(Delphi DLL) Verify a Google JWT Using Google's Public Key

See more Google APIs Examples

Demonstrates how to verify a JWT that was signed using Google's RSA private key.

This example verifies the RSA signature. It also does the following:

• Checks to see if the time constraints ("nbf" and "exp") are valid.
• Recovers the original JOSE header.
• Recovers the original claims JSON.

Chilkat for Delphi Downloads Chilkat non-ActiveX DLL for Delphi Chilkat ActiveX DLL for Delphi * The examples here use the non-ActiveX DLL.

uses
    Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
    Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls, Http, StringBuilder, PublicKey, Jwt, JsonObject;

...

procedure TForm1.Button1Click(Sender: TObject);
var
http: HCkHttp;
sbPubKeys: HCkStringBuilder;
success: Boolean;
token: PWideChar;
jwt: HCkJwt;
header: PWideChar;
json: HCkJsonObject;
kid: PWideChar;
jsonPubKeys: HCkJsonObject;
jsonKey: HCkJsonObject;
pubKey: HCkPublicKey;

begin
// This example assumes the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

http := CkHttp_Create();
sbPubKeys := CkStringBuilder_Create();

success := CkHttp_QuickGetSb(http,'https://www.googleapis.com/oauth2/v3/certs',sbPubKeys);
if (success = False) then
  begin
    Memo1.Lines.Add(CkHttp__lastErrorText(http));
    Exit;
  end;

Memo1.Lines.Add(CkStringBuilder__getAsString(sbPubKeys));

// Here are the keys:

// {
//   "keys": [
//     {
//       "e": "AQAB",
//       "n": "4bAT6C6EeX8Dspje3FrAXw-nnhNk04e1RmNa4kjc0CHf6Pk7ryARlwA-6YilyPABqQfYHx60s8oSnxvUVprFfQ2-Q8aAZO7bPKSxnoGlcKERL2oLNA4Msvc89N9Y5ycThZUplf_QC19e6jyYXN6Nz-UnJSCLrtQY8tVhhVRs61j4A2N_p-enAi-r704Qi1-v-DKV4eVRkClKViploo8NyjUaT9L4vbBssPCjyimJzsWnEe1fED5c4LnHeArYzA_FEn3JJotqDIz9t2VnvZNTMhizHEX4VnORlEWMEfR8n4CEHQx7PcQUOmfqyw08gWeXQl1-uTjtIGaE-sRIv9u_vQ",
//       "kty": "RSA",
//       "use": "sig",
//       "alg": "RS256",
//       "kid": "2af90e87be140c20038898a6efa11283dab6031d"
//     },
//     {
//       "n": "nzGsrziOYrMVYMpvUZOwkKNiPWcOPTYRYlDSdRW4UpAHdWPbPlyqaaphYhoMB5DXrVxI3bdvm7DOlo-sHNnulmAFQa-7TsQMxrZCvVdAbyXGID9DZYEqf8mkCV1Ohv7WY5lDUqlybIk1OSHdK7-1et0QS8nn-5LojGg8FK4ssLf3mV1APpujl27D1bDhyRb1MGumXYElwlUms7F9p9OcSp5pTevXCLmXs9MJJk4o9E1zzPpQ9Ko0lH9l_UqFpA7vwQhnw0nbh73rXOX2TUDCUqL4ThKU5Z9Pd-eZCEOatKe0mJTpQ00XGACBME_6ojCdfNIJr84Y_IpGKvkAEksn9w",
//       "use": "sig",
//       "kid": "87bbe0815b064e6d449cac999f0e50e72a3e4374",
//       "e": "AQAB",
//       "alg": "RS256",
//       "kty": "RSA"
//     }
//   ]
// }

// -------------------------------------------------------------------------------------------
// Replace this with your actual token.
// This sample token contains a kid that does not match any of the above Google public keys.
// -------------------------------------------------------------------------------------------
token := 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjQyZmY5MGQ3ZDM0OGM5NzM4MWE3YzExOWVmMWY1MzI0ZWEzZjViZWIifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJzdWIiOiIxMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExIiwiaWF0IjoxNjExMTE1MTQzLCJleHAiOjE2MTEyMDE1NDMsImF1ZCI6IjQyOTc1NzExNTE0ODg0OSJ9.pLem5i0bx3M7lJYj7jKv2Nq7c07X5YpZz-x1uM5RniW-v4LsX-lKIVvOq2x3-WoPqkzLXJfP0kG0dx1uD2q1NfFQK60YwKH4FnFtB6INnUP1dRVpP9_pTTKyAE28I3s5Tay4PbPdrCl7ZLCIJzCfpCW1TiWeVoPjp5HgZKTBHdP_sEkN_yO5dQerQXAkFJkV3kNgF9jI3ayT-KPqOIH6GVoWXjHFDyA2EYgJPEFRo5WSe6XycJ85p5duwT-OoBcb_kJZG9PxYd91eHlPCzp8vGxzIb2dVROCBxyM8e8W0cd9v15hfmpg9R-eG9vCM5y63ZLChZLFeHFx0Pd7hvAqfKg';

jwt := CkJwt_Create();
header := CkJwt__getHeader(jwt,token);

Memo1.Lines.Add(header);

// Sample header:
// {"alg":"RS256","kid":"87bbe0815b064e6d449cac999f0e50e72a3e4374"}

// Load the public key matching the "kid" into a Chilkat public key object, then verify..

json := CkJsonObject_Create();
CkJsonObject_Load(json,header);
kid := CkJsonObject__stringOf(json,'kid');

Memo1.Lines.Add('kid = ' + kid);

jsonPubKeys := CkJsonObject_Create();
CkJsonObject_LoadSb(jsonPubKeys,sbPubKeys);

jsonKey := CkJsonObject_FindRecord(jsonPubKeys,'keys','kid',kid,True);
if (CkJsonObject_getLastMethodSuccess(jsonPubKeys) = False) then
  begin
    Memo1.Lines.Add('Did not find a matching public key based on the kid.');
    Exit;
  end;

Memo1.Lines.Add(CkJsonObject__emit(jsonKey));

// Load the matching public key into a Chilkat public key object.
pubKey := CkPublicKey_Create();
success := CkPublicKey_LoadFromString(pubKey,CkJsonObject__emit(jsonKey));
CkJsonObject_Dispose(jsonKey);
if (success = False) then
  begin
    Memo1.Lines.Add(CkPublicKey__lastErrorText(pubKey));
    Exit;
  end;

// ----------------------------------------------------------------------------------------
// Now we can validate the JWT using Google's public key as shown in this example:
// (Except we use the public key obtained as shown above instead of a public key loaded from a PEM file.
// 
// See Verify JWT Using an RSA Public Key

CkHttp_Dispose(http);
CkStringBuilder_Dispose(sbPubKeys);
CkJwt_Dispose(jwt);
CkJsonObject_Dispose(json);
CkJsonObject_Dispose(jsonPubKeys);
CkPublicKey_Dispose(pubKey);

end;