DataFlex
Validate the at_hash Claim of an ID Token
Demonstrates how to hash an access token to compare it with the at_hash claim of an ID token.
Use ChilkatAx-win32.pkg
Procedure Test
Boolean iSuccess
Handle hoJsonToken
Handle hoJwt
String sIdToken
String sJose
Handle hoJsonHeader
String sClaims
Handle hoJsonClaims
String sToken_to_hash
String sToken_hash_expected
Handle hoCrypt
Handle hoBdHash
Integer iSz
String sToken_hash_computed
String sTemp1
Move False To iSuccess
// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.
// This example uses a Google access_token + id_token that looks like this:
// {
// "access_token": "ya29.a0...0f",
// "expires_in": 3599,
// "scope": "openid https://www.googleapis.com/auth/userinfo.email",
// "token_type": "Bearer",
// "id_token": "eyJhb...o5nQ"
// }
Get Create (RefClass(cComChilkatJsonObject)) To hoJsonToken
If (Not(IsComObjectCreated(hoJsonToken))) Begin
Send CreateComObject of hoJsonToken
End
Get ComLoadFile Of hoJsonToken "qa_data/tokens/google_sample_id_token.json" To iSuccess
If (iSuccess = False) Begin
Showln "Failed to load the JSON file..."
Procedure_Return
End
// Use Chilkat's JWT API to examine the id_token.
Get Create (RefClass(cComChilkatJwt)) To hoJwt
If (Not(IsComObjectCreated(hoJwt))) Begin
Send CreateComObject of hoJwt
End
Get ComStringOf Of hoJsonToken "id_token" To sIdToken
// Extract the JOSE header.
Get ComGetHeader Of hoJwt sIdToken To sJose
Get Create (RefClass(cComChilkatJsonObject)) To hoJsonHeader
If (Not(IsComObjectCreated(hoJsonHeader))) Begin
Send CreateComObject of hoJsonHeader
End
Get ComLoad Of hoJsonHeader sJose To iSuccess
Set ComEmitCompact Of hoJsonHeader To False
Get ComEmit Of hoJsonHeader To sTemp1
Showln sTemp1
// The JOSE header looks like this:
// {
// "alg": "RS256",
// "kid": "e8799db06287515556213c80acbcfd022fb302a9",
// "typ": "JWT"
// }
Get ComGetPayload Of hoJwt sIdToken To sClaims
Get Create (RefClass(cComChilkatJsonObject)) To hoJsonClaims
If (Not(IsComObjectCreated(hoJsonClaims))) Begin
Send CreateComObject of hoJsonClaims
End
Get ComLoad Of hoJsonClaims sClaims To iSuccess
Set ComEmitCompact Of hoJsonClaims To False
Get ComEmit Of hoJsonClaims To sTemp1
Showln sTemp1
// The claims look like this:
// {
// "iss": "https://accounts.google.com",
// "azp": "258999997753-5ni8lu5f15r7mno97d82f5lir9i9f6i1.apps.googleusercontent.com",
// "aud": "258999997753-5ni8lu5f15r7mno97d82f5lir9i9f6i1.apps.googleusercontent.com",
// "sub": "111787341816486547572",
// "email": "somebody@gmail.com",
// "email_verified": true,
// "at_hash": "HYJZImlW3mUK-UfjRfXjKw",
// "iat": 1615315968,
// "exp": 1615319568
// }
// The at_hash is the Access Token hash value. Its value is the base64url encoding of the
// left-most half of the hash of the octets of the ASCII representation of the access_token value,
// where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the
// ID Token's JOSE Header. For instance, if the alg is RS256, hash the access_token value with SHA-256,
// then take the left-most 128 bits and base64url encode them. The at_hash value is a case sensitive string.
Get ComStringOf Of hoJsonToken "access_token" To sToken_to_hash
Get ComStringOf Of hoJsonClaims "at_hash" To sToken_hash_expected
// Step 1: hash the access token using SHA-256 (Google uses RS256 as the ID Token alg).
Get Create (RefClass(cComChilkatCrypt2)) To hoCrypt
If (Not(IsComObjectCreated(hoCrypt))) Begin
Send CreateComObject of hoCrypt
End
Get Create (RefClass(cComChilkatBinData)) To hoBdHash
If (Not(IsComObjectCreated(hoBdHash))) Begin
Send CreateComObject of hoBdHash
End
Set ComHashAlgorithm Of hoCrypt To "sha256"
// This encoding mode must match the encoding mode passed in the 2nd arg to AppendEncoded.
// The encoding mode can be anything, as long as they are the same in both places.
Set ComEncodingMode Of hoCrypt To "hex"
Get ComHashStringENC Of hoCrypt sToken_to_hash To sTemp1
Get ComAppendEncoded Of hoBdHash sTemp1 "hex" To iSuccess
Get ComNumBytes Of hoBdHash To iSz
Get ComGetEncodedChunk Of hoBdHash 0 (iSz / 2) "base64url" To sToken_hash_computed
// If the two values are identical, then the access_token was issued together with the given id_token.
Showln "token_hash_expected: " sToken_hash_expected
Showln "token_hash_computed: " sToken_hash_computed
End_Procedure
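The same at_hash computation described in the comments above, written as an added Python example that is not part of the original Chilkat sample: it derives the digest from the ID token's alg, hashes the access token, keeps the left-most half, base64url-encodes it without padding, and compares the result with the claim in constant time. The access token string and the unsigned header.payload fixture are constructed for this example; a real ID token's signature, iss, aud and exp are checked separately before this step.

```python
import base64
import hashlib
import hmac
import json

# at_hash uses the digest implied by the ID token's "alg": the *256 algs
# (RS256, ES256, PS256, HS256) -> SHA-256, *384 -> SHA-384, *512 -> SHA-512.
_ALG_DIGEST = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def compute_at_hash(access_token: str, alg: str) -> str:
    """Left-most half of hash(ASCII(access_token)), base64url without padding."""
    digest = _ALG_DIGEST.get(alg[-3:])
    if digest is None:  # "none", "EdDSA", etc.: no SHA-2 size suffix to derive from
        raise ValueError(f"unsupported ID token alg: {alg!r}")
    full = digest(access_token.encode("ascii")).digest()
    half = full[: len(full) // 2]  # 128 bits for SHA-256, 192 for SHA-384, 256 for SHA-512
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")

def verify_at_hash(id_token: str, access_token: str) -> bool:
    """True only if the ID token's at_hash claim was computed over this access token.
    Signature, iss, aud and exp checks are separate steps that precede this one."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    expected = claims.get("at_hash")
    if not isinstance(expected, str):
        return False  # no at_hash claim: nothing binds this access token to the ID token
    computed = compute_at_hash(access_token, header["alg"])
    return hmac.compare_digest(computed.encode(), expected.encode())  # constant-time compare

def make_unsigned_id_token(alg: str, claims: dict) -> str:
    """Constructed fixture: header.payload with an empty signature segment, used here
    only to exercise the at_hash check offline (a real ID token carries a signature)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode("ascii")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":  # constructed sample values, not a real Google token
    tok = "ya29.constructed-sample-access-token"
    idt = make_unsigned_id_token("RS256", {"at_hash": compute_at_hash(tok, "RS256")})
    print(verify_at_hash(idt, tok), verify_at_hash(idt, tok + "x"))  # True False
```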