|
Chilkat • HOME • .NET Core C# • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi ActiveX • Delphi DLL • Go • Java • Lianja • Mono C# • Node.js • Objective-C • PHP ActiveX • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift 2 • Swift 3,4,5... • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(PureBasic) Azure OpenID Connect Step 2 -- Get id_token and ValidateSee more OIDC ExamplesAfter getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it.. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
IncludeFile "CkPublicKey.pb" IncludeFile "CkJsonObject.pb" IncludeFile "CkJwt.pb" IncludeFile "CkPrng.pb" IncludeFile "CkSocket.pb" IncludeFile "CkHttp.pb" IncludeFile "CkHashtable.pb" IncludeFile "CkHttpRequest.pb" IncludeFile "CkTask.pb" IncludeFile "CkStringBuilder.pb" Procedure ChilkatExample() ; This example requires the Chilkat API to have been previously unlocked. ; See Global Unlock Sample for sample code. success.i ; In our previous example (Azure Fetch OpenID Connect metadata document) we fetched ; the OpenID configuration document which is JSON which contains an entry for authorization_endpoint. authorization_endpoint.s = "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/oauth2/v2.0/authorize" ; The OpenID Connect metadata document also contained a jwks_uri entry. This is the JSON Web Key Set (JWKS), ; which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token) ; issued by the authorization server and signed using the RS256 signing algorithm. jwks_uri.s = "https://login.microsoftonline.com/6d8ddd66-68d1-44b0-af5c-e31b4b7ee5cd/discovery/v2.0/keys" ; We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat). ; The following code will form the URL that is to be programmatically loaded and sent in a browser. ; GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? ; client_id=6731de76-14a6-49ae-97bc-6eba6914391e ; &response_type=id_token ; &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F ; &response_mode=form_post ; &scope=openid ; &state=12345 ; &nonce=678910 ; Use this object to set params and then get the URL-encoded query params string req.i = CkHttpRequest::ckCreate() If req.i = 0 Debug "Failed to create object." ProcedureReturn EndIf CkHttpRequest::ckAddParam(req,"client_id","f125d695-c50e-456e-a579-a486f06d1213") CkHttpRequest::ckAddParam(req,"response_type","id_token") CkHttpRequest::ckAddParam(req,"redirect_uri","http://localhost:3017/") CkHttpRequest::ckAddParam(req,"response_mode","form_post") CkHttpRequest::ckAddParam(req,"scope","openid") prng.i = CkPrng::ckCreate() If prng.i = 0 Debug "Failed to create object." ProcedureReturn EndIf CkHttpRequest::ckAddParam(req,"state",CkPrng::ckGenRandom(prng,3,"decimal")) CkHttpRequest::ckAddParam(req,"nonce",CkPrng::ckGenRandom(prng,4,"decimal")) encodedParams.s = CkHttpRequest::ckGetUrlEncodedParams(req) Debug encodedParams ; Sample URL encoded params: ; client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474 ; This is the URL to be programmatically loaded and sent in an interactive web browser.. sbUrl.i = CkStringBuilder::ckCreate() If sbUrl.i = 0 Debug "Failed to create object." ProcedureReturn EndIf CkStringBuilder::ckAppend(sbUrl,authorization_endpoint) CkStringBuilder::ckAppend(sbUrl,"?") CkStringBuilder::ckAppend(sbUrl,encodedParams) url.s = CkStringBuilder::ckGetAsString(sbUrl) ; Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback.. listenSock.i = CkSocket::ckCreate() If listenSock.i = 0 Debug "Failed to create object." ProcedureReturn EndIf ; Listen at the port indicated by the redirect_uri above. backLog.i = 5 success = CkSocket::ckBindAndListen(listenSock,3017,backLog) If success <> 1 Debug CkSocket::ckLastErrorText(listenSock) CkHttpRequest::ckDispose(req) CkPrng::ckDispose(prng) CkStringBuilder::ckDispose(sbUrl) CkSocket::ckDispose(listenSock) ProcedureReturn EndIf ; Wait for the browser's connection in a background thread. ; (We'll send load the URL into the browser following this..) ; Wait a max of 60 seconds before giving up. maxWaitMs.i = 60000 task.i = CkSocket::ckAcceptNextConnectionAsync(listenSock,maxWaitMs) CkTask::ckRun(task) ; ------------------------------------------------------------------- ; At this point, your application should load the URL in a browser. ; You'll need to add code here to do it.. ; For example, ; in C#: System.Diagnostics.Process.Start(url); ; in Java: Desktop.getDesktop().browse(new URI(url)); ; in VBScript: Set wsh=WScript.CreateObject("WScript.Shell") ; wsh.Run url ; in Xojo: ShowURL(url) (see http://docs.xojo.com/index.php/ShowURL) ; in Dataflex: Runprogram Background "c:\Program Files\Internet Explorer\iexplore.exe" sUrl ; The account owner would interactively accept or deny the authorization request. ; Add the code to load the url in a web browser here... ; Add the code to load the url in a web browser here... ; Add the code to load the url in a web browser here... ; System.Diagnostics.Process.Start(url); ; ------------------------------------------------------------------- ; Wait for the listenSock's task to complete. success = CkTask::ckWait(task,maxWaitMs) If Not success OR (CkTask::ckStatusInt(task) <> 7) OR (CkTask::ckTaskSuccess(task) <> 1) If Not success ; The task.LastErrorText applies to the Wait method call. Debug CkTask::ckLastErrorText(task) Else ; The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection) Debug CkTask::ckStatus(task) Debug CkTask::ckResultErrorText(task) EndIf CkTask::ckDispose(task) CkHttpRequest::ckDispose(req) CkPrng::ckDispose(prng) CkStringBuilder::ckDispose(sbUrl) CkSocket::ckDispose(listenSock) ProcedureReturn EndIf ; If we get to this point, a connection on listenSock was accepted, and the redirected POST ; is waiting to be read on the connected socket. ; The POST we are going to read contains the following: ; POST /myapp/ HTTP/1.1 ; Host: localhost ; Content-Type: application/x-www-form-urlencoded ; ; id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345 ; But first.. we no longer need the listen socket... ; Stop listening on port 3017. CkSocket::ckClose(listenSock,10) ; Get the connected socket. sock.i = CkSocket::ckCreate() If sock.i = 0 Debug "Failed to create object." ProcedureReturn EndIf CkSocket::ckLoadTaskResult(sock,task) CkTask::ckDispose(task) ; We're acting as a temporary web server to receive this one redirected HTTP request.. ; Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1") startLine.s = CkSocket::ckReceiveUntilMatch(sock,Chr(13) + Chr(10)) If CkSocket::ckLastMethodSuccess(sock) <> 1 Debug CkSocket::ckLastErrorText(sock) CkHttpRequest::ckDispose(req) CkPrng::ckDispose(prng) CkStringBuilder::ckDispose(sbUrl) CkSocket::ckDispose(listenSock) CkSocket::ckDispose(sock) ProcedureReturn EndIf ; Read the request header. requestHeader.s = CkSocket::ckReceiveUntilMatch(sock,Chr(13) + Chr(10) + Chr(13) + Chr(10)) If CkSocket::ckLastMethodSuccess(sock) <> 1 Debug CkSocket::ckLastErrorText(sock) CkHttpRequest::ckDispose(req) CkPrng::ckDispose(prng) CkStringBuilder::ckDispose(sbUrl) CkSocket::ckDispose(listenSock) CkSocket::ckDispose(sock) ProcedureReturn EndIf Debug requestHeader Debug "----" ; Read the body. ; The body will contain "id_token= eyJ......" sbRequestBody.i = CkStringBuilder::ckCreate() If sbRequestBody.i = 0 Debug "Failed to create object." ProcedureReturn EndIf success = CkSocket::ckReceiveSb(sock,sbRequestBody) If success = 0 Debug CkSocket::ckLastErrorText(sock) CkHttpRequest::ckDispose(req) CkPrng::ckDispose(prng) CkStringBuilder::ckDispose(sbUrl) CkSocket::ckDispose(listenSock) CkSocket::ckDispose(sock) CkStringBuilder::ckDispose(sbRequestBody) ProcedureReturn EndIf Debug CkStringBuilder::ckGetAsString(sbRequestBody) ; Given that we're acting as a web server, we must send a response.. ; We can now send our HTTP response. sbResponseHtml.i = CkStringBuilder::ckCreate() If sbResponseHtml.i = 0 Debug "Failed to create object." ProcedureReturn EndIf CkStringBuilder::ckAppend(sbResponseHtml,"<html><body><p>Thank you!</b></body</html>") sbResponse.i = CkStringBuilder::ckCreate() If sbResponse.i = 0 Debug "Failed to create object." ProcedureReturn EndIf CkStringBuilder::ckAppend(sbResponse,"HTTP/1.1 200 OK" + Chr(13) + Chr(10)) CkStringBuilder::ckAppend(sbResponse,"Content-Length: ") CkStringBuilder::ckAppendInt(sbResponse,CkStringBuilder::ckLength(sbResponseHtml)) CkStringBuilder::ckAppend(sbResponse,Chr(13) + Chr(10)) CkStringBuilder::ckAppend(sbResponse,"Content-Type: text/html" + Chr(13) + Chr(10)) CkStringBuilder::ckAppend(sbResponse,Chr(13) + Chr(10)) CkStringBuilder::ckAppendSb(sbResponse,sbResponseHtml) CkSocket::ckSendString(sock,CkStringBuilder::ckGetAsString(sbResponse)) CkSocket::ckClose(sock,50) ; Get the id_token from the sbRequestBody that we just received. ; (Remember, we're acting as the web server, thus we received the redirect request..) hashTab.i = CkHashtable::ckCreate() If hashTab.i = 0 Debug "Failed to create object." ProcedureReturn EndIf CkHashtable::ckAddQueryParams(hashTab,CkStringBuilder::ckGetAsString(sbRequestBody)) ; See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token ; for more information about ID tokens.. idToken.s = CkHashtable::ckLookupStr(hashTab,"id_token") jwt.i = CkJwt::ckCreate() If jwt.i = 0 Debug "Failed to create object." ProcedureReturn EndIf ; Let's see if the time constraints, if any, are valid. ; The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour. ; If the current system time is before the "nbf" time, or after the "exp" time, ; then IsTimeValid will return false/0. ; Also, we'll allow a leeway of 60 seconds to account for any clock skew. ; Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true. leeway.i = 60 bTimeValid.i = CkJwt::ckIsTimeValid(jwt,idToken,leeway) Debug "time constraints valid: " + Str(bTimeValid) ; Now let's recover the original claims JSON (the payload). payload.s = CkJwt::ckGetPayload(jwt,idToken) ; The payload will likely be in compact form: Debug payload ; We can format for human viewing by loading it into Chilkat's JSON object ; and emit. json.i = CkJsonObject::ckCreate() If json.i = 0 Debug "Failed to create object." ProcedureReturn EndIf success = CkJsonObject::ckLoad(json,payload) CkJsonObject::setCkEmitCompact(json, 0) Debug CkJsonObject::ckEmit(json) ; Sample output: ; { ; "aud": "f125d695-c50e-456e-a579-a486f06d1213", ; "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0", ; "iat": 1626535322, ; "nbf": 1626535322, ; "exp": 1626539222, ; "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd", ; "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/", ; "nonce": "1519043321", ; "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.", ; "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM", ; "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd", ; "uti": "-BXGHxvfREW-r9HI5NBiAA", ; "ver": "2.0" ; } ; We can recover the original JOSE header in the same way: joseHeader.s = CkJwt::ckGetHeader(jwt,idToken) ; The payload will likely be in compact form: Debug joseHeader ; We can format for human viewing by loading it into Chilkat's JSON object ; and emit. jsonJoseHeader.i = CkJsonObject::ckCreate() If jsonJoseHeader.i = 0 Debug "Failed to create object." ProcedureReturn EndIf success = CkJsonObject::ckLoad(jsonJoseHeader,joseHeader) CkJsonObject::setCkEmitCompact(jsonJoseHeader, 0) Debug CkJsonObject::ckEmit(jsonJoseHeader) ; Sample output: ; { ; "typ": "JWT", ; "alg": "RS256", ; "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg" ; } ; Finally, we need to fetch the JSON Web Key Sets from the jwks_uri ; and use it to verify the id_token's RSA signature. sbJwks.i = CkStringBuilder::ckCreate() If sbJwks.i = 0 Debug "Failed to create object." ProcedureReturn EndIf http.i = CkHttp::ckCreate() If http.i = 0 Debug "Failed to create object." ProcedureReturn EndIf success = CkHttp::ckQuickGetSb(http,jwks_uri,sbJwks) If success = 0 Debug CkHttp::ckLastErrorText(http) CkHttpRequest::ckDispose(req) CkPrng::ckDispose(prng) CkStringBuilder::ckDispose(sbUrl) CkSocket::ckDispose(listenSock) CkSocket::ckDispose(sock) CkStringBuilder::ckDispose(sbRequestBody) CkStringBuilder::ckDispose(sbResponseHtml) CkStringBuilder::ckDispose(sbResponse) CkHashtable::ckDispose(hashTab) CkJwt::ckDispose(jwt) CkJsonObject::ckDispose(json) CkJsonObject::ckDispose(jsonJoseHeader) CkStringBuilder::ckDispose(sbJwks) CkHttp::ckDispose(http) ProcedureReturn EndIf jwkset.i = CkJsonObject::ckCreate() If jwkset.i = 0 Debug "Failed to create object." ProcedureReturn EndIf success = CkJsonObject::ckLoadSb(jwkset,sbJwks) CkJsonObject::setCkEmitCompact(jwkset, 0) Debug CkJsonObject::ckEmit(jwkset) ; A sample jwkset: ; { ; "keys": [ ; { ; "kty": "RSA", ; "use": "sig", ; "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg", ; "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg", ; "n": "oaLLT9hkcSj ... NVrZdUdTBQ", ; "e": "AQAB", ; "x5c": [ ; "MIIDBTC ... MRku44Dw7R" ; ], ; "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" ; }, ; { ; "kty": "RSA", ; "use": "sig", ; "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680", ; "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680", ; "n": "sfsXMXW ... AYkwb6xUQ", ; "e": "AQAB", ; "x5c": [ ; "MIIDBTCCA ... BWrh+/vJ" ; ], ; "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" ; }, ; { ; "kty": "RSA", ; "use": "sig", ; "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc", ; "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc", ; "n": "1n7-nWSL ... V3pFWhQ", ; "e": "AQAB", ; "x5c": [ ; "MIIC8TC ... 9pIcnkPQ==" ; ], ; "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" ; }, ; { ; "kty": "RSA", ; "use": "sig", ; "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo", ; "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo", ; "n": "01re9a2BU ... 5OzQ6Q", ; "e": "AQAB", ; "x5c": [ ; "MIIC8TC ... YmwJ6sDdRvQ==" ; ], ; "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" ; } ; ] ; } ; We should have an RSA key with kid matching the kid from the joseHeader.. kid.s = CkJsonObject::ckStringOf(jsonJoseHeader,"kid") ; Find the RSA key with the specified key id jwk.i = CkJsonObject::ckFindRecord(jwkset,"keys","kid",kid,1) If CkJsonObject::ckLastMethodSuccess(jwkset) = 0 Debug "Failed to find a matching RSA key in the JWK key set..." CkHttpRequest::ckDispose(req) CkPrng::ckDispose(prng) CkStringBuilder::ckDispose(sbUrl) CkSocket::ckDispose(listenSock) CkSocket::ckDispose(sock) CkStringBuilder::ckDispose(sbRequestBody) CkStringBuilder::ckDispose(sbResponseHtml) CkStringBuilder::ckDispose(sbResponse) CkHashtable::ckDispose(hashTab) CkJwt::ckDispose(jwt) CkJsonObject::ckDispose(json) CkJsonObject::ckDispose(jsonJoseHeader) CkStringBuilder::ckDispose(sbJwks) CkHttp::ckDispose(http) CkJsonObject::ckDispose(jwkset) ProcedureReturn EndIf verified.i pubkey.i = CkPublicKey::ckCreate() If pubkey.i = 0 Debug "Failed to create object." ProcedureReturn EndIf success = CkPublicKey::ckLoadFromString(pubkey,CkJsonObject::ckEmit(jwk)) If success = 0 Debug CkPublicKey::ckLastErrorText(pubkey) Debug CkJsonObject::ckEmit(jwk) Else verified = CkJwt::ckVerifyJwtPk(jwt,idToken,pubkey) Debug "Verified: " + Str(verified) EndIf CkJsonObject::ckDispose(jwk) CkHttpRequest::ckDispose(req) CkPrng::ckDispose(prng) CkStringBuilder::ckDispose(sbUrl) CkSocket::ckDispose(listenSock) CkSocket::ckDispose(sock) CkStringBuilder::ckDispose(sbRequestBody) CkStringBuilder::ckDispose(sbResponseHtml) CkStringBuilder::ckDispose(sbResponse) CkHashtable::ckDispose(hashTab) CkJwt::ckDispose(jwt) CkJsonObject::ckDispose(json) CkJsonObject::ckDispose(jsonJoseHeader) CkStringBuilder::ckDispose(sbJwks) CkHttp::ckDispose(http) CkJsonObject::ckDispose(jwkset) CkPublicKey::ckDispose(pubkey) ProcedureReturn EndProcedure |
||||
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.