Sample code for 30+ languages & platforms
Tcl

Verify a Google JWT Using Google's Public Key

See more Google APIs Examples

Demonstrates how to verify a JWT that was signed using Google's RSA private key.

This example verifies the RSA signature. It also does the following:

  • Checks to see if the time constraints ("nbf" and "exp") are valid.
  • Recovers the original JOSE header.
  • Recovers the original claims JSON.

Chilkat Tcl Downloads

Tcl

load ./chilkat.dll

set success 0

# This example assumes the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

set http [new_CkHttp]

set sbPubKeys [new_CkStringBuilder]

set success [CkHttp_QuickGetSb $http "https://www.googleapis.com/oauth2/v3/certs" $sbPubKeys]
if {$success == 0} then {
    puts [CkHttp_lastErrorText $http]
    delete_CkHttp $http
    delete_CkStringBuilder $sbPubKeys
    exit
}

puts [CkStringBuilder_getAsString $sbPubKeys]

# Here are the keys:

# {
#   "keys": [
#     {
#       "e": "AQAB",
#       "n": "4bAT6C6EeX8Dspje3FrAXw-nnhNk04e1RmNa4kjc0CHf6Pk7ryARlwA-6YilyPABqQfYHx60s8oSnxvUVprFfQ2-Q8aAZO7bPKSxnoGlcKERL2oLNA4Msvc89N9Y5ycThZUplf_QC19e6jyYXN6Nz-UnJSCLrtQY8tVhhVRs61j4A2N_p-enAi-r704Qi1-v-DKV4eVRkClKViploo8NyjUaT9L4vbBssPCjyimJzsWnEe1fED5c4LnHeArYzA_FEn3JJotqDIz9t2VnvZNTMhizHEX4VnORlEWMEfR8n4CEHQx7PcQUOmfqyw08gWeXQl1-uTjtIGaE-sRIv9u_vQ",
#       "kty": "RSA",
#       "use": "sig",
#       "alg": "RS256",
#       "kid": "2af90e87be140c20038898a6efa11283dab6031d"
#     },
#     {
#       "n": "nzGsrziOYrMVYMpvUZOwkKNiPWcOPTYRYlDSdRW4UpAHdWPbPlyqaaphYhoMB5DXrVxI3bdvm7DOlo-sHNnulmAFQa-7TsQMxrZCvVdAbyXGID9DZYEqf8mkCV1Ohv7WY5lDUqlybIk1OSHdK7-1et0QS8nn-5LojGg8FK4ssLf3mV1APpujl27D1bDhyRb1MGumXYElwlUms7F9p9OcSp5pTevXCLmXs9MJJk4o9E1zzPpQ9Ko0lH9l_UqFpA7vwQhnw0nbh73rXOX2TUDCUqL4ThKU5Z9Pd-eZCEOatKe0mJTpQ00XGACBME_6ojCdfNIJr84Y_IpGKvkAEksn9w",
#       "use": "sig",
#       "kid": "87bbe0815b064e6d449cac999f0e50e72a3e4374",
#       "e": "AQAB",
#       "alg": "RS256",
#       "kty": "RSA"
#     }
#   ]
# }

# -------------------------------------------------------------------------------------------
# Replace this with your actual token.
# This sample token contains a kid that does not match any of the above Google public keys.
# -------------------------------------------------------------------------------------------
set token "eyJhbGciOiJSUzI1NiIsImtpZCI6IjQyZmY5MGQ3ZDM0OGM5NzM4MWE3YzExOWVmMWY1MzI0ZWEzZjViZWIifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJzdWIiOiIxMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExIiwiaWF0IjoxNjExMTE1MTQzLCJleHAiOjE2MTEyMDE1NDMsImF1ZCI6IjQyOTc1NzExNTE0ODg0OSJ9.pLem5i0bx3M7lJYj7jKv2Nq7c07X5YpZz-x1uM5RniW-v4LsX-lKIVvOq2x3-WoPqkzLXJfP0kG0dx1uD2q1NfFQK60YwKH4FnFtB6INnUP1dRVpP9_pTTKyAE28I3s5Tay4PbPdrCl7ZLCIJzCfpCW1TiWeVoPjp5HgZKTBHdP_sEkN_yO5dQerQXAkFJkV3kNgF9jI3ayT-KPqOIH6GVoWXjHFDyA2EYgJPEFRo5WSe6XycJ85p5duwT-OoBcb_kJZG9PxYd91eHlPCzp8vGxzIb2dVROCBxyM8e8W0cd9v15hfmpg9R-eG9vCM5y63ZLChZLFeHFx0Pd7hvAqfKg"

set jwt [new_CkJwt]

set header [CkJwt_getHeader $jwt $token]

puts "$header"

# Sample header:
# {"alg":"RS256","kid":"87bbe0815b064e6d449cac999f0e50e72a3e4374"}

# Load the public key matching the "kid" into a Chilkat public key object, then verify..

set json [new_CkJsonObject]

CkJsonObject_Load $json $header
set kid [CkJsonObject_stringOf $json "kid"]

puts "kid = $kid"

set jsonPubKeys [new_CkJsonObject]

CkJsonObject_LoadSb $jsonPubKeys $sbPubKeys

# jsonKey is a CkJsonObject
set jsonKey [CkJsonObject_FindRecord $jsonPubKeys "keys" "kid" $kid 1]
if {[CkJsonObject_get_LastMethodSuccess $jsonPubKeys] == 0} then {
    puts "Did not find a matching public key based on the kid."
    delete_CkHttp $http
    delete_CkStringBuilder $sbPubKeys
    delete_CkJwt $jwt
    delete_CkJsonObject $json
    delete_CkJsonObject $jsonPubKeys
    exit
}

puts [CkJsonObject_emit $jsonKey]

# Load the matching public key into a Chilkat public key object.
set pubKey [new_CkPublicKey]

set success [CkPublicKey_LoadFromString $pubKey [CkJsonObject_emit $jsonKey]]
delete_CkJsonObject $jsonKey

if {$success == 0} then {
    puts [CkPublicKey_lastErrorText $pubKey]
    delete_CkHttp $http
    delete_CkStringBuilder $sbPubKeys
    delete_CkJwt $jwt
    delete_CkJsonObject $json
    delete_CkJsonObject $jsonPubKeys
    delete_CkPublicKey $pubKey
    exit
}

# ----------------------------------------------------------------------------------------
# Now we can validate the JWT using Google's public key as shown in this example:
# (Except we use the public key obtained as shown above instead of a public key loaded from a PEM file.
# 
# See Verify JWT Using an RSA Public Key

delete_CkHttp $http
delete_CkStringBuilder $sbPubKeys
delete_CkJwt $jwt
delete_CkJsonObject $json
delete_CkJsonObject $jsonPubKeys
delete_CkPublicKey $pubKey