|
Chilkat • HOME • .NET Core C# • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi ActiveX • Delphi DLL • Go • Java • Lianja • Mono C# • Node.js • Objective-C • PHP ActiveX • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift 2 • Swift 3,4,5... • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(PowerShell) Azure OpenID Connect Step 2 -- Get id_token and ValidateSee more OIDC ExamplesAfter getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it.. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
Add-Type -Path "C:\chilkat\ChilkatDotNet47-9.5.0-x64\ChilkatDotNet47.dll" # This example requires the Chilkat API to have been previously unlocked. # See Global Unlock Sample for sample code. # In our previous example (Azure Fetch OpenID Connect metadata document) we fetched # the OpenID configuration document which is JSON which contains an entry for authorization_endpoint. $authorization_endpoint = "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/oauth2/v2.0/authorize" # The OpenID Connect metadata document also contained a jwks_uri entry. This is the JSON Web Key Set (JWKS), # which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token) # issued by the authorization server and signed using the RS256 signing algorithm. $jwks_uri = "https://login.microsoftonline.com/6d8ddd66-68d1-44b0-af5c-e31b4b7ee5cd/discovery/v2.0/keys" # We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat). # The following code will form the URL that is to be programmatically loaded and sent in a browser. # GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? # client_id=6731de76-14a6-49ae-97bc-6eba6914391e # &response_type=id_token # &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F # &response_mode=form_post # &scope=openid # &state=12345 # &nonce=678910 # Use this object to set params and then get the URL-encoded query params string $req = New-Object Chilkat.HttpRequest $req.AddParam("client_id","f125d695-c50e-456e-a579-a486f06d1213") $req.AddParam("response_type","id_token") $req.AddParam("redirect_uri","http://localhost:3017/") $req.AddParam("response_mode","form_post") $req.AddParam("scope","openid") $prng = New-Object Chilkat.Prng $req.AddParam("state",$prng.GenRandom(3,"decimal")) $req.AddParam("nonce",$prng.GenRandom(4,"decimal")) $encodedParams = $req.GetUrlEncodedParams() $($encodedParams) # Sample URL encoded params: # client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474 # This is the URL to be programmatically loaded and sent in an interactive web browser.. $sbUrl = New-Object Chilkat.StringBuilder $sbUrl.Append($authorization_endpoint) $sbUrl.Append("?") $sbUrl.Append($encodedParams) $url = $sbUrl.GetAsString() # Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback.. $listenSock = New-Object Chilkat.Socket # Listen at the port indicated by the redirect_uri above. $backLog = 5 $success = $listenSock.BindAndListen(3017,$backLog) if ($success -ne $true) { $($listenSock.LastErrorText) exit } # Wait for the browser's connection in a background thread. # (We'll send load the URL into the browser following this..) # Wait a max of 60 seconds before giving up. $maxWaitMs = 60000 $task = $listenSock.AcceptNextConnectionAsync($maxWaitMs) $task.Run() # ------------------------------------------------------------------- # At this point, your application should load the URL in a browser. # You'll need to add code here to do it.. # For example, # in C#: System.Diagnostics.Process.Start(url); # in Java: Desktop.getDesktop().browse(new URI(url)); # in VBScript: Set wsh=WScript.CreateObject("WScript.Shell") # wsh.Run url # in Xojo: ShowURL(url) (see http://docs.xojo.com/index.php/ShowURL) # in Dataflex: Runprogram Background "c:\Program Files\Internet Explorer\iexplore.exe" sUrl # The account owner would interactively accept or deny the authorization request. # Add the code to load the url in a web browser here... # Add the code to load the url in a web browser here... # Add the code to load the url in a web browser here... # System.Diagnostics.Process.Start(url); # ------------------------------------------------------------------- # Wait for the listenSock's task to complete. $success = $task.Wait($maxWaitMs) if (!$success -or ($task.StatusInt -ne 7) -or ($task.TaskSuccess -ne $true)) { if (!$success) { # The task.LastErrorText applies to the Wait method call. $($task.LastErrorText) } else { # The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection) $($task.Status) $($task.ResultErrorText) } exit } # If we get to this point, a connection on listenSock was accepted, and the redirected POST # is waiting to be read on the connected socket. # The POST we are going to read contains the following: # POST /myapp/ HTTP/1.1 # Host: localhost # Content-Type: application/x-www-form-urlencoded # # id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345 # But first.. we no longer need the listen socket... # Stop listening on port 3017. $listenSock.Close(10) # Get the connected socket. $sock = New-Object Chilkat.Socket $sock.LoadTaskResult($task) # We're acting as a temporary web server to receive this one redirected HTTP request.. # Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1") $startLine = $sock.ReceiveUntilMatch("`r`n") if ($sock.LastMethodSuccess -ne $true) { $($sock.LastErrorText) exit } # Read the request header. $requestHeader = $sock.ReceiveUntilMatch("`r`n`r`n") if ($sock.LastMethodSuccess -ne $true) { $($sock.LastErrorText) exit } $($requestHeader) $("----") # Read the body. # The body will contain "id_token= eyJ......" $sbRequestBody = New-Object Chilkat.StringBuilder $success = $sock.ReceiveSb($sbRequestBody) if ($success -eq $false) { $($sock.LastErrorText) exit } $($sbRequestBody.GetAsString()) # Given that we're acting as a web server, we must send a response.. # We can now send our HTTP response. $sbResponseHtml = New-Object Chilkat.StringBuilder $sbResponseHtml.Append("<html><body><p>Thank you!</b></body</html>") $sbResponse = New-Object Chilkat.StringBuilder $sbResponse.Append("HTTP/1.1 200 OK`r`n") $sbResponse.Append("Content-Length: ") $sbResponse.AppendInt($sbResponseHtml.Length) $sbResponse.Append("`r`n") $sbResponse.Append("Content-Type: text/html`r`n") $sbResponse.Append("`r`n") $sbResponse.AppendSb($sbResponseHtml) $sock.SendString($sbResponse.GetAsString()) $sock.Close(50) # Get the id_token from the sbRequestBody that we just received. # (Remember, we're acting as the web server, thus we received the redirect request..) $hashTab = New-Object Chilkat.Hashtable $hashTab.AddQueryParams($sbRequestBody.GetAsString()) # See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token # for more information about ID tokens.. $idToken = $hashTab.LookupStr("id_token") $jwt = New-Object Chilkat.Jwt # Let's see if the time constraints, if any, are valid. # The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour. # If the current system time is before the "nbf" time, or after the "exp" time, # then IsTimeValid will return false/0. # Also, we'll allow a leeway of 60 seconds to account for any clock skew. # Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true. $leeway = 60 $bTimeValid = $jwt.IsTimeValid($idToken,$leeway) $("time constraints valid: " + $bTimeValid) # Now let's recover the original claims JSON (the payload). $payload = $jwt.GetPayload($idToken) # The payload will likely be in compact form: $($payload) # We can format for human viewing by loading it into Chilkat's JSON object # and emit. $json = New-Object Chilkat.JsonObject $success = $json.Load($payload) $json.EmitCompact = $false $($json.Emit()) # Sample output: # { # "aud": "f125d695-c50e-456e-a579-a486f06d1213", # "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0", # "iat": 1626535322, # "nbf": 1626535322, # "exp": 1626539222, # "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd", # "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/", # "nonce": "1519043321", # "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.", # "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM", # "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd", # "uti": "-BXGHxvfREW-r9HI5NBiAA", # "ver": "2.0" # } # We can recover the original JOSE header in the same way: $joseHeader = $jwt.GetHeader($idToken) # The payload will likely be in compact form: $($joseHeader) # We can format for human viewing by loading it into Chilkat's JSON object # and emit. $jsonJoseHeader = New-Object Chilkat.JsonObject $success = $jsonJoseHeader.Load($joseHeader) $jsonJoseHeader.EmitCompact = $false $($jsonJoseHeader.Emit()) # Sample output: # { # "typ": "JWT", # "alg": "RS256", # "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg" # } # Finally, we need to fetch the JSON Web Key Sets from the jwks_uri # and use it to verify the id_token's RSA signature. $sbJwks = New-Object Chilkat.StringBuilder $http = New-Object Chilkat.Http $success = $http.QuickGetSb($jwks_uri,$sbJwks) if ($success -eq $false) { $($http.LastErrorText) exit } $jwkset = New-Object Chilkat.JsonObject $success = $jwkset.LoadSb($sbJwks) $jwkset.EmitCompact = $false $($jwkset.Emit()) # A sample jwkset: # { # "keys": [ # { # "kty": "RSA", # "use": "sig", # "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg", # "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg", # "n": "oaLLT9hkcSj ... NVrZdUdTBQ", # "e": "AQAB", # "x5c": [ # "MIIDBTC ... MRku44Dw7R" # ], # "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" # }, # { # "kty": "RSA", # "use": "sig", # "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680", # "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680", # "n": "sfsXMXW ... AYkwb6xUQ", # "e": "AQAB", # "x5c": [ # "MIIDBTCCA ... BWrh+/vJ" # ], # "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" # }, # { # "kty": "RSA", # "use": "sig", # "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc", # "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc", # "n": "1n7-nWSL ... V3pFWhQ", # "e": "AQAB", # "x5c": [ # "MIIC8TC ... 9pIcnkPQ==" # ], # "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" # }, # { # "kty": "RSA", # "use": "sig", # "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo", # "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo", # "n": "01re9a2BU ... 5OzQ6Q", # "e": "AQAB", # "x5c": [ # "MIIC8TC ... YmwJ6sDdRvQ==" # ], # "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" # } # ] # } # We should have an RSA key with kid matching the kid from the joseHeader.. $kid = $jsonJoseHeader.StringOf("kid") # Find the RSA key with the specified key id $jwk = $jwkset.FindRecord("keys","kid",$kid,$true) if ($jwkset.LastMethodSuccess -eq $false) { $("Failed to find a matching RSA key in the JWK key set...") exit } $pubkey = New-Object Chilkat.PublicKey $success = $pubkey.LoadFromString($jwk.Emit()) if ($success -eq $false) { $($pubkey.LastErrorText) $($jwk.Emit()) } else { $verified = $jwt.VerifyJwtPk($idToken,$pubkey) $("Verified: " + $verified) } |
||||
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.