Chilkat HOME .NET Core C# Android™ AutoIt C C# C++ Chilkat2-Python CkPython Classic ASP DataFlex Delphi ActiveX Delphi DLL Go Java Lianja Mono C# Node.js Objective-C PHP ActiveX PHP Extension Perl PowerBuilder PowerShell PureBasic Ruby SQL Server Swift 2 Swift 3,4,5... Tcl Unicode C Unicode C++ VB.NET VBScript Visual Basic 6.0 Visual FoxPro Xojo Plugin
(Perl) Azure OpenID Connect Step 2 -- Get id_token and ValidateSee more OIDC ExamplesAfter getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it.. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
use chilkat(); # This example requires the Chilkat API to have been previously unlocked. # See Global Unlock Sample for sample code. # In our previous example (Azure Fetch OpenID Connect metadata document) we fetched # the OpenID configuration document which is JSON which contains an entry for authorization_endpoint. $authorization_endpoint = "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/oauth2/v2.0/authorize"; # The OpenID Connect metadata document also contained a jwks_uri entry. This is the JSON Web Key Set (JWKS), # which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token) # issued by the authorization server and signed using the RS256 signing algorithm. $jwks_uri = "https://login.microsoftonline.com/6d8ddd66-68d1-44b0-af5c-e31b4b7ee5cd/discovery/v2.0/keys"; # We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat). # The following code will form the URL that is to be programmatically loaded and sent in a browser. # GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? # client_id=6731de76-14a6-49ae-97bc-6eba6914391e # &response_type=id_token # &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F # &response_mode=form_post # &scope=openid # &state=12345 # &nonce=678910 # Use this object to set params and then get the URL-encoded query params string $req = chilkat::CkHttpRequest->new(); $req->AddParam("client_id","f125d695-c50e-456e-a579-a486f06d1213"); $req->AddParam("response_type","id_token"); $req->AddParam("redirect_uri","http://localhost:3017/"); $req->AddParam("response_mode","form_post"); $req->AddParam("scope","openid"); $prng = chilkat::CkPrng->new(); $req->AddParam("state",$prng->genRandom(3,"decimal")); $req->AddParam("nonce",$prng->genRandom(4,"decimal")); $encodedParams = $req->getUrlEncodedParams(); print $encodedParams . "\r\n"; # Sample URL encoded params: # client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474 # This is the URL to be programmatically loaded and sent in an interactive web browser.. $sbUrl = chilkat::CkStringBuilder->new(); $sbUrl->Append($authorization_endpoint); $sbUrl->Append("?"); $sbUrl->Append($encodedParams); $url = $sbUrl->getAsString(); # Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback.. $listenSock = chilkat::CkSocket->new(); # Listen at the port indicated by the redirect_uri above. $backLog = 5; $success = $listenSock->BindAndListen(3017,$backLog); if ($success != 1) { print $listenSock->lastErrorText() . "\r\n"; exit; } # Wait for the browser's connection in a background thread. # (We'll send load the URL into the browser following this..) # Wait a max of 60 seconds before giving up. $maxWaitMs = 60000; # task is a Task $task = $listenSock->AcceptNextConnectionAsync($maxWaitMs); $task->Run(); # ------------------------------------------------------------------- # At this point, your application should load the URL in a browser. # You'll need to add code here to do it.. # For example, # in C#: System.Diagnostics.Process.Start(url); # in Java: Desktop.getDesktop().browse(new URI(url)); # in VBScript: Set wsh=WScript.CreateObject("WScript.Shell") # wsh.Run url # in Xojo: ShowURL(url) (see http://docs.xojo.com/index.php/ShowURL) # in Dataflex: Runprogram Background "c:\Program Files\Internet Explorer\iexplore.exe" sUrl # The account owner would interactively accept or deny the authorization request. # Add the code to load the url in a web browser here... # Add the code to load the url in a web browser here... # Add the code to load the url in a web browser here... # System.Diagnostics.Process.Start(url); # ------------------------------------------------------------------- # Wait for the listenSock's task to complete. $success = $task->Wait($maxWaitMs); if (!$success or ($task->get_StatusInt() != 7) or ($task->get_TaskSuccess() != 1)) { if (!$success) { # The task.LastErrorText applies to the Wait method call. print $task->lastErrorText() . "\r\n"; } else { # The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection) print $task->status() . "\r\n"; print $task->resultErrorText() . "\r\n"; } exit; } # If we get to this point, a connection on listenSock was accepted, and the redirected POST # is waiting to be read on the connected socket. # The POST we are going to read contains the following: # POST /myapp/ HTTP/1.1 # Host: localhost # Content-Type: application/x-www-form-urlencoded # # id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345 # But first.. we no longer need the listen socket... # Stop listening on port 3017. $listenSock->Close(10); # Get the connected socket. $sock = chilkat::CkSocket->new(); $sock->LoadTaskResult($task); # We're acting as a temporary web server to receive this one redirected HTTP request.. # Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1") $startLine = $sock->receiveUntilMatch("\r\n"); if ($sock->get_LastMethodSuccess() != 1) { print $sock->lastErrorText() . "\r\n"; exit; } # Read the request header. $requestHeader = $sock->receiveUntilMatch("\r\n\r\n"); if ($sock->get_LastMethodSuccess() != 1) { print $sock->lastErrorText() . "\r\n"; exit; } print $requestHeader . "\r\n"; print "----" . "\r\n"; # Read the body. # The body will contain "id_token= eyJ......" $sbRequestBody = chilkat::CkStringBuilder->new(); $success = $sock->ReceiveSb($sbRequestBody); if ($success == 0) { print $sock->lastErrorText() . "\r\n"; exit; } print $sbRequestBody->getAsString() . "\r\n"; # Given that we're acting as a web server, we must send a response.. # We can now send our HTTP response. $sbResponseHtml = chilkat::CkStringBuilder->new(); $sbResponseHtml->Append("<html><body><p>Thank you!</b></body</html>"); $sbResponse = chilkat::CkStringBuilder->new(); $sbResponse->Append("HTTP/1.1 200 OK\r\n"); $sbResponse->Append("Content-Length: "); $sbResponse->AppendInt($sbResponseHtml->get_Length()); $sbResponse->Append("\r\n"); $sbResponse->Append("Content-Type: text/html\r\n"); $sbResponse->Append("\r\n"); $sbResponse->AppendSb($sbResponseHtml); $sock->SendString($sbResponse->getAsString()); $sock->Close(50); # Get the id_token from the sbRequestBody that we just received. # (Remember, we're acting as the web server, thus we received the redirect request..) $hashTab = chilkat::CkHashtable->new(); $hashTab->AddQueryParams($sbRequestBody->getAsString()); # See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token # for more information about ID tokens.. $idToken = $hashTab->lookupStr("id_token"); $jwt = chilkat::CkJwt->new(); # Let's see if the time constraints, if any, are valid. # The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour. # If the current system time is before the "nbf" time, or after the "exp" time, # then IsTimeValid will return false/0. # Also, we'll allow a leeway of 60 seconds to account for any clock skew. # Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true. $leeway = 60; $bTimeValid = $jwt->IsTimeValid($idToken,$leeway); print "time constraints valid: " . $bTimeValid . "\r\n"; # Now let's recover the original claims JSON (the payload). $payload = $jwt->getPayload($idToken); # The payload will likely be in compact form: print $payload . "\r\n"; # We can format for human viewing by loading it into Chilkat's JSON object # and emit. $json = chilkat::CkJsonObject->new(); $success = $json->Load($payload); $json->put_EmitCompact(0); print $json->emit() . "\r\n"; # Sample output: # { # "aud": "f125d695-c50e-456e-a579-a486f06d1213", # "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0", # "iat": 1626535322, # "nbf": 1626535322, # "exp": 1626539222, # "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd", # "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/", # "nonce": "1519043321", # "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.", # "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM", # "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd", # "uti": "-BXGHxvfREW-r9HI5NBiAA", # "ver": "2.0" # } # We can recover the original JOSE header in the same way: $joseHeader = $jwt->getHeader($idToken); # The payload will likely be in compact form: print $joseHeader . "\r\n"; # We can format for human viewing by loading it into Chilkat's JSON object # and emit. $jsonJoseHeader = chilkat::CkJsonObject->new(); $success = $jsonJoseHeader->Load($joseHeader); $jsonJoseHeader->put_EmitCompact(0); print $jsonJoseHeader->emit() . "\r\n"; # Sample output: # { # "typ": "JWT", # "alg": "RS256", # "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg" # } # Finally, we need to fetch the JSON Web Key Sets from the jwks_uri # and use it to verify the id_token's RSA signature. $sbJwks = chilkat::CkStringBuilder->new(); $http = chilkat::CkHttp->new(); $success = $http->QuickGetSb($jwks_uri,$sbJwks); if ($success == 0) { print $http->lastErrorText() . "\r\n"; exit; } $jwkset = chilkat::CkJsonObject->new(); $success = $jwkset->LoadSb($sbJwks); $jwkset->put_EmitCompact(0); print $jwkset->emit() . "\r\n"; # A sample jwkset: # { # "keys": [ # { # "kty": "RSA", # "use": "sig", # "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg", # "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg", # "n": "oaLLT9hkcSj ... NVrZdUdTBQ", # "e": "AQAB", # "x5c": [ # "MIIDBTC ... MRku44Dw7R" # ], # "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" # }, # { # "kty": "RSA", # "use": "sig", # "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680", # "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680", # "n": "sfsXMXW ... AYkwb6xUQ", # "e": "AQAB", # "x5c": [ # "MIIDBTCCA ... BWrh+/vJ" # ], # "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" # }, # { # "kty": "RSA", # "use": "sig", # "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc", # "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc", # "n": "1n7-nWSL ... V3pFWhQ", # "e": "AQAB", # "x5c": [ # "MIIC8TC ... 9pIcnkPQ==" # ], # "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" # }, # { # "kty": "RSA", # "use": "sig", # "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo", # "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo", # "n": "01re9a2BU ... 5OzQ6Q", # "e": "AQAB", # "x5c": [ # "MIIC8TC ... YmwJ6sDdRvQ==" # ], # "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" # } # ] # } # We should have an RSA key with kid matching the kid from the joseHeader.. $kid = $jsonJoseHeader->stringOf("kid"); # Find the RSA key with the specified key id # jwk is a JsonObject $jwk = $jwkset->FindRecord("keys","kid",$kid,1); if ($jwkset->get_LastMethodSuccess() == 0) { print "Failed to find a matching RSA key in the JWK key set..." . "\r\n"; exit; } $pubkey = chilkat::CkPublicKey->new(); $success = $pubkey->LoadFromString($jwk->emit()); if ($success == 0) { print $pubkey->lastErrorText() . "\r\n"; print $jwk->emit() . "\r\n"; } else { $verified = $jwt->VerifyJwtPk($idToken,$pubkey); print "Verified: " . $verified . "\r\n"; } |
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.