(Objective-C) Azure OpenID Connect Step 2 -- Get id_token and Validate

See more OIDC Examples

After getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it..

For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc

Chilkat Objective-C Library Downloads MAC OS X (Cocoa) Libs iOS Libs

#import <NSString.h>
#import <CkoHttpRequest.h>
#import <CkoPrng.h>
#import <CkoStringBuilder.h>
#import <CkoSocket.h>
#import <CkoTask.h>
#import <CkoHashtable.h>
#import <CkoJwt.h>
#import <CkoJsonObject.h>
#import <CkoHttp.h>
#import <CkoPublicKey.h>

// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

BOOL success;

// In our previous example (Azure Fetch OpenID Connect metadata document) we fetched
// the OpenID configuration document which is JSON which contains an entry for authorization_endpoint.

NSString *authorization_endpoint = @"https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/oauth2/v2.0/authorize";

// The OpenID Connect metadata document also contained a jwks_uri entry.  This is the JSON Web Key Set (JWKS),
// which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token)
// issued by the authorization server and signed using the RS256 signing algorithm. 
NSString *jwks_uri = @"https://login.microsoftonline.com/6d8ddd66-68d1-44b0-af5c-e31b4b7ee5cd/discovery/v2.0/keys";

// We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat).
// The following code will form the URL that is to be programmatically loaded and sent in a browser.

// GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
// client_id=6731de76-14a6-49ae-97bc-6eba6914391e
// &response_type=id_token
// &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
// &response_mode=form_post
// &scope=openid
// &state=12345
// &nonce=678910

// Use this object to set params and then get the URL-encoded query params string 
CkoHttpRequest *req = [[CkoHttpRequest alloc] init];
[req AddParam: @"client_id" value: @"f125d695-c50e-456e-a579-a486f06d1213"];
[req AddParam: @"response_type" value: @"id_token"];
[req AddParam: @"redirect_uri" value: @"http://localhost:3017/"];
[req AddParam: @"response_mode" value: @"form_post"];
[req AddParam: @"scope" value: @"openid"];
CkoPrng *prng = [[CkoPrng alloc] init];
[req AddParam: @"state" value: [prng GenRandom: [NSNumber numberWithInt: 3] encoding: @"decimal"]];
[req AddParam: @"nonce" value: [prng GenRandom: [NSNumber numberWithInt: 4] encoding: @"decimal"]];

NSString *encodedParams = [req GetUrlEncodedParams];
NSLog(@"%@",encodedParams);

// Sample URL encoded params:
// client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474

// This is the URL to be programmatically loaded and sent in an interactive web browser..
CkoStringBuilder *sbUrl = [[CkoStringBuilder alloc] init];
[sbUrl Append: authorization_endpoint];
[sbUrl Append: @"?"];
[sbUrl Append: encodedParams];
NSString *url = [sbUrl GetAsString];

// Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback..

CkoSocket *listenSock = [[CkoSocket alloc] init];

// Listen at the port indicated by the redirect_uri above.
int backLog = 5;
success = [listenSock BindAndListen: [NSNumber numberWithInt: 3017] backlog: [NSNumber numberWithInt: backLog]];
if (success != YES) {
    NSLog(@"%@",listenSock.LastErrorText);
    return;
}

// Wait for the browser's connection in a background thread.
// (We'll send load the URL into the browser following this..)
// Wait a max of 60 seconds before giving up.
int maxWaitMs = 60000;
CkoTask *task = [listenSock AcceptNextConnectionAsync: [NSNumber numberWithInt: maxWaitMs]];
[task Run];

// -------------------------------------------------------------------
// At this point, your application should load the URL in a browser.
// You'll need to add code here to do it..

// For example, 
// in C#: System.Diagnostics.Process.Start(url);
// in Java: Desktop.getDesktop().browse(new URI(url));
// in VBScript: Set wsh=WScript.CreateObject("WScript.Shell")
//              wsh.Run url
// in Xojo: ShowURL(url)  (see http://docs.xojo.com/index.php/ShowURL)
// in Dataflex: Runprogram Background "c:\Program Files\Internet Explorer\iexplore.exe" sUrl        
// The account owner would interactively accept or deny the authorization request.

// Add the code to load the url in a web browser here...
// Add the code to load the url in a web browser here...
// Add the code to load the url in a web browser here...
// System.Diagnostics.Process.Start(url);

// -------------------------------------------------------------------

// Wait for the listenSock's task to complete.
success = [task Wait: [NSNumber numberWithInt: maxWaitMs]];
if (!success || ([task.StatusInt intValue] != 7) || (task.TaskSuccess != YES)) {
    if (!success) {
        // The task.LastErrorText applies to the Wait method call.
        NSLog(@"%@",task.LastErrorText);
    }
    else {
        // The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection)
        NSLog(@"%@",task.Status);
        NSLog(@"%@",task.ResultErrorText);
    }

    return;
}

// If we get to this point, a connection on listenSock was accepted, and the redirected POST
// is waiting to be read on the connected socket.
// The POST we are going to read contains the following:

// POST /myapp/ HTTP/1.1
// Host: localhost
// Content-Type: application/x-www-form-urlencoded
// 
// id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345

// But first.. we no longer need the listen socket...
// Stop listening on port 3017.
[listenSock Close: [NSNumber numberWithInt: 10]];

// Get the connected socket.
CkoSocket *sock = [[CkoSocket alloc] init];
[sock LoadTaskResult: task];

// We're acting as a temporary web server to receive this one redirected HTTP request..
// Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1")
NSString *startLine = [sock ReceiveUntilMatch: @"\r\n"];
if (sock.LastMethodSuccess != YES) {
    NSLog(@"%@",sock.LastErrorText);
    return;
}

// Read the request header.
NSString *requestHeader = [sock ReceiveUntilMatch: @"\r\n\r\n"];
if (sock.LastMethodSuccess != YES) {
    NSLog(@"%@",sock.LastErrorText);
    return;
}

NSLog(@"%@",requestHeader);
NSLog(@"%@",@"----");

// Read the body.
// The body will contain "id_token= eyJ......"
CkoStringBuilder *sbRequestBody = [[CkoStringBuilder alloc] init];
success = [sock ReceiveSb: sbRequestBody];
if (success == NO) {
    NSLog(@"%@",sock.LastErrorText);
    return;
}

NSLog(@"%@",[sbRequestBody GetAsString]);

// Given that we're acting as a web server, we must send a response..
// We can now send our HTTP response.
CkoStringBuilder *sbResponseHtml = [[CkoStringBuilder alloc] init];
[sbResponseHtml Append: @"<html><body><p>Thank you!</b></body</html>"];

CkoStringBuilder *sbResponse = [[CkoStringBuilder alloc] init];
[sbResponse Append: @"HTTP/1.1 200 OK\r\n"];
[sbResponse Append: @"Content-Length: "];
[sbResponse AppendInt: sbResponseHtml.Length];
[sbResponse Append: @"\r\n"];
[sbResponse Append: @"Content-Type: text/html\r\n"];
[sbResponse Append: @"\r\n"];
[sbResponse AppendSb: sbResponseHtml];

[sock SendString: [sbResponse GetAsString]];
[sock Close: [NSNumber numberWithInt: 50]];

// Get the id_token from the sbRequestBody that we just received.
// (Remember, we're acting as the web server, thus we received the redirect request..)
CkoHashtable *hashTab = [[CkoHashtable alloc] init];
[hashTab AddQueryParams: [sbRequestBody GetAsString]];

// See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token
// for more information about ID tokens..
NSString *idToken = [hashTab LookupStr: @"id_token"];

CkoJwt *jwt = [[CkoJwt alloc] init];

// Let's see if the time constraints, if any, are valid.
// The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour.
// If the current system time is before the "nbf" time, or after the "exp" time,
// then IsTimeValid will return false/0.
// Also, we'll allow a leeway of 60 seconds to account for any clock skew.
// Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true.
int leeway = 60;
BOOL bTimeValid = [jwt IsTimeValid: idToken leeway: [NSNumber numberWithInt: leeway]];
NSLog(@"%@%d",@"time constraints valid: ",bTimeValid);

// Now let's recover the original claims JSON (the payload).
NSString *payload = [jwt GetPayload: idToken];
// The payload will likely be in compact form:
NSLog(@"%@",payload);

// We can format for human viewing by loading it into Chilkat's JSON object
// and emit.
CkoJsonObject *json = [[CkoJsonObject alloc] init];
success = [json Load: payload];
json.EmitCompact = NO;
NSLog(@"%@",[json Emit]);

// Sample output:

// {
//   "aud": "f125d695-c50e-456e-a579-a486f06d1213",
//   "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0",
//   "iat": 1626535322,
//   "nbf": 1626535322,
//   "exp": 1626539222,
//   "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd",
//   "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/",
//   "nonce": "1519043321",
//   "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.",
//   "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM",
//   "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd",
//   "uti": "-BXGHxvfREW-r9HI5NBiAA",
//   "ver": "2.0"
// }

// We can recover the original JOSE header in the same way:
NSString *joseHeader = [jwt GetHeader: idToken];
// The payload will likely be in compact form:
NSLog(@"%@",joseHeader);

// We can format for human viewing by loading it into Chilkat's JSON object
// and emit.
CkoJsonObject *jsonJoseHeader = [[CkoJsonObject alloc] init];
success = [jsonJoseHeader Load: joseHeader];
jsonJoseHeader.EmitCompact = NO;
NSLog(@"%@",[jsonJoseHeader Emit]);

// Sample output:

// {
//   "typ": "JWT",
//   "alg": "RS256",
//   "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
// }

// Finally, we need to fetch the JSON Web Key Sets from the jwks_uri
// and use it to verify the id_token's RSA signature.
CkoStringBuilder *sbJwks = [[CkoStringBuilder alloc] init];
CkoHttp *http = [[CkoHttp alloc] init];
success = [http QuickGetSb: jwks_uri sbContent: sbJwks];
if (success == NO) {
    NSLog(@"%@",http.LastErrorText);
    return;
}

CkoJsonObject *jwkset = [[CkoJsonObject alloc] init];
success = [jwkset LoadSb: sbJwks];
jwkset.EmitCompact = NO;
NSLog(@"%@",[jwkset Emit]);

// A sample jwkset:

// {
//   "keys": [
//     {
//       "kty": "RSA",
//       "use": "sig",
//       "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
//       "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
//       "n": "oaLLT9hkcSj ... NVrZdUdTBQ",
//       "e": "AQAB",
//       "x5c": [
//         "MIIDBTC ... MRku44Dw7R"
//       ],
//       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
//     },
//     {
//       "kty": "RSA",
//       "use": "sig",
//       "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680",
//       "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680",
//       "n": "sfsXMXW ... AYkwb6xUQ",
//       "e": "AQAB",
//       "x5c": [
//         "MIIDBTCCA ... BWrh+/vJ"
//       ],
//       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
//     },
//     {
//       "kty": "RSA",
//       "use": "sig",
//       "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
//       "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
//       "n": "1n7-nWSL ... V3pFWhQ",
//       "e": "AQAB",
//       "x5c": [
//         "MIIC8TC ... 9pIcnkPQ=="
//       ],
//       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
//     },
//     {
//       "kty": "RSA",
//       "use": "sig",
//       "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
//       "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
//       "n": "01re9a2BU ... 5OzQ6Q",
//       "e": "AQAB",
//       "x5c": [
//         "MIIC8TC ... YmwJ6sDdRvQ=="
//       ],
//       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
//     }
//   ]
// }

// We should have an RSA key with kid matching the kid from the joseHeader..
NSString *kid = [jsonJoseHeader StringOf: @"kid"];

// Find the RSA key with the specified key id
CkoJsonObject *jwk = [jwkset FindRecord: @"keys" relPath: @"kid" value: kid caseSensitive: YES];
if (jwkset.LastMethodSuccess == NO) {
    NSLog(@"%@",@"Failed to find a matching RSA key in the JWK key set...");
    return;
}

BOOL verified;
CkoPublicKey *pubkey = [[CkoPublicKey alloc] init];

success = [pubkey LoadFromString: [jwk Emit]];
if (success == NO) {
    NSLog(@"%@",pubkey.LastErrorText);
    NSLog(@"%@",[jwk Emit]);
}
else {
    verified = [jwt VerifyJwtPk: idToken key: pubkey];
    NSLog(@"%@%d",@"Verified: ",verified);
}