|
Chilkat • HOME • .NET Core C# • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi ActiveX • Delphi DLL • Go • Java • Lianja • Mono C# • Node.js • Objective-C • PHP ActiveX • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift 2 • Swift 3,4,5... • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(Unicode C) Azure OpenID Connect Step 2 -- Get id_token and ValidateSee more OIDC ExamplesAfter getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it.. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
#include <C_CkHttpRequestW.h> #include <C_CkPrngW.h> #include <C_CkStringBuilderW.h> #include <C_CkSocketW.h> #include <C_CkTaskW.h> #include <C_CkHashtableW.h> #include <C_CkJwtW.h> #include <C_CkJsonObjectW.h> #include <C_CkHttpW.h> #include <C_CkPublicKeyW.h> void ChilkatSample(void) { BOOL success; const wchar_t *authorization_endpoint; const wchar_t *jwks_uri; HCkHttpRequestW req; HCkPrngW prng; const wchar_t *encodedParams; HCkStringBuilderW sbUrl; const wchar_t *url; HCkSocketW listenSock; int backLog; int maxWaitMs; HCkTaskW task; HCkSocketW sock; const wchar_t *startLine; const wchar_t *requestHeader; HCkStringBuilderW sbRequestBody; HCkStringBuilderW sbResponseHtml; HCkStringBuilderW sbResponse; HCkHashtableW hashTab; const wchar_t *idToken; HCkJwtW jwt; int leeway; BOOL bTimeValid; const wchar_t *payload; HCkJsonObjectW json; const wchar_t *joseHeader; HCkJsonObjectW jsonJoseHeader; HCkStringBuilderW sbJwks; HCkHttpW http; HCkJsonObjectW jwkset; const wchar_t *kid; HCkJsonObjectW jwk; BOOL verified; HCkPublicKeyW pubkey; // This example requires the Chilkat API to have been previously unlocked. // See Global Unlock Sample for sample code. // In our previous example (Azure Fetch OpenID Connect metadata document) we fetched // the OpenID configuration document which is JSON which contains an entry for authorization_endpoint. authorization_endpoint = L"https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/oauth2/v2.0/authorize"; // The OpenID Connect metadata document also contained a jwks_uri entry. This is the JSON Web Key Set (JWKS), // which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token) // issued by the authorization server and signed using the RS256 signing algorithm. jwks_uri = L"https://login.microsoftonline.com/6d8ddd66-68d1-44b0-af5c-e31b4b7ee5cd/discovery/v2.0/keys"; // We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat). // The following code will form the URL that is to be programmatically loaded and sent in a browser. // GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? // client_id=6731de76-14a6-49ae-97bc-6eba6914391e // &response_type=id_token // &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F // &response_mode=form_post // &scope=openid // &state=12345 // &nonce=678910 // Use this object to set params and then get the URL-encoded query params string req = CkHttpRequestW_Create(); CkHttpRequestW_AddParam(req,L"client_id",L"f125d695-c50e-456e-a579-a486f06d1213"); CkHttpRequestW_AddParam(req,L"response_type",L"id_token"); CkHttpRequestW_AddParam(req,L"redirect_uri",L"http://localhost:3017/"); CkHttpRequestW_AddParam(req,L"response_mode",L"form_post"); CkHttpRequestW_AddParam(req,L"scope",L"openid"); prng = CkPrngW_Create(); CkHttpRequestW_AddParam(req,L"state",CkPrngW_genRandom(prng,3,L"decimal")); CkHttpRequestW_AddParam(req,L"nonce",CkPrngW_genRandom(prng,4,L"decimal")); encodedParams = CkHttpRequestW_getUrlEncodedParams(req); wprintf(L"%s\n",encodedParams); // Sample URL encoded params: // client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474 // This is the URL to be programmatically loaded and sent in an interactive web browser.. sbUrl = CkStringBuilderW_Create(); CkStringBuilderW_Append(sbUrl,authorization_endpoint); CkStringBuilderW_Append(sbUrl,L"?"); CkStringBuilderW_Append(sbUrl,encodedParams); url = CkStringBuilderW_getAsString(sbUrl); // Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback.. listenSock = CkSocketW_Create(); // Listen at the port indicated by the redirect_uri above. backLog = 5; success = CkSocketW_BindAndListen(listenSock,3017,backLog); if (success != TRUE) { wprintf(L"%s\n",CkSocketW_lastErrorText(listenSock)); CkHttpRequestW_Dispose(req); CkPrngW_Dispose(prng); CkStringBuilderW_Dispose(sbUrl); CkSocketW_Dispose(listenSock); return; } // Wait for the browser's connection in a background thread. // (We'll send load the URL into the browser following this..) // Wait a max of 60 seconds before giving up. maxWaitMs = 60000; task = CkSocketW_AcceptNextConnectionAsync(listenSock,maxWaitMs); CkTaskW_Run(task); // ------------------------------------------------------------------- // At this point, your application should load the URL in a browser. // You'll need to add code here to do it.. // For example, // in C#: System.Diagnostics.Process.Start(url); // in Java: Desktop.getDesktop().browse(new URI(url)); // in VBScript: Set wsh=WScript.CreateObject("WScript.Shell") // wsh.Run url // in Xojo: ShowURL(url) (see http://docs.xojo.com/index.php/ShowURL) // in Dataflex: Runprogram Background "c:\Program Files\Internet Explorer\iexplore.exe" sUrl // The account owner would interactively accept or deny the authorization request. // Add the code to load the url in a web browser here... // Add the code to load the url in a web browser here... // Add the code to load the url in a web browser here... // System.Diagnostics.Process.Start(url); // ------------------------------------------------------------------- // Wait for the listenSock's task to complete. success = CkTaskW_Wait(task,maxWaitMs); if (!success || (CkTaskW_getStatusInt(task) != 7) || (CkTaskW_getTaskSuccess(task) != TRUE)) { if (!success) { // The task.LastErrorText applies to the Wait method call. wprintf(L"%s\n",CkTaskW_lastErrorText(task)); } else { // The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection) wprintf(L"%s\n",CkTaskW_status(task)); wprintf(L"%s\n",CkTaskW_resultErrorText(task)); } CkTaskW_Dispose(task); CkHttpRequestW_Dispose(req); CkPrngW_Dispose(prng); CkStringBuilderW_Dispose(sbUrl); CkSocketW_Dispose(listenSock); return; } // If we get to this point, a connection on listenSock was accepted, and the redirected POST // is waiting to be read on the connected socket. // The POST we are going to read contains the following: // POST /myapp/ HTTP/1.1 // Host: localhost // Content-Type: application/x-www-form-urlencoded // // id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345 // But first.. we no longer need the listen socket... // Stop listening on port 3017. CkSocketW_Close(listenSock,10); // Get the connected socket. sock = CkSocketW_Create(); CkSocketW_LoadTaskResult(sock,task); CkTaskW_Dispose(task); // We're acting as a temporary web server to receive this one redirected HTTP request.. // Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1") startLine = CkSocketW_receiveUntilMatch(sock,L"\r\n"); if (CkSocketW_getLastMethodSuccess(sock) != TRUE) { wprintf(L"%s\n",CkSocketW_lastErrorText(sock)); CkHttpRequestW_Dispose(req); CkPrngW_Dispose(prng); CkStringBuilderW_Dispose(sbUrl); CkSocketW_Dispose(listenSock); CkSocketW_Dispose(sock); return; } // Read the request header. requestHeader = CkSocketW_receiveUntilMatch(sock,L"\r\n\r\n"); if (CkSocketW_getLastMethodSuccess(sock) != TRUE) { wprintf(L"%s\n",CkSocketW_lastErrorText(sock)); CkHttpRequestW_Dispose(req); CkPrngW_Dispose(prng); CkStringBuilderW_Dispose(sbUrl); CkSocketW_Dispose(listenSock); CkSocketW_Dispose(sock); return; } wprintf(L"%s\n",requestHeader); wprintf(L"----\n"); // Read the body. // The body will contain "id_token= eyJ......" sbRequestBody = CkStringBuilderW_Create(); success = CkSocketW_ReceiveSb(sock,sbRequestBody); if (success == FALSE) { wprintf(L"%s\n",CkSocketW_lastErrorText(sock)); CkHttpRequestW_Dispose(req); CkPrngW_Dispose(prng); CkStringBuilderW_Dispose(sbUrl); CkSocketW_Dispose(listenSock); CkSocketW_Dispose(sock); CkStringBuilderW_Dispose(sbRequestBody); return; } wprintf(L"%s\n",CkStringBuilderW_getAsString(sbRequestBody)); // Given that we're acting as a web server, we must send a response.. // We can now send our HTTP response. sbResponseHtml = CkStringBuilderW_Create(); CkStringBuilderW_Append(sbResponseHtml,L"<html><body><p>Thank you!</b></body</html>"); sbResponse = CkStringBuilderW_Create(); CkStringBuilderW_Append(sbResponse,L"HTTP/1.1 200 OK\r\n"); CkStringBuilderW_Append(sbResponse,L"Content-Length: "); CkStringBuilderW_AppendInt(sbResponse,CkStringBuilderW_getLength(sbResponseHtml)); CkStringBuilderW_Append(sbResponse,L"\r\n"); CkStringBuilderW_Append(sbResponse,L"Content-Type: text/html\r\n"); CkStringBuilderW_Append(sbResponse,L"\r\n"); CkStringBuilderW_AppendSb(sbResponse,sbResponseHtml); CkSocketW_SendString(sock,CkStringBuilderW_getAsString(sbResponse)); CkSocketW_Close(sock,50); // Get the id_token from the sbRequestBody that we just received. // (Remember, we're acting as the web server, thus we received the redirect request..) hashTab = CkHashtableW_Create(); CkHashtableW_AddQueryParams(hashTab,CkStringBuilderW_getAsString(sbRequestBody)); // See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token // for more information about ID tokens.. idToken = CkHashtableW_lookupStr(hashTab,L"id_token"); jwt = CkJwtW_Create(); // Let's see if the time constraints, if any, are valid. // The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour. // If the current system time is before the "nbf" time, or after the "exp" time, // then IsTimeValid will return false/0. // Also, we'll allow a leeway of 60 seconds to account for any clock skew. // Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true. leeway = 60; bTimeValid = CkJwtW_IsTimeValid(jwt,idToken,leeway); wprintf(L"time constraints valid: %d\n",bTimeValid); // Now let's recover the original claims JSON (the payload). payload = CkJwtW_getPayload(jwt,idToken); // The payload will likely be in compact form: wprintf(L"%s\n",payload); // We can format for human viewing by loading it into Chilkat's JSON object // and emit. json = CkJsonObjectW_Create(); success = CkJsonObjectW_Load(json,payload); CkJsonObjectW_putEmitCompact(json,FALSE); wprintf(L"%s\n",CkJsonObjectW_emit(json)); // Sample output: // { // "aud": "f125d695-c50e-456e-a579-a486f06d1213", // "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0", // "iat": 1626535322, // "nbf": 1626535322, // "exp": 1626539222, // "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd", // "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/", // "nonce": "1519043321", // "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.", // "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM", // "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd", // "uti": "-BXGHxvfREW-r9HI5NBiAA", // "ver": "2.0" // } // We can recover the original JOSE header in the same way: joseHeader = CkJwtW_getHeader(jwt,idToken); // The payload will likely be in compact form: wprintf(L"%s\n",joseHeader); // We can format for human viewing by loading it into Chilkat's JSON object // and emit. jsonJoseHeader = CkJsonObjectW_Create(); success = CkJsonObjectW_Load(jsonJoseHeader,joseHeader); CkJsonObjectW_putEmitCompact(jsonJoseHeader,FALSE); wprintf(L"%s\n",CkJsonObjectW_emit(jsonJoseHeader)); // Sample output: // { // "typ": "JWT", // "alg": "RS256", // "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg" // } // Finally, we need to fetch the JSON Web Key Sets from the jwks_uri // and use it to verify the id_token's RSA signature. sbJwks = CkStringBuilderW_Create(); http = CkHttpW_Create(); success = CkHttpW_QuickGetSb(http,jwks_uri,sbJwks); if (success == FALSE) { wprintf(L"%s\n",CkHttpW_lastErrorText(http)); CkHttpRequestW_Dispose(req); CkPrngW_Dispose(prng); CkStringBuilderW_Dispose(sbUrl); CkSocketW_Dispose(listenSock); CkSocketW_Dispose(sock); CkStringBuilderW_Dispose(sbRequestBody); CkStringBuilderW_Dispose(sbResponseHtml); CkStringBuilderW_Dispose(sbResponse); CkHashtableW_Dispose(hashTab); CkJwtW_Dispose(jwt); CkJsonObjectW_Dispose(json); CkJsonObjectW_Dispose(jsonJoseHeader); CkStringBuilderW_Dispose(sbJwks); CkHttpW_Dispose(http); return; } jwkset = CkJsonObjectW_Create(); success = CkJsonObjectW_LoadSb(jwkset,sbJwks); CkJsonObjectW_putEmitCompact(jwkset,FALSE); wprintf(L"%s\n",CkJsonObjectW_emit(jwkset)); // A sample jwkset: // { // "keys": [ // { // "kty": "RSA", // "use": "sig", // "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg", // "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg", // "n": "oaLLT9hkcSj ... NVrZdUdTBQ", // "e": "AQAB", // "x5c": [ // "MIIDBTC ... MRku44Dw7R" // ], // "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" // }, // { // "kty": "RSA", // "use": "sig", // "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680", // "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680", // "n": "sfsXMXW ... AYkwb6xUQ", // "e": "AQAB", // "x5c": [ // "MIIDBTCCA ... BWrh+/vJ" // ], // "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" // }, // { // "kty": "RSA", // "use": "sig", // "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc", // "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc", // "n": "1n7-nWSL ... V3pFWhQ", // "e": "AQAB", // "x5c": [ // "MIIC8TC ... 9pIcnkPQ==" // ], // "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" // }, // { // "kty": "RSA", // "use": "sig", // "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo", // "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo", // "n": "01re9a2BU ... 5OzQ6Q", // "e": "AQAB", // "x5c": [ // "MIIC8TC ... YmwJ6sDdRvQ==" // ], // "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" // } // ] // } // We should have an RSA key with kid matching the kid from the joseHeader.. kid = CkJsonObjectW_stringOf(jsonJoseHeader,L"kid"); // Find the RSA key with the specified key id jwk = CkJsonObjectW_FindRecord(jwkset,L"keys",L"kid",kid,TRUE); if (CkJsonObjectW_getLastMethodSuccess(jwkset) == FALSE) { wprintf(L"Failed to find a matching RSA key in the JWK key set...\n"); CkHttpRequestW_Dispose(req); CkPrngW_Dispose(prng); CkStringBuilderW_Dispose(sbUrl); CkSocketW_Dispose(listenSock); CkSocketW_Dispose(sock); CkStringBuilderW_Dispose(sbRequestBody); CkStringBuilderW_Dispose(sbResponseHtml); CkStringBuilderW_Dispose(sbResponse); CkHashtableW_Dispose(hashTab); CkJwtW_Dispose(jwt); CkJsonObjectW_Dispose(json); CkJsonObjectW_Dispose(jsonJoseHeader); CkStringBuilderW_Dispose(sbJwks); CkHttpW_Dispose(http); CkJsonObjectW_Dispose(jwkset); return; } pubkey = CkPublicKeyW_Create(); success = CkPublicKeyW_LoadFromString(pubkey,CkJsonObjectW_emit(jwk)); if (success == FALSE) { wprintf(L"%s\n",CkPublicKeyW_lastErrorText(pubkey)); wprintf(L"%s\n",CkJsonObjectW_emit(jwk)); } else { verified = CkJwtW_VerifyJwtPk(jwt,idToken,pubkey); wprintf(L"Verified: %d\n",verified); } CkJsonObjectW_Dispose(jwk); CkHttpRequestW_Dispose(req); CkPrngW_Dispose(prng); CkStringBuilderW_Dispose(sbUrl); CkSocketW_Dispose(listenSock); CkSocketW_Dispose(sock); CkStringBuilderW_Dispose(sbRequestBody); CkStringBuilderW_Dispose(sbResponseHtml); CkStringBuilderW_Dispose(sbResponse); CkHashtableW_Dispose(hashTab); CkJwtW_Dispose(jwt); CkJsonObjectW_Dispose(json); CkJsonObjectW_Dispose(jsonJoseHeader); CkStringBuilderW_Dispose(sbJwks); CkHttpW_Dispose(http); CkJsonObjectW_Dispose(jwkset); CkPublicKeyW_Dispose(pubkey); } |
|||||||
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.