Support user specified permission on ResourceURI

.github/workflows/main_dixueweb0913.yml

@@ -0,0 +1,56 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Node.js app to Azure Web App - dixueweb0913
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up Node.js version
+        uses: actions/setup-node@v1
+        with:
+          node-version: '16.x'
+
+      - name: npm install, build, and test
+        run: |
+          npm install
+          npm run build --if-present
+          npm run test --if-present
+
+      - name: Upload artifact for deployment job
+        uses: actions/upload-artifact@v2
+        with:
+          name: node-app
+          path: .
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build
+    environment:
+      name: 'Production'
+      url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+    steps:
+      - name: Download artifact from build job
+        uses: actions/download-artifact@v2
+        with:
+          name: node-app
+
+      - name: 'Deploy to Azure Web App'
+        id: deploy-to-webapp
+        uses: azure/webapps-deploy@v2
+        with:
+          app-name: 'dixueweb0913'
+          slot-name: 'Production'
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_7C582EB722D940F78A0850CF913C7D4D }}
+          package: .

src/Accounts/Accounts/ChangeLog.md

@@ -52,6 +52,7 @@
     - `DisplayBreakingChangeWarning`: Controls if warning messages for breaking changes are displayed or suppressed.
     - `EnableDataCollection`: When enabled, Azure PowerShell cmdlets send telemetry data to Microsoft to improve the customer experience.
 * Upgraded System.Reflection.DispatchProxy on Windows PowerShell [#17856]
+* Supported specifying scope in `-ResourceUrl` of `Get-AzAccessToken` [#14085]
 * Upgraded Azure.Identity to 1.6.0 and Azure.Core to 1.24.0
 
 ## Version 2.7.6

src/Accounts/Accounts/Token/GetAzureRmAccessToken.cs

@@ -12,19 +12,17 @@
 // limitations under the License.
 // ----------------------------------------------------------------------------------
 
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Management.Automation;
-using System.Text.Json;
-
 using Microsoft.Azure.Commands.Common.Authentication;
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using Microsoft.Azure.Commands.Profile.Models;
 using Microsoft.Azure.Commands.ResourceManager.Common;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using Microsoft.Azure.PowerShell.Authenticators;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using System;
+using System.Linq;
+using System.Management.Automation;
+using System.Text.Json;
 
 namespace Microsoft.Azure.Commands.Profile
 {
@@ -38,7 +36,7 @@ public class GetAzureRmAccessTokenCommand : AzureRMCmdlet
 
         [Parameter(ParameterSetName = ResourceUrlParameterSet,
             Mandatory = true,
-            HelpMessage = "Resource url for that you're requesting token, e.g. 'http://graph.windows.net/'.")]
+            HelpMessage = "Resource url for that you're requesting token, e.g. 'http://graph.windows.net/'. Permission can be appended.")]
         [ValidateNotNullOrEmpty]
         [Alias("Resource", "ResourceUri")]
         public string ResourceUrl { get; set; }

src/Accounts/Accounts/help/Get-AzAccessToken.md

@@ -8,7 +8,10 @@ schema: 2.0.0
 # Get-AzAccessToken
 
 ## SYNOPSIS
-Get raw access token. When using -ResourceUrl, please make sure the value does match current Azure environment. You may refer to the value of `(Get-AzContext).Environment`.
+Get raw access token. The format of `-ResourceUrl` concatenates a desired resource identifier with an 
+optional desired OAuth2 permission for that resource. Please make sure resource identifier matches current 
+Azure environment. You may refer to the value of `(Get-AzContext).Environment`. If permission is not 
+provided, `/.default` is appended automatically for all app-level permission.
 
 ## SYNTAX
 
@@ -83,7 +86,7 @@ Accept wildcard characters: False
 ```
 
 ### -ResourceUrl
-Resource url for that you're requesting token, e.g. 'https://graph.microsoft.com/'.
+Resource url for that you're requesting token, e.g. 'https://graph.microsoft.com/'. Permission can be appended.
 
 ```yaml
 Type: String

src/Accounts/Authenticators/AuthenticationHelpers.cs

@@ -12,55 +12,33 @@
 using Microsoft.Azure.Commands.Common.Authentication;
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using Microsoft.Identity.Client;
+using System;
 
 namespace Microsoft.Azure.PowerShell.Authenticators
 {
     internal static class AuthenticationHelpers
     {
         internal const string PowerShellClientId = "1950a258-227b-4e31-a9cf-717495945fc2", 
-            EnableEbdMagicCookie = "site_id=501358&display=popup",
-            UserImpersonationScope = "{0}/user_impersonation",
             DefaultScope = "{0}/.default",
             AdfsScope = "{0}/openid";
 
         /// <summary>
-        /// Get the authority string given a tenant and environment
-        /// </summary>
-        /// <param name="environment">The Azure environment</param>
-        /// <param name="tenant">The tenant Id</param>
-        /// <returns>The authrotity string, from the AAD endpoint and tenant ID</returns>
-        internal static string GetAuthority(IAzureEnvironment environment, string tenant)
-        {
-            var tenantString = tenant ?? environment?.AdTenant ?? "organizations";
-            return $"{environment.ActiveDirectoryAuthority}{tenantString}";
-        }
-
-        /// <summary>
-        /// 
-        /// </summary>
-        /// <param name="showDialog"></param>
-        /// <returns></returns>
-        internal static Prompt GetPromptBehavior(string showDialog)
-        {
-            switch (showDialog)
-            {
-                case ShowDialog.Always:
-                    return Prompt.ForceLogin;
-                case ShowDialog.Never:
-                    return Prompt.NoPrompt;
-                default:
-                    return Prompt.SelectAccount;
-            }
-        }
-
-        /// <summary>
-        /// Get the scopes array for a given resource
+        /// Get the scopes array for a given resource. If resource URI doesn't contain permission, .default should be appended for all app-level permissions.
         /// </summary>
         /// <param name="onPremise">determines which scope to use</param>
         /// <param name="resource">which resource will be requested</param>
         /// <returns></returns>
         internal static string[] GetScope(bool onPremise, string resource)
         {
+
+            if(!string.IsNullOrEmpty(resource))
+            {
+                Uri uri = new Uri(resource);
+                if(!string.IsNullOrWhiteSpace(uri.AbsolutePath) && !"/".Equals(uri.AbsolutePath))
+                {
+                    return new string[] { resource };
+                }
+            }
             var scopeTemplate = onPremise ? AdfsScope : DefaultScope;
             return new string[] { string.Format(scopeTemplate, resource) };
         }