Chilkat HOME .NET Core C# Android™ AutoIt C C# C++ Chilkat2-Python CkPython Classic ASP DataFlex Delphi ActiveX Delphi DLL Go Java Lianja Mono C# Node.js Objective-C PHP ActiveX PHP Extension Perl PowerBuilder PowerShell PureBasic Ruby SQL Server Swift 2 Swift 3,4,5... Tcl Unicode C Unicode C++ VB.NET VBScript Visual Basic 6.0 Visual FoxPro Xojo Plugin
(Ruby) Azure OpenID Connect Step 2 -- Get id_token and ValidateSee more OIDC ExamplesAfter getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it.. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
require 'chilkat' # This example requires the Chilkat API to have been previously unlocked. # See Global Unlock Sample for sample code. # In our previous example (Azure Fetch OpenID Connect metadata document) we fetched # the OpenID configuration document which is JSON which contains an entry for authorization_endpoint. authorization_endpoint = "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/oauth2/v2.0/authorize" # The OpenID Connect metadata document also contained a jwks_uri entry. This is the JSON Web Key Set (JWKS), # which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token) # issued by the authorization server and signed using the RS256 signing algorithm. jwks_uri = "https://login.microsoftonline.com/6d8ddd66-68d1-44b0-af5c-e31b4b7ee5cd/discovery/v2.0/keys" # We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat). # The following code will form the URL that is to be programmatically loaded and sent in a browser. # GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? # client_id=6731de76-14a6-49ae-97bc-6eba6914391e # &response_type=id_token # &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F # &response_mode=form_post # &scope=openid # &state=12345 # &nonce=678910 # Use this object to set params and then get the URL-encoded query params string req = Chilkat::CkHttpRequest.new() req.AddParam("client_id","f125d695-c50e-456e-a579-a486f06d1213") req.AddParam("response_type","id_token") req.AddParam("redirect_uri","http://localhost:3017/") req.AddParam("response_mode","form_post") req.AddParam("scope","openid") prng = Chilkat::CkPrng.new() req.AddParam("state",prng.genRandom(3,"decimal")) req.AddParam("nonce",prng.genRandom(4,"decimal")) encodedParams = req.getUrlEncodedParams() print encodedParams + "\n"; # Sample URL encoded params: # client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474 # This is the URL to be programmatically loaded and sent in an interactive web browser.. sbUrl = Chilkat::CkStringBuilder.new() sbUrl.Append(authorization_endpoint) sbUrl.Append("?") sbUrl.Append(encodedParams) url = sbUrl.getAsString() # Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback.. listenSock = Chilkat::CkSocket.new() # Listen at the port indicated by the redirect_uri above. backLog = 5 success = listenSock.BindAndListen(3017,backLog) if (success != true) print listenSock.lastErrorText() + "\n"; exit end # Wait for the browser's connection in a background thread. # (We'll send load the URL into the browser following this..) # Wait a max of 60 seconds before giving up. maxWaitMs = 60000 # task is a CkTask task = listenSock.AcceptNextConnectionAsync(maxWaitMs) task.Run() # ------------------------------------------------------------------- # At this point, your application should load the URL in a browser. # You'll need to add code here to do it.. # For example, # in C#: System.Diagnostics.Process.Start(url); # in Java: Desktop.getDesktop().browse(new URI(url)); # in VBScript: Set wsh=WScript.CreateObject("WScript.Shell") # wsh.Run url # in Xojo: ShowURL(url) (see http://docs.xojo.com/index.php/ShowURL) # in Dataflex: Runprogram Background "c:\Program Files\Internet Explorer\iexplore.exe" sUrl # The account owner would interactively accept or deny the authorization request. # Add the code to load the url in a web browser here... # Add the code to load the url in a web browser here... # Add the code to load the url in a web browser here... # System.Diagnostics.Process.Start(url); # ------------------------------------------------------------------- # Wait for the listenSock's task to complete. success = task.Wait(maxWaitMs) if (!success or (task.get_StatusInt() != 7) or (task.get_TaskSuccess() != true)) if (!success) # The task.LastErrorText applies to the Wait method call. print task.lastErrorText() + "\n"; else # The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection) print task.status() + "\n"; print task.resultErrorText() + "\n"; end exit end # If we get to this point, a connection on listenSock was accepted, and the redirected POST # is waiting to be read on the connected socket. # The POST we are going to read contains the following: # POST /myapp/ HTTP/1.1 # Host: localhost # Content-Type: application/x-www-form-urlencoded # # id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345 # But first.. we no longer need the listen socket... # Stop listening on port 3017. listenSock.Close(10) # Get the connected socket. sock = Chilkat::CkSocket.new() sock.LoadTaskResult(task) # We're acting as a temporary web server to receive this one redirected HTTP request.. # Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1") startLine = sock.receiveUntilMatch("\r\n") if (sock.get_LastMethodSuccess() != true) print sock.lastErrorText() + "\n"; exit end # Read the request header. requestHeader = sock.receiveUntilMatch("\r\n\r\n") if (sock.get_LastMethodSuccess() != true) print sock.lastErrorText() + "\n"; exit end print requestHeader + "\n"; print "----" + "\n"; # Read the body. # The body will contain "id_token= eyJ......" sbRequestBody = Chilkat::CkStringBuilder.new() success = sock.ReceiveSb(sbRequestBody) if (success == false) print sock.lastErrorText() + "\n"; exit end print sbRequestBody.getAsString() + "\n"; # Given that we're acting as a web server, we must send a response.. # We can now send our HTTP response. sbResponseHtml = Chilkat::CkStringBuilder.new() sbResponseHtml.Append("<html><body><p>Thank you!</b></body</html>") sbResponse = Chilkat::CkStringBuilder.new() sbResponse.Append("HTTP/1.1 200 OK\r\n") sbResponse.Append("Content-Length: ") sbResponse.AppendInt(sbResponseHtml.get_Length()) sbResponse.Append("\r\n") sbResponse.Append("Content-Type: text/html\r\n") sbResponse.Append("\r\n") sbResponse.AppendSb(sbResponseHtml) sock.SendString(sbResponse.getAsString()) sock.Close(50) # Get the id_token from the sbRequestBody that we just received. # (Remember, we're acting as the web server, thus we received the redirect request..) hashTab = Chilkat::CkHashtable.new() hashTab.AddQueryParams(sbRequestBody.getAsString()) # See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token # for more information about ID tokens.. idToken = hashTab.lookupStr("id_token") jwt = Chilkat::CkJwt.new() # Let's see if the time constraints, if any, are valid. # The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour. # If the current system time is before the "nbf" time, or after the "exp" time, # then IsTimeValid will return false/0. # Also, we'll allow a leeway of 60 seconds to account for any clock skew. # Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true. leeway = 60 bTimeValid = jwt.IsTimeValid(idToken,leeway) print "time constraints valid: " + bTimeValid.to_s() + "\n"; # Now let's recover the original claims JSON (the payload). payload = jwt.getPayload(idToken) # The payload will likely be in compact form: print payload + "\n"; # We can format for human viewing by loading it into Chilkat's JSON object # and emit. json = Chilkat::CkJsonObject.new() success = json.Load(payload) json.put_EmitCompact(false) print json.emit() + "\n"; # Sample output: # { # "aud": "f125d695-c50e-456e-a579-a486f06d1213", # "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0", # "iat": 1626535322, # "nbf": 1626535322, # "exp": 1626539222, # "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd", # "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/", # "nonce": "1519043321", # "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.", # "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM", # "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd", # "uti": "-BXGHxvfREW-r9HI5NBiAA", # "ver": "2.0" # } # We can recover the original JOSE header in the same way: joseHeader = jwt.getHeader(idToken) # The payload will likely be in compact form: print joseHeader + "\n"; # We can format for human viewing by loading it into Chilkat's JSON object # and emit. jsonJoseHeader = Chilkat::CkJsonObject.new() success = jsonJoseHeader.Load(joseHeader) jsonJoseHeader.put_EmitCompact(false) print jsonJoseHeader.emit() + "\n"; # Sample output: # { # "typ": "JWT", # "alg": "RS256", # "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg" # } # Finally, we need to fetch the JSON Web Key Sets from the jwks_uri # and use it to verify the id_token's RSA signature. sbJwks = Chilkat::CkStringBuilder.new() http = Chilkat::CkHttp.new() success = http.QuickGetSb(jwks_uri,sbJwks) if (success == false) print http.lastErrorText() + "\n"; exit end jwkset = Chilkat::CkJsonObject.new() success = jwkset.LoadSb(sbJwks) jwkset.put_EmitCompact(false) print jwkset.emit() + "\n"; # A sample jwkset: # { # "keys": [ # { # "kty": "RSA", # "use": "sig", # "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg", # "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg", # "n": "oaLLT9hkcSj ... NVrZdUdTBQ", # "e": "AQAB", # "x5c": [ # "MIIDBTC ... MRku44Dw7R" # ], # "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" # }, # { # "kty": "RSA", # "use": "sig", # "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680", # "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680", # "n": "sfsXMXW ... AYkwb6xUQ", # "e": "AQAB", # "x5c": [ # "MIIDBTCCA ... BWrh+/vJ" # ], # "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" # }, # { # "kty": "RSA", # "use": "sig", # "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc", # "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc", # "n": "1n7-nWSL ... V3pFWhQ", # "e": "AQAB", # "x5c": [ # "MIIC8TC ... 9pIcnkPQ==" # ], # "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" # }, # { # "kty": "RSA", # "use": "sig", # "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo", # "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo", # "n": "01re9a2BU ... 5OzQ6Q", # "e": "AQAB", # "x5c": [ # "MIIC8TC ... YmwJ6sDdRvQ==" # ], # "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" # } # ] # } # We should have an RSA key with kid matching the kid from the joseHeader.. kid = jsonJoseHeader.stringOf("kid") # Find the RSA key with the specified key id # jwk is a CkJsonObject jwk = jwkset.FindRecord("keys","kid",kid,true) if (jwkset.get_LastMethodSuccess() == false) print "Failed to find a matching RSA key in the JWK key set..." + "\n"; exit end pubkey = Chilkat::CkPublicKey.new() success = pubkey.LoadFromString(jwk.emit()) if (success == false) print pubkey.lastErrorText() + "\n"; print jwk.emit() + "\n"; else verified = jwt.VerifyJwtPk(idToken,pubkey) print "Verified: " + verified.to_s() + "\n"; end |
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.