PowerShell
PowerShell
Azure OpenID Connect Step 2 -- Get id_token and Validate
See more OIDC Examples
After getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it..Chilkat PowerShell Downloads
Add-Type -Path "C:\chilkat\ChilkatDotNet47-x64\ChilkatDotNet47.dll"
$success = $false
# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.
# In our previous example (Azure Fetch OpenID Connect metadata document) we fetched
# the OpenID configuration document which is JSON which contains an entry for authorization_endpoint.
$authorization_endpoint = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
# The OpenID Connect metadata document also contained a jwks_uri entry. This is the JSON Web Key Set (JWKS),
# which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token)
# issued by the authorization server and signed using the RS256 signing algorithm.
$jwks_uri = "https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys"
# We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat).
# The following code will form the URL that is to be programmatically loaded and sent in a browser.
# GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
# client_id=6731de76-14a6-49ae-97bc-6eba6914391e
# &response_type=id_token
# &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
# &response_mode=form_post
# &scope=openid
# &state=12345
# &nonce=678910
# Use this object to set params and then get the URL-encoded query params string
$req = New-Object Chilkat.HttpRequest
$req.AddParam("client_id","{client_id}")
$req.AddParam("response_type","id_token")
$req.AddParam("redirect_uri","http://localhost:3017/")
$req.AddParam("response_mode","form_post")
$req.AddParam("scope","openid")
$prng = New-Object Chilkat.Prng
$req.AddParam("state",$prng.GenRandom(3,"decimal"))
$req.AddParam("nonce",$prng.GenRandom(4,"decimal"))
$encodedParams = $req.GetUrlEncodedParams()
$($encodedParams)
# Sample URL encoded params:
# client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474
# This is the URL to be programmatically loaded and sent in an interactive web browser..
$sbUrl = New-Object Chilkat.StringBuilder
$sbUrl.Append($authorization_endpoint)
$sbUrl.Append("?")
$sbUrl.Append($encodedParams)
$url = $sbUrl.GetAsString()
# Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback..
$listenSock = New-Object Chilkat.Socket
# This is the connection received from the browser.
$browserSock = New-Object Chilkat.Socket
# Listen at the port indicated by the redirect_uri above.
$backLog = 5
$success = $listenSock.BindAndListen(3017,$backLog)
if ($success -eq $false) {
$($listenSock.LastErrorText)
exit
}
# Wait for the browser's connection in a background thread.
# (We'll send load the URL into the browser following this..)
# Wait a max of 60 seconds before giving up.
$maxWaitMs = 30000
$task = $listenSock.AcceptNextAsync($maxWaitMs,$browserSock)
$task.Run()
# -------------------------------------------------------------------
# At this point, your application should load the URL in a browser.
$oauth2 = New-Object Chilkat.OAuth2
$success = $oauth2.LaunchBrowser($url)
if ($success -eq $false) {
$($oauth2.LastErrorText)
exit
}
# -------------------------------------------------------------------
# Wait for the listenSock's task to complete.
$success = $task.Wait($maxWaitMs)
if (!$success -or ($task.StatusInt -ne 7) -or ($task.TaskSuccess -ne $true)) {
if (!$success) {
# The task.LastErrorText applies to the Wait method call.
$($task.LastErrorText)
}
else {
# The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection)
$($task.Status)
$($task.ResultErrorText)
}
exit
}
# If we get to this point, a connection on listenSock was accepted, and the redirected POST
# is waiting to be read on the connected socket.
# The POST we are going to read contains the following:
# POST /myapp/ HTTP/1.1
# Host: localhost
# Content-Type: application/x-www-form-urlencoded
#
# id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345
# But first.. we no longer need the listen socket...
# Stop listening on port 3017.
$listenSock.Close(10)
# We're acting as a temporary web server to receive this one redirected HTTP request..
# Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1")
$startLine = $browserSock.ReceiveUntilMatch("`r`n")
if ($browserSock.LastMethodSuccess -eq $false) {
$($browserSock.LastErrorText)
exit
}
# Read the request header.
$requestHeader = $browserSock.ReceiveUntilMatch("`r`n`r`n")
if ($browserSock.LastMethodSuccess -eq $false) {
$($browserSock.LastErrorText)
exit
}
$($requestHeader)
$("----")
# Read the body.
# The body will contain "id_token= eyJ......"
$sbRequestBody = New-Object Chilkat.StringBuilder
$success = $browserSock.ReceiveSb($sbRequestBody)
if ($success -eq $false) {
$($browserSock.LastErrorText)
exit
}
$($sbRequestBody.GetAsString())
# Given that we're acting as a web server, we must send a response..
# We can now send our HTTP response.
$sbResponseHtml = New-Object Chilkat.StringBuilder
$sbResponseHtml.Append("<html><body><p>Thank you!</b></body</html>")
$sbResponse = New-Object Chilkat.StringBuilder
$sbResponse.Append("HTTP/1.1 200 OK`r`n")
$sbResponse.Append("Content-Length: ")
$sbResponse.AppendInt($sbResponseHtml.Length)
$sbResponse.Append("`r`n")
$sbResponse.Append("Content-Type: text/html`r`n")
$sbResponse.Append("`r`n")
$sbResponse.AppendSb($sbResponseHtml)
$browserSock.SendString($sbResponse.GetAsString())
$browserSock.Close(50)
# Get the id_token from the sbRequestBody that we just received.
# (Remember, we're acting as the web server, thus we received the redirect request..)
$hashTab = New-Object Chilkat.Hashtable
$hashTab.AddQueryParams($sbRequestBody.GetAsString())
# See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token
# for more information about ID tokens..
$idToken = $hashTab.LookupStr("id_token")
$jwt = New-Object Chilkat.Jwt
# Let's see if the time constraints, if any, are valid.
# The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour.
# If the current system time is before the "nbf" time, or after the "exp" time,
# then IsTimeValid will return false/0.
# Also, we'll allow a leeway of 60 seconds to account for any clock skew.
# Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true.
$leeway = 60
$bTimeValid = $jwt.IsTimeValid($idToken,$leeway)
$("time constraints valid: " + $bTimeValid)
# Now let's recover the original claims JSON (the payload).
$payload = $jwt.GetPayload($idToken)
# The payload will likely be in compact form:
$($payload)
# We can format for human viewing by loading it into Chilkat's JSON object
# and emit.
$json = New-Object Chilkat.JsonObject
$success = $json.Load($payload)
$json.EmitCompact = $false
$($json.Emit())
# Sample output:
# {
# "aud": "f125d695-c50e-456e-a579-a486f06d1213",
# "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0",
# "iat": 1626535322,
# "nbf": 1626535322,
# "exp": 1626539222,
# "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd",
# "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/",
# "nonce": "1519043321",
# "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.",
# "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM",
# "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd",
# "uti": "-BXGHxvfREW-r9HI5NBiAA",
# "ver": "2.0"
# }
# We can recover the original JOSE header in the same way:
$joseHeader = $jwt.GetHeader($idToken)
# The payload will likely be in compact form:
$($joseHeader)
# We can format for human viewing by loading it into Chilkat's JSON object
# and emit.
$jsonJoseHeader = New-Object Chilkat.JsonObject
$success = $jsonJoseHeader.Load($joseHeader)
$jsonJoseHeader.EmitCompact = $false
$($jsonJoseHeader.Emit())
# Sample output:
# {
# "typ": "JWT",
# "alg": "RS256",
# "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
# }
# Finally, we need to fetch the JSON Web Key Sets from the jwks_uri
# and use it to verify the id_token's RSA signature.
$sbJwks = New-Object Chilkat.StringBuilder
$http = New-Object Chilkat.Http
$success = $http.QuickGetSb($jwks_uri,$sbJwks)
if ($success -eq $false) {
$($http.LastErrorText)
exit
}
$jwkset = New-Object Chilkat.JsonObject
$success = $jwkset.LoadSb($sbJwks)
$jwkset.EmitCompact = $false
$($jwkset.Emit())
# A sample jwkset:
# {
# "keys": [
# {
# "kty": "RSA",
# "use": "sig",
# "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
# "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
# "n": "oaLLT9hkcSj ... NVrZdUdTBQ",
# "e": "AQAB",
# "x5c": [
# "MIIDBTC ... MRku44Dw7R"
# ],
# "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
# },
# {
# "kty": "RSA",
# "use": "sig",
# "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680",
# "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680",
# "n": "sfsXMXW ... AYkwb6xUQ",
# "e": "AQAB",
# "x5c": [
# "MIIDBTCCA ... BWrh+/vJ"
# ],
# "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
# },
# {
# "kty": "RSA",
# "use": "sig",
# "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
# "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
# "n": "1n7-nWSL ... V3pFWhQ",
# "e": "AQAB",
# "x5c": [
# "MIIC8TC ... 9pIcnkPQ=="
# ],
# "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
# },
# {
# "kty": "RSA",
# "use": "sig",
# "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
# "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
# "n": "01re9a2BU ... 5OzQ6Q",
# "e": "AQAB",
# "x5c": [
# "MIIC8TC ... YmwJ6sDdRvQ=="
# ],
# "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
# }
# ]
# }
# We should have an RSA key with kid matching the kid from the joseHeader..
$kid = $jsonJoseHeader.StringOf("kid")
# Find the RSA key with the specified key id
$jwk = $jwkset.FindRecord("keys","kid",$kid,$true)
if ($jwkset.LastMethodSuccess -eq $false) {
$("Failed to find a matching RSA key in the JWK key set...")
exit
}
$pubkey = New-Object Chilkat.PublicKey
$success = $pubkey.LoadFromString($jwk.Emit())
if ($success -eq $false) {
$($pubkey.LastErrorText)
$($jwk.Emit())
}
else {
$verified = $jwt.VerifyJwtPk($idToken,$pubkey)
$("Verified: " + $verified)
}