
Validate a Google ID Token


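Demonstrates how to verify the signature of a Google ID token. A valid signature is only one part of validating the token: the iss, aud and exp claims in the payload must also be checked before the token is trusted.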


Classic ASP
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<%
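success = 0

' This example requires the Chilkat API to have been previously unlocked.
' See Global Unlock Sample for sample code.

set http = Server.CreateObject("Chilkat.Http")

' The keys downloaded below are the trust anchor for the whole check: whoever
' controls this response decides which signatures are accepted. Require the
' server certificate to be verified explicitly instead of relying on the
' library default.
http.RequireSslCertVerify = 1

' Fetch Google's current signing keys (a JWK Set) from the fixed https endpoint.
jwkStr = http.QuickGetStr("https://www.googleapis.com/oauth2/v3/certs")
If (http.LastMethodSuccess = 0) Then
    Response.Write "<pre>" & Server.HTMLEncode( http.LastErrorText) & "</pre>"
    Response.End
End If

' We have the following:

'     {
'       "keys": [
' 	{
' 	  "kid": "e8732db06287515556213b80acbcfd08cfb302a9",
' 	  "n": "4RIrO30287Wsq3gqXCMkUYMVAeI3H8...w2mbMNEBQ",
' 	  "kty": "RSA",
' 	  "e": "AQAB",
' 	  "alg": "RS256",
' 	  "use": "sig"
' 	},
' 	{
' 	  "kid": "8462a71da4f6d611fc0fecf0fc4ba9c37d65e6cd",
' 	  "e": "AQAB",
' 	  "n": "xT_ngLZNmT5GBtJZeTB...Ft4gK0eoFi0d3l8bcw",
' 	  "alg": "RS256",
' 	  "use": "sig",
' 	  "kty": "RSA"
' 	}
' 	      ]
'     }

set json = Server.CreateObject("Chilkat.JsonObject")
success = json.Load(jwkStr)
If (success = 0) Then
    ' Stop here when the key set does not parse; continuing would leave the
    ' verification loop with nothing to check and no visible failure.
    Response.Write "<pre>" & Server.HTMLEncode( json.LastErrorText) & "</pre>"
    Response.End
End If

' A key set without a usable "keys" array cannot verify anything.
If (json.SizeOfArray("keys") < 1) Then
    Response.Write "<pre>" & Server.HTMLEncode( "The downloaded key set contains no keys.") & "</pre>"
    Response.End
End If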

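' -------------------------------------------------

' Load the following..

'  {
'   "access_token": "ya29.a0...0f",
'   "expires_in": 3599,
'   "scope": "openid https://www.googleapis.com/auth/userinfo.email",
'   "token_type": "Bearer",
'   "id_token": "eyJhb...o5nQ"
' }

set jsonToken = Server.CreateObject("Chilkat.JsonObject")
success = jsonToken.LoadFile("qa_data/tokens/google_sample_id_token.json")
If (success = 0) Then
    Response.Write "<pre>" & Server.HTMLEncode( "Failed to load the JSON file...") & "</pre>"
    Response.End
End If

' Get the id_token. The "" & coerces the value to a string so that a missing
' member cannot reach Split() as a non-string value.
idToken = "" & jsonToken.StringOf("id_token")

' A signed JWT in compact form is header.payload.signature, i.e. exactly three
' dot-separated parts. Reject anything else before splitting it.
If (UBound(Split(idToken, ".")) <> 2) Then
    Response.Write "<pre>" & Server.HTMLEncode( "The id_token is missing or is not a three-part JWT.") & "</pre>"
    Response.End
End If

set sbIdToken = Server.CreateObject("Chilkat.StringBuilder")
success = sbIdToken.Append(idToken)

' Get the signature in base64url format.
' The second argument (1) removes the final "." and the signature from
' sbIdToken, so the header + payload (the signed data) remains in sbIdToken.
sig_b64Url = sbIdToken.GetAfterFinal(".",1)
headerPlusPayload = sbIdToken.GetAsString()

' Demo output only: the payload segment is merely base64url-encoded, so this
' writes the token's claims into the page. Do not echo tokens in a real page.
Response.Write "<pre>" & Server.HTMLEncode( sig_b64Url) & "</pre>"
Response.Write "<pre>" & Server.HTMLEncode( headerPlusPayload) & "</pre>"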

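' ---------------------------------------------

' Try the signature against each published key and record whether any of them
' verifies it. The algorithm is fixed here (RSA with SHA-256, i.e. RS256) and
' is deliberately not taken from the token's own header.
' NOTE(review): a production verifier would normally read "kid" from the token
' header and use only the key with that "kid" instead of trying every key.

set rsa = Server.CreateObject("Chilkat.Rsa")
rsa.EncodingMode = "base64url"

set jsonKey = Server.CreateObject("Chilkat.JsonObject")
set pubKey = Server.CreateObject("Chilkat.PublicKey")

' Stays 0 unless a key verifies the signature (fail closed).
tokenVerified = 0

numKeys = json.SizeOfArray("keys")
i = 0
Do While i < numKeys
    json.I = i

    success = json.ObjectOf2("keys[i]",jsonKey)
    If (success = 0) Then
        Response.Write "<pre>" & Server.HTMLEncode( json.LastErrorText) & "</pre>"
        Response.End
    End If

    success = pubKey.LoadFromString(jsonKey.Emit())
    If (success = 0) Then
        Response.Write "<pre>" & Server.HTMLEncode( pubKey.LastErrorText) & "</pre>"
        Response.End
    End If

    Response.Write "<pre>" & Server.HTMLEncode( i) & "</pre>"
    Response.Write "<pre>" & Server.HTMLEncode( pubKey.GetPem(1)) & "</pre>"

    ' If the key cannot be installed, stop: otherwise the check below could run
    ' with the key from the previous iteration and be reported against this one.
    success = rsa.UsePublicKey(pubKey)
    If (success = 0) Then
        Response.Write "<pre>" & Server.HTMLEncode( rsa.LastErrorText) & "</pre>"
        Response.End
    End If

    bVerified = rsa.VerifyStringENC(headerPlusPayload,"sha256",sig_b64Url)
    Response.Write "<pre>" & Server.HTMLEncode( "bVerified = " & bVerified) & "</pre>"

    If (bVerified <> 0) Then
        tokenVerified = 1
    End If

    i = i + 1
Loop

' No key verified the signature: the token is not authentic.
If (tokenVerified = 0) Then
    Response.Write "<pre>" & Server.HTMLEncode( "No published key verified the signature; the token must be rejected.") & "</pre>"
    Response.End
End If

' Reaching this point proves only that the token was signed with one of the
' downloaded keys. Before trusting its contents, also check the payload claims:
' iss is Google's issuer, aud is this application's client ID, exp is in the future.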

' The output is:

' 0
' -----BEGIN RSA PUBLIC KEY-----
' MIIBCgKCAQEA4RIrO30287Wsq3gqXCMkUYMVAeI3H8LVE6IXR1krdFeGnZLiGUPw
' cbkeVpXf3lmJdsStOg+jijces2DZCfPyIBiQuLYfxxmAZE6ErJ0QJFg1stwli2Pz
' 9ncYhFoqi8pXr7kEzEJBTzX4thuw56ydbGsshSEznPXoerCJOc7UI2+n0wFCWQ4Y
' LHbh/PrWt4vdadyUUUW/QpQHXQLdD8q/Qwqdj0O9zlJE7R6Elw2E9EqnHyIGu1hm
' LxhqrTru1M18SUhONYbVskV/BCEdVKs//X96849HorWQDCAgVMWfGsdMVq55FAdJ
' 680N5UmQDRynIZ4+PeNGN4S9iw2mbMNEBQIDAQAB
' -----END RSA PUBLIC KEY-----
' 
' bVerified = True
' 1
' -----BEGIN RSA PUBLIC KEY-----
' MIIBCgKCAQEAxT/ngLZNmT5GBdkLtJZjNeTB+8B5yWgrq/e5eMZ1hrZhcmLK+dSn
' IkpOPV8/OekV67EnQ7I4II2rcNJnHGrGKZziXO3XN2gtUHE+mBJC99oULSbX/QwB
' Kz7gC/IBPq9EuxTt6Oq6fPkVQ9DbRIgWJSEGBF/KRaNl3kyAlIZfpY7XgHyJTTv8
' E7yAcYKPR+36gzdl+ps0sDLKzUuAtZNq8llK0u80z6AtAUIYwWdkEhM9upy6keKI
' TasIxcsO7M6kZPINUSbh6t5VAm8FuqRmxpgg+9c9/GQSGd89InVypoVzWLQ+wOGg
' 5G4H6JqIgtj0TRFt4gK0eoFi2U0d3l8bcwIDAQAB
' -----END RSA PUBLIC KEY-----
' 
' bVerified = False

%>
</body>
</html>