(Objective-C) Validate a Google ID Token

Demonstrates how to verify the signature of a Google id token.

Chilkat Objective-C Library Downloads MAC OS X (Cocoa) Libs iOS Libs

#import <CkoHttp.h>
#import <NSString.h>
#import <CkoJsonObject.h>
#import <CkoStringBuilder.h>
#import <CkoRsa.h>
#import <CkoPublicKey.h>

// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

CkoHttp *http = [[CkoHttp alloc] init];

// First get the public key we'll be needing..
NSString *jwkStr = [http QuickGetStr: @"https://www.googleapis.com/oauth2/v3/certs"];
if (http.LastMethodSuccess == NO) {
    NSLog(@"%@",http.LastErrorText);
    return;
}

// We have the following:

//     {
//       "keys": [
// 	{
// 	  "kid": "e8732db06287515556213b80acbcfd08cfb302a9",
// 	  "n": "4RIrO30287Wsq3gqXCMkUYMVAeI3H8...w2mbMNEBQ",
// 	  "kty": "RSA",
// 	  "e": "AQAB",
// 	  "alg": "RS256",
// 	  "use": "sig"
// 	},
// 	{
// 	  "kid": "8462a71da4f6d611fc0fecf0fc4ba9c37d65e6cd",
// 	  "e": "AQAB",
// 	  "n": "xT_ngLZNmT5GBtJZeTB...Ft4gK0eoFi0d3l8bcw",
// 	  "alg": "RS256",
// 	  "use": "sig",
// 	  "kty": "RSA"
// 	}
//       ]
//     }

CkoJsonObject *json = [[CkoJsonObject alloc] init];
BOOL success = [json Load: jwkStr];

// -------------------------------------------------

// Load the following..

//  {
//   "access_token": "ya29.a0...0f",
//   "expires_in": 3599,
//   "scope": "openid https://www.googleapis.com/auth/userinfo.email",
//   "token_type": "Bearer",
//   "id_token": "eyJhb...o5nQ"
// }

CkoJsonObject *jsonToken = [[CkoJsonObject alloc] init];
success = [jsonToken LoadFile: @"qa_data/tokens/google_sample_id_token.json"];
if (success == NO) {
    NSLog(@"%@",@"Failed to load the JSON file...");
    return;
}

// Get the id_token;
CkoStringBuilder *sbIdToken = [[CkoStringBuilder alloc] init];
success = [sbIdToken Append: [jsonToken StringOf: @"id_token"]];

// Get the signature in base64url format.
// The header + payload remains in sbIdToken.
NSString *sig_b64Url = [sbIdToken GetAfterFinal: @"." removeFlag: YES];
NSString *headerPlusPayload = [sbIdToken GetAsString];

NSLog(@"%@",sig_b64Url);
NSLog(@"%@",headerPlusPayload);

// ---------------------------------------------

// Try validating with each cert's public key.
// Hopefully one will be the key that verifies.

CkoRsa *rsa = [[CkoRsa alloc] init];
rsa.EncodingMode = @"base64url";

int numKeys = [[json SizeOfArray: @"keys"] intValue];
int i = 0;
while (i < numKeys) {
    json.I = [NSNumber numberWithInt: i];
    CkoJsonObject *jsonKey = [json ObjectOf: @"keys[i]"];
    CkoPublicKey *pubKey = [[CkoPublicKey alloc] init];
    success = [pubKey LoadFromString: [jsonKey Emit]];
    if (success == NO) {
        NSLog(@"%@",pubKey.LastErrorText);
        return;
    }

    NSLog(@"%d",i);
    NSLog(@"%@",[pubKey GetPem: YES]);

    success = [rsa ImportPublicKeyObj: pubKey];

    BOOL bVerified = [rsa VerifyStringENC: headerPlusPayload hashAlg: @"sha256" sig: sig_b64Url];
    NSLog(@"%@%d",@"bVerified = ",bVerified);

    i = i + 1;
}

// The output is:

// 0
// -----BEGIN RSA PUBLIC KEY-----
// MIIBCgKCAQEA4RIrO30287Wsq3gqXCMkUYMVAeI3H8LVE6IXR1krdFeGnZLiGUPw
// cbkeVpXf3lmJdsStOg+jijces2DZCfPyIBiQuLYfxxmAZE6ErJ0QJFg1stwli2Pz
// 9ncYhFoqi8pXr7kEzEJBTzX4thuw56ydbGsshSEznPXoerCJOc7UI2+n0wFCWQ4Y
// LHbh/PrWt4vdadyUUUW/QpQHXQLdD8q/Qwqdj0O9zlJE7R6Elw2E9EqnHyIGu1hm
// LxhqrTru1M18SUhONYbVskV/BCEdVKs//X96849HorWQDCAgVMWfGsdMVq55FAdJ
// 680N5UmQDRynIZ4+PeNGN4S9iw2mbMNEBQIDAQAB
// -----END RSA PUBLIC KEY-----
// 
// bVerified = True
// 1
// -----BEGIN RSA PUBLIC KEY-----
// MIIBCgKCAQEAxT/ngLZNmT5GBdkLtJZjNeTB+8B5yWgrq/e5eMZ1hrZhcmLK+dSn
// IkpOPV8/OekV67EnQ7I4II2rcNJnHGrGKZziXO3XN2gtUHE+mBJC99oULSbX/QwB
// Kz7gC/IBPq9EuxTt6Oq6fPkVQ9DbRIgWJSEGBF/KRaNl3kyAlIZfpY7XgHyJTTv8
// E7yAcYKPR+36gzdl+ps0sDLKzUuAtZNq8llK0u80z6AtAUIYwWdkEhM9upy6keKI
// TasIxcsO7M6kZPINUSbh6t5VAm8FuqRmxpgg+9c9/GQSGd89InVypoVzWLQ+wOGg
// 5G4H6JqIgtj0TRFt4gK0eoFi2U0d3l8bcwIDAQAB
// -----END RSA PUBLIC KEY-----
// 
// bVerified = False