(C) Validate a Google ID Token

Demonstrates how to verify the signature of a Google id token.

Chilkat C/C++ Library Downloads
MS Visual C/C++ Linux/CentOS C/C++ Alpine Linux C/C++ MAC OS X C/C++	armhf/aarch64 C/C++ C++ Builder iOS C/C++ Android C/C++	Solaris C/C++ MinGW C/C++

#include <C_CkHttp.h>
#include <C_CkJsonObject.h>
#include <C_CkStringBuilder.h>
#include <C_CkRsa.h>
#include <C_CkPublicKey.h>

void ChilkatSample(void)
    {
    HCkHttp http;
    const char *jwkStr;
    HCkJsonObject json;
    BOOL success;
    HCkJsonObject jsonToken;
    HCkStringBuilder sbIdToken;
    const char *sig_b64Url;
    const char *headerPlusPayload;
    HCkRsa rsa;
    int numKeys;
    int i;
    HCkJsonObject jsonKey;
    HCkPublicKey pubKey;
    BOOL bVerified;

    // This example requires the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    http = CkHttp_Create();

    // First get the public key we'll be needing..
    jwkStr = CkHttp_quickGetStr(http,"https://www.googleapis.com/oauth2/v3/certs");
    if (CkHttp_getLastMethodSuccess(http) == FALSE) {
        printf("%s\n",CkHttp_lastErrorText(http));
        CkHttp_Dispose(http);
        return;
    }

    // We have the following:

    //     {
    //       "keys": [
    // 	{
    // 	  "kid": "e8732db06287515556213b80acbcfd08cfb302a9",
    // 	  "n": "4RIrO30287Wsq3gqXCMkUYMVAeI3H8...w2mbMNEBQ",
    // 	  "kty": "RSA",
    // 	  "e": "AQAB",
    // 	  "alg": "RS256",
    // 	  "use": "sig"
    // 	},
    // 	{
    // 	  "kid": "8462a71da4f6d611fc0fecf0fc4ba9c37d65e6cd",
    // 	  "e": "AQAB",
    // 	  "n": "xT_ngLZNmT5GBtJZeTB...Ft4gK0eoFi0d3l8bcw",
    // 	  "alg": "RS256",
    // 	  "use": "sig",
    // 	  "kty": "RSA"
    // 	}
    //       ]
    //     }

    json = CkJsonObject_Create();
    success = CkJsonObject_Load(json,jwkStr);

    // -------------------------------------------------

    // Load the following..

    //  {
    //   "access_token": "ya29.a0...0f",
    //   "expires_in": 3599,
    //   "scope": "openid https://www.googleapis.com/auth/userinfo.email",
    //   "token_type": "Bearer",
    //   "id_token": "eyJhb...o5nQ"
    // }

    jsonToken = CkJsonObject_Create();
    success = CkJsonObject_LoadFile(jsonToken,"qa_data/tokens/google_sample_id_token.json");
    if (success == FALSE) {
        printf("Failed to load the JSON file...\n");
        CkHttp_Dispose(http);
        CkJsonObject_Dispose(json);
        CkJsonObject_Dispose(jsonToken);
        return;
    }

    // Get the id_token;
    sbIdToken = CkStringBuilder_Create();
    success = CkStringBuilder_Append(sbIdToken,CkJsonObject_stringOf(jsonToken,"id_token"));

    // Get the signature in base64url format.
    // The header + payload remains in sbIdToken.
    sig_b64Url = CkStringBuilder_getAfterFinal(sbIdToken,".",TRUE);
    headerPlusPayload = CkStringBuilder_getAsString(sbIdToken);

    printf("%s\n",sig_b64Url);
    printf("%s\n",headerPlusPayload);

    // ---------------------------------------------

    // Try validating with each cert's public key.
    // Hopefully one will be the key that verifies.

    rsa = CkRsa_Create();
    CkRsa_putEncodingMode(rsa,"base64url");

    numKeys = CkJsonObject_SizeOfArray(json,"keys");
    i = 0;
    while (i < numKeys) {
        CkJsonObject_putI(json,i);
        jsonKey = CkJsonObject_ObjectOf(json,"keys[i]");
        pubKey = CkPublicKey_Create();
        success = CkPublicKey_LoadFromString(pubKey,CkJsonObject_emit(jsonKey));
        if (success == FALSE) {
            printf("%s\n",CkPublicKey_lastErrorText(pubKey));
            CkHttp_Dispose(http);
            CkJsonObject_Dispose(json);
            CkJsonObject_Dispose(jsonToken);
            CkStringBuilder_Dispose(sbIdToken);
            CkRsa_Dispose(rsa);
            CkPublicKey_Dispose(pubKey);
            return;
        }

        printf("%d\n",i);
        printf("%s\n",CkPublicKey_getPem(pubKey,TRUE));
        CkJsonObject_Dispose(jsonKey);

        success = CkRsa_ImportPublicKeyObj(rsa,pubKey);

        bVerified = CkRsa_VerifyStringENC(rsa,headerPlusPayload,"sha256",sig_b64Url);
        printf("bVerified = %d\n",bVerified);

        i = i + 1;
    }

    // The output is:

    // 0
    // -----BEGIN RSA PUBLIC KEY-----
    // MIIBCgKCAQEA4RIrO30287Wsq3gqXCMkUYMVAeI3H8LVE6IXR1krdFeGnZLiGUPw
    // cbkeVpXf3lmJdsStOg+jijces2DZCfPyIBiQuLYfxxmAZE6ErJ0QJFg1stwli2Pz
    // 9ncYhFoqi8pXr7kEzEJBTzX4thuw56ydbGsshSEznPXoerCJOc7UI2+n0wFCWQ4Y
    // LHbh/PrWt4vdadyUUUW/QpQHXQLdD8q/Qwqdj0O9zlJE7R6Elw2E9EqnHyIGu1hm
    // LxhqrTru1M18SUhONYbVskV/BCEdVKs//X96849HorWQDCAgVMWfGsdMVq55FAdJ
    // 680N5UmQDRynIZ4+PeNGN4S9iw2mbMNEBQIDAQAB
    // -----END RSA PUBLIC KEY-----
    // 
    // bVerified = True
    // 1
    // -----BEGIN RSA PUBLIC KEY-----
    // MIIBCgKCAQEAxT/ngLZNmT5GBdkLtJZjNeTB+8B5yWgrq/e5eMZ1hrZhcmLK+dSn
    // IkpOPV8/OekV67EnQ7I4II2rcNJnHGrGKZziXO3XN2gtUHE+mBJC99oULSbX/QwB
    // Kz7gC/IBPq9EuxTt6Oq6fPkVQ9DbRIgWJSEGBF/KRaNl3kyAlIZfpY7XgHyJTTv8
    // E7yAcYKPR+36gzdl+ps0sDLKzUuAtZNq8llK0u80z6AtAUIYwWdkEhM9upy6keKI
    // TasIxcsO7M6kZPINUSbh6t5VAm8FuqRmxpgg+9c9/GQSGd89InVypoVzWLQ+wOGg
    // 5G4H6JqIgtj0TRFt4gK0eoFi2U0d3l8bcwIDAQAB
    // -----END RSA PUBLIC KEY-----
    // 
    // bVerified = False


    CkHttp_Dispose(http);
    CkJsonObject_Dispose(json);
    CkJsonObject_Dispose(jsonToken);
    CkStringBuilder_Dispose(sbIdToken);
    CkRsa_Dispose(rsa);
    CkPublicKey_Dispose(pubKey);

    }