
Validate a Google ID Token


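Demonstrates how to verify the signature of a Google ID token. Signature verification is only one part of validating the token: the iss, aud and exp claims in the payload must also be checked before the token is trusted.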


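load ./chilkat.dll

set success 0

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

set http [new_CkHttp]

# The JWK Set fetched below is the trust anchor for every signature check that
# follows, so the TLS server certificate has to be validated on this request.
# NOTE(review): Chilkat documents RequireSslCertVerify as off by default --
# confirm for the library version in use.
CkHttp_put_RequireSslCertVerify $http 1

# First get the public keys we'll be needing (Google's current JWK Set).
set jwkStr [CkHttp_quickGetStr $http "https://www.googleapis.com/oauth2/v3/certs"]
if {[CkHttp_get_LastMethodSuccess $http] == 0} then {
    puts [CkHttp_lastErrorText $http]
    delete_CkHttp $http
    # Exit non-zero so a calling script cannot mistake a failed fetch for success.
    exit 1
}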

# We have the following:

#     {
#       "keys": [
# 	{
# 	  "kid": "e8732db06287515556213b80acbcfd08cfb302a9",
# 	  "n": "4RIrO30287Wsq3gqXCMkUYMVAeI3H8...w2mbMNEBQ",
# 	  "kty": "RSA",
# 	  "e": "AQAB",
# 	  "alg": "RS256",
# 	  "use": "sig"
# 	},
# 	{
# 	  "kid": "8462a71da4f6d611fc0fecf0fc4ba9c37d65e6cd",
# 	  "e": "AQAB",
# 	  "n": "xT_ngLZNmT5GBtJZeTB...Ft4gK0eoFi0d3l8bcw",
# 	  "alg": "RS256",
# 	  "use": "sig",
# 	  "kty": "RSA"
# 	}
#       ]
#     }

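set json [new_CkJsonObject]

# Parse the JWK Set. If the response body is not valid JSON there are no keys
# to verify against, so stop here instead of carrying on with an empty object.
set success [CkJsonObject_Load $json $jwkStr]
if {$success == 0} then {
    puts [CkJsonObject_lastErrorText $json]
    delete_CkHttp $http
    delete_CkJsonObject $json
    exit 1
}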

# -------------------------------------------------

# Load the following..

#  {
#   "access_token": "ya29.a0...0f",
#   "expires_in": 3599,
#   "scope": "openid https://www.googleapis.com/auth/userinfo.email",
#   "token_type": "Bearer",
#   "id_token": "eyJhb...o5nQ"
# }

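set jsonToken [new_CkJsonObject]

# Load the saved token response (the JSON that carries the id_token member).
set success [CkJsonObject_LoadFile $jsonToken "qa_data/tokens/google_sample_id_token.json"]
if {$success == 0} then {
    puts "Failed to load the JSON file..."
    # Include the library's own diagnostics so the cause (missing file, bad JSON) is visible.
    puts [CkJsonObject_lastErrorText $jsonToken]
    delete_CkHttp $http
    delete_CkJsonObject $json
    delete_CkJsonObject $jsonToken
    # Non-zero status: nothing was verified.
    exit 1
}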

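# Get the id_token.
set sbIdToken [new_CkStringBuilder]

set idToken [CkJsonObject_stringOf $jsonToken "id_token"]
set success [CkStringBuilder_Append $sbIdToken $idToken]

# Get the signature in base64url format.
# The header + payload remains in sbIdToken.
set sig_b64Url [CkStringBuilder_getAfterFinal $sbIdToken "." 1]
set headerPlusPayload [CkStringBuilder_getAsString $sbIdToken]

# A compact JWS has exactly three dot-separated segments, so what is left once
# the signature is removed must be "header.payload". Reject anything else
# (missing id_token member, truncated token) before it reaches the RSA verify call.
if {$success == 0 || [string length $sig_b64Url] == 0 || [llength [split $headerPlusPayload "."]] != 2} then {
    puts "The id_token member is missing or is not a three-part JWT."
    delete_CkHttp $http
    delete_CkJsonObject $json
    delete_CkJsonObject $jsonToken
    delete_CkStringBuilder $sbIdToken
    exit 1
}

# Debug output only: together these two values are the complete ID token,
# which is a usable credential until it expires. Keep them out of real logs.
puts "$sig_b64Url"
puts "$headerPlusPayload"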

# ---------------------------------------------

# Try validating with each cert's public key.
# Hopefully one will be the key that verifies.

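set rsa [new_CkRsa]

# The signature is handed to the RSA object as base64url text (the JWT encoding).
CkRsa_put_EncodingMode $rsa "base64url"

set jsonKey [new_CkJsonObject]

set pubKey [new_CkPublicKey]

# Overall result. bVerified is overwritten on every pass, so after the loop it
# only describes the last key tried; sigVerified records whether any key matched.
set sigVerified 0

# Try each published key in turn.
# NOTE(review): the token's header names its signing key in "kid"; selecting
# the JWK with the matching kid would avoid testing keys that cannot match.
set numKeys [CkJsonObject_SizeOfArray $json "keys"]
set i 0
while {$i < $numKeys} {
    # The literal path "keys[i]" is resolved using the JSON object's I property.
    CkJsonObject_put_I $json $i

    # Braces, not double quotes: inside "..." Tcl would treat [i] as a command
    # substitution and fail with 'invalid command name "i"'.
    CkJsonObject_ObjectOf2 $json {keys[i]} $jsonKey

    set success [CkPublicKey_LoadFromString $pubKey [CkJsonObject_emit $jsonKey]]
    if {$success == 0} then {
        puts [CkPublicKey_lastErrorText $pubKey]
        delete_CkHttp $http
        delete_CkJsonObject $json
        delete_CkJsonObject $jsonToken
        delete_CkStringBuilder $sbIdToken
        delete_CkRsa $rsa
        delete_CkJsonObject $jsonKey
        delete_CkPublicKey $pubKey
        # Non-zero status: the token was not verified.
        exit 1
    }

    puts "$i"
    puts [CkPublicKey_getPem $pubKey 1]

    set success [CkRsa_UsePublicKey $rsa $pubKey]
    if {$success == 0} then {
        # Do not verify if the key import failed: the RSA object may still hold
        # the key from the previous pass, and a match would be attributed to the
        # wrong key.
        puts [CkRsa_lastErrorText $rsa]
        set bVerified 0
    } else {
        # The hash is fixed to sha256 here (the published JWKs are RS256) rather
        # than taken from the token's own header.
        set bVerified [CkRsa_VerifyStringENC $rsa $headerPlusPayload "sha256" $sig_b64Url]
    }
    puts "bVerified = $bVerified"
    if {$bVerified} {
        set sigVerified 1
    }

    incr i
}

# A verified signature only shows that one of the fetched keys signed the token.
# NOTE(review): iss, aud and exp in the payload still have to be checked before
# the token is accepted; this script does not do that.
puts "sigVerified = $sigVerified"

# The output is:

# 0
# -----BEGIN RSA PUBLIC KEY-----
# MIIBCgKCAQEA4RIrO30287Wsq3gqXCMkUYMVAeI3H8LVE6IXR1krdFeGnZLiGUPw
# cbkeVpXf3lmJdsStOg+jijces2DZCfPyIBiQuLYfxxmAZE6ErJ0QJFg1stwli2Pz
# 9ncYhFoqi8pXr7kEzEJBTzX4thuw56ydbGsshSEznPXoerCJOc7UI2+n0wFCWQ4Y
# LHbh/PrWt4vdadyUUUW/QpQHXQLdD8q/Qwqdj0O9zlJE7R6Elw2E9EqnHyIGu1hm
# LxhqrTru1M18SUhONYbVskV/BCEdVKs//X96849HorWQDCAgVMWfGsdMVq55FAdJ
# 680N5UmQDRynIZ4+PeNGN4S9iw2mbMNEBQIDAQAB
# -----END RSA PUBLIC KEY-----
# 
# bVerified = True
# 1
# -----BEGIN RSA PUBLIC KEY-----
# MIIBCgKCAQEAxT/ngLZNmT5GBdkLtJZjNeTB+8B5yWgrq/e5eMZ1hrZhcmLK+dSn
# IkpOPV8/OekV67EnQ7I4II2rcNJnHGrGKZziXO3XN2gtUHE+mBJC99oULSbX/QwB
# Kz7gC/IBPq9EuxTt6Oq6fPkVQ9DbRIgWJSEGBF/KRaNl3kyAlIZfpY7XgHyJTTv8
# E7yAcYKPR+36gzdl+ps0sDLKzUuAtZNq8llK0u80z6AtAUIYwWdkEhM9upy6keKI
# TasIxcsO7M6kZPINUSbh6t5VAm8FuqRmxpgg+9c9/GQSGd89InVypoVzWLQ+wOGg
# 5G4H6JqIgtj0TRFt4gK0eoFi2U0d3l8bcwIDAQAB
# -----END RSA PUBLIC KEY-----
# 
# bVerified = False
# sigVerified = 1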

# Release every Chilkat object this script created, in creation order.
# Each pair is the destructor command followed by the handle it frees.
foreach {destroy handle} [list \
    delete_CkHttp          $http \
    delete_CkJsonObject    $json \
    delete_CkJsonObject    $jsonToken \
    delete_CkStringBuilder $sbIdToken \
    delete_CkRsa           $rsa \
    delete_CkJsonObject    $jsonKey \
    delete_CkPublicKey     $pubKey \
] {
    $destroy $handle
}