(Delphi DLL) Validate a Google ID Token

Demonstrates how to verify the signature of a Google id token.

Chilkat for Delphi Downloads Chilkat non-ActiveX DLL for Delphi Chilkat ActiveX DLL for Delphi * The examples here use the non-ActiveX DLL.

uses
    Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
    Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls, Http, StringBuilder, Rsa, PublicKey, JsonObject;

...

procedure TForm1.Button1Click(Sender: TObject);
var
http: HCkHttp;
jwkStr: PWideChar;
json: HCkJsonObject;
success: Boolean;
jsonToken: HCkJsonObject;
sbIdToken: HCkStringBuilder;
sig_b64Url: PWideChar;
headerPlusPayload: PWideChar;
rsa: HCkRsa;
numKeys: Integer;
i: Integer;
jsonKey: HCkJsonObject;
pubKey: HCkPublicKey;
bVerified: Boolean;

begin
// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

http := CkHttp_Create();

// First get the public key we'll be needing..
jwkStr := CkHttp__quickGetStr(http,'https://www.googleapis.com/oauth2/v3/certs');
if (CkHttp_getLastMethodSuccess(http) = False) then
  begin
    Memo1.Lines.Add(CkHttp__lastErrorText(http));
    Exit;
  end;

// We have the following:

//     {
//       "keys": [
// 	{
// 	  "kid": "e8732db06287515556213b80acbcfd08cfb302a9",
// 	  "n": "4RIrO30287Wsq3gqXCMkUYMVAeI3H8...w2mbMNEBQ",
// 	  "kty": "RSA",
// 	  "e": "AQAB",
// 	  "alg": "RS256",
// 	  "use": "sig"
// 	},
// 	{
// 	  "kid": "8462a71da4f6d611fc0fecf0fc4ba9c37d65e6cd",
// 	  "e": "AQAB",
// 	  "n": "xT_ngLZNmT5GBtJZeTB...Ft4gK0eoFi0d3l8bcw",
// 	  "alg": "RS256",
// 	  "use": "sig",
// 	  "kty": "RSA"
// 	}
//       ]
//     }

json := CkJsonObject_Create();
success := CkJsonObject_Load(json,jwkStr);

// -------------------------------------------------

// Load the following..

//  {
//   "access_token": "ya29.a0...0f",
//   "expires_in": 3599,
//   "scope": "openid https://www.googleapis.com/auth/userinfo.email",
//   "token_type": "Bearer",
//   "id_token": "eyJhb...o5nQ"
// }

jsonToken := CkJsonObject_Create();
success := CkJsonObject_LoadFile(jsonToken,'qa_data/tokens/google_sample_id_token.json');
if (success = False) then
  begin
    Memo1.Lines.Add('Failed to load the JSON file...');
    Exit;
  end;

// Get the id_token;
sbIdToken := CkStringBuilder_Create();
success := CkStringBuilder_Append(sbIdToken,CkJsonObject__stringOf(jsonToken,'id_token'));

// Get the signature in base64url format.
// The header + payload remains in sbIdToken.
sig_b64Url := CkStringBuilder__getAfterFinal(sbIdToken,'.',True);
headerPlusPayload := CkStringBuilder__getAsString(sbIdToken);

Memo1.Lines.Add(sig_b64Url);
Memo1.Lines.Add(headerPlusPayload);

// ---------------------------------------------

// Try validating with each cert's public key.
// Hopefully one will be the key that verifies.

rsa := CkRsa_Create();
CkRsa_putEncodingMode(rsa,'base64url');

numKeys := CkJsonObject_SizeOfArray(json,'keys');
i := 0;
while i < numKeys do
  begin
    CkJsonObject_putI(json,i);
    jsonKey := CkJsonObject_ObjectOf(json,'keys[i]');
    pubKey := CkPublicKey_Create();
    success := CkPublicKey_LoadFromString(pubKey,CkJsonObject__emit(jsonKey));
    if (success = False) then
      begin
        Memo1.Lines.Add(CkPublicKey__lastErrorText(pubKey));
        Exit;
      end;
    Memo1.Lines.Add(IntToStr(i));
    Memo1.Lines.Add(CkPublicKey__getPem(pubKey,True));
    CkJsonObject_Dispose(jsonKey);

    success := CkRsa_ImportPublicKeyObj(rsa,pubKey);

    bVerified := CkRsa_VerifyStringENC(rsa,headerPlusPayload,'sha256',sig_b64Url);
    Memo1.Lines.Add('bVerified = ' + IntToStr(Ord(bVerified)));

    i := i + 1;
  end;

// The output is:

// 0
// -----BEGIN RSA PUBLIC KEY-----
// MIIBCgKCAQEA4RIrO30287Wsq3gqXCMkUYMVAeI3H8LVE6IXR1krdFeGnZLiGUPw
// cbkeVpXf3lmJdsStOg+jijces2DZCfPyIBiQuLYfxxmAZE6ErJ0QJFg1stwli2Pz
// 9ncYhFoqi8pXr7kEzEJBTzX4thuw56ydbGsshSEznPXoerCJOc7UI2+n0wFCWQ4Y
// LHbh/PrWt4vdadyUUUW/QpQHXQLdD8q/Qwqdj0O9zlJE7R6Elw2E9EqnHyIGu1hm
// LxhqrTru1M18SUhONYbVskV/BCEdVKs//X96849HorWQDCAgVMWfGsdMVq55FAdJ
// 680N5UmQDRynIZ4+PeNGN4S9iw2mbMNEBQIDAQAB
// -----END RSA PUBLIC KEY-----
// 
// bVerified = True
// 1
// -----BEGIN RSA PUBLIC KEY-----
// MIIBCgKCAQEAxT/ngLZNmT5GBdkLtJZjNeTB+8B5yWgrq/e5eMZ1hrZhcmLK+dSn
// IkpOPV8/OekV67EnQ7I4II2rcNJnHGrGKZziXO3XN2gtUHE+mBJC99oULSbX/QwB
// Kz7gC/IBPq9EuxTt6Oq6fPkVQ9DbRIgWJSEGBF/KRaNl3kyAlIZfpY7XgHyJTTv8
// E7yAcYKPR+36gzdl+ps0sDLKzUuAtZNq8llK0u80z6AtAUIYwWdkEhM9upy6keKI
// TasIxcsO7M6kZPINUSbh6t5VAm8FuqRmxpgg+9c9/GQSGd89InVypoVzWLQ+wOGg
// 5G4H6JqIgtj0TRFt4gK0eoFi2U0d3l8bcwIDAQAB
// -----END RSA PUBLIC KEY-----
// 
// bVerified = False

CkHttp_Dispose(http);
CkJsonObject_Dispose(json);
CkJsonObject_Dispose(jsonToken);
CkStringBuilder_Dispose(sbIdToken);
CkRsa_Dispose(rsa);
    CkPublicKey_Dispose(pubKey);

end;