Sample code for 30+ languages & platforms
Tcl

Azure OpenID Connect Step 2 -- Get id_token and Validate

See more OIDC Examples

After getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it..

Chilkat Tcl Downloads

Tcl

load ./chilkat.dll

set success 0

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

# In our previous example (Azure Fetch OpenID Connect metadata document) we fetched
# the OpenID configuration document which is JSON which contains an entry for authorization_endpoint.

set authorization_endpoint "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# The OpenID Connect metadata document also contained a jwks_uri entry.  This is the JSON Web Key Set (JWKS),
# which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token)
# issued by the authorization server and signed using the RS256 signing algorithm. 
set jwks_uri "https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys"

# We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat).
# The following code will form the URL that is to be programmatically loaded and sent in a browser.

# GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
# client_id=6731de76-14a6-49ae-97bc-6eba6914391e
# &response_type=id_token
# &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
# &response_mode=form_post
# &scope=openid
# &state=12345
# &nonce=678910

# Use this object to set params and then get the URL-encoded query params string 
set req [new_CkHttpRequest]

CkHttpRequest_AddParam $req "client_id" "{client_id}"
CkHttpRequest_AddParam $req "response_type" "id_token"
CkHttpRequest_AddParam $req "redirect_uri" "http://localhost:3017/"
CkHttpRequest_AddParam $req "response_mode" "form_post"
CkHttpRequest_AddParam $req "scope" "openid"
set prng [new_CkPrng]

CkHttpRequest_AddParam $req "state" [CkPrng_genRandom $prng 3 "decimal"]
CkHttpRequest_AddParam $req "nonce" [CkPrng_genRandom $prng 4 "decimal"]

set encodedParams [CkHttpRequest_getUrlEncodedParams $req]
puts "$encodedParams"

# Sample URL encoded params:
# client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474

# This is the URL to be programmatically loaded and sent in an interactive web browser..
set sbUrl [new_CkStringBuilder]

CkStringBuilder_Append $sbUrl $authorization_endpoint
CkStringBuilder_Append $sbUrl "?"
CkStringBuilder_Append $sbUrl $encodedParams
set url [CkStringBuilder_getAsString $sbUrl]

# Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback..

set listenSock [new_CkSocket]

# This is the connection received from the browser.
set browserSock [new_CkSocket]

# Listen at the port indicated by the redirect_uri above.
set backLog 5
set success [CkSocket_BindAndListen $listenSock 3017 $backLog]
if {$success == 0} then {
    puts [CkSocket_lastErrorText $listenSock]
    delete_CkHttpRequest $req
    delete_CkPrng $prng
    delete_CkStringBuilder $sbUrl
    delete_CkSocket $listenSock
    delete_CkSocket $browserSock
    exit
}

# Wait for the browser's connection in a background thread.
# (We'll send load the URL into the browser following this..)
# Wait a max of 60 seconds before giving up.
set maxWaitMs 30000
# task is a CkTask
set task [CkSocket_AcceptNextAsync $listenSock $maxWaitMs $browserSock]
CkTask_Run $task

# -------------------------------------------------------------------
# At this point, your application should load the URL in a browser.
set oauth2 [new_CkOAuth2]

set success [CkOAuth2_LaunchBrowser $oauth2 $url]
if {$success == 0} then {
    puts [CkOAuth2_lastErrorText $oauth2]
    delete_CkHttpRequest $req
    delete_CkPrng $prng
    delete_CkStringBuilder $sbUrl
    delete_CkSocket $listenSock
    delete_CkSocket $browserSock
    delete_CkOAuth2 $oauth2
    exit
}

# -------------------------------------------------------------------

# Wait for the listenSock's task to complete.
set success [CkTask_Wait $task $maxWaitMs]
if {expr !$success  ||  [expr [[CkTask_get_StatusInt $task] != 7]  ||  [[CkTask_get_TaskSuccess $task] != 1]]} then {
    if {!$success} then {
        # The task.LastErrorText applies to the Wait method call.
        puts [CkTask_lastErrorText $task]
    }     else {
        # The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection)
        puts [CkTask_status $task]
        puts [CkTask_resultErrorText $task]
    }

    delete_CkTask $task

    delete_CkHttpRequest $req
    delete_CkPrng $prng
    delete_CkStringBuilder $sbUrl
    delete_CkSocket $listenSock
    delete_CkSocket $browserSock
    delete_CkOAuth2 $oauth2
    exit
}

# If we get to this point, a connection on listenSock was accepted, and the redirected POST
# is waiting to be read on the connected socket.
# The POST we are going to read contains the following:

# POST /myapp/ HTTP/1.1
# Host: localhost
# Content-Type: application/x-www-form-urlencoded
# 
# id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345

# But first.. we no longer need the listen socket...
# Stop listening on port 3017.
CkSocket_Close $listenSock 10

delete_CkTask $task

# We're acting as a temporary web server to receive this one redirected HTTP request..
# Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1")
set startLine [CkSocket_receiveUntilMatch $browserSock "\r\n"]
if {[CkSocket_get_LastMethodSuccess $browserSock] == 0} then {
    puts [CkSocket_lastErrorText $browserSock]
    delete_CkHttpRequest $req
    delete_CkPrng $prng
    delete_CkStringBuilder $sbUrl
    delete_CkSocket $listenSock
    delete_CkSocket $browserSock
    delete_CkOAuth2 $oauth2
    exit
}

# Read the request header.
set requestHeader [CkSocket_receiveUntilMatch $browserSock "\r\n\r\n"]
if {[CkSocket_get_LastMethodSuccess $browserSock] == 0} then {
    puts [CkSocket_lastErrorText $browserSock]
    delete_CkHttpRequest $req
    delete_CkPrng $prng
    delete_CkStringBuilder $sbUrl
    delete_CkSocket $listenSock
    delete_CkSocket $browserSock
    delete_CkOAuth2 $oauth2
    exit
}

puts "$requestHeader"
puts "----"

# Read the body.
# The body will contain "id_token= eyJ......"
set sbRequestBody [new_CkStringBuilder]

set success [CkSocket_ReceiveSb $browserSock $sbRequestBody]
if {$success == 0} then {
    puts [CkSocket_lastErrorText $browserSock]
    delete_CkHttpRequest $req
    delete_CkPrng $prng
    delete_CkStringBuilder $sbUrl
    delete_CkSocket $listenSock
    delete_CkSocket $browserSock
    delete_CkOAuth2 $oauth2
    delete_CkStringBuilder $sbRequestBody
    exit
}

puts [CkStringBuilder_getAsString $sbRequestBody]

# Given that we're acting as a web server, we must send a response..
# We can now send our HTTP response.
set sbResponseHtml [new_CkStringBuilder]

CkStringBuilder_Append $sbResponseHtml "<html><body><p>Thank you!</b></body</html>"

set sbResponse [new_CkStringBuilder]

CkStringBuilder_Append $sbResponse "HTTP/1.1 200 OK\r\n"
CkStringBuilder_Append $sbResponse "Content-Length: "
CkStringBuilder_AppendInt $sbResponse [CkStringBuilder_get_Length $sbResponseHtml]
CkStringBuilder_Append $sbResponse "\r\n"
CkStringBuilder_Append $sbResponse "Content-Type: text/html\r\n"
CkStringBuilder_Append $sbResponse "\r\n"
CkStringBuilder_AppendSb $sbResponse $sbResponseHtml

CkSocket_SendString $browserSock [CkStringBuilder_getAsString $sbResponse]
CkSocket_Close $browserSock 50

# Get the id_token from the sbRequestBody that we just received.
# (Remember, we're acting as the web server, thus we received the redirect request..)
set hashTab [new_CkHashtable]

CkHashtable_AddQueryParams $hashTab [CkStringBuilder_getAsString $sbRequestBody]

# See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token
# for more information about ID tokens..
set idToken [CkHashtable_lookupStr $hashTab "id_token"]

set jwt [new_CkJwt]

# Let's see if the time constraints, if any, are valid.
# The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour.
# If the current system time is before the "nbf" time, or after the "exp" time,
# then IsTimeValid will return false/0.
# Also, we'll allow a leeway of 60 seconds to account for any clock skew.
# Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true.
set leeway 60
set bTimeValid [CkJwt_IsTimeValid $jwt $idToken $leeway]
puts "time constraints valid: $bTimeValid"

# Now let's recover the original claims JSON (the payload).
set payload [CkJwt_getPayload $jwt $idToken]
# The payload will likely be in compact form:
puts "$payload"

# We can format for human viewing by loading it into Chilkat's JSON object
# and emit.
set json [new_CkJsonObject]

set success [CkJsonObject_Load $json $payload]
CkJsonObject_put_EmitCompact $json 0
puts [CkJsonObject_emit $json]

# Sample output:

# {
#   "aud": "f125d695-c50e-456e-a579-a486f06d1213",
#   "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0",
#   "iat": 1626535322,
#   "nbf": 1626535322,
#   "exp": 1626539222,
#   "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd",
#   "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/",
#   "nonce": "1519043321",
#   "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.",
#   "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM",
#   "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd",
#   "uti": "-BXGHxvfREW-r9HI5NBiAA",
#   "ver": "2.0"
# }

# We can recover the original JOSE header in the same way:
set joseHeader [CkJwt_getHeader $jwt $idToken]
# The payload will likely be in compact form:
puts "$joseHeader"

# We can format for human viewing by loading it into Chilkat's JSON object
# and emit.
set jsonJoseHeader [new_CkJsonObject]

set success [CkJsonObject_Load $jsonJoseHeader $joseHeader]
CkJsonObject_put_EmitCompact $jsonJoseHeader 0
puts [CkJsonObject_emit $jsonJoseHeader]

# Sample output:

# {
#   "typ": "JWT",
#   "alg": "RS256",
#   "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
# }

# Finally, we need to fetch the JSON Web Key Sets from the jwks_uri
# and use it to verify the id_token's RSA signature.
set sbJwks [new_CkStringBuilder]

set http [new_CkHttp]

set success [CkHttp_QuickGetSb $http $jwks_uri $sbJwks]
if {$success == 0} then {
    puts [CkHttp_lastErrorText $http]
    delete_CkHttpRequest $req
    delete_CkPrng $prng
    delete_CkStringBuilder $sbUrl
    delete_CkSocket $listenSock
    delete_CkSocket $browserSock
    delete_CkOAuth2 $oauth2
    delete_CkStringBuilder $sbRequestBody
    delete_CkStringBuilder $sbResponseHtml
    delete_CkStringBuilder $sbResponse
    delete_CkHashtable $hashTab
    delete_CkJwt $jwt
    delete_CkJsonObject $json
    delete_CkJsonObject $jsonJoseHeader
    delete_CkStringBuilder $sbJwks
    delete_CkHttp $http
    exit
}

set jwkset [new_CkJsonObject]

set success [CkJsonObject_LoadSb $jwkset $sbJwks]
CkJsonObject_put_EmitCompact $jwkset 0
puts [CkJsonObject_emit $jwkset]

# A sample jwkset:

# {
#   "keys": [
#     {
#       "kty": "RSA",
#       "use": "sig",
#       "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
#       "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
#       "n": "oaLLT9hkcSj ... NVrZdUdTBQ",
#       "e": "AQAB",
#       "x5c": [
#         "MIIDBTC ... MRku44Dw7R"
#       ],
#       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
#     },
#     {
#       "kty": "RSA",
#       "use": "sig",
#       "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680",
#       "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680",
#       "n": "sfsXMXW ... AYkwb6xUQ",
#       "e": "AQAB",
#       "x5c": [
#         "MIIDBTCCA ... BWrh+/vJ"
#       ],
#       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
#     },
#     {
#       "kty": "RSA",
#       "use": "sig",
#       "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
#       "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
#       "n": "1n7-nWSL ... V3pFWhQ",
#       "e": "AQAB",
#       "x5c": [
#         "MIIC8TC ... 9pIcnkPQ=="
#       ],
#       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
#     },
#     {
#       "kty": "RSA",
#       "use": "sig",
#       "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
#       "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
#       "n": "01re9a2BU ... 5OzQ6Q",
#       "e": "AQAB",
#       "x5c": [
#         "MIIC8TC ... YmwJ6sDdRvQ=="
#       ],
#       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
#     }
#   ]
# }

# We should have an RSA key with kid matching the kid from the joseHeader..
set kid [CkJsonObject_stringOf $jsonJoseHeader "kid"]

# Find the RSA key with the specified key id
# jwk is a CkJsonObject
set jwk [CkJsonObject_FindRecord $jwkset "keys" "kid" $kid 1]
if {[CkJsonObject_get_LastMethodSuccess $jwkset] == 0} then {
    puts "Failed to find a matching RSA key in the JWK key set..."
    delete_CkHttpRequest $req
    delete_CkPrng $prng
    delete_CkStringBuilder $sbUrl
    delete_CkSocket $listenSock
    delete_CkSocket $browserSock
    delete_CkOAuth2 $oauth2
    delete_CkStringBuilder $sbRequestBody
    delete_CkStringBuilder $sbResponseHtml
    delete_CkStringBuilder $sbResponse
    delete_CkHashtable $hashTab
    delete_CkJwt $jwt
    delete_CkJsonObject $json
    delete_CkJsonObject $jsonJoseHeader
    delete_CkStringBuilder $sbJwks
    delete_CkHttp $http
    delete_CkJsonObject $jwkset
    exit
}

set pubkey [new_CkPublicKey]

set success [CkPublicKey_LoadFromString $pubkey [CkJsonObject_emit $jwk]]
if {$success == 0} then {
    puts [CkPublicKey_lastErrorText $pubkey]
    puts [CkJsonObject_emit $jwk]
} else {
    set verified [CkJwt_VerifyJwtPk $jwt $idToken $pubkey]
    puts "Verified: $verified"
}

delete_CkJsonObject $jwk


delete_CkHttpRequest $req
delete_CkPrng $prng
delete_CkStringBuilder $sbUrl
delete_CkSocket $listenSock
delete_CkSocket $browserSock
delete_CkOAuth2 $oauth2
delete_CkStringBuilder $sbRequestBody
delete_CkStringBuilder $sbResponseHtml
delete_CkStringBuilder $sbResponse
delete_CkHashtable $hashTab
delete_CkJwt $jwt
delete_CkJsonObject $json
delete_CkJsonObject $jsonJoseHeader
delete_CkStringBuilder $sbJwks
delete_CkHttp $http
delete_CkJsonObject $jwkset
delete_CkPublicKey $pubkey