add support for parameter Resource

Author: erich-wang

src/Accounts/Accounts/Accounts.format.ps1xml

@@ -171,6 +171,35 @@
         </TableRowEntries>
       </TableControl>
     </View>
+    <View>
+      <Name>Microsoft.Azure.Commands.Profile.Models.PSAccessToken</Name>
+      <ViewSelectedBy>
+        <TypeName>Microsoft.Azure.Commands.Profile.Models.PSAccessToken</TypeName>
+      </ViewSelectedBy>
+      <ListControl>
+        <ListEntries>
+          <ListEntry>
+            <ListItems>
+              <ListItem>
+                <PropertyName>Token</PropertyName>
+              </ListItem>
+              <ListItem>
+                <PropertyName>ExpiresOn</PropertyName>
+              </ListItem>
+              <ListItem>
+                <PropertyName>Type</PropertyName>
+              </ListItem>
+              <ListItem>
+                <PropertyName>TenantId</PropertyName>
+              </ListItem>
+              <ListItem>
+                <PropertyName>UserId</PropertyName>
+              </ListItem>
+            </ListItems>
+          </ListEntry>
+        </ListEntries>
+      </ListControl>
+    </View>
     <View>
       <Name>Microsoft.Azure.Commands.Profile.Models.PSAzureSubscriptionPolicy</Name>
       <ViewSelectedBy>

src/Accounts/Accounts/Models/PSAccessToken.cs

@@ -0,0 +1,30 @@
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+
+namespace Microsoft.Azure.Commands.Profile.Models
+{
+    public class PSAccessToken
+    {
+        public string Token { get; set; }
+
+        public DateTimeOffset ExpiresOn { get; set; }
+
+        public string TenantId { get; set; }
+
+        public string UserId { get; set; }
+
+        public string Type { get; } = "Bearer";
+    }
+}

src/Accounts/Accounts/Token/GetAzureRmAccessToken.cs

@@ -14,117 +14,133 @@
 
 using System;
 using System.Collections.Generic;
-using System.Linq;
 using System.Management.Automation;
-using System.Net.Http;
-using System.Threading;
 
 using Microsoft.Azure.Commands.Common.Authentication;
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
-using Microsoft.Azure.Commands.Common.Authentication.Models;
+using Microsoft.Azure.Commands.Profile.Models;
 using Microsoft.Azure.Commands.ResourceManager.Common;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.PowerShell.Authenticators;
 
-namespace Microsoft.Azure.Commands.Profile.Token
+namespace Microsoft.Azure.Commands.Profile
 {
-    [Cmdlet(VerbsCommon.Get, AzureRMConstants.AzureRMPrefix + "AccessToken")]
-    [OutputType(typeof(string))]
+    [Cmdlet(VerbsCommon.Get, AzureRMConstants.AzureRMPrefix + "AccessToken", DefaultParameterSetName = KnownResourceNameParameterSet)]
+    [OutputType(typeof(PSAccessToken))]
     public class GetAzureRmAccessTokenCommand : AzureRMCmdlet
     {
-        private const string AuthorizationHeaderName = "Authorization";
-        private const string ResourceUriParameterSet = "ResourceUri";
+        private const string ResourceUrlParameterSet = "ResourceUrl";
         private const string KnownResourceNameParameterSet = "KnownResourceTypeName";
 
-        //TODO: Support ResourceUri directly
-        //[Parameter(ParameterSetName = ResourceUriParameterSet, Mandatory = false)]
-        //public string Resource { get; set; }
+        [Parameter(ParameterSetName = ResourceUrlParameterSet,
+            Mandatory = true,
+            HelpMessage = "Resource url for that you're requesting token, e.g. 'http://graph.windows.net/'.")]
+        [ValidateNotNullOrEmpty]
+        [Alias("Resource", "ResourceUri")]
+        public string ResourceUrl { get; set; }
 
         [Parameter(ParameterSetName = KnownResourceNameParameterSet,
             Mandatory = false,
-            HelpMessage = "Optional resouce type name, supported values: AadGraph, Analysis, Arm, Attest, DataLake, KeyVault, OperationInsights, Synapse. Default value is Arm if not specified.")]
+            HelpMessage = "Optional resouce type name, supported values: AadGraph, Analysis, Arm, Attestation, Batch, DataLake, KeyVault, OperationInsights, ResourceManager, Synapse. Default value is Arm if not specified.")]
         [PSArgumentCompleter(
             SupportedResourceNames.AadGraph,
             SupportedResourceNames.Analysis,
             SupportedResourceNames.Arm,
             SupportedResourceNames.Attest,
+            SupportedResourceNames.Batch,
             SupportedResourceNames.DataLake,
             SupportedResourceNames.KeyVault,
+            SupportedResourceNames.ManagedHsm,
             SupportedResourceNames.OperationInsights,
+            SupportedResourceNames.ResourceManager,
             SupportedResourceNames.Synapse
             )]
         public string ResourceTypeName { get; set; }
 
         //Use tenant in default context if not specified
+        //TODO: Should not specify TenantId for MSI, CloudShell(?)
         [Parameter(Mandatory = false, HelpMessage = "Optional Tenant Id. Use tenant id of default context if not specified.")]
         public string TenantId { get; set; }
 
         public override void ExecuteCmdlet()
         {
             base.ExecuteCmdlet();
 
-            string resourceId = null;
+            string resourceUrlOrId;
 
-            if (ResourceTypeName == null)
+            if (ParameterSetName == KnownResourceNameParameterSet)
             {
-                ResourceTypeName = SupportedResourceNames.Arm;
+                if (ResourceTypeName == null)
+                {
+                    ResourceTypeName = SupportedResourceNames.Arm;
+                }
+                if (!SupportedResourceNames.ResourceNameMap.ContainsKey(ResourceTypeName))
+                {
+                    throw new ArgumentException(Properties.Resources.InvalidResourceTypeName.FormatInvariant(ResourceTypeName), nameof(ResourceTypeName));
+                }
+                resourceUrlOrId = SupportedResourceNames.ResourceNameMap[ResourceTypeName];
             }
-            if (!SupportedResourceNames.ResourceNameMap.ContainsKey(ResourceTypeName))
+            else
             {
-                throw new ArgumentException(Properties.Resources.InvalidResourceTypeName.FormatInvariant(ResourceTypeName), nameof(ResourceTypeName));
+                resourceUrlOrId = ResourceUrl;
             }
 
-            resourceId = SupportedResourceNames.ResourceNameMap[ResourceTypeName];
-
-            resourceId = string.IsNullOrEmpty(resourceId) ? AzureEnvironment.Endpoint.ActiveDirectoryServiceEndpointResourceId : resourceId;
-
             IAzureContext context = DefaultContext;
-            if (!string.IsNullOrEmpty(TenantId) && !string.Equals(context.Tenant.Id, TenantId, StringComparison.OrdinalIgnoreCase))
+            if(TenantId == null)
             {
-                var profile = DefaultProfile as AzureRmProfile;
-                context = profile.Contexts.FirstOrDefault(c =>
-                    string.Equals(c.Value.Tenant.Id, TenantId, StringComparison.OrdinalIgnoreCase)).Value;
-                if (context == null)
-                {
-                    throw new ArgumentException(Properties.Resources.InvalidTenantId.FormatInvariant(TenantId), nameof(TenantId));
-                }
+                TenantId = context.Tenant?.Id;
             }
-            var credential = AzureSession.Instance.AuthenticationFactory.GetServiceClientCredentials(
-                context,
-                resourceId);
-            var requestMessage = new HttpRequestMessage();
-            credential.ProcessHttpRequestAsync(requestMessage, default(CancellationToken)).ConfigureAwait(false).GetAwaiter().GetResult();
-            if (requestMessage.Headers.Contains(AuthorizationHeaderName))
+
+            IAccessToken accessToken = AzureSession.Instance.AuthenticationFactory.Authenticate(
+                                context.Account,
+                                context.Environment,
+                                TenantId,
+                                null,
+                                ShowDialog.Never,
+                                null,
+                                null,
+                                resourceUrlOrId);
+
+            var result = new PSAccessToken()
             {
-                var token = requestMessage.Headers.GetValues(AuthorizationHeaderName)
-                    ?.FirstOrDefault()?.Substring("Bearer ".Length);
-                WriteObject(token);
-            }
+                Token = accessToken.AccessToken,
+                TenantId = TenantId,
+                UserId = accessToken.UserId,
+            };
+            result.ExpiresOn = (accessToken as MsalAccessToken)?.ExpiredOn ?? result.ExpiresOn;
+
+            WriteObject(result);
         }
 
         internal class SupportedResourceNames
         {
-            //TODO: Support 'Batch' and 'ManagedHsm', need to upate AzureEnvironmentExtensions.GetTokenAudience() to support more endpoints
-
             public const string Arm = "Arm";
             public const string AadGraph = "AadGraph";
+            public const string Batch = "Batch";
             public const string DataLake = "DataLake";
             public const string KeyVault = "KeyVault";
+            public const string ResourceManager = "ResourceManager"; //endpoint is same as Arm
 
             public const string Analysis = "Analysis";
-            public const string Attest = "Attest";
+            public const string Attest = "Attestation";
             public const string OperationInsights = "OperationInsights";
             public const string Synapse = "Synapse";
+            public const string ManagedHsm = "ManagedHsm";
 
             internal static Dictionary<string, string> ResourceNameMap = new Dictionary<string, string>()
             {
                 { Arm, AzureEnvironment.Endpoint.ActiveDirectoryServiceEndpointResourceId },
-                { AadGraph, AzureEnvironment.Endpoint.Graph}, //Only exception that not using xxxResourceId because of implementation of GetTokenAudience
-                { DataLake, AzureEnvironment.Endpoint.DataLakeEndpointResourceId},
-                { KeyVault, AzureEnvironment.Endpoint.AzureKeyVaultServiceEndpointResourceId},
-                { Analysis, AzureEnvironment.ExtendedEndpoint.AnalysisServicesEndpointResourceId},
+                { AadGraph, AzureEnvironment.Endpoint.GraphEndpointResourceId },
+                { Batch, AzureEnvironment.Endpoint.BatchEndpointResourceId },
+                { DataLake, AzureEnvironment.Endpoint.DataLakeEndpointResourceId },
+                { KeyVault, AzureEnvironment.Endpoint.AzureKeyVaultServiceEndpointResourceId },
+                { ResourceManager, AzureEnvironment.Endpoint.ActiveDirectoryServiceEndpointResourceId },
+
+                { Analysis, AzureEnvironment.ExtendedEndpoint.AnalysisServicesEndpointResourceId },
                 { Attest, AzureEnvironment.ExtendedEndpoint.AzureAttestationServiceEndpointResourceId },
-                { OperationInsights, AzureEnvironment.ExtendedEndpoint.OperationalInsightsEndpointResourceId},
-                { Synapse, AzureEnvironment.ExtendedEndpoint.AzureSynapseAnalyticsEndpointResourceId},
+                { OperationInsights, AzureEnvironment.ExtendedEndpoint.OperationalInsightsEndpointResourceId },
+                { Synapse, AzureEnvironment.ExtendedEndpoint.AzureSynapseAnalyticsEndpointResourceId },
+                { ManagedHsm, AzureEnvironment.ExtendedEndpoint.ManagedHsmServiceEndpointResourceId }
             };
         }
     }

src/Accounts/Accounts/help/Get-AzAccessToken.md

@@ -12,9 +12,16 @@ Get raw access token
 
 ## SYNTAX
 
-### KnownResourceTypeName
+### KnownResourceTypeName (Default)
 ```
-Get-AzAccessToken -ResourceTypeName <String> [-TenantId <String>] [-DefaultProfile <IAzureContextContainer>]
+Get-AzAccessToken [-ResourceTypeName <String>] [-TenantId <String>] [-DefaultProfile <IAzureContextContainer>]
+ [<CommonParameters>]
+```
+
+### ResourceUrl
+When using ResourceUrl, please make sure the value is correct for current Azure environment. You may refer to the value of `(Get-AzContext).Environment`.
+```
+Get-AzAccessToken -ResourceUrl <String> [-TenantId <String>] [-DefaultProfile <IAzureContextContainer>]
  [<CommonParameters>]
 ```
 
@@ -37,6 +44,13 @@ PS C:\> Get-AzAccessToken -ResourceTypeName AadGraph
 
 Get access token of AAD graph endpoint for current account
 
+### Example 3 Get raw access token for AAD graph endpoint
+```powershell
+PS C:\> Get-AzAccessToken -Resource "https://graph.windows.net/"
+```
+
+Get access token of AAD graph endpoint for current account
+
 ## PARAMETERS
 
 ### -DefaultProfile
@@ -55,13 +69,28 @@ Accept wildcard characters: False
 ```
 
 ### -ResourceTypeName
-Optional resouce type name, supported values: AadGraph, Analysis, Arm, Attest, DataLake, KeyVault, OperationInsights, Synapse. Default value is Arm if not specified.
+Optional resouce type name, supported values: AadGraph, Analysis, Arm, Attestation, Batch, DataLake, KeyVault, OperationInsights, ResourceManager, Synapse. Default value is Arm if not specified.
 
 ```yaml
 Type: System.String
 Parameter Sets: KnownResourceTypeName
 Aliases:
 
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceUrl
+Resource url for that you're requesting token, e.g. 'http://graph.windows.net/'.
+
+```yaml
+Type: System.String
+Parameter Sets: ResourceUrl
+Aliases: Resource, ResourceUri
+
 Required: True
 Position: Named
 Default value: None
@@ -75,6 +104,7 @@ Optional Tenant Id. Use tenant id of default context if not specified.
 ```yaml
 Type: System.String
 Parameter Sets: (All)
+Aliases:
 
 Required: False
 Position: Named

src/Accounts/Authenticators/MsalAccessToken.cs

@@ -39,7 +39,7 @@ public class MsalAccessToken : IAccessToken
 
         public IDictionary<string, string> ExtendedProperties { get; } = new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);
 
-        private DateTimeOffset ExpiredOn { get; set; }
+        public DateTimeOffset ExpiredOn { get; set; }
 
         private readonly static TimeSpan ExpirationThreshold = TimeSpan.FromMinutes(5);