(Unicode C) Verify a Google JWT Using Google's Public Key

See more Google APIs Examples

Demonstrates how to verify a JWT that was signed using Google's RSA private key.

This example verifies the RSA signature. It also does the following:

• Checks to see if the time constraints ("nbf" and "exp") are valid.
• Recovers the original JOSE header.
• Recovers the original claims JSON.

Chilkat C/C++ Library Downloads
MS Visual C/C++ Linux/CentOS C/C++ Alpine Linux C/C++ MAC OS X C/C++	armhf/aarch64 C/C++ C++ Builder iOS C/C++ Android C/C++	Solaris C/C++ MinGW C/C++

#include <C_CkHttpW.h>
#include <C_CkStringBuilderW.h>
#include <C_CkJwtW.h>
#include <C_CkJsonObjectW.h>
#include <C_CkPublicKeyW.h>

void ChilkatSample(void)
    {
    HCkHttpW http;
    HCkStringBuilderW sbPubKeys;
    BOOL success;
    const wchar_t *token;
    HCkJwtW jwt;
    const wchar_t *header;
    HCkJsonObjectW json;
    const wchar_t *kid;
    HCkJsonObjectW jsonPubKeys;
    HCkJsonObjectW jsonKey;
    HCkPublicKeyW pubKey;

    // This example assumes the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    http = CkHttpW_Create();
    sbPubKeys = CkStringBuilderW_Create();

    success = CkHttpW_QuickGetSb(http,L"https://www.googleapis.com/oauth2/v3/certs",sbPubKeys);
    if (success == FALSE) {
        wprintf(L"%s\n",CkHttpW_lastErrorText(http));
        CkHttpW_Dispose(http);
        CkStringBuilderW_Dispose(sbPubKeys);
        return;
    }

    wprintf(L"%s\n",CkStringBuilderW_getAsString(sbPubKeys));

    // Here are the keys:

    // {
    //   "keys": [
    //     {
    //       "e": "AQAB",
    //       "n": "4bAT6C6EeX8Dspje3FrAXw-nnhNk04e1RmNa4kjc0CHf6Pk7ryARlwA-6YilyPABqQfYHx60s8oSnxvUVprFfQ2-Q8aAZO7bPKSxnoGlcKERL2oLNA4Msvc89N9Y5ycThZUplf_QC19e6jyYXN6Nz-UnJSCLrtQY8tVhhVRs61j4A2N_p-enAi-r704Qi1-v-DKV4eVRkClKViploo8NyjUaT9L4vbBssPCjyimJzsWnEe1fED5c4LnHeArYzA_FEn3JJotqDIz9t2VnvZNTMhizHEX4VnORlEWMEfR8n4CEHQx7PcQUOmfqyw08gWeXQl1-uTjtIGaE-sRIv9u_vQ",
    //       "kty": "RSA",
    //       "use": "sig",
    //       "alg": "RS256",
    //       "kid": "2af90e87be140c20038898a6efa11283dab6031d"
    //     },
    //     {
    //       "n": "nzGsrziOYrMVYMpvUZOwkKNiPWcOPTYRYlDSdRW4UpAHdWPbPlyqaaphYhoMB5DXrVxI3bdvm7DOlo-sHNnulmAFQa-7TsQMxrZCvVdAbyXGID9DZYEqf8mkCV1Ohv7WY5lDUqlybIk1OSHdK7-1et0QS8nn-5LojGg8FK4ssLf3mV1APpujl27D1bDhyRb1MGumXYElwlUms7F9p9OcSp5pTevXCLmXs9MJJk4o9E1zzPpQ9Ko0lH9l_UqFpA7vwQhnw0nbh73rXOX2TUDCUqL4ThKU5Z9Pd-eZCEOatKe0mJTpQ00XGACBME_6ojCdfNIJr84Y_IpGKvkAEksn9w",
    //       "use": "sig",
    //       "kid": "87bbe0815b064e6d449cac999f0e50e72a3e4374",
    //       "e": "AQAB",
    //       "alg": "RS256",
    //       "kty": "RSA"
    //     }
    //   ]
    // }

    // -------------------------------------------------------------------------------------------
    // Replace this with your actual token.
    // This sample token contains a kid that does not match any of the above Google public keys.
    // -------------------------------------------------------------------------------------------
    token = L"eyJhbGciOiJSUzI1NiIsImtpZCI6IjQyZmY5MGQ3ZDM0OGM5NzM4MWE3YzExOWVmMWY1MzI0ZWEzZjViZWIifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJzdWIiOiIxMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExIiwiaWF0IjoxNjExMTE1MTQzLCJleHAiOjE2MTEyMDE1NDMsImF1ZCI6IjQyOTc1NzExNTE0ODg0OSJ9.pLem5i0bx3M7lJYj7jKv2Nq7c07X5YpZz-x1uM5RniW-v4LsX-lKIVvOq2x3-WoPqkzLXJfP0kG0dx1uD2q1NfFQK60YwKH4FnFtB6INnUP1dRVpP9_pTTKyAE28I3s5Tay4PbPdrCl7ZLCIJzCfpCW1TiWeVoPjp5HgZKTBHdP_sEkN_yO5dQerQXAkFJkV3kNgF9jI3ayT-KPqOIH6GVoWXjHFDyA2EYgJPEFRo5WSe6XycJ85p5duwT-OoBcb_kJZG9PxYd91eHlPCzp8vGxzIb2dVROCBxyM8e8W0cd9v15hfmpg9R-eG9vCM5y63ZLChZLFeHFx0Pd7hvAqfKg";

    jwt = CkJwtW_Create();
    header = CkJwtW_getHeader(jwt,token);

    wprintf(L"%s\n",header);

    // Sample header:
    // {"alg":"RS256","kid":"87bbe0815b064e6d449cac999f0e50e72a3e4374"}

    // Load the public key matching the "kid" into a Chilkat public key object, then verify..

    json = CkJsonObjectW_Create();
    CkJsonObjectW_Load(json,header);
    kid = CkJsonObjectW_stringOf(json,L"kid");

    wprintf(L"kid = %s\n",kid);

    jsonPubKeys = CkJsonObjectW_Create();
    CkJsonObjectW_LoadSb(jsonPubKeys,sbPubKeys);

    jsonKey = CkJsonObjectW_FindRecord(jsonPubKeys,L"keys",L"kid",kid,TRUE);
    if (CkJsonObjectW_getLastMethodSuccess(jsonPubKeys) == FALSE) {
        wprintf(L"Did not find a matching public key based on the kid.\n");
        CkHttpW_Dispose(http);
        CkStringBuilderW_Dispose(sbPubKeys);
        CkJwtW_Dispose(jwt);
        CkJsonObjectW_Dispose(json);
        CkJsonObjectW_Dispose(jsonPubKeys);
        return;
    }

    wprintf(L"%s\n",CkJsonObjectW_emit(jsonKey));

    // Load the matching public key into a Chilkat public key object.
    pubKey = CkPublicKeyW_Create();
    success = CkPublicKeyW_LoadFromString(pubKey,CkJsonObjectW_emit(jsonKey));
    CkJsonObjectW_Dispose(jsonKey);
    if (success == FALSE) {
        wprintf(L"%s\n",CkPublicKeyW_lastErrorText(pubKey));
        CkHttpW_Dispose(http);
        CkStringBuilderW_Dispose(sbPubKeys);
        CkJwtW_Dispose(jwt);
        CkJsonObjectW_Dispose(json);
        CkJsonObjectW_Dispose(jsonPubKeys);
        CkPublicKeyW_Dispose(pubKey);
        return;
    }

    // ----------------------------------------------------------------------------------------
    // Now we can validate the JWT using Google's public key as shown in this example:
    // (Except we use the public key obtained as shown above instead of a public key loaded from a PEM file.
    // 
    // See Verify JWT Using an RSA Public Key


    CkHttpW_Dispose(http);
    CkStringBuilderW_Dispose(sbPubKeys);
    CkJwtW_Dispose(jwt);
    CkJsonObjectW_Dispose(json);
    CkJsonObjectW_Dispose(jsonPubKeys);
    CkPublicKeyW_Dispose(pubKey);

    }