From 1fbef85967f7f3b95e1a9a695c74611cf2b8c579 Mon Sep 17 00:00:00 2001 From: Erwin van Hunen Date: Thu, 5 Dec 2024 16:18:20 +0100 Subject: [PATCH] Added -ListPermissionScopes parameter --- CHANGELOG.md | 1 + documentation/Get-PnPAccessToken.md | 45 +++++++++++++++++++- src/Commands/Base/GetAccessToken.cs | 64 ++++++++++++++++++----------- 3 files changed, 85 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a278650d..ec9e274ef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -45,6 +45,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). - Added `-Batch` parameter to `Invoke-PnPGraphMethod` cmdlet to allow adding request in a batch. - Added `-List` parameter to `Get-PnPFolderItem`, `Get-PnPFileInFolder` and `Get-PnPFolderInFolder` which allows them to work with a document library containing more than 5,000 items [#4611](https://github.com/pnp/powershell/pull/4611) - Added `Start-PnPTraceLog`, `Stop-PnPTraceLog` and `Get-PnPTraceLog` cmdlets to handle tracelogging. Removed `Set-PnPTraceLog` cmdlet. +- Added `-ListPermissionScopes` parameter on `Get-PnPAccessToken` cmdlet to list the current permission scopes on the current access token. ### Changed diff --git a/documentation/Get-PnPAccessToken.md b/documentation/Get-PnPAccessToken.md index 79f3acb76..fee72d04d 100644 --- a/documentation/Get-PnPAccessToken.md +++ b/documentation/Get-PnPAccessToken.md 
@@ -15,12 +15,33 @@ If a Resource Type Name or Resource URL is specified, it will fetch the access t ## SYNTAX +### Graph Token + +```powershell +Get-PnPAccessToken [-ResourceTypeName] [-Decoded] [-Scopes] [-Connection ] +``` + +### Specific resource by type + +```powershell +Get-PnPAccessToken -ResourceTypeName [-Decoded] [-Scopes] [-Connection ] +``` + +### Specific resource by URL + ```powershell -Get-PnPAccessToken [-ResourceTypeName] [-ResourceUrl] [-Decoded] [-Scopes] [-Connection ] +Get-PnPAccessToken -ResourceUrl [-Decoded] [-Scopes] [-Connection ] ``` +### List Permission Scopes in current access token + +```powershell +Get-PnPAccessToken -ListPermissionScopes [-ResourceTypeName ] +``` + + ## DESCRIPTION -Gets the OAuth 2.0 Access Token. +Returns the OAuth 2.0 Access Token. ## EXAMPLES @@ -59,6 +80,13 @@ Get-PnPAccessToken -ResourceUrl "https://management.azure.com/.default" Gets the OAuth 2.0 Access Token to consume the SharePoint APIs and perform CSOM operations. +### EXAMPLE 6 +```powershell +Get-PnPAccessToken -ListPermissionScopes +``` + +Lists the current permission scopes for the Microsoft Graph API on the access token. Specify -ResourceTypeName to list permissions for other resource types, like SharePoint. + ## PARAMETERS ### -ResourceTypeName @@ -132,6 +160,19 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -ListPermissionScopes +If specified the current permission scopes on the access token will be listed + +```yaml +Type: SwitchParameter +Parameters Set: List Permission Scopes +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ## RELATED LINKS [Microsoft 365 Patterns and Practices](https://aka.ms/m365pnp) \ No newline at end of file diff --git a/src/Commands/Base/GetAccessToken.cs b/src/Commands/Base/GetAccessToken.cs index b28fc5aeb..e4b930e5f 100644 --- a/src/Commands/Base/GetAccessToken.cs +++ b/src/Commands/Base/GetAccessToken.cs 
@@ -6,39 +6,51 @@ namespace PnP.PowerShell.Commands.Base { - [Cmdlet(VerbsCommon.Get, "PnPAccessToken", DefaultParameterSetName = ResourceTypeParam)] - [OutputType(typeof(Microsoft.IdentityModel.JsonWebTokens.JsonWebToken), ParameterSetName = [ResourceTypeParam_Decoded, ResourceUrlParam_Decoded])] - [OutputType(typeof(string), ParameterSetName = [ResourceTypeParam, ResourceUrlParam])] + [Cmdlet(VerbsCommon.Get, "PnPAccessToken", DefaultParameterSetName = ParameterSet_ResourceTypeName)] + [OutputType(typeof(Microsoft.IdentityModel.JsonWebTokens.JsonWebToken), ParameterSetName = [ParameterSet_TypeNameDecoded, ParameterSet_ResourceUrlDecoded])] + [OutputType(typeof(string), ParameterSetName = [ParameterSet_ResourceTypeName, ParameterSet_ResourceUrl])] public class GetPnPAccessToken : PnPGraphCmdlet { - private const string ResourceTypeParam = "Resource Type Name"; - private const string ResourceUrlParam = "Resource Url"; - private const string ResourceTypeParam_Decoded = "Resource Type Name (decoded)"; - private const string ResourceUrlParam_Decoded = "Resource Url (decoded)"; + private const string ParameterSet_ResourceTypeName = "Resource Type Name"; + private const string ParameterSet_ResourceUrl = "Resource Url"; + private const string ParameterSet_TypeNameDecoded = "Resource Type Name (decoded)"; + private const string ParameterSet_ResourceUrlDecoded = "Resource Url (decoded)"; + private const string ParameterSet_ListScopes = "List Permission Scopes"; + + + [Parameter(Mandatory = false, ParameterSetName = ParameterSet_ResourceTypeName)] + [Parameter(Mandatory = false, ParameterSetName = ParameterSet_TypeNameDecoded)] + [Parameter(Mandatory = false, ParameterSetName = ParameterSet_ListScopes)] - [Parameter(Mandatory = false, ParameterSetName = ResourceTypeParam)] - [Parameter(Mandatory = false, ParameterSetName = ResourceTypeParam_Decoded)] public ResourceTypeName ResourceTypeName = ResourceTypeName.Graph; - [Parameter(Mandatory = true, ParameterSetName = 
ResourceUrlParam)] - [Parameter(Mandatory = true, ParameterSetName = ResourceUrlParam_Decoded)] + [Parameter(Mandatory = true, ParameterSetName = ParameterSet_ResourceUrl)] + [Parameter(Mandatory = true, ParameterSetName = ParameterSet_ResourceUrlDecoded)] + [Parameter(Mandatory = false, ParameterSetName = ParameterSet_ListScopes)] + [ValidateNotNullOrEmpty] public string ResourceUrl; - [Parameter(Mandatory = true, ParameterSetName = ResourceTypeParam_Decoded)] - [Parameter(Mandatory = true, ParameterSetName = ResourceUrlParam_Decoded)] + [Parameter(Mandatory = true, ParameterSetName = ParameterSet_TypeNameDecoded)] + [Parameter(Mandatory = true, ParameterSetName = ParameterSet_ResourceUrlDecoded)] public SwitchParameter Decoded; - [Parameter(Mandatory = false, ParameterSetName = ResourceTypeParam)] - [Parameter(Mandatory = false, ParameterSetName = ResourceTypeParam_Decoded)] - [Parameter(Mandatory = false, ParameterSetName = ResourceUrlParam)] - [Parameter(Mandatory = false, ParameterSetName = ResourceUrlParam_Decoded)] + [Parameter(Mandatory = false, ParameterSetName = ParameterSet_ResourceTypeName)] + [Parameter(Mandatory = false, ParameterSetName = ParameterSet_TypeNameDecoded)] + [Parameter(Mandatory = false, ParameterSetName = ParameterSet_ResourceUrl)] + [Parameter(Mandatory = false, ParameterSetName = ParameterSet_ResourceUrlDecoded)] + [Parameter(Mandatory = false, ParameterSetName = ParameterSet_ListScopes)] + public string[] Scopes = ["AllSites.FullControl"]; + + [Parameter(Mandatory = false, ParameterSetName = ParameterSet_ListScopes)] + public SwitchParameter ListPermissionScopes; + protected override void ExecuteCmdlet() { string accessTokenValue = null; - if (ParameterSetName == ResourceTypeParam || ParameterSetName == ResourceTypeParam_Decoded) + if (ParameterSetName == ParameterSet_ResourceTypeName || ParameterSetName == ParameterSet_TypeNameDecoded) { switch (ResourceTypeName) { 
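Review bot: `ListPermissionScopes` is declared with `Mandatory = false` in `ParameterSet_ListScopes`, so that set has no mandatory parameter while also accepting `ResourceTypeName`, `ResourceUrl` and `Scopes`. A call such as `Get-PnPAccessToken -ResourceUrl <url>` then matches both `ParameterSet_ResourceUrl` and `ParameterSet_ListScopes`, neither of which is the default set, so PowerShell will most likely reject it as an ambiguous parameter set. The documentation in this commit lists the switch as `Required: True`; declaring it as `[Parameter(Mandatory = true, ParameterSetName = ParameterSet_ListScopes)]` would match that and keep existing `-ResourceUrl` callers working. The documented syntax for this set shows only `-ResourceTypeName`, so either drop `ResourceUrl` and `Scopes` from the set or document them.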
@@ -59,7 +71,7 @@ protected override void ExecuteCmdlet() break; } } - else if (ParameterSetName == ResourceUrlParam || ParameterSetName == ResourceUrlParam_Decoded) + else if (ParameterSetName == ParameterSet_ResourceUrl || ParameterSetName == ParameterSet_ResourceUrlDecoded) { accessTokenValue = TokenHandler.GetAccessToken(this, ResourceUrl, Connection); } @@ -74,14 +86,20 @@ protected override void ExecuteCmdlet() { WriteError(new PSArgumentException("Unable to retrieve access token"), ErrorCategory.InvalidResult); } - - if (Decoded.IsPresent) + if (ListPermissionScopes.IsPresent) { - WriteObject(new Microsoft.IdentityModel.JsonWebTokens.JsonWebToken(accessTokenValue)); + WriteObject(TokenHandler.ReturnScopes(accessTokenValue)); } else { - WriteObject(accessTokenValue); + if (Decoded.IsPresent) + { + WriteObject(new Microsoft.IdentityModel.JsonWebTokens.JsonWebToken(accessTokenValue)); + } + else + { + WriteObject(accessTokenValue); + } } } }
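Review bot: In the last hunk, the null-token `WriteError(...)` call is not followed by `return;`, so unless that helper terminates the cmdlet, a null `accessTokenValue` reaches the new `TokenHandler.ReturnScopes(accessTokenValue)` call. This matters more now because neither visible branch on `ParameterSetName` names `ParameterSet_ListScopes`, and the unchanged lines between the hunks cannot reference the new constant. Unless those lines hold a generic fallback, `-ListPermissionScopes` may never acquire a token. Add `return;` after the `WriteError` call and include `ParameterSet_ListScopes` in the token-acquisition branches, using `ResourceUrl` when it is bound and `ResourceTypeName` otherwise. `ReturnScopes` is not visible here and presumably reads the scopes from the token's claims without validating the signature, so a `///` comment on the switch should say the output is informational and not a basis for authorization decisions; part of `ExecuteCmdlet` lies outside the visible hunks.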