ez-token - OAuth2 Token Generator

Pronunciation: ez as in easy — because getting an OAuth2 token should be.

A fast, developer-friendly CLI tool for generating OAuth2 Access Tokens against Microsoft Entra ID (Azure AD) and Auth0. Supports both interactive browser login (PKCE) and machine-to-machine (Client Credentials) flows.

Built for developers who need quick, secure access to tokens for API testing, Postman, or local development — without hardcoding secrets or manually crafting URLs.

Features

• Interactive Login — Opens your system browser to log in safely via PKCE
• Machine-to-Machine — Fetch tokens for services and scripts using Client Credentials
• Secure — Uses PKCE (Proof Key for Code Exchange), never stores client secrets
• Multi-Provider — Supports Microsoft Entra ID and Auth0
• Profiles — Manage multiple environments (e.g. prod, dev, graph) with ease
• Clipboard Integration — Automatically copies the token to your clipboard on success
• Configurable — Save provider settings once, never type them again

Installation

Prerequisites

• Rust & Cargo installed

Install from Crates.io (Recommended)

The easiest way to install ez-token is via Cargo:

cargo install ez-token --locked

Build from Source

git clone https://github.com/your-org/ez-token
cd ez-token
cargo install --path .

You can now use the ez-token binary from anywhere.

Commands Overview

Tip: Append --help to any command (e.g. ez-token m2m --help) to see all available arguments directly in your terminal.

Supported Providers

Usage

1. Interactive Login (PKCE)

Opens your system browser to authenticate. The token is copied to your clipboard on success.

If no --provider is passed and no profile is configured, you will be prompted to select one interactively using arrow keys.

# Fully interactive — prompts for provider and all missing values
ez-token login
 
# Microsoft Entra ID
ez-token login \
  --provider microsoft \
  --tenant-id "common" \
  --client-id "YOUR_CLIENT_ID" \
  --scopes "User.Read"
 
# Auth0
ez-token login \
  --provider auth0 \
  --domain "my-org.eu.auth0.com" \
  --client-id "YOUR_CLIENT_ID" \
  --audience "api://ez-token" \
  --scopes "read:ez"
 
# Override the redirect port (default: 3000)
ez-token login --port 3001

2. Machine-to-Machine (Client Credentials)

Fetches a token using a client secret — no browser required. Designed for scripts, CI/CD pipelines, and service-to-service calls.

# Microsoft Entra ID
ez-token m2m \
  --provider microsoft \
  --tenant-id "YOUR_TENANT_ID" \
  --client-id "YOUR_CLIENT_ID" \
  --scopes "api://YOUR_API/.default"
 
# Auth0 (requires a dedicated M2M application — see setup below)
ez-token m2m \
  --provider auth0 \
  --domain "my-org.eu.auth0.com" \
  --client-id "YOUR_M2M_CLIENT_ID" \
  --audience "api://ez-token" \
  --scopes "read:ez"

Note: The client secret is never saved to disk. It is always prompted securely if not passed via --client-secret.

Note: Microsoft M2M scopes must use the .default suffix — e.g. api://my-api/.default. Auth0 M2M scopes are explicit — e.g. read:ez.

3. Configuration Profiles (Recommended)

Save your settings so you don't have to re-enter them every time.

# Microsoft — default profile
ez-token config set \
  --provider microsoft \
  --tenant-id "common" \
  --client-id "YOUR_CLIENT_ID" \
  --scopes "User.Read"
 
# Microsoft — named profile
ez-token --profile prod config set \
  --provider microsoft \
  --tenant-id "guid-prod-tenant-id" \
  --client-id "guid-prod-client-id" \
  --scopes "api://my-api/.default"
 
# Auth0 — named profile
ez-token --profile auth0-dev config set \
  --provider auth0 \
  --domain "my-org.eu.auth0.com" \
  --client-id "YOUR_CLIENT_ID" \
  --audience "api://ez-token" \
  --scopes "read:ez"

4. Using Profiles

# Uses the default profile
ez-token login
 
# Uses a named profile
ez-token --profile prod login
ez-token --profile auth0-dev login
 
# M2M with a named profile
ez-token --profile prod m2m

5. Manage Configuration

# List all saved profiles
ez-token config list
 
# Show the default profile
ez-token config show
 
# Show a specific profile
ez-token --profile auth0-dev config show

Identity Provider Setup

Microsoft Entra ID — Interactive Login (PKCE)

1. Register an application in the Azure Portal
2. Under Authentication, add a platform: select Mobile and desktop applications
3. Add the redirect URI: http://localhost:3000/callback
   • If using a custom port: http://localhost:{PORT}/callback
4. Enable Allow public client flows

Microsoft Entra ID — Machine-to-Machine (Client Credentials)

1. Register an application in the Azure Portal
2. Under Certificates & secrets, create a Client secret and copy the value
3. Under API permissions, add the required Application permissions (not Delegated)
4. Grant Admin consent for the permissions
5. Use api://YOUR_API_CLIENT_ID/.default as the scope

Auth0 — Interactive Login (PKCE)

1. Register an application in the Auth0 Dashboard
2. Application Type → set to Native
3. Under Allowed Callback URLs add: http://localhost:3000/callback
   • If using a custom port: http://localhost:{PORT}/callback
4. Under Advanced Settings → OAuth:
   • Token Endpoint Authentication Method → None
   • Non-Verifiable Callback URI End-User Confirmation → off
5. Create an API under APIs with an identifier (e.g. api://ez-token)
6. Add your scopes under the API (e.g. read:ez)
7. Under Applications → your app → APIs, authorize your app and select the required scopes

Auth0 — Machine-to-Machine (Client Credentials)

Auth0 requires a separate dedicated M2M application for Client Credentials — a Native app used for PKCE cannot use the Client Credentials grant type simultaneously.

1. Go to Applications → Create Application
2. Choose Machine to Machine
3. Select your API (e.g. ez-token.test) and grant the required scopes (e.g. read:ez)
4. Under Advanced Settings → Grant Types, ensure Client Credentials is checked
5. Copy the Client ID and Client Secret from the application's Settings
6. Use these credentials with ez-token m2m --provider auth0

Note: Auth0 scopes are explicit per request (e.g. read:ez), unlike Microsoft where .default grants all pre-consented permissions automatically.

Configuration File

Configuration is stored automatically using your OS's standard config directory:

Run ez-token config show to see the exact path on your system.

Known Behavior & Troubleshooting

Auth0 — Silent scope dropping

Auth0 does not reject unknown or invalid scopes by default — it silently drops them and issues a token with only the valid scopes. If you receive a token but it's missing expected permissions, verify:

• The scope exists on your API
• Your application is authorized for that scope

Auth0 — Browser shows error page instead of redirecting

Auth0 may show its own error page instead of redirecting back to ez-token when the authorization request fails before the redirect can happen. In this case the spinner will hang indefinitely until it times out (120 seconds).

Common causes:

• Invalid audience — the --audience value does not match an API identifier registered in your Auth0 tenant
• Application Type is not set to Native — go to Applications → your app → Settings
• Callback URL mismatch — http://localhost:3000/callback must be listed exactly in Allowed Callback URLs

If the error page persists, copy the error details shown in the browser and verify your Auth0 application configuration manually in the dashboard.

Auth0 — Authentication times out

If the spinner hangs after opening the browser, it means the callback was never received. This typically happens when Auth0 shows its own error page instead of redirecting. See above.

Microsoft — Wrong scope format for M2M

If you see AADSTS650053 errors, you are using delegated scopes (e.g. User.Read) for an M2M flow. Microsoft M2M requires application scopes using the .default suffix — e.g. api://YOUR_API/.default.

License

Licensed under the Apache License, Version 2.0. See LICENSE for details.