PowerBuilder
PowerBuilder
Azure OpenID Connect Step 2 -- Get id_token and Validate
See more OIDC Examples
After getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it..Chilkat PowerBuilder Downloads
integer li_rc
integer li_Success
string ls_Authorization_endpoint
string ls_Jwks_uri
oleobject loo_Req
oleobject loo_Prng
string ls_EncodedParams
oleobject loo_SbUrl
string ls_Url
oleobject loo_ListenSock
oleobject loo_BrowserSock
integer li_BackLog
integer li_MaxWaitMs
oleobject loo_Task
oleobject loo_Oauth2
string ls_StartLine
string ls_RequestHeader
oleobject loo_SbRequestBody
oleobject loo_SbResponseHtml
oleobject loo_SbResponse
oleobject loo_HashTab
string ls_IdToken
oleobject loo_Jwt
integer li_Leeway
integer li_BTimeValid
string ls_Payload
oleobject loo_Json
string ls_JoseHeader
oleobject loo_JsonJoseHeader
oleobject loo_SbJwks
oleobject loo_Http
oleobject loo_Jwkset
string ls_Kid
oleobject loo_Jwk
integer li_Verified
oleobject loo_Pubkey
li_Success = 0
// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.
// In our previous example (Azure Fetch OpenID Connect metadata document) we fetched
// the OpenID configuration document which is JSON which contains an entry for authorization_endpoint.
ls_Authorization_endpoint = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
// The OpenID Connect metadata document also contained a jwks_uri entry. This is the JSON Web Key Set (JWKS),
// which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token)
// issued by the authorization server and signed using the RS256 signing algorithm.
ls_Jwks_uri = "https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys"
// We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat).
// The following code will form the URL that is to be programmatically loaded and sent in a browser.
// GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
// client_id=6731de76-14a6-49ae-97bc-6eba6914391e
// &response_type=id_token
// &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
// &response_mode=form_post
// &scope=openid
// &state=12345
// &nonce=678910
// Use this object to set params and then get the URL-encoded query params string
loo_Req = create oleobject
li_rc = loo_Req.ConnectToNewObject("Chilkat.HttpRequest")
if li_rc < 0 then
destroy loo_Req
MessageBox("Error","Connecting to COM object failed")
return
end if
loo_Req.AddParam("client_id","{client_id}")
loo_Req.AddParam("response_type","id_token")
loo_Req.AddParam("redirect_uri","http://localhost:3017/")
loo_Req.AddParam("response_mode","form_post")
loo_Req.AddParam("scope","openid")
loo_Prng = create oleobject
li_rc = loo_Prng.ConnectToNewObject("Chilkat.Prng")
loo_Req.AddParam("state",loo_Prng.GenRandom(3,"decimal"))
loo_Req.AddParam("nonce",loo_Prng.GenRandom(4,"decimal"))
ls_EncodedParams = loo_Req.GetUrlEncodedParams()
Write-Debug ls_EncodedParams
// Sample URL encoded params:
// client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474
// This is the URL to be programmatically loaded and sent in an interactive web browser..
loo_SbUrl = create oleobject
li_rc = loo_SbUrl.ConnectToNewObject("Chilkat.StringBuilder")
loo_SbUrl.Append(ls_Authorization_endpoint)
loo_SbUrl.Append("?")
loo_SbUrl.Append(ls_EncodedParams)
ls_Url = loo_SbUrl.GetAsString()
// Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback..
loo_ListenSock = create oleobject
li_rc = loo_ListenSock.ConnectToNewObject("Chilkat.Socket")
// This is the connection received from the browser.
loo_BrowserSock = create oleobject
li_rc = loo_BrowserSock.ConnectToNewObject("Chilkat.Socket")
// Listen at the port indicated by the redirect_uri above.
li_BackLog = 5
li_Success = loo_ListenSock.BindAndListen(3017,li_BackLog)
if li_Success = 0 then
Write-Debug loo_ListenSock.LastErrorText
destroy loo_Req
destroy loo_Prng
destroy loo_SbUrl
destroy loo_ListenSock
destroy loo_BrowserSock
return
end if
// Wait for the browser's connection in a background thread.
// (We'll send load the URL into the browser following this..)
// Wait a max of 60 seconds before giving up.
li_MaxWaitMs = 30000
loo_Task = loo_ListenSock.AcceptNextAsync(li_MaxWaitMs,loo_BrowserSock)
loo_Task.Run()
// -------------------------------------------------------------------
// At this point, your application should load the URL in a browser.
loo_Oauth2 = create oleobject
li_rc = loo_Oauth2.ConnectToNewObject("Chilkat.OAuth2")
li_Success = loo_Oauth2.LaunchBrowser(ls_Url)
if li_Success = 0 then
Write-Debug loo_Oauth2.LastErrorText
destroy loo_Req
destroy loo_Prng
destroy loo_SbUrl
destroy loo_ListenSock
destroy loo_BrowserSock
destroy loo_Oauth2
return
end if
// -------------------------------------------------------------------
// Wait for the listenSock's task to complete.
li_Success = loo_Task.Wait(li_MaxWaitMs)
if not li_Success OR (loo_Task.StatusInt <> 7) OR (loo_Task.TaskSuccess <> 1) then
if not li_Success then
// The task.LastErrorText applies to the Wait method call.
Write-Debug loo_Task.LastErrorText
else
// The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection)
Write-Debug loo_Task.Status
Write-Debug loo_Task.ResultErrorText
end if
destroy loo_Task
destroy loo_Req
destroy loo_Prng
destroy loo_SbUrl
destroy loo_ListenSock
destroy loo_BrowserSock
destroy loo_Oauth2
return
end if
// If we get to this point, a connection on listenSock was accepted, and the redirected POST
// is waiting to be read on the connected socket.
// The POST we are going to read contains the following:
// POST /myapp/ HTTP/1.1
// Host: localhost
// Content-Type: application/x-www-form-urlencoded
//
// id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345
// But first.. we no longer need the listen socket...
// Stop listening on port 3017.
loo_ListenSock.Close(10)
destroy loo_Task
// We're acting as a temporary web server to receive this one redirected HTTP request..
// Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1")
ls_StartLine = loo_BrowserSock.ReceiveUntilMatch("~r~n")
if loo_BrowserSock.LastMethodSuccess = 0 then
Write-Debug loo_BrowserSock.LastErrorText
destroy loo_Req
destroy loo_Prng
destroy loo_SbUrl
destroy loo_ListenSock
destroy loo_BrowserSock
destroy loo_Oauth2
return
end if
// Read the request header.
ls_RequestHeader = loo_BrowserSock.ReceiveUntilMatch("~r~n~r~n")
if loo_BrowserSock.LastMethodSuccess = 0 then
Write-Debug loo_BrowserSock.LastErrorText
destroy loo_Req
destroy loo_Prng
destroy loo_SbUrl
destroy loo_ListenSock
destroy loo_BrowserSock
destroy loo_Oauth2
return
end if
Write-Debug ls_RequestHeader
Write-Debug "----"
// Read the body.
// The body will contain "id_token= eyJ......"
loo_SbRequestBody = create oleobject
li_rc = loo_SbRequestBody.ConnectToNewObject("Chilkat.StringBuilder")
li_Success = loo_BrowserSock.ReceiveSb(loo_SbRequestBody)
if li_Success = 0 then
Write-Debug loo_BrowserSock.LastErrorText
destroy loo_Req
destroy loo_Prng
destroy loo_SbUrl
destroy loo_ListenSock
destroy loo_BrowserSock
destroy loo_Oauth2
destroy loo_SbRequestBody
return
end if
Write-Debug loo_SbRequestBody.GetAsString()
// Given that we're acting as a web server, we must send a response..
// We can now send our HTTP response.
loo_SbResponseHtml = create oleobject
li_rc = loo_SbResponseHtml.ConnectToNewObject("Chilkat.StringBuilder")
loo_SbResponseHtml.Append("<html><body><p>Thank you!</b></body</html>")
loo_SbResponse = create oleobject
li_rc = loo_SbResponse.ConnectToNewObject("Chilkat.StringBuilder")
loo_SbResponse.Append("HTTP/1.1 200 OK~r~n")
loo_SbResponse.Append("Content-Length: ")
loo_SbResponse.AppendInt(loo_SbResponseHtml.Length)
loo_SbResponse.Append("~r~n")
loo_SbResponse.Append("Content-Type: text/html~r~n")
loo_SbResponse.Append("~r~n")
loo_SbResponse.AppendSb(loo_SbResponseHtml)
loo_BrowserSock.SendString(loo_SbResponse.GetAsString())
loo_BrowserSock.Close(50)
// Get the id_token from the sbRequestBody that we just received.
// (Remember, we're acting as the web server, thus we received the redirect request..)
loo_HashTab = create oleobject
li_rc = loo_HashTab.ConnectToNewObject("Chilkat.Hashtable")
loo_HashTab.AddQueryParams(loo_SbRequestBody.GetAsString())
// See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token
// for more information about ID tokens..
ls_IdToken = loo_HashTab.LookupStr("id_token")
loo_Jwt = create oleobject
li_rc = loo_Jwt.ConnectToNewObject("Chilkat.Jwt")
// Let's see if the time constraints, if any, are valid.
// The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour.
// If the current system time is before the "nbf" time, or after the "exp" time,
// then IsTimeValid will return false/0.
// Also, we'll allow a leeway of 60 seconds to account for any clock skew.
// Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true.
li_Leeway = 60
li_BTimeValid = loo_Jwt.IsTimeValid(ls_IdToken,li_Leeway)
Write-Debug "time constraints valid: " + string(li_BTimeValid)
// Now let's recover the original claims JSON (the payload).
ls_Payload = loo_Jwt.GetPayload(ls_IdToken)
// The payload will likely be in compact form:
Write-Debug ls_Payload
// We can format for human viewing by loading it into Chilkat's JSON object
// and emit.
loo_Json = create oleobject
li_rc = loo_Json.ConnectToNewObject("Chilkat.JsonObject")
li_Success = loo_Json.Load(ls_Payload)
loo_Json.EmitCompact = 0
Write-Debug loo_Json.Emit()
// Sample output:
// {
// "aud": "f125d695-c50e-456e-a579-a486f06d1213",
// "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0",
// "iat": 1626535322,
// "nbf": 1626535322,
// "exp": 1626539222,
// "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd",
// "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/",
// "nonce": "1519043321",
// "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.",
// "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM",
// "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd",
// "uti": "-BXGHxvfREW-r9HI5NBiAA",
// "ver": "2.0"
// }
// We can recover the original JOSE header in the same way:
ls_JoseHeader = loo_Jwt.GetHeader(ls_IdToken)
// The payload will likely be in compact form:
Write-Debug ls_JoseHeader
// We can format for human viewing by loading it into Chilkat's JSON object
// and emit.
loo_JsonJoseHeader = create oleobject
li_rc = loo_JsonJoseHeader.ConnectToNewObject("Chilkat.JsonObject")
li_Success = loo_JsonJoseHeader.Load(ls_JoseHeader)
loo_JsonJoseHeader.EmitCompact = 0
Write-Debug loo_JsonJoseHeader.Emit()
// Sample output:
// {
// "typ": "JWT",
// "alg": "RS256",
// "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
// }
// Finally, we need to fetch the JSON Web Key Sets from the jwks_uri
// and use it to verify the id_token's RSA signature.
loo_SbJwks = create oleobject
li_rc = loo_SbJwks.ConnectToNewObject("Chilkat.StringBuilder")
loo_Http = create oleobject
li_rc = loo_Http.ConnectToNewObject("Chilkat.Http")
li_Success = loo_Http.QuickGetSb(ls_Jwks_uri,loo_SbJwks)
if li_Success = 0 then
Write-Debug loo_Http.LastErrorText
destroy loo_Req
destroy loo_Prng
destroy loo_SbUrl
destroy loo_ListenSock
destroy loo_BrowserSock
destroy loo_Oauth2
destroy loo_SbRequestBody
destroy loo_SbResponseHtml
destroy loo_SbResponse
destroy loo_HashTab
destroy loo_Jwt
destroy loo_Json
destroy loo_JsonJoseHeader
destroy loo_SbJwks
destroy loo_Http
return
end if
loo_Jwkset = create oleobject
li_rc = loo_Jwkset.ConnectToNewObject("Chilkat.JsonObject")
li_Success = loo_Jwkset.LoadSb(loo_SbJwks)
loo_Jwkset.EmitCompact = 0
Write-Debug loo_Jwkset.Emit()
// A sample jwkset:
// {
// "keys": [
// {
// "kty": "RSA",
// "use": "sig",
// "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
// "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
// "n": "oaLLT9hkcSj ... NVrZdUdTBQ",
// "e": "AQAB",
// "x5c": [
// "MIIDBTC ... MRku44Dw7R"
// ],
// "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
// },
// {
// "kty": "RSA",
// "use": "sig",
// "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680",
// "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680",
// "n": "sfsXMXW ... AYkwb6xUQ",
// "e": "AQAB",
// "x5c": [
// "MIIDBTCCA ... BWrh+/vJ"
// ],
// "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
// },
// {
// "kty": "RSA",
// "use": "sig",
// "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
// "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
// "n": "1n7-nWSL ... V3pFWhQ",
// "e": "AQAB",
// "x5c": [
// "MIIC8TC ... 9pIcnkPQ=="
// ],
// "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
// },
// {
// "kty": "RSA",
// "use": "sig",
// "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
// "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
// "n": "01re9a2BU ... 5OzQ6Q",
// "e": "AQAB",
// "x5c": [
// "MIIC8TC ... YmwJ6sDdRvQ=="
// ],
// "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
// }
// ]
// }
// We should have an RSA key with kid matching the kid from the joseHeader..
ls_Kid = loo_JsonJoseHeader.StringOf("kid")
// Find the RSA key with the specified key id
loo_Jwk = loo_Jwkset.FindRecord("keys","kid",ls_Kid,1)
if loo_Jwkset.LastMethodSuccess = 0 then
Write-Debug "Failed to find a matching RSA key in the JWK key set..."
destroy loo_Req
destroy loo_Prng
destroy loo_SbUrl
destroy loo_ListenSock
destroy loo_BrowserSock
destroy loo_Oauth2
destroy loo_SbRequestBody
destroy loo_SbResponseHtml
destroy loo_SbResponse
destroy loo_HashTab
destroy loo_Jwt
destroy loo_Json
destroy loo_JsonJoseHeader
destroy loo_SbJwks
destroy loo_Http
destroy loo_Jwkset
return
end if
loo_Pubkey = create oleobject
li_rc = loo_Pubkey.ConnectToNewObject("Chilkat.PublicKey")
li_Success = loo_Pubkey.LoadFromString(loo_Jwk.Emit())
if li_Success = 0 then
Write-Debug loo_Pubkey.LastErrorText
Write-Debug loo_Jwk.Emit()
else
li_Verified = loo_Jwt.VerifyJwtPk(ls_IdToken,loo_Pubkey)
Write-Debug "Verified: " + string(li_Verified)
end if
destroy loo_Jwk
destroy loo_Req
destroy loo_Prng
destroy loo_SbUrl
destroy loo_ListenSock
destroy loo_BrowserSock
destroy loo_Oauth2
destroy loo_SbRequestBody
destroy loo_SbResponseHtml
destroy loo_SbResponse
destroy loo_HashTab
destroy loo_Jwt
destroy loo_Json
destroy loo_JsonJoseHeader
destroy loo_SbJwks
destroy loo_Http
destroy loo_Jwkset
destroy loo_Pubkey