Functions/Get-JwkCollection.ps1
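function Get-JwkCollection {
    <#
    .SYNOPSIS
        Gets a collection of JSON Web Keys (JWKs) from a URI.
    .DESCRIPTION
        Gets a collection of JSON Web Keys (JWKs) from a well-known OpenID configuration
        endpoint or from a URI that returns only a JSON Web Key Set.

        If the document at -Uri has no "keys" member but advertises a "jwks_uri" member,
        the key set is fetched from that second URI. Because that second URI comes from
        the fetched document rather than from the caller, it is only followed when it is
        an absolute https:// URL; a key set retrieved over plaintext HTTP could be
        replaced in transit and would defeat later signature checks.

        Only RSA keys ("kty" of "RSA" carrying "n" and "e") are returned. A key of any
        other type, or an RSA key missing "n" or "e", terminates the call with an error.
    .EXAMPLE
        $oidcUrl = 'https://accounts.google.com/.well-known/openid-configuration'
        Get-JwkCollection -Uri $oidcUrl

        Gets JSON Web Keys from google's well known openid configuration endpoint as objects.
    .EXAMPLE
        $jwkUrl = 'https://login.windows.net/common/discovery/keys'
        Get-JwkCollection -Uri $jwkUrl -AsJson

        Gets JSON Web Keys from Microsoft's JWK endpoint as JSON.
    .EXAMPLE
        $jwt = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjJ5Q3Zabms3azhXNjZ3UjJMWFI5V0Nzd2hBYyIsImtpZCI6IjJ5Q3Zabms3azhXNjZ3UjJMWFI5V0Nzd2hBYyJ9.eyJpYXQiOjE2MTgyNTAzODksIm5iZiI6MTYxODI1MDM4OSwiZXhwIjoxNjE4MjU1MTg5LCJzdWIiOiJ0b255In0.X-RZm-3Hto5U-8Q-Wp1ggqWTFPkO5-Cz9lzoKsH5-1RR9GOrGPuWn-bjIv1YJ46h5Bw-KpiX-dOS47TAq2A0BWdAwczLVA6pzha1WswkT_u3cO1_KSoOjD9qFLjCgk-ns7A48iXpNcOoPBFXgfx8G0rRK68sSnokJ7N2NH-YNUOjg3U7DNJ_-iz8WZ5dNlOvpDsTy0BHMX-lho18sUmakUNpadJr-oD7BXIp--Z57UERBFibppaoxseYRo3VfmhgHibTxP-39mcxU6sH9a99fEEt80hj4w6rZobRxZV-pFPS22B8TBAfVf8L9faMLaXmgV7xtQohqQZgL6oKdJzFPQ"
        $jwkUri = "https://app.mycompany.com/common/discovery/keys"
        Get-JwkCollection -Uri $jwkUri -AsJson | ForEach-Object { Test-JsonWebToken -JsonWebToken $jwt -HashAlgorithm SHA256 -JsonWebKey $_ -SkipExpirationCheck }

        Attempts to validate a JSON Web Token signature against a collection of JSON Web Keys in https://app.mycompany.com/common/discovery/keys.
    .INPUTS
        System.Uri
    .OUTPUTS
        System.String or System.Management.Automation.PSCustomObject
    .LINK
        https://tools.ietf.org/html/rfc7517
        Test-JsonWebToken
        New-JsonWebKeySet
    #>
    [CmdletBinding()]
    [Alias('gjwkc')]
    [OutputType([String[]], [PSCustomObject[]])]
    Param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)]
        [System.Uri]$Uri,

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $false, Position = 1)]
        [Switch]$AsJson
    )
    PROCESS {
        # One list per pipeline input so each -Uri yields its own key set.
        # A generic list avoids re-allocating the array on every '+='.
        $jwks = [System.Collections.Generic.List[object]]::new()

        $response = $null
        try {
            $response = Invoke-RestMethod -Method Get -Uri $Uri -ErrorAction Stop
        }
        catch {
            Write-Error -Exception $_.Exception -ErrorAction Stop
        }

        if ($null -eq $response.keys) {
            # Not a bare key set: it must at least be a discovery document that
            # points at one, otherwise there is nothing to return.
            if ($null -eq $response.jwks_uri) {
                $ArgumentException = New-Object -TypeName ArgumentException -ArgumentList ("Zero JSON Web Keys found at {0}" -f $Uri)
                Write-Error -Exception $ArgumentException -ErrorAction Stop
            }

            # jwks_uri is data from the remote document, not caller input: only
            # follow it when it parses as an absolute https URL, so a tampered or
            # misconfigured discovery document cannot send us to a plaintext or
            # non-HTTP location for the signing keys.
            [Uri]$jwkUri = $null
            $isAbsolute = [Uri]::TryCreate([string]$response.jwks_uri, [UriKind]::Absolute, [ref]$jwkUri)
            if ((-not $isAbsolute) -or ($jwkUri.Scheme -ne [Uri]::UriSchemeHttps)) {
                $ArgumentException = New-Object -TypeName ArgumentException -ArgumentList ("jwks_uri '{0}' advertised by {1} is not an absolute https URL." -f $response.jwks_uri, $Uri)
                Write-Error -Exception $ArgumentException -ErrorAction Stop
            }

            try {
                $response = Invoke-RestMethod -Method Get -Uri $jwkUri -ErrorAction Stop
            }
            catch {
                Write-Error -Exception $_.Exception -ErrorAction Stop
            }
        }

        foreach ($key in $response.keys) {
            # Every JWK must declare its key type (RFC 7517 section 4.1).
            if ($null -eq $key.kty) {
                $ArgumentException = New-Object -TypeName ArgumentException -ArgumentList 'JSON Web Key schema validation failed. Ensure that a valid JWK is passed that contains the key type expressed as "kty", a public exponent as "e", and modulus as "n" parameters per RFC 7517.'
                Write-Error -Exception $ArgumentException -ErrorAction Stop
            }

            # Check the type before the RSA-specific members so that, e.g., an EC key
            # is reported as unsupported rather than as a malformed RSA key.
            if ($key.kty -ne 'RSA') {
                $ArgumentException = New-Object -TypeName ArgumentException -ArgumentList 'Only RSA JSON Web Keys are supported at this time.'
                Write-Error -Exception $ArgumentException -ErrorAction Stop
            }

            # RSA public keys carry the modulus "n" and exponent "e".
            if (($null -eq $key.n) -or ($null -eq $key.e)) {
                $ArgumentException = New-Object -TypeName ArgumentException -ArgumentList 'JSON Web Key schema validation failed. Ensure that a valid JWK is passed that contains the key type expressed as "kty", a public exponent as "e", and modulus as "n" parameters per RFC 7517.'
                Write-Error -Exception $ArgumentException -ErrorAction Stop
            }

            if ($AsJson) {
                $jwks.Add(($key | ConvertTo-Json))
            }
            else {
                $jwks.Add($key)
            }
        }

        # ToArray() keeps the original unrolled-array output shape (nothing is
        # emitted for an empty key set).
        return $jwks.ToArray()
    }
}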