(VBScript) Azure OpenID Connect Step 2 -- Get id_token and Validate

See more OIDC Examples

After getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it..

For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc

Chilkat ActiveX Downloads ActiveX for 32-bit and 64-bit Windows

Dim fso, outFile
Set fso = CreateObject("Scripting.FileSystemObject")
'Create a Unicode (utf-16) output text file.
Set outFile = fso.CreateTextFile("output.txt", True, True)

' This example requires the Chilkat API to have been previously unlocked.
' See Global Unlock Sample for sample code.

' In our previous example (Azure Fetch OpenID Connect metadata document) we fetched
' the OpenID configuration document which is JSON which contains an entry for authorization_endpoint.

authorization_endpoint = "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/oauth2/v2.0/authorize"

' The OpenID Connect metadata document also contained a jwks_uri entry.  This is the JSON Web Key Set (JWKS),
' which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token)
' issued by the authorization server and signed using the RS256 signing algorithm. 
jwks_uri = "https://login.microsoftonline.com/6d8ddd66-68d1-44b0-af5c-e31b4b7ee5cd/discovery/v2.0/keys"

' We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat).
' The following code will form the URL that is to be programmatically loaded and sent in a browser.

' GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
' client_id=6731de76-14a6-49ae-97bc-6eba6914391e
' &response_type=id_token
' &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
' &response_mode=form_post
' &scope=openid
' &state=12345
' &nonce=678910

' Use this object to set params and then get the URL-encoded query params string 
' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.HttpRequest")
set req = CreateObject("Chilkat.HttpRequest")
req.AddParam "client_id","f125d695-c50e-456e-a579-a486f06d1213"
req.AddParam "response_type","id_token"
req.AddParam "redirect_uri","http://localhost:3017/"
req.AddParam "response_mode","form_post"
req.AddParam "scope","openid"
' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.Prng")
set prng = CreateObject("Chilkat.Prng")
req.AddParam "state",prng.GenRandom(3,"decimal")
req.AddParam "nonce",prng.GenRandom(4,"decimal")

encodedParams = req.GetUrlEncodedParams()
outFile.WriteLine(encodedParams)

' Sample URL encoded params:
' client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474

' This is the URL to be programmatically loaded and sent in an interactive web browser..
' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.StringBuilder")
set sbUrl = CreateObject("Chilkat.StringBuilder")
success = sbUrl.Append(authorization_endpoint)
success = sbUrl.Append("?")
success = sbUrl.Append(encodedParams)
url = sbUrl.GetAsString()

' Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback..

' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.Socket")
set listenSock = CreateObject("Chilkat.Socket")

' Listen at the port indicated by the redirect_uri above.
backLog = 5
success = listenSock.BindAndListen(3017,backLog)
If (success <> 1) Then
    outFile.WriteLine(listenSock.LastErrorText)
    WScript.Quit
End If

' Wait for the browser's connection in a background thread.
' (We'll send load the URL into the browser following this..)
' Wait a max of 60 seconds before giving up.
maxWaitMs = 60000
' task is a Chilkat.Task
Set task = listenSock.AcceptNextConnectionAsync(maxWaitMs)
success = task.Run()

' -------------------------------------------------------------------
' At this point, your application should load the URL in a browser.
' You'll need to add code here to do it..

' For example, 
' in C#: System.Diagnostics.Process.Start(url);
' in Java: Desktop.getDesktop().browse(new URI(url));
' in VBScript: Set wsh=WScript.CreateObject("WScript.Shell")
'              wsh.Run url
' in Xojo: ShowURL(url)  (see http://docs.xojo.com/index.php/ShowURL)
' in Dataflex: Runprogram Background "c:\Program Files\Internet Explorer\iexplore.exe" sUrl        
' The account owner would interactively accept or deny the authorization request.

' Add the code to load the url in a web browser here...
' Add the code to load the url in a web browser here...
' Add the code to load the url in a web browser here...
' System.Diagnostics.Process.Start(url);

' -------------------------------------------------------------------

' Wait for the listenSock's task to complete.
success = task.Wait(maxWaitMs)
If (Not success Or (task.StatusInt <> 7) Or (task.TaskSuccess <> 1)) Then
    If (Not success) Then
        ' The task.LastErrorText applies to the Wait method call.
        outFile.WriteLine(task.LastErrorText)
    Else
        ' The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection)
        outFile.WriteLine(task.Status)
        outFile.WriteLine(task.ResultErrorText)
    End If

    WScript.Quit
End If

' If we get to this point, a connection on listenSock was accepted, and the redirected POST
' is waiting to be read on the connected socket.
' The POST we are going to read contains the following:

' POST /myapp/ HTTP/1.1
' Host: localhost
' Content-Type: application/x-www-form-urlencoded
' 
' id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345

' But first.. we no longer need the listen socket...
' Stop listening on port 3017.
success = listenSock.Close(10)

' Get the connected socket.
' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.Socket")
set sock = CreateObject("Chilkat.Socket")
success = sock.LoadTaskResult(task)

' We're acting as a temporary web server to receive this one redirected HTTP request..
' Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1")
startLine = sock.ReceiveUntilMatch(vbCrLf)
If (sock.LastMethodSuccess <> 1) Then
    outFile.WriteLine(sock.LastErrorText)
    WScript.Quit
End If

' Read the request header.
requestHeader = sock.ReceiveUntilMatch(vbCrLf & vbCrLf)
If (sock.LastMethodSuccess <> 1) Then
    outFile.WriteLine(sock.LastErrorText)
    WScript.Quit
End If

outFile.WriteLine(requestHeader)
outFile.WriteLine("----")

' Read the body.
' The body will contain "id_token= eyJ......"
' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.StringBuilder")
set sbRequestBody = CreateObject("Chilkat.StringBuilder")
success = sock.ReceiveSb(sbRequestBody)
If (success = 0) Then
    outFile.WriteLine(sock.LastErrorText)
    WScript.Quit
End If

outFile.WriteLine(sbRequestBody.GetAsString())

' Given that we're acting as a web server, we must send a response..
' We can now send our HTTP response.
' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.StringBuilder")
set sbResponseHtml = CreateObject("Chilkat.StringBuilder")
success = sbResponseHtml.Append("<html><body><p>Thank you!</b></body</html>")

' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.StringBuilder")
set sbResponse = CreateObject("Chilkat.StringBuilder")
success = sbResponse.Append("HTTP/1.1 200 OK" & vbCrLf)
success = sbResponse.Append("Content-Length: ")
success = sbResponse.AppendInt(sbResponseHtml.Length)
success = sbResponse.Append(vbCrLf)
success = sbResponse.Append("Content-Type: text/html" & vbCrLf)
success = sbResponse.Append(vbCrLf)
success = sbResponse.AppendSb(sbResponseHtml)

success = sock.SendString(sbResponse.GetAsString())
success = sock.Close(50)

' Get the id_token from the sbRequestBody that we just received.
' (Remember, we're acting as the web server, thus we received the redirect request..)
' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.Hashtable")
set hashTab = CreateObject("Chilkat.Hashtable")
success = hashTab.AddQueryParams(sbRequestBody.GetAsString())

' See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token
' for more information about ID tokens..
idToken = hashTab.LookupStr("id_token")

' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.Jwt")
set jwt = CreateObject("Chilkat.Jwt")

' Let's see if the time constraints, if any, are valid.
' The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour.
' If the current system time is before the "nbf" time, or after the "exp" time,
' then IsTimeValid will return false/0.
' Also, we'll allow a leeway of 60 seconds to account for any clock skew.
' Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true.
leeway = 60
bTimeValid = jwt.IsTimeValid(idToken,leeway)
outFile.WriteLine("time constraints valid: " & bTimeValid)

' Now let's recover the original claims JSON (the payload).
payload = jwt.GetPayload(idToken)
' The payload will likely be in compact form:
outFile.WriteLine(payload)

' We can format for human viewing by loading it into Chilkat's JSON object
' and emit.
' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.JsonObject")
set json = CreateObject("Chilkat.JsonObject")
success = json.Load(payload)
json.EmitCompact = 0
outFile.WriteLine(json.Emit())

' Sample output:

' {
'   "aud": "f125d695-c50e-456e-a579-a486f06d1213",
'   "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0",
'   "iat": 1626535322,
'   "nbf": 1626535322,
'   "exp": 1626539222,
'   "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd",
'   "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/",
'   "nonce": "1519043321",
'   "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.",
'   "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM",
'   "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd",
'   "uti": "-BXGHxvfREW-r9HI5NBiAA",
'   "ver": "2.0"
' }

' We can recover the original JOSE header in the same way:
joseHeader = jwt.GetHeader(idToken)
' The payload will likely be in compact form:
outFile.WriteLine(joseHeader)

' We can format for human viewing by loading it into Chilkat's JSON object
' and emit.
' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.JsonObject")
set jsonJoseHeader = CreateObject("Chilkat.JsonObject")
success = jsonJoseHeader.Load(joseHeader)
jsonJoseHeader.EmitCompact = 0
outFile.WriteLine(jsonJoseHeader.Emit())

' Sample output:

' {
'   "typ": "JWT",
'   "alg": "RS256",
'   "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
' }

' Finally, we need to fetch the JSON Web Key Sets from the jwks_uri
' and use it to verify the id_token's RSA signature.
' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.StringBuilder")
set sbJwks = CreateObject("Chilkat.StringBuilder")
' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.Http")
set http = CreateObject("Chilkat.Http")
success = http.QuickGetSb(jwks_uri,sbJwks)
If (success = 0) Then
    outFile.WriteLine(http.LastErrorText)
    WScript.Quit
End If

' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.JsonObject")
set jwkset = CreateObject("Chilkat.JsonObject")
success = jwkset.LoadSb(sbJwks)
jwkset.EmitCompact = 0
outFile.WriteLine(jwkset.Emit())

' A sample jwkset:

' {
'   "keys": [
'     {
'       "kty": "RSA",
'       "use": "sig",
'       "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
'       "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
'       "n": "oaLLT9hkcSj ... NVrZdUdTBQ",
'       "e": "AQAB",
'       "x5c": [
'         "MIIDBTC ... MRku44Dw7R"
'       ],
'       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
'     },
'     {
'       "kty": "RSA",
'       "use": "sig",
'       "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680",
'       "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680",
'       "n": "sfsXMXW ... AYkwb6xUQ",
'       "e": "AQAB",
'       "x5c": [
'         "MIIDBTCCA ... BWrh+/vJ"
'       ],
'       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
'     },
'     {
'       "kty": "RSA",
'       "use": "sig",
'       "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
'       "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
'       "n": "1n7-nWSL ... V3pFWhQ",
'       "e": "AQAB",
'       "x5c": [
'         "MIIC8TC ... 9pIcnkPQ=="
'       ],
'       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
'     },
'     {
'       "kty": "RSA",
'       "use": "sig",
'       "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
'       "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
'       "n": "01re9a2BU ... 5OzQ6Q",
'       "e": "AQAB",
'       "x5c": [
'         "MIIC8TC ... YmwJ6sDdRvQ=="
'       ],
'       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
'     }
'   ]
' }

' We should have an RSA key with kid matching the kid from the joseHeader..
kid = jsonJoseHeader.StringOf("kid")

' Find the RSA key with the specified key id
' jwk is a Chilkat.JsonObject
Set jwk = jwkset.FindRecord("keys","kid",kid,1)
If (jwkset.LastMethodSuccess = 0) Then
    outFile.WriteLine("Failed to find a matching RSA key in the JWK key set...")
    WScript.Quit
End If

' For versions of Chilkat < 10.0.0, use CreateObject("Chilkat_9_5_0.PublicKey")
set pubkey = CreateObject("Chilkat.PublicKey")

success = pubkey.LoadFromString(jwk.Emit())
If (success = 0) Then
    outFile.WriteLine(pubkey.LastErrorText)
    outFile.WriteLine(jwk.Emit())
Else
    verified = jwt.VerifyJwtPk(idToken,pubkey)
    outFile.WriteLine("Verified: " & verified)
End If


outFile.Close