Chilkat HOME .NET Core C# Android™ AutoIt C C# C++ Chilkat2-Python CkPython Classic ASP DataFlex Delphi ActiveX Delphi DLL Go Java Lianja Mono C# Node.js Objective-C PHP ActiveX PHP Extension Perl PowerBuilder PowerShell PureBasic Ruby SQL Server Swift 2 Swift 3,4,5... Tcl Unicode C Unicode C++ VB.NET VBScript Visual Basic 6.0 Visual FoxPro Xojo Plugin
(Visual Basic 6.0) Azure OpenID Connect Step 2 -- Get id_token and ValidateSee more OIDC ExamplesAfter getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it.. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
' This example requires the Chilkat API to have been previously unlocked. ' See Global Unlock Sample for sample code. Dim success As Long ' In our previous example (Azure Fetch OpenID Connect metadata document) we fetched ' the OpenID configuration document which is JSON which contains an entry for authorization_endpoint. Dim authorization_endpoint As String authorization_endpoint = "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/oauth2/v2.0/authorize" ' The OpenID Connect metadata document also contained a jwks_uri entry. This is the JSON Web Key Set (JWKS), ' which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token) ' issued by the authorization server and signed using the RS256 signing algorithm. Dim jwks_uri As String jwks_uri = "https://login.microsoftonline.com/6d8ddd66-68d1-44b0-af5c-e31b4b7ee5cd/discovery/v2.0/keys" ' We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat). ' The following code will form the URL that is to be programmatically loaded and sent in a browser. ' GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? ' client_id=6731de76-14a6-49ae-97bc-6eba6914391e ' &response_type=id_token ' &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F ' &response_mode=form_post ' &scope=openid ' &state=12345 ' &nonce=678910 ' Use this object to set params and then get the URL-encoded query params string Dim req As New ChilkatHttpRequest req.AddParam "client_id","f125d695-c50e-456e-a579-a486f06d1213" req.AddParam "response_type","id_token" req.AddParam "redirect_uri","http://localhost:3017/" req.AddParam "response_mode","form_post" req.AddParam "scope","openid" Dim prng As New ChilkatPrng req.AddParam "state",prng.GenRandom(3,"decimal") req.AddParam "nonce",prng.GenRandom(4,"decimal") Dim encodedParams As String encodedParams = req.GetUrlEncodedParams() Debug.Print encodedParams ' Sample URL encoded params: ' client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474 ' This is the URL to be programmatically loaded and sent in an interactive web browser.. Dim sbUrl As New ChilkatStringBuilder success = sbUrl.Append(authorization_endpoint) success = sbUrl.Append("?") success = sbUrl.Append(encodedParams) Dim url As String url = sbUrl.GetAsString() ' Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback.. Dim listenSock As New ChilkatSocket ' Listen at the port indicated by the redirect_uri above. Dim backLog As Long backLog = 5 success = listenSock.BindAndListen(3017,backLog) If (success <> 1) Then Debug.Print listenSock.LastErrorText Exit Sub End If ' Wait for the browser's connection in a background thread. ' (We'll send load the URL into the browser following this..) ' Wait a max of 60 seconds before giving up. Dim maxWaitMs As Long maxWaitMs = 60000 Dim task As ChilkatTask Set task = listenSock.AcceptNextConnectionAsync(maxWaitMs) success = task.Run() ' ------------------------------------------------------------------- ' At this point, your application should load the URL in a browser. ' You'll need to add code here to do it.. ' For example, ' in C#: System.Diagnostics.Process.Start(url); ' in Java: Desktop.getDesktop().browse(new URI(url)); ' in VBScript: Set wsh=WScript.CreateObject("WScript.Shell") ' wsh.Run url ' in Xojo: ShowURL(url) (see http://docs.xojo.com/index.php/ShowURL) ' in Dataflex: Runprogram Background "c:\Program Files\Internet Explorer\iexplore.exe" sUrl ' The account owner would interactively accept or deny the authorization request. ' Add the code to load the url in a web browser here... ' Add the code to load the url in a web browser here... ' Add the code to load the url in a web browser here... ' System.Diagnostics.Process.Start(url); ' ------------------------------------------------------------------- ' Wait for the listenSock's task to complete. success = task.Wait(maxWaitMs) If (Not success Or (task.StatusInt <> 7) Or (task.TaskSuccess <> 1)) Then If (Not success) Then ' The task.LastErrorText applies to the Wait method call. Debug.Print task.LastErrorText Else ' The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection) Debug.Print task.Status Debug.Print task.ResultErrorText End If Exit Sub End If ' If we get to this point, a connection on listenSock was accepted, and the redirected POST ' is waiting to be read on the connected socket. ' The POST we are going to read contains the following: ' POST /myapp/ HTTP/1.1 ' Host: localhost ' Content-Type: application/x-www-form-urlencoded ' ' id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345 ' But first.. we no longer need the listen socket... ' Stop listening on port 3017. success = listenSock.Close(10) ' Get the connected socket. Dim sock As New ChilkatSocket success = sock.LoadTaskResult(task) ' We're acting as a temporary web server to receive this one redirected HTTP request.. ' Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1") Dim startLine As String startLine = sock.ReceiveUntilMatch(vbCrLf) If (sock.LastMethodSuccess <> 1) Then Debug.Print sock.LastErrorText Exit Sub End If ' Read the request header. Dim requestHeader As String requestHeader = sock.ReceiveUntilMatch(vbCrLf & vbCrLf) If (sock.LastMethodSuccess <> 1) Then Debug.Print sock.LastErrorText Exit Sub End If Debug.Print requestHeader Debug.Print "----" ' Read the body. ' The body will contain "id_token= eyJ......" Dim sbRequestBody As New ChilkatStringBuilder success = sock.ReceiveSb(sbRequestBody) If (success = 0) Then Debug.Print sock.LastErrorText Exit Sub End If Debug.Print sbRequestBody.GetAsString() ' Given that we're acting as a web server, we must send a response.. ' We can now send our HTTP response. Dim sbResponseHtml As New ChilkatStringBuilder success = sbResponseHtml.Append("<html><body><p>Thank you!</b></body</html>") Dim sbResponse As New ChilkatStringBuilder success = sbResponse.Append("HTTP/1.1 200 OK" & vbCrLf) success = sbResponse.Append("Content-Length: ") success = sbResponse.AppendInt(sbResponseHtml.Length) success = sbResponse.Append(vbCrLf) success = sbResponse.Append("Content-Type: text/html" & vbCrLf) success = sbResponse.Append(vbCrLf) success = sbResponse.AppendSb(sbResponseHtml) success = sock.SendString(sbResponse.GetAsString()) success = sock.Close(50) ' Get the id_token from the sbRequestBody that we just received. ' (Remember, we're acting as the web server, thus we received the redirect request..) Dim hashTab As New ChilkatHashtable success = hashTab.AddQueryParams(sbRequestBody.GetAsString()) ' See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token ' for more information about ID tokens.. Dim idToken As String idToken = hashTab.LookupStr("id_token") Dim jwt As New ChilkatJwt ' Let's see if the time constraints, if any, are valid. ' The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour. ' If the current system time is before the "nbf" time, or after the "exp" time, ' then IsTimeValid will return false/0. ' Also, we'll allow a leeway of 60 seconds to account for any clock skew. ' Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true. Dim leeway As Long leeway = 60 Dim bTimeValid As Long bTimeValid = jwt.IsTimeValid(idToken,leeway) Debug.Print "time constraints valid: " & bTimeValid ' Now let's recover the original claims JSON (the payload). Dim payload As String payload = jwt.GetPayload(idToken) ' The payload will likely be in compact form: Debug.Print payload ' We can format for human viewing by loading it into Chilkat's JSON object ' and emit. Dim json As New ChilkatJsonObject success = json.Load(payload) json.EmitCompact = 0 Debug.Print json.Emit() ' Sample output: ' { ' "aud": "f125d695-c50e-456e-a579-a486f06d1213", ' "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0", ' "iat": 1626535322, ' "nbf": 1626535322, ' "exp": 1626539222, ' "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd", ' "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/", ' "nonce": "1519043321", ' "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.", ' "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM", ' "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd", ' "uti": "-BXGHxvfREW-r9HI5NBiAA", ' "ver": "2.0" ' } ' We can recover the original JOSE header in the same way: Dim joseHeader As String joseHeader = jwt.GetHeader(idToken) ' The payload will likely be in compact form: Debug.Print joseHeader ' We can format for human viewing by loading it into Chilkat's JSON object ' and emit. Dim jsonJoseHeader As New ChilkatJsonObject success = jsonJoseHeader.Load(joseHeader) jsonJoseHeader.EmitCompact = 0 Debug.Print jsonJoseHeader.Emit() ' Sample output: ' { ' "typ": "JWT", ' "alg": "RS256", ' "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg" ' } ' Finally, we need to fetch the JSON Web Key Sets from the jwks_uri ' and use it to verify the id_token's RSA signature. Dim sbJwks As New ChilkatStringBuilder Dim http As New ChilkatHttp success = http.QuickGetSb(jwks_uri,sbJwks) If (success = 0) Then Debug.Print http.LastErrorText Exit Sub End If Dim jwkset As New ChilkatJsonObject success = jwkset.LoadSb(sbJwks) jwkset.EmitCompact = 0 Debug.Print jwkset.Emit() ' A sample jwkset: ' { ' "keys": [ ' { ' "kty": "RSA", ' "use": "sig", ' "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg", ' "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg", ' "n": "oaLLT9hkcSj ... NVrZdUdTBQ", ' "e": "AQAB", ' "x5c": [ ' "MIIDBTC ... MRku44Dw7R" ' ], ' "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" ' }, ' { ' "kty": "RSA", ' "use": "sig", ' "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680", ' "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680", ' "n": "sfsXMXW ... AYkwb6xUQ", ' "e": "AQAB", ' "x5c": [ ' "MIIDBTCCA ... BWrh+/vJ" ' ], ' "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" ' }, ' { ' "kty": "RSA", ' "use": "sig", ' "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc", ' "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc", ' "n": "1n7-nWSL ... V3pFWhQ", ' "e": "AQAB", ' "x5c": [ ' "MIIC8TC ... 9pIcnkPQ==" ' ], ' "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" ' }, ' { ' "kty": "RSA", ' "use": "sig", ' "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo", ' "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo", ' "n": "01re9a2BU ... 5OzQ6Q", ' "e": "AQAB", ' "x5c": [ ' "MIIC8TC ... YmwJ6sDdRvQ==" ' ], ' "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0" ' } ' ] ' } ' We should have an RSA key with kid matching the kid from the joseHeader.. Dim kid As String kid = jsonJoseHeader.StringOf("kid") ' Find the RSA key with the specified key id Dim jwk As ChilkatJsonObject Set jwk = jwkset.FindRecord("keys","kid",kid,1) If (jwkset.LastMethodSuccess = 0) Then Debug.Print "Failed to find a matching RSA key in the JWK key set..." Exit Sub End If Dim verified As Long Dim pubkey As New PublicKey success = pubkey.LoadFromString(jwk.Emit()) If (success = 0) Then Debug.Print pubkey.LastErrorText Debug.Print jwk.Emit() Else verified = jwt.VerifyJwtPk(idToken,pubkey) Debug.Print "Verified: " & verified End If |
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.