(Go) Azure OpenID Connect Step 2 -- Get id_token and Validate

See more OIDC Examples

After getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it..

For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc

Chilkat Go Downloads Go Package for Windows, MacOS, Linux, Alpine Linux, Solaris

    // This example requires the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    var success bool

    // In our previous example (Azure Fetch OpenID Connect metadata document) we fetched
    // the OpenID configuration document which is JSON which contains an entry for authorization_endpoint.

    authorization_endpoint := "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/oauth2/v2.0/authorize"

    // The OpenID Connect metadata document also contained a jwks_uri entry.  This is the JSON Web Key Set (JWKS),
    // which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token)
    // issued by the authorization server and signed using the RS256 signing algorithm. 
    jwks_uri := "https://login.microsoftonline.com/6d8ddd66-68d1-44b0-af5c-e31b4b7ee5cd/discovery/v2.0/keys"

    // We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat).
    // The following code will form the URL that is to be programmatically loaded and sent in a browser.

    // GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
    // client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    // &response_type=id_token
    // &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
    // &response_mode=form_post
    // &scope=openid
    // &state=12345
    // &nonce=678910

    // Use this object to set params and then get the URL-encoded query params string 
    req := chilkat.NewHttpRequest()
    req.AddParam("client_id","f125d695-c50e-456e-a579-a486f06d1213")
    req.AddParam("response_type","id_token")
    req.AddParam("redirect_uri","http://localhost:3017/")
    req.AddParam("response_mode","form_post")
    req.AddParam("scope","openid")
    prng := chilkat.NewPrng()
    req.AddParam("state",*prng.GenRandom(3,"decimal"))
    req.AddParam("nonce",*prng.GenRandom(4,"decimal"))

    encodedParams := req.GetUrlEncodedParams()
    fmt.Println(*encodedParams)

    // Sample URL encoded params:
    // client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474

    // This is the URL to be programmatically loaded and sent in an interactive web browser..
    sbUrl := chilkat.NewStringBuilder()
    sbUrl.Append(authorization_endpoint)
    sbUrl.Append("?")
    sbUrl.Append(*encodedParams)
    url := sbUrl.GetAsString()

    // Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback..

    listenSock := chilkat.NewSocket()

    // Listen at the port indicated by the redirect_uri above.
    backLog := 5
    success = listenSock.BindAndListen(3017,backLog)
    if success != true {
        fmt.Println(listenSock.LastErrorText())
        req.DisposeHttpRequest()
        prng.DisposePrng()
        sbUrl.DisposeStringBuilder()
        listenSock.DisposeSocket()
        return
    }

    // Wait for the browser's connection in a background thread.
    // (We'll send load the URL into the browser following this..)
    // Wait a max of 60 seconds before giving up.
    maxWaitMs := 60000
    c := make(chan *chilkat.Task)
    go listenSock.AcceptNextConnectionAsync(maxWaitMs,c)
    task := <-c

    // -------------------------------------------------------------------
    // At this point, your application should load the URL in a browser.
    // You'll need to add code here to do it..

    // For example, 
    // in C#: System.Diagnostics.Process.Start(url);
    // in Java: Desktop.getDesktop().browse(new URI(url));
    // in VBScript: Set wsh=WScript.CreateObject("WScript.Shell")
    //              wsh.Run url
    // in Xojo: ShowURL(url)  (see http://docs.xojo.com/index.php/ShowURL)
    // in Dataflex: Runprogram Background "c:\Program Files\Internet Explorer\iexplore.exe" sUrl        
    // The account owner would interactively accept or deny the authorization request.

    // Add the code to load the url in a web browser here...
    // Add the code to load the url in a web browser here...
    // Add the code to load the url in a web browser here...
    // System.Diagnostics.Process.Start(url);

    // -------------------------------------------------------------------

    // Wait for the listenSock's task to complete.
    success = task.Wait(maxWaitMs)
    if !success || (task.StatusInt() != 7) || (task.TaskSuccess() != true) {
        if !success {
            // The task.LastErrorText applies to the Wait method call.
            fmt.Println(task.LastErrorText())
        } else {
            // The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection)
            fmt.Println(task.Status())
            fmt.Println(task.ResultErrorText())
        }

        task.DisposeTask()
        req.DisposeHttpRequest()
        prng.DisposePrng()
        sbUrl.DisposeStringBuilder()
        listenSock.DisposeSocket()
        task.DisposeTask()
        return
    }

    // If we get to this point, a connection on listenSock was accepted, and the redirected POST
    // is waiting to be read on the connected socket.
    // The POST we are going to read contains the following:

    // POST /myapp/ HTTP/1.1
    // Host: localhost
    // Content-Type: application/x-www-form-urlencoded
    // 
    // id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345

    // But first.. we no longer need the listen socket...
    // Stop listening on port 3017.
    listenSock.Close(10)

    // Get the connected socket.
    sock := chilkat.NewSocket()
    sock.LoadTaskResult(task)
    task.DisposeTask()

    // We're acting as a temporary web server to receive this one redirected HTTP request..
    // Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1")
    startLine := sock.ReceiveUntilMatch("\r\n")
    if sock.LastMethodSuccess() != true {
        fmt.Println(sock.LastErrorText())
        req.DisposeHttpRequest()
        prng.DisposePrng()
        sbUrl.DisposeStringBuilder()
        listenSock.DisposeSocket()
        task.DisposeTask()
        sock.DisposeSocket()
        return
    }

    // Read the request header.
    requestHeader := sock.ReceiveUntilMatch("\r\n\r\n")
    if sock.LastMethodSuccess() != true {
        fmt.Println(sock.LastErrorText())
        req.DisposeHttpRequest()
        prng.DisposePrng()
        sbUrl.DisposeStringBuilder()
        listenSock.DisposeSocket()
        task.DisposeTask()
        sock.DisposeSocket()
        return
    }

    fmt.Println(*requestHeader)
    fmt.Println("----")

    // Read the body.
    // The body will contain "id_token= eyJ......"
    sbRequestBody := chilkat.NewStringBuilder()
    success = sock.ReceiveSb(sbRequestBody)
    if success == false {
        fmt.Println(sock.LastErrorText())
        req.DisposeHttpRequest()
        prng.DisposePrng()
        sbUrl.DisposeStringBuilder()
        listenSock.DisposeSocket()
        task.DisposeTask()
        sock.DisposeSocket()
        sbRequestBody.DisposeStringBuilder()
        return
    }

    fmt.Println(*sbRequestBody.GetAsString())

    // Given that we're acting as a web server, we must send a response..
    // We can now send our HTTP response.
    sbResponseHtml := chilkat.NewStringBuilder()
    sbResponseHtml.Append("<html><body><p>Thank you!</b></body</html>")

    sbResponse := chilkat.NewStringBuilder()
    sbResponse.Append("HTTP/1.1 200 OK\r\n")
    sbResponse.Append("Content-Length: ")
    sbResponse.AppendInt(sbResponseHtml.Length())
    sbResponse.Append("\r\n")
    sbResponse.Append("Content-Type: text/html\r\n")
    sbResponse.Append("\r\n")
    sbResponse.AppendSb(sbResponseHtml)

    sock.SendString(*sbResponse.GetAsString())
    sock.Close(50)

    // Get the id_token from the sbRequestBody that we just received.
    // (Remember, we're acting as the web server, thus we received the redirect request..)
    hashTab := chilkat.NewHashtable()
    hashTab.AddQueryParams(*sbRequestBody.GetAsString())

    // See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token
    // for more information about ID tokens..
    idToken := hashTab.LookupStr("id_token")

    jwt := chilkat.NewJwt()

    // Let's see if the time constraints, if any, are valid.
    // The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour.
    // If the current system time is before the "nbf" time, or after the "exp" time,
    // then IsTimeValid will return false/0.
    // Also, we'll allow a leeway of 60 seconds to account for any clock skew.
    // Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true.
    leeway := 60
    bTimeValid := jwt.IsTimeValid(*idToken,leeway)
    fmt.Println("time constraints valid: ", bTimeValid)

    // Now let's recover the original claims JSON (the payload).
    payload := jwt.GetPayload(*idToken)
    // The payload will likely be in compact form:
    fmt.Println(*payload)

    // We can format for human viewing by loading it into Chilkat's JSON object
    // and emit.
    json := chilkat.NewJsonObject()
    success = json.Load(*payload)
    json.SetEmitCompact(false)
    fmt.Println(*json.Emit())

    // Sample output:

    // {
    //   "aud": "f125d695-c50e-456e-a579-a486f06d1213",
    //   "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0",
    //   "iat": 1626535322,
    //   "nbf": 1626535322,
    //   "exp": 1626539222,
    //   "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd",
    //   "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/",
    //   "nonce": "1519043321",
    //   "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.",
    //   "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM",
    //   "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd",
    //   "uti": "-BXGHxvfREW-r9HI5NBiAA",
    //   "ver": "2.0"
    // }

    // We can recover the original JOSE header in the same way:
    joseHeader := jwt.GetHeader(*idToken)
    // The payload will likely be in compact form:
    fmt.Println(*joseHeader)

    // We can format for human viewing by loading it into Chilkat's JSON object
    // and emit.
    jsonJoseHeader := chilkat.NewJsonObject()
    success = jsonJoseHeader.Load(*joseHeader)
    jsonJoseHeader.SetEmitCompact(false)
    fmt.Println(*jsonJoseHeader.Emit())

    // Sample output:

    // {
    //   "typ": "JWT",
    //   "alg": "RS256",
    //   "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
    // }

    // Finally, we need to fetch the JSON Web Key Sets from the jwks_uri
    // and use it to verify the id_token's RSA signature.
    sbJwks := chilkat.NewStringBuilder()
    http := chilkat.NewHttp()
    success = http.QuickGetSb(jwks_uri,sbJwks)
    if success == false {
        fmt.Println(http.LastErrorText())
        req.DisposeHttpRequest()
        prng.DisposePrng()
        sbUrl.DisposeStringBuilder()
        listenSock.DisposeSocket()
        task.DisposeTask()
        sock.DisposeSocket()
        sbRequestBody.DisposeStringBuilder()
        sbResponseHtml.DisposeStringBuilder()
        sbResponse.DisposeStringBuilder()
        hashTab.DisposeHashtable()
        jwt.DisposeJwt()
        json.DisposeJsonObject()
        jsonJoseHeader.DisposeJsonObject()
        sbJwks.DisposeStringBuilder()
        http.DisposeHttp()
        return
    }

    jwkset := chilkat.NewJsonObject()
    success = jwkset.LoadSb(sbJwks)
    jwkset.SetEmitCompact(false)
    fmt.Println(*jwkset.Emit())

    // A sample jwkset:

    // {
    //   "keys": [
    //     {
    //       "kty": "RSA",
    //       "use": "sig",
    //       "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
    //       "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
    //       "n": "oaLLT9hkcSj ... NVrZdUdTBQ",
    //       "e": "AQAB",
    //       "x5c": [
    //         "MIIDBTC ... MRku44Dw7R"
    //       ],
    //       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
    //     },
    //     {
    //       "kty": "RSA",
    //       "use": "sig",
    //       "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680",
    //       "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680",
    //       "n": "sfsXMXW ... AYkwb6xUQ",
    //       "e": "AQAB",
    //       "x5c": [
    //         "MIIDBTCCA ... BWrh+/vJ"
    //       ],
    //       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
    //     },
    //     {
    //       "kty": "RSA",
    //       "use": "sig",
    //       "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
    //       "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
    //       "n": "1n7-nWSL ... V3pFWhQ",
    //       "e": "AQAB",
    //       "x5c": [
    //         "MIIC8TC ... 9pIcnkPQ=="
    //       ],
    //       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
    //     },
    //     {
    //       "kty": "RSA",
    //       "use": "sig",
    //       "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
    //       "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
    //       "n": "01re9a2BU ... 5OzQ6Q",
    //       "e": "AQAB",
    //       "x5c": [
    //         "MIIC8TC ... YmwJ6sDdRvQ=="
    //       ],
    //       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
    //     }
    //   ]
    // }

    // We should have an RSA key with kid matching the kid from the joseHeader..
    kid := jsonJoseHeader.StringOf("kid")

    // Find the RSA key with the specified key id
    jwk := jwkset.FindRecord("keys","kid",*kid,true)
    if jwkset.LastMethodSuccess() == false {
        fmt.Println("Failed to find a matching RSA key in the JWK key set...")
        req.DisposeHttpRequest()
        prng.DisposePrng()
        sbUrl.DisposeStringBuilder()
        listenSock.DisposeSocket()
        task.DisposeTask()
        sock.DisposeSocket()
        sbRequestBody.DisposeStringBuilder()
        sbResponseHtml.DisposeStringBuilder()
        sbResponse.DisposeStringBuilder()
        hashTab.DisposeHashtable()
        jwt.DisposeJwt()
        json.DisposeJsonObject()
        jsonJoseHeader.DisposeJsonObject()
        sbJwks.DisposeStringBuilder()
        http.DisposeHttp()
        jwkset.DisposeJsonObject()
        return
    }

    var verified bool
    pubkey := chilkat.NewPublicKey()

    success = pubkey.LoadFromString(*jwk.Emit())
    if success == false {
        fmt.Println(pubkey.LastErrorText())
        fmt.Println(*jwk.Emit())
    } else {
        verified = jwt.VerifyJwtPk(*idToken,pubkey)
        fmt.Println("Verified: ", verified)
    }

    jwk.DisposeJsonObject()

    req.DisposeHttpRequest()
    prng.DisposePrng()
    sbUrl.DisposeStringBuilder()
    listenSock.DisposeSocket()
    task.DisposeTask()
    sock.DisposeSocket()
    sbRequestBody.DisposeStringBuilder()
    sbResponseHtml.DisposeStringBuilder()
    sbResponse.DisposeStringBuilder()
    hashTab.DisposeHashtable()
    jwt.DisposeJwt()
    json.DisposeJsonObject()
    jsonJoseHeader.DisposeJsonObject()
    sbJwks.DisposeStringBuilder()
    http.DisposeHttp()
    jwkset.DisposeJsonObject()
    pubkey.DisposePublicKey()