Adding browser flow

Author: FriedrichWeinmann

MiniGraph/MiniGraph.psd1

@@ -4,7 +4,7 @@
 RootModule = 'MiniGraph.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.2.7'
+ModuleVersion = '1.3.12'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()
@@ -63,14 +63,15 @@ Description = 'Minimal query infrastructure for interacting with MS Graph'
 # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
 FunctionsToExport = @(
 	'Connect-GraphAzure'
-    'Connect-GraphCertificate'
-    'Connect-GraphClientSecret'
-    'Connect-GraphCredential'
+	'Connect-GraphBrowser'
+	'Connect-GraphCertificate'
+	'Connect-GraphClientSecret'
+	'Connect-GraphCredential'
 	'Connect-GraphDeviceCode'
 	'Connect-GraphToken'
-    'Invoke-GraphRequest'
-    'Invoke-GraphRequestBatch'
-    'Set-GraphEndpoint'
+	'Invoke-GraphRequest'
+	'Invoke-GraphRequestBatch'
+	'Set-GraphEndpoint'
 )
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.

MiniGraph/functions/Connect-GraphBrowser.ps1

@@ -0,0 +1,171 @@
+function Connect-GraphBrowser {
+	<#
+	.SYNOPSIS
+		Interactive logon using the Authorization flow and browser. Supports SSO.
+	
+	.DESCRIPTION
+		Interactive logon using the Authorization flow and browser. Supports SSO.
+
+		This flow requires an App Registration configured for the platform "Mobile and desktop applications".
+		Its redirect Uri must be "http://localhost"
+
+		On successful authentication
+	
+	.PARAMETER ClientID
+		The ID of the registered app used with this authentication request.
+	
+	.PARAMETER TenantID
+		The ID of the tenant connected to with this authentication request.
+	
+	.PARAMETER SelectAccount
+		As this flow supports single-sign-on, it will not prompt for anything if 
+	
+	.PARAMETER Scopes
+        Generally doesn't need to be changed from the default 'https://graph.microsoft.com/.default'
+
+	.PARAMETER LocalPort
+		The local port that should be redirected to.
+		In order to process the authentication response, we need to listen to a local web request on some port.
+		Usually needs not be redirected.
+		Defaults to: 8080
+
+	.PARAMETER Resource
+		The resource the token grants access to.
+		Generally doesn't need to be changed from the default 'https://graph.microsoft.com/'
+		Only needed when connecting to another service.
+
+	.PARAMETER Browser
+		The path to the browser to use for the authentication flow.
+		Provide the full path to the executable.
+		The browser must accept the url to open as its only parameter.
+		Defaults to Edge.
+	
+	.PARAMETER NoReconnect
+		Disables automatic reconnection.
+		By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
+	
+	.EXAMPLE
+		PS C:\> Connect-GraphBrowser -ClientID '<ClientID>' -TenantID '<TenantID>'
+	
+		Connects to the specified tenant using the specified client, prompting the user to authorize via Browser.
+	#>
+	[CmdletBinding()]
+	param (
+		[Parameter(Mandatory = $true)]
+		[string]
+		$TenantID,
+
+		[Parameter(Mandatory = $true)]
+		[string]
+		$ClientID,
+
+		[switch]
+		$SelectAccount,
+
+		[string[]]
+		$Scopes = 'https://graph.microsoft.com/.default',
+
+		[int]
+		$LocalPort = 8080,
+
+		[Uri]
+		$Resource = 'https://graph.microsoft.com/',
+
+		[string]
+		$Browser = $script:browserPath,
+
+		[switch]
+		$NoReconnect
+	)
+	process {
+		Add-Type -AssemblyName System.Web
+
+		$redirectUri = "http://localhost:$LocalPort"
+		$actualScopes = foreach ($scope in $Scopes) {
+			if ($scope -like 'https://*/*') { $scope }
+			else { "{0}://{1}/{2}" -f $Resource.Scheme, $Resource.Host, $scope }
+		}
+
+		if (-not $NoReconnect) {
+			$actualScopes = @($actualScopes) + 'offline_access'
+		}
+
+		$uri = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/authorize?"
+		$state = Get-Random
+		$parameters = @{
+			client_id     = $ClientID
+			response_type = 'code'
+			redirect_uri  = $redirectUri
+			response_mode = 'query'
+			scope         = $Scopes -join ' '
+			state         = $state
+		}
+		if ($SelectAccount) {
+			$parameters.prompt = 'select_account'
+		}
+
+		$paramStrings = foreach ($pair in $parameters.GetEnumerator()) {
+			$pair.Key, ([System.Web.HttpUtility]::UrlEncode($pair.Value)) -join '='
+		}
+		$uriFinal = $uri + ($paramStrings -join '&')
+		Write-Verbose "Authorize Uri: $uriFinal"
+
+		$redirectTo = 'https://raw.githubusercontent.com/FriedrichWeinmann/MiniGraph/master/nothing-to-see-here.txt'
+		if ((Get-Random -Minimum 10 -Maximum 99) -eq 66) {
+			$redirectTo = 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'
+		}
+		
+		# Start local server to catch the redirect
+		$http = [System.Net.HttpListener]::new()
+		$http.Prefixes.Add("$redirectUri/")
+		try { $http.Start() }
+		catch { Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Failed to create local http listener on port $LocalPort. Use -LocalPort to select a different port. $_" -Category OpenError }
+
+		# Execute in default browser
+		& $Browser $uriFinal
+
+		# Get Result
+		$task = $http.GetContextAsync()
+		$authorizationCode, $stateReturn, $sessionState = $null
+		try {
+			while (-not $task.IsCompleted) {
+				Start-Sleep -Milliseconds 200
+			}
+			$context = $task.Result
+			$context.Response.Redirect($redirectTo)
+			$context.Response.Close()
+			$authorizationCode, $stateReturn, $sessionState = $context.Request.Url.Query -split "&"
+		}
+		finally {
+			$http.Stop()
+			$http.Dispose()
+		}
+
+		if (-not $stateReturn) {
+			Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Authentication failed (see browser for details)" -Category AuthenticationError
+		}
+
+		if ($state -ne $stateReturn.Split("=")[1]) {
+			Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Received invalid authentication result. Likely returned from another flow redirecting to the same local port!" -Category InvalidOperation
+		}
+
+		$actualAuthorizationCode = $authorizationCode.Split("=")[1]
+
+		$body = @{
+			client_id    = $ClientID
+			scope        = $actualScopes -join " "
+			code         = $actualAuthorizationCode
+			redirect_uri = $redirectUri
+			grant_type   = 'authorization_code'
+		}
+		$uri = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token"
+		try { $authResponse = Invoke-RestMethod -Method Post -Uri $uri -Body $body -ErrorAction Stop }
+		catch {
+			if ($_ -notmatch '"error":\s*"invalid_client"') { Invoke-TerminatingException -Cmdlet $PSCmdlet -ErrorRecord $_ }
+			Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "The App Registration $ClientID has not been configured correctly. Ensure you have a 'Mobile and desktop applications' platform with redirect to 'http://localhost' configured (and not a 'Web' Platform). $_" -Category $_.CategoryInfo.Category
+		}
+		$script:token = $authResponse.access_token
+
+		Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect -RefreshToken $authResponse.refresh_token
+	}
+}

MiniGraph/functions/Connect-GraphCertificate.ps1

@@ -15,6 +15,11 @@
     .PARAMETER ClientID
         The ClientID / ApplicationID of the application to connect as.
 
+	.PARAMETER Scopes
+		The scopes to request when connecting.
+		IN Application flows, this only determines the service for which to retrieve the scopes already configured on the App Registration.
+		Defaults to graph API.
+
 	.PARAMETER NoReconnect
 		Disables automatic reconnection.
 		By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
@@ -46,6 +51,9 @@
 		[string]
 		$ClientID,
 
+		[string[]]
+		$Scopes = 'https://graph.microsoft.com/.default',
+
 		[switch]
 		$NoReconnect
 	)
@@ -73,7 +81,7 @@
 		client_id             = $ClientID
 		client_assertion      = $jwt
 		client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
-		scope                 = 'https://graph.microsoft.com/.default'
+		scope                 = $Scopes -join ' '
 		grant_type            = 'client_credentials'
 	}
 	$header = @{

MiniGraph/functions/Invoke-GraphRequestBatch.ps1

@@ -1,6 +1,5 @@
-function Invoke-GraphRequestBatch
-{
-    <#
+function Invoke-GraphRequestBatch {
+	<#
     .SYNOPSIS
         Invoke a batch request against the graph API
     .DESCRIPTION
@@ -24,69 +23,56 @@
             $araCounter++
         }
     #>
-    param
-    (
-        [Parameter(Mandatory)]
-        [hashtable[]]
-        $Request
-    )
+	[CmdletBinding()]
+	param (
+		[Parameter(Mandatory = $true)]
+		[hashtable[]]
+		$Request
+	)
 
-    $batchSize = 20 # Currently hardcoded API limit
-    $counter = [pscustomobject] @{ Value = 0 }
-    $batches = $Request | Group-Object -Property { [math]::Floor($counter.Value++ / $batchSize) } -AsHashTable
+	$batchSize = 20 # Currently hardcoded API limit
+	$counter = [pscustomobject] @{ Value = 0 }
+	$batches = $Request | Group-Object -Property { [math]::Floor($counter.Value++ / $batchSize) } -AsHashTable
 
-    $batchResult = [System.Collections.ArrayList]::new()
+	foreach ($batch in ($batches.GetEnumerator() | Sort-Object -Property Key)) {
+		[array] $innerResult = try {
+			$jsonbody = @{requests = [array]$batch.Value } | ConvertTo-Json -Depth 42 -Compress
+            (MiniGraph\Invoke-GraphRequest -Query '$batch' -Method Post -Body $jsonbody -ErrorAction Stop).responses
+		}
+		catch {
+			Write-Error -Message "Error sending batch: $($_.Exception.Message)" -TargetObject $jsonbody
+			continue
+		}
 
-    foreach ($batch in ($batches.GetEnumerator() | Sort-Object -Property Key))
-    {
-        [array] $innerResult = try
-        {
-            $jsonbody = @{requests = [array]$batch.Value } | ConvertTo-Json -Depth 42 -Compress
-            (Invoke-GraphRequest -Query '$batch' -Method Post -Body $jsonbody -ErrorAction Stop).responses
-        }
-        catch [Microsoft.PowerShell.Commands.HttpResponseException]
-        {
-            Write-Error -Message "Error sending batch: $($_.Exception.Message)" -TargetObject $jsonbody
-        }
+		$throttledRequests = $innerResult | Where-Object status -EQ 429
+		$failedRequests = $innerResult | Where-Object { $_.status -ne 429 -and $_.status -in (400..499) }
+		$successRequests = $innerResult | Where-Object status -In (200..299)
 
-        $throttledRequests = $innerResult | Where-Object status -eq 429
-        $failedRequests = $innerResult | Where-Object { $_.status -ne 429 -and $_.status -in (400..499) }
-        $successRequests = $innerResult | Where-Object status -in (200..299)
+		foreach ($failedRequest in $failedRequests) {
+			Write-Error -Message "Error in batch request $($failedRequest.id): $($failedRequest.body.error.message)"
+		}
 
-        if ($successRequests)
-        {
-            $null = $batchResult.AddRange([array]$successRequests)
-        }
+		if ($successRequests) {
+			$successRequests
+		}
 
-        if ($throttledRequests)
-        {
-            $interval = ($throttledRequests.Headers | Sort-Object 'Retry-After' | Select-Object -Last 1).'Retry-After'
-            Write-Verbose -Message "Throttled requests detected, waiting $interval seconds before retrying"
+		if ($throttledRequests) {
+			$interval = ($throttledRequests.Headers | Sort-Object 'Retry-After' | Select-Object -Last 1).'Retry-After'
+			Write-Verbose -Message "Throttled requests detected, waiting $interval seconds before retrying"
 
-            Start-Sleep -Seconds $interval
-            $retry = $Request | Where-Object id -in $throttledRequests.id
+			Start-Sleep -Seconds $interval
+			$retry = $Request | Where-Object id -In $throttledRequests.id
 
-            if (-not $retry)
-            {
-                continue
-            }
-
-            try
-            {
-                $retriedResults = [array](Invoke-GraphRequestBatch -Name $Name -Request $retry -NoProgress -ErrorAction Stop).responses
-                $null = $batchResult.AddRange($retriedResults)
-            }
-            catch [Microsoft.PowerShell.Commands.HttpResponseException]
-            {
-                Write-Error -Message "Error sending retry batch: $($_.Exception.Message)" -TargetObject $retry
-            }
-        }
-
-        foreach ($failedRequest in $failedRequests)
-        {
-            Write-Error -Message "Error in batch request $($failedRequest.id): $($failedRequest.body.error.message)"
-        }
-    }
+			if (-not $retry) {
+				continue
+			}
 
-    $batchResult
-}
+			try {
+                (MiniGraph\Invoke-GraphRequestBatch -Name $Name -Request $retry -NoProgress -ErrorAction Stop).responses
+			}
+			catch {
+				Write-Error -Message "Error sending retry batch: $($_.Exception.Message)" -TargetObject $retry
+			}
+		}
+	}
+}

MiniGraph/internal/functions/Invoke-TerminatingException.ps1

@@ -23,6 +23,9 @@
 	.PARAMETER ErrorRecord
 		A full error record that was caught by the caller.
 		Use this when you want to rethrow an existing error.
+
+	.PARAMETER Target
+		The target of the exception.
 	
 	.EXAMPLE
 		PS C:\> Invoke-TerminatingException -Cmdlet $PSCmdlet -Message 'Unknown calling module'
@@ -44,7 +47,9 @@
 		$Category = [System.Management.Automation.ErrorCategory]::NotSpecified,
 
 		[System.Management.Automation.ErrorRecord]
-		$ErrorRecord
+		$ErrorRecord,
+
+		$Target
 	)
 
 	process{

MiniGraph/internal/scripts/variables.ps1

@@ -10,4 +10,7 @@ $script:lastConnect = @{
 	Command    = $null
 	Parameters = $null
 	Refresh    = $null
-}
+}
+
+# Used for Browser-Based interactive logon
+$script:browserPath = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'