Merge pull request #78 from microsoftgraph/po/ExposeScopes

Return Login Context WIth Cumulative Scopes.

Author: peombwa

src/Authentication/Authentication/Cmdlets/ConnectGraph.cs

@@ -6,8 +6,10 @@ namespace Microsoft.Graph.PowerShell.Authentication.Cmdlets
     using Microsoft.Graph.Auth;
     using Microsoft.Graph.PowerShell.Authentication.Helpers;
     using Microsoft.Graph.PowerShell.Authentication.Models;
+    using Microsoft.Identity.Client;
     using System;
     using System.Collections.Generic;
+    using System.Linq;
     using System.Management.Automation;
     using System.Net.Http;
     using System.Threading;
@@ -38,7 +40,7 @@ public class ConnectGraph : PSCmdlet
 
         protected override void BeginProcessing()
         {
-            validateParameters();
+            ValidateParameters();
             base.BeginProcessing();
         }
 
@@ -72,13 +74,15 @@ protected override void ProcessRecord()
                 authConfig.CertificateName = CertificateName;
             }
 
-            // Save auth config to session state.
-            SessionState.PSVariable.Set(Constants.GraphAuthConfigId, authConfig);
-
             try
             {
                 // Gets a static instance of IAuthenticationProvider when the client app hasn't changed. 
                 IAuthenticationProvider authProvider = AuthenticationHelpers.GetAuthProvider(authConfig);
+                IClientApplicationBase clientApplication = null;
+                if (ParameterSetName == Constants.UserParameterSet)
+                    clientApplication = (authProvider as DeviceCodeProvider).ClientApplication;
+                else
+                    clientApplication = (authProvider as ClientCredentialProvider).ClientApplication;
 
                 // Incremental scope consent without re-instanciating the auth provider. We will use a static instance.
                 GraphRequestContext graphRequestContext = new GraphRequestContext();
@@ -97,11 +101,23 @@ protected override void ProcessRecord()
                         }
                     }
                 };
-                HttpRequestMessage httpRequestMessage = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me");
-                httpRequestMessage.Properties.Add(typeof(GraphRequestContext).ToString(), graphRequestContext);
 
                 // Trigger consent.
+                HttpRequestMessage httpRequestMessage = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me");
+                httpRequestMessage.Properties.Add(typeof(GraphRequestContext).ToString(), graphRequestContext);
                 authProvider.AuthenticateRequestAsync(httpRequestMessage).GetAwaiter().GetResult();
+
+                var accounts = clientApplication.GetAccountsAsync().GetAwaiter().GetResult();
+                var account = accounts.FirstOrDefault();
+
+                JwtPayload jwtPayload = JwtHelpers.DecodeToObject<JwtPayload>(httpRequestMessage.Headers.Authorization?.Parameter);
+                authConfig.Scopes = jwtPayload?.Scp?.Split(' ') ?? jwtPayload?.Roles;
+                authConfig.TenantId = jwtPayload?.Tid ?? account?.HomeAccountId?.TenantId;
+                authConfig.AppName = jwtPayload?.AppDisplayname;
+                authConfig.Account = jwtPayload?.Upn ?? account?.Username;
+
+                // Save auth config to session state.
+                SessionState.PSVariable.Set(Constants.GraphAuthConfigId, authConfig);
             }
             catch (AuthenticationException authEx)
             {
@@ -116,16 +132,14 @@ protected override void ProcessRecord()
             }
 
             WriteObject("Welcome To Microsoft Graph!");
-            // WriteObject(File.ReadAllText(".\\Art\\WelcomeText.txt"));
-            // WriteObject(File.ReadAllText(".\\Art\\GRaphText.txt"));
         }
 
         protected override void StopProcessing()
         {
             base.StopProcessing();
         }
 
-        private void validateParameters()
+        private void ValidateParameters()
         {
             if (ParameterSetName == Constants.AppParameterSet)
             {

src/Authentication/Authentication/Cmdlets/GetMGContext.cs

@@ -0,0 +1,46 @@
+// ------------------------------------------------------------------------------
+//  Copyright (c) Microsoft Corporation.  All Rights Reserved.  Licensed under the MIT License.  See License in the project root for license information.
+// ------------------------------------------------------------------------------
+
+namespace Microsoft.Graph.PowerShell.Authentication.Cmdlets
+{
+    using Microsoft.Graph.Auth;
+    using Microsoft.Graph.PowerShell.Authentication.Helpers;
+    using Microsoft.Graph.PowerShell.Authentication.Models;
+    using System;
+    using System.Collections.Generic;
+    using System.Management.Automation;
+    using System.Net.Http;
+    using System.Threading;
+    using System.Threading.Tasks;
+
+    [Cmdlet(VerbsCommon.Get, "MgContext", DefaultParameterSetName = Constants.UserParameterSet)]
+    [OutputType(typeof(AuthConfig))]
+    public class GetMGContext: PSCmdlet
+    {
+        protected override void BeginProcessing()
+        {
+            base.BeginProcessing();
+        }
+
+        protected override void ProcessRecord()
+        {
+            base.ProcessRecord();
+            // Get auth config from session state.
+            PSVariable graphAuthVariable = SessionState.PSVariable.Get(Constants.GraphAuthConfigId);
+            AuthConfig authConfig = graphAuthVariable?.Value as AuthConfig;
+            Invoke<AuthConfig>();
+            WriteObject(authConfig as AuthConfig);
+        }
+
+        protected override void EndProcessing()
+        {
+            base.EndProcessing();
+        }
+
+        protected override void StopProcessing()
+        {
+            base.StopProcessing();
+        }
+    }
+}

src/Authentication/Authentication/ErrorConstants.cs

@@ -0,0 +1,18 @@
+// ------------------------------------------------------------------------------
+//  Copyright (c) Microsoft Corporation.  All Rights Reserved.  Licensed under the MIT License.  See License in the project root for license information.
+// ------------------------------------------------------------------------------
+namespace Microsoft.Graph.PowerShell.Authentication
+{
+    public static class ErrorConstants
+    {
+        internal static class Codes
+        {
+            internal const string InvalidJWT = "invalidJWT";
+        }
+
+        internal static class Message
+        {
+            internal const string InvalidJWT = "Invalid JWT access token.";
+        }
+    }
+}

src/Authentication/Authentication/Helpers/AuthenticationHelpers.cs

@@ -100,7 +100,7 @@ private static X509Certificate2 GetCertificateByThumbprint(string CertificateThu
                     .Find(X509FindType.FindByTimeValid, DateTime.Now, false)
                     .Find(X509FindType.FindByThumbprint, CertificateThumbprint, false);
 
-                if (unexpiredCerts == null)
+                if (unexpiredCerts.Count < 1)
                     throw new Exception($"{CertificateThumbprint} certificate was not found or has expired.");
 
                 // Only return current cert.

src/Authentication/Authentication/Helpers/JwtHelpers.cs

@@ -0,0 +1,64 @@
+// ------------------------------------------------------------------------------
+//  Copyright (c) Microsoft Corporation.  All Rights Reserved.  Licensed under the MIT License.  See License in the project root for license information.
+// ------------------------------------------------------------------------------
+
+namespace Microsoft.Graph.PowerShell.Authentication.Helpers
+{
+    using Microsoft.Graph.Auth;
+    using Microsoft.IdentityModel.Tokens;
+    using Newtonsoft.Json;
+    using Newtonsoft.Json.Linq;
+    using System;
+    using System.Collections.Generic;
+    using System.IdentityModel.Tokens.Jwt;
+    using System.Security.Claims;
+    using System.Text;
+
+    /// <summary>
+    /// A JwtHelpers class.
+    /// </summary>
+    internal static class JwtHelpers
+    {
+        /// <summary>
+        /// Decodes a JWT token by extracting claims from the payload.
+        /// </summary>
+        /// <param name="jwToken">A JWT string.</param>
+        internal static string Decode(string jwToken)
+        {
+            JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
+            if (jwtHandler.CanReadToken(jwToken))
+            {
+                JwtSecurityToken token = jwtHandler.ReadJwtToken(jwToken);
+                JwtPayload jwtPayload = new JwtPayload(token.Claims);
+                return jwtPayload.SerializeToJson();
+            } else {
+                return null;
+            }
+        }
+
+        /// <summary>
+        /// Decodes a JWT token by extracting claims from the payload to an object of type T.
+        /// </summary>
+        /// <typeparam name="T">An object with properties of the JWT payload.</typeparam>
+        /// <param name="jwToken">A JWT string.</param>
+        internal static T DecodeToObject<T>(string jwtString)
+        {
+            try
+            {
+                string decodedJWT = Decode(jwtString);
+                if (decodedJWT == null)
+                    return default(T);
+                return JsonConvert.DeserializeObject<T>(decodedJWT);
+            }
+            catch (Exception ex)
+            {
+                throw new AuthenticationException(
+                        new Error
+                        {
+                            Code = ErrorConstants.Codes.InvalidJWT,
+                            Message = ErrorConstants.Message.InvalidJWT
+                        }, ex);
+            }
+        }
+    }
+}

src/Authentication/Authentication/Microsoft.Graph.Authentication.csproj

@@ -21,10 +21,11 @@
     <PreLoadAssemblies Include="$(RepoTools)lib\System.Security.Cryptography.ProtectedData.dll" />
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.Graph.Auth" Version="1.0.0-preview.2" />
-    <PackageReference Include="Microsoft.Graph.Core" Version="1.18.0" />
-    <PackageReference Include="Microsoft.Identity.Client" Version="4.5.1" />
+    <PackageReference Include="Microsoft.Graph.Auth" Version="1.0.0-preview.3" />
+    <PackageReference Include="Microsoft.Graph.Core" Version="1.19.0" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.8.0" />
     <PackageReference Include="PowerShellStandard.Library" Version="5.1.0" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.6.0" />
     <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="4.7.0" />
   </ItemGroup>
   <Target Name="CopyFiles" AfterTargets="Build">

src/Authentication/Authentication/Microsoft.Graph.Authentication.format.ps1xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+  <ViewDefinitions>
+    <View>
+      <Name>AuthConfigView</Name>
+      <ViewSelectedBy>
+        <TypeName>Microsoft.Graph.PowerShell.Authentication.Models.AuthConfig</TypeName>
+      </ViewSelectedBy>
+      <TableControl>
+        <TableHeaders>
+        </TableHeaders>
+        <TableRowEntries>
+          <TableRowEntry>
+            <TableColumnItems>
+              <TableColumnItem>
+                <PropertyName>AppName</PropertyName>
+              </TableColumnItem>
+              <TableColumnItem>
+                <PropertyName>AuthType</PropertyName>
+              </TableColumnItem>
+              <TableColumnItem>
+                <PropertyName>TenantId</PropertyName>
+              </TableColumnItem>
+              <TableColumnItem>
+                <PropertyName>Account</PropertyName>
+              </TableColumnItem>
+              <TableColumnItem>
+                <PropertyName>Scopes</PropertyName>
+              </TableColumnItem>
+            </TableColumnItems>
+          </TableRowEntry>
+        </TableRowEntries>
+      </TableControl>
+    </View>
+  </ViewDefinitions>
+</Configuration>

src/Authentication/Authentication/Microsoft.Graph.Authentication.nuspec

@@ -17,8 +17,8 @@
   </metadata>
   <files>
     <file src="Microsoft.Graph.Authentication.psd1" />
+    <file src="Microsoft.Graph.Authentication.format.ps1xml" />
     <file src="Microsoft.Graph.Authentication.psm1" />
-    <!--<file src="Graph.Authentication.psm1" />-->
     <!-- https://github.com/NuGet/Home/issues/3584 -->
     <file src="bin/Microsoft.Graph.Authentication.dll" target="bin" />
     <file src="bin/Microsoft.Graph.Authentication.deps.json" target="bin" />

src/Authentication/Authentication/Microsoft.Graph.Authentication.psd1

@@ -63,7 +63,7 @@ DotNetFrameworkVersion = '4.7.2'
 # TypesToProcess = @()
 
 # Format files (.ps1xml) to be loaded when importing this module
-# FormatsToProcess = @()
+FormatsToProcess = './Microsoft.Graph.Authentication.Format.ps1xml'
 
 # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
 # NestedModules = @()
@@ -72,13 +72,13 @@ DotNetFrameworkVersion = '4.7.2'
 FunctionsToExport = '*'
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-CmdletsToExport = 'Connect-Graph', 'Disconnect-Graph'
+CmdletsToExport = 'Connect-Graph', 'Disconnect-Graph', 'Get-MgContext'
 
 # Variables to export from this module
-VariablesToExport = '*'
+# VariablesToExport = @()
 
 # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
-AliasesToExport = '*'
+AliasesToExport = @()
 
 # DSC resources to export from this module
 # DscResourcesToExport = @()
@@ -95,7 +95,7 @@ PrivateData = @{
     PSData = @{
 
         # Tags applied to this module. These help with module discovery in online galleries.
-        Tags = 'Microsoft;Office365;Graph;PowerShell;GraphServiceClient;Outlook;OneDrive;AzureAD;GraphAPI;Productivity;SharePoint;Intune;SDK;'
+        Tags = 'Microsoft','Office365','Graph','PowerShell','Teams','Outlook','OneDrive','AzureAD','GraphAPI','Productivity','SharePoint','Intune','SDK'
 
         # A URL to the license for this module.
         LicenseUri = 'https://aka.ms/devservicesagreement'

src/Authentication/Authentication/Models/AuthConfig.cs

@@ -18,6 +18,8 @@ public class AuthConfig
         public string[] Scopes { get; set; }
         public AuthenticationType AuthType { get; set; }
         public string CertificateName { get; set; }
+        public string Account { get; set; }
+        public string AppName { get; set; }
 
         public AuthConfig()
         {