\naccess_token    : eyJ0eXAiOiJKV1QiKH6Gb25jZSI5IjlzanppVWtNSlkR4WxfWjBRWFJRZUl4TEdyaDBad05TQ01sQ1...\nrefresh_token   : 0.AUcAjvFfm8BlORWLwpwMj2CyxiGBP5hz2ZpErkU62chlhOUNAVw.AgABAAEAAAAmoFfGtYxvRrlK...\nid_token        : eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtXYmthYTZxczh3c1RuQndpaU5ZT2hIYm...\nexpiry_datetime : 31.01.2024 15:07:19\n\n\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eResource Owner Password Flow (ROPC)\u003c/b\u003e\u003c/summary\u003e\nI did not bother to implement this flow, as it's insecure and not recommended for use. 
It's fairly trivial to implement if you need it. See https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc for more information.\n\u003c/details\u003e\n\n## Issues and Contributions\nIf you encounter a bug or have a feature request, please [create an issue](https://github.com/alflokken/PSAuthClient/issues). I'm not actively seeking contributions. However, if you have an improvement in mind, please open an issue first to discuss it before submitting a pull request.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falflokken%2FPSAuthClient","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falflokken%2FPSAuthClient","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falflokken%2FPSAuthClient/lists"}