|
Chilkat • HOME • .NET Core C# • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi ActiveX • Delphi DLL • Go • Java • Lianja • Mono C# • Node.js • Objective-C • PHP ActiveX • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift 2 • Swift 3,4,5... • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(DataFlex) Validate the at_hash Claim of an ID TokenDemonstrates how to hash an access token to compare it with the at_hash claim of an ID token.
Use ChilkatAx-win32.pkg Procedure Test Handle hoJsonToken Boolean iSuccess Handle hoJwt String sIdToken String sJose Handle hoJsonHeader String sClaims Handle hoJsonClaims String sToken_to_hash String sToken_hash_expected Handle hoCrypt Handle hoBdHash Integer iSz String sToken_hash_computed String sTemp1 // This example requires the Chilkat API to have been previously unlocked. // See Global Unlock Sample for sample code. // This example uses a Google access_token + id_token that looks like this: // { // "access_token": "ya29.a0...0f", // "expires_in": 3599, // "scope": "openid https://www.googleapis.com/auth/userinfo.email", // "token_type": "Bearer", // "id_token": "eyJhb...o5nQ" // } Get Create (RefClass(cComChilkatJsonObject)) To hoJsonToken If (Not(IsComObjectCreated(hoJsonToken))) Begin Send CreateComObject of hoJsonToken End Get ComLoadFile Of hoJsonToken "qa_data/tokens/google_sample_id_token.json" To iSuccess If (iSuccess = False) Begin Showln "Failed to load the JSON file..." Procedure_Return End // Use Chilkat's JWT API to examine the id_token.. Get Create (RefClass(cComChilkatJwt)) To hoJwt If (Not(IsComObjectCreated(hoJwt))) Begin Send CreateComObject of hoJwt End Get ComStringOf Of hoJsonToken "id_token" To sIdToken // Extract the JOSE header.. Get ComGetHeader Of hoJwt sIdToken To sJose Get Create (RefClass(cComChilkatJsonObject)) To hoJsonHeader If (Not(IsComObjectCreated(hoJsonHeader))) Begin Send CreateComObject of hoJsonHeader End Get ComLoad Of hoJsonHeader sJose To iSuccess Set ComEmitCompact Of hoJsonHeader To False Get ComEmit Of hoJsonHeader To sTemp1 Showln sTemp1 // The JOSE header looks like this: // { // "alg": "RS256", // "kid": "e8799db06287515556213c80acbcfd022fb302a9", // "typ": "JWT" // } Get ComGetPayload Of hoJwt sIdToken To sClaims Get Create (RefClass(cComChilkatJsonObject)) To hoJsonClaims If (Not(IsComObjectCreated(hoJsonClaims))) Begin Send CreateComObject of hoJsonClaims End Get ComLoad Of hoJsonClaims sClaims To iSuccess Set ComEmitCompact Of hoJsonClaims To False Get ComEmit Of hoJsonClaims To sTemp1 Showln sTemp1 // The claims look like this: // { // "iss": "https://accounts.google.com", // "azp": "258999997753-5ni8lu5f15r7mno97d82f5lir9i9f6i1.apps.googleusercontent.com", // "aud": "258999997753-5ni8lu5f15r7mno97d82f5lir9i9f6i1.apps.googleusercontent.com", // "sub": "111787341816486547572", // "email": "somebody@gmail.com", // "email_verified": true, // "at_hash": "HYJZImlW3mUK-UfjRfXjKw", // "iat": 1615315968, // "exp": 1615319568 // } // The at_hash is the Access Token hash value. Its value is the base64url encoding of the // left-most half of the hash of the octets of the ASCII representation of the access_token value, // where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the // ID Token's JOSE Header. For instance, if the alg is RS256, hash the access_token value with SHA-256, // then take the left-most 128 bits and base64url encode them. The at_hash value is a case sensitive string. Get ComStringOf Of hoJsonToken "access_token" To sToken_to_hash Get ComStringOf Of hoJsonClaims "at_hash" To sToken_hash_expected // Step 1. hashes the access token using SHA-256 (Google uses `RS256` as the ID Token `alg`). Get Create (RefClass(cComChilkatCrypt2)) To hoCrypt If (Not(IsComObjectCreated(hoCrypt))) Begin Send CreateComObject of hoCrypt End Get Create (RefClass(cComChilkatBinData)) To hoBdHash If (Not(IsComObjectCreated(hoBdHash))) Begin Send CreateComObject of hoBdHash End Set ComHashAlgorithm Of hoCrypt To "sha256" // This encoding mode must match the encoding mode passed in the 2nd arg to AppendEncoded. // The encoding mode can be anything, as long as they are the same in both places. Set ComEncodingMode Of hoCrypt To "hex" Get ComHashStringENC Of hoCrypt sToken_to_hash To sTemp1 Get ComAppendEncoded Of hoBdHash sTemp1 "hex" To iSuccess Get ComNumBytes Of hoBdHash To iSz Get ComGetEncodedChunk Of hoBdHash 0 (iSz / 2) "base64url" To sToken_hash_computed // If the hashes are identical, then the access_token as issued for the given id_token. Showln "token_hash_expected: " sToken_hash_expected Showln "token_hash_computed: " sToken_hash_computed End_Procedure |
||||
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.