Sample code for 30+ languages & platforms
Visual FoxPro

Verify a Google JWT Using Google's Public Key

See more Google APIs Examples

Demonstrates how to verify a JWT that was signed using Google's RSA private key.

This example verifies the RSA signature. It also does the following:

  • Checks to see if the time constraints ("nbf" and "exp") are valid.
  • Recovers the original JOSE header.
  • Recovers the original claims JSON.

Chilkat Visual FoxPro Downloads

Visual FoxPro
LOCAL lnSuccess
LOCAL loHttp
LOCAL loSbPubKeys
LOCAL lcToken
LOCAL loJwt
LOCAL lcHeader
LOCAL loJson
LOCAL lcKid
LOCAL loJsonPubKeys
LOCAL loJsonKey
LOCAL loPubKey

lnSuccess = 0

* This example assumes the Chilkat API to have been previously unlocked.
* See Global Unlock Sample for sample code.

loHttp = CreateObject('Chilkat.Http')
loSbPubKeys = CreateObject('Chilkat.StringBuilder')

lnSuccess = loHttp.QuickGetSb("https://www.googleapis.com/oauth2/v3/certs",loSbPubKeys)
IF (lnSuccess = 0) THEN
    ? loHttp.LastErrorText
    RELEASE loHttp
    RELEASE loSbPubKeys
    CANCEL
ENDIF

? loSbPubKeys.GetAsString()

* Here are the keys:

* {
*   "keys": [
*     {
*       "e": "AQAB",
*       "n": "4bAT6C6EeX8Dspje3FrAXw-nnhNk04e1RmNa4kjc0CHf6Pk7ryARlwA-6YilyPABqQfYHx60s8oSnxvUVprFfQ2-Q8aAZO7bPKSxnoGlcKERL2oLNA4Msvc89N9Y5ycThZUplf_QC19e6jyYXN6Nz-UnJSCLrtQY8tVhhVRs61j4A2N_p-enAi-r704Qi1-v-DKV4eVRkClKViploo8NyjUaT9L4vbBssPCjyimJzsWnEe1fED5c4LnHeArYzA_FEn3JJotqDIz9t2VnvZNTMhizHEX4VnORlEWMEfR8n4CEHQx7PcQUOmfqyw08gWeXQl1-uTjtIGaE-sRIv9u_vQ",
*       "kty": "RSA",
*       "use": "sig",
*       "alg": "RS256",
*       "kid": "2af90e87be140c20038898a6efa11283dab6031d"
*     },
*     {
*       "n": "nzGsrziOYrMVYMpvUZOwkKNiPWcOPTYRYlDSdRW4UpAHdWPbPlyqaaphYhoMB5DXrVxI3bdvm7DOlo-sHNnulmAFQa-7TsQMxrZCvVdAbyXGID9DZYEqf8mkCV1Ohv7WY5lDUqlybIk1OSHdK7-1et0QS8nn-5LojGg8FK4ssLf3mV1APpujl27D1bDhyRb1MGumXYElwlUms7F9p9OcSp5pTevXCLmXs9MJJk4o9E1zzPpQ9Ko0lH9l_UqFpA7vwQhnw0nbh73rXOX2TUDCUqL4ThKU5Z9Pd-eZCEOatKe0mJTpQ00XGACBME_6ojCdfNIJr84Y_IpGKvkAEksn9w",
*       "use": "sig",
*       "kid": "87bbe0815b064e6d449cac999f0e50e72a3e4374",
*       "e": "AQAB",
*       "alg": "RS256",
*       "kty": "RSA"
*     }
*   ]
* }

* -------------------------------------------------------------------------------------------
* Replace this with your actual token.
* This sample token contains a kid that does not match any of the above Google public keys.
* -------------------------------------------------------------------------------------------
lcToken = "eyJhbGciOiJSUzI1NiIsImtpZCI6IjQyZmY5MGQ3ZDM0OGM5NzM4MWE3YzExOWVmMWY1MzI0ZWEzZjViZWIifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJzdWIiOiIxMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExIiwiaWF0IjoxNjExMTE1MTQzLCJleHAiOjE2MTEyMDE1NDMsImF1ZCI6IjQyOTc1NzExNTE0ODg0OSJ9.pLem5i0bx3M7lJYj7jKv2Nq7c07X5YpZz-x1uM5RniW-v4LsX-lKIVvOq2x3-WoPqkzLXJfP0kG0dx1uD2q1NfFQK60YwKH4FnFtB6INnUP1dRVpP9_pTTKyAE28I3s5Tay4PbPdrCl7ZLCIJzCfpCW1TiWeVoPjp5HgZKTBHdP_sEkN_yO5dQerQXAkFJkV3kNgF9jI3ayT-KPqOIH6GVoWXjHFDyA2EYgJPEFRo5WSe6XycJ85p5duwT-OoBcb_kJZG9PxYd91eHlPCzp8vGxzIb2dVROCBxyM8e8W0cd9v15hfmpg9R-eG9vCM5y63ZLChZLFeHFx0Pd7hvAqfKg"

loJwt = CreateObject('Chilkat.Jwt')
lcHeader = loJwt.GetHeader(lcToken)

? lcHeader

* Sample header:
* {"alg":"RS256","kid":"87bbe0815b064e6d449cac999f0e50e72a3e4374"}

* Load the public key matching the "kid" into a Chilkat public key object, then verify..

loJson = CreateObject('Chilkat.JsonObject')
loJson.Load(lcHeader)
lcKid = loJson.StringOf("kid")

? "kid = " + lcKid

loJsonPubKeys = CreateObject('Chilkat.JsonObject')
loJsonPubKeys.LoadSb(loSbPubKeys)

loJsonKey = loJsonPubKeys.FindRecord("keys","kid",lcKid,1)
IF (loJsonPubKeys.LastMethodSuccess = 0) THEN
    ? "Did not find a matching public key based on the kid."
    RELEASE loHttp
    RELEASE loSbPubKeys
    RELEASE loJwt
    RELEASE loJson
    RELEASE loJsonPubKeys
    CANCEL
ENDIF

? loJsonKey.Emit()

* Load the matching public key into a Chilkat public key object.
loPubKey = CreateObject('Chilkat.PublicKey')
lnSuccess = loPubKey.LoadFromString(loJsonKey.Emit())
RELEASE loJsonKey
IF (lnSuccess = 0) THEN
    ? loPubKey.LastErrorText
    RELEASE loHttp
    RELEASE loSbPubKeys
    RELEASE loJwt
    RELEASE loJson
    RELEASE loJsonPubKeys
    RELEASE loPubKey
    CANCEL
ENDIF

* ----------------------------------------------------------------------------------------
* Now we can validate the JWT using Google's public key as shown in this example:
* (Except we use the public key obtained as shown above instead of a public key loaded from a PEM file.
* 
* See Verify JWT Using an RSA Public Key

RELEASE loHttp
RELEASE loSbPubKeys
RELEASE loJwt
RELEASE loJson
RELEASE loJsonPubKeys
RELEASE loPubKey