(PureBasic) Verify a Google JWT Using Google's Public Key

See more Google APIs Examples

Demonstrates how to verify a JWT that was signed using Google's RSA private key.

This example verifies the RSA signature. It also does the following:

• Checks to see if the time constraints ("nbf" and "exp") are valid.
• Recovers the original JOSE header.
• Recovers the original claims JSON.

Chilkat PureBasic Module Download Chilkat PureBasic Module

IncludeFile "CkHttp.pb"
IncludeFile "CkStringBuilder.pb"
IncludeFile "CkJsonObject.pb"
IncludeFile "CkPublicKey.pb"
IncludeFile "CkJwt.pb"

Procedure ChilkatExample()

    ; This example assumes the Chilkat API to have been previously unlocked.
    ; See Global Unlock Sample for sample code.

    http.i = CkHttp::ckCreate()
    If http.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    sbPubKeys.i = CkStringBuilder::ckCreate()
    If sbPubKeys.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    success.i = CkHttp::ckQuickGetSb(http,"https://www.googleapis.com/oauth2/v3/certs",sbPubKeys)
    If success = 0
        Debug CkHttp::ckLastErrorText(http)
        CkHttp::ckDispose(http)
        CkStringBuilder::ckDispose(sbPubKeys)
        ProcedureReturn
    EndIf

    Debug CkStringBuilder::ckGetAsString(sbPubKeys)

    ; Here are the keys:

    ; {
    ;   "keys": [
    ;     {
    ;       "e": "AQAB",
    ;       "n": "4bAT6C6EeX8Dspje3FrAXw-nnhNk04e1RmNa4kjc0CHf6Pk7ryARlwA-6YilyPABqQfYHx60s8oSnxvUVprFfQ2-Q8aAZO7bPKSxnoGlcKERL2oLNA4Msvc89N9Y5ycThZUplf_QC19e6jyYXN6Nz-UnJSCLrtQY8tVhhVRs61j4A2N_p-enAi-r704Qi1-v-DKV4eVRkClKViploo8NyjUaT9L4vbBssPCjyimJzsWnEe1fED5c4LnHeArYzA_FEn3JJotqDIz9t2VnvZNTMhizHEX4VnORlEWMEfR8n4CEHQx7PcQUOmfqyw08gWeXQl1-uTjtIGaE-sRIv9u_vQ",
    ;       "kty": "RSA",
    ;       "use": "sig",
    ;       "alg": "RS256",
    ;       "kid": "2af90e87be140c20038898a6efa11283dab6031d"
    ;     },
    ;     {
    ;       "n": "nzGsrziOYrMVYMpvUZOwkKNiPWcOPTYRYlDSdRW4UpAHdWPbPlyqaaphYhoMB5DXrVxI3bdvm7DOlo-sHNnulmAFQa-7TsQMxrZCvVdAbyXGID9DZYEqf8mkCV1Ohv7WY5lDUqlybIk1OSHdK7-1et0QS8nn-5LojGg8FK4ssLf3mV1APpujl27D1bDhyRb1MGumXYElwlUms7F9p9OcSp5pTevXCLmXs9MJJk4o9E1zzPpQ9Ko0lH9l_UqFpA7vwQhnw0nbh73rXOX2TUDCUqL4ThKU5Z9Pd-eZCEOatKe0mJTpQ00XGACBME_6ojCdfNIJr84Y_IpGKvkAEksn9w",
    ;       "use": "sig",
    ;       "kid": "87bbe0815b064e6d449cac999f0e50e72a3e4374",
    ;       "e": "AQAB",
    ;       "alg": "RS256",
    ;       "kty": "RSA"
    ;     }
    ;   ]
    ; }

    ; -------------------------------------------------------------------------------------------
    ; Replace this with your actual token.
    ; This sample token contains a kid that does not match any of the above Google public keys.
    ; -------------------------------------------------------------------------------------------
    token.s = "eyJhbGciOiJSUzI1NiIsImtpZCI6IjQyZmY5MGQ3ZDM0OGM5NzM4MWE3YzExOWVmMWY1MzI0ZWEzZjViZWIifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJzdWIiOiIxMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExIiwiaWF0IjoxNjExMTE1MTQzLCJleHAiOjE2MTEyMDE1NDMsImF1ZCI6IjQyOTc1NzExNTE0ODg0OSJ9.pLem5i0bx3M7lJYj7jKv2Nq7c07X5YpZz-x1uM5RniW-v4LsX-lKIVvOq2x3-WoPqkzLXJfP0kG0dx1uD2q1NfFQK60YwKH4FnFtB6INnUP1dRVpP9_pTTKyAE28I3s5Tay4PbPdrCl7ZLCIJzCfpCW1TiWeVoPjp5HgZKTBHdP_sEkN_yO5dQerQXAkFJkV3kNgF9jI3ayT-KPqOIH6GVoWXjHFDyA2EYgJPEFRo5WSe6XycJ85p5duwT-OoBcb_kJZG9PxYd91eHlPCzp8vGxzIb2dVROCBxyM8e8W0cd9v15hfmpg9R-eG9vCM5y63ZLChZLFeHFx0Pd7hvAqfKg"

    jwt.i = CkJwt::ckCreate()
    If jwt.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    header.s = CkJwt::ckGetHeader(jwt,token)

    Debug header

    ; Sample header:
    ; {"alg":"RS256","kid":"87bbe0815b064e6d449cac999f0e50e72a3e4374"}

    ; Load the public key matching the "kid" into a Chilkat public key object, then verify..

    json.i = CkJsonObject::ckCreate()
    If json.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    CkJsonObject::ckLoad(json,header)
    kid.s = CkJsonObject::ckStringOf(json,"kid")

    Debug "kid = " + kid

    jsonPubKeys.i = CkJsonObject::ckCreate()
    If jsonPubKeys.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    CkJsonObject::ckLoadSb(jsonPubKeys,sbPubKeys)

    jsonKey.i = CkJsonObject::ckFindRecord(jsonPubKeys,"keys","kid",kid,1)
    If CkJsonObject::ckLastMethodSuccess(jsonPubKeys) = 0
        Debug "Did not find a matching public key based on the kid."
        CkHttp::ckDispose(http)
        CkStringBuilder::ckDispose(sbPubKeys)
        CkJwt::ckDispose(jwt)
        CkJsonObject::ckDispose(json)
        CkJsonObject::ckDispose(jsonPubKeys)
        ProcedureReturn
    EndIf

    Debug CkJsonObject::ckEmit(jsonKey)

    ; Load the matching public key into a Chilkat public key object.
    pubKey.i = CkPublicKey::ckCreate()
    If pubKey.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    success = CkPublicKey::ckLoadFromString(pubKey,CkJsonObject::ckEmit(jsonKey))
    CkJsonObject::ckDispose(jsonKey)

    If success = 0
        Debug CkPublicKey::ckLastErrorText(pubKey)
        CkHttp::ckDispose(http)
        CkStringBuilder::ckDispose(sbPubKeys)
        CkJwt::ckDispose(jwt)
        CkJsonObject::ckDispose(json)
        CkJsonObject::ckDispose(jsonPubKeys)
        CkPublicKey::ckDispose(pubKey)
        ProcedureReturn
    EndIf

    ; ----------------------------------------------------------------------------------------
    ; Now we can validate the JWT using Google's public key as shown in this example:
    ; (Except we use the public key obtained as shown above instead of a public key loaded from a PEM file.
    ; 
    ; See Verify JWT Using an RSA Public Key


    CkHttp::ckDispose(http)
    CkStringBuilder::ckDispose(sbPubKeys)
    CkJwt::ckDispose(jwt)
    CkJsonObject::ckDispose(json)
    CkJsonObject::ckDispose(jsonPubKeys)
    CkPublicKey::ckDispose(pubKey)


    ProcedureReturn
EndProcedure