Sample code for 30+ languages & platforms
AutoIt

Azure OpenID Connect Step 2 -- Get id_token and Validate

See more OIDC Examples

After getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it..

Chilkat AutoIt Downloads

AutoIt
Local $bSuccess = False

; This example requires the Chilkat API to have been previously unlocked.
; See Global Unlock Sample for sample code.

; In our previous example (Azure Fetch OpenID Connect metadata document) we fetched
; the OpenID configuration document which is JSON which contains an entry for authorization_endpoint.

Local $sAuthorization_endpoint = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

; The OpenID Connect metadata document also contained a jwks_uri entry.  This is the JSON Web Key Set (JWKS),
; which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token)
; issued by the authorization server and signed using the RS256 signing algorithm. 
Local $sJwks_uri = "https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys"

; We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat).
; The following code will form the URL that is to be programmatically loaded and sent in a browser.

; GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
; client_id=6731de76-14a6-49ae-97bc-6eba6914391e
; &response_type=id_token
; &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
; &response_mode=form_post
; &scope=openid
; &state=12345
; &nonce=678910

; Use this object to set params and then get the URL-encoded query params string 
$oReq = ObjCreate("Chilkat.HttpRequest")
$oReq.AddParam "client_id","{client_id}"
$oReq.AddParam "response_type","id_token"
$oReq.AddParam "redirect_uri","http://localhost:3017/"
$oReq.AddParam "response_mode","form_post"
$oReq.AddParam "scope","openid"
$oPrng = ObjCreate("Chilkat.Prng")
$oReq.AddParam "state",$oPrng.GenRandom(3,"decimal")
$oReq.AddParam "nonce",$oPrng.GenRandom(4,"decimal")

Local $sEncodedParams = $oReq.GetUrlEncodedParams()
ConsoleWrite($sEncodedParams & @CRLF)

; Sample URL encoded params:
; client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474

; This is the URL to be programmatically loaded and sent in an interactive web browser..
$oSbUrl = ObjCreate("Chilkat.StringBuilder")
$oSbUrl.Append($sAuthorization_endpoint)
$oSbUrl.Append("?")
$oSbUrl.Append($sEncodedParams)
Local $sUrl = $oSbUrl.GetAsString()

; Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback..

$oListenSock = ObjCreate("Chilkat.Socket")

; This is the connection received from the browser.
$oBrowserSock = ObjCreate("Chilkat.Socket")

; Listen at the port indicated by the redirect_uri above.
Local $iBackLog = 5
$bSuccess = $oListenSock.BindAndListen(3017,$iBackLog)
If ($bSuccess = False) Then
    ConsoleWrite($oListenSock.LastErrorText & @CRLF)
    Exit
EndIf

; Wait for the browser's connection in a background thread.
; (We'll send load the URL into the browser following this..)
; Wait a max of 60 seconds before giving up.
Local $iMaxWaitMs = 30000
Local $oTask = $oListenSock.AcceptNextAsync($iMaxWaitMs,$oBrowserSock)
$oTask.Run()

; -------------------------------------------------------------------
; At this point, your application should load the URL in a browser.
$oOauth2 = ObjCreate("Chilkat.OAuth2")
$bSuccess = $oOauth2.LaunchBrowser($sUrl)
If ($bSuccess = False) Then
    ConsoleWrite($oOauth2.LastErrorText & @CRLF)
    Exit
EndIf

; -------------------------------------------------------------------

; Wait for the listenSock's task to complete.
$bSuccess = $oTask.Wait($iMaxWaitMs)
If (Not $bSuccess Or ($oTask.StatusInt <> 7) Or ($oTask.TaskSuccess <> True)) Then
    If (Not $bSuccess) Then
        ; The task.LastErrorText applies to the Wait method call.
        ConsoleWrite($oTask.LastErrorText & @CRLF)
    Else
        ; The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection)
        ConsoleWrite($oTask.Status & @CRLF)
        ConsoleWrite($oTask.ResultErrorText & @CRLF)
    EndIf

    Exit
EndIf

; If we get to this point, a connection on listenSock was accepted, and the redirected POST
; is waiting to be read on the connected socket.
; The POST we are going to read contains the following:

; POST /myapp/ HTTP/1.1
; Host: localhost
; Content-Type: application/x-www-form-urlencoded
; 
; id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345

; But first.. we no longer need the listen socket...
; Stop listening on port 3017.
$oListenSock.Close(10)

; We're acting as a temporary web server to receive this one redirected HTTP request..
; Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1")
Local $startLine = $oBrowserSock.ReceiveUntilMatch(@CRLF)
If ($oBrowserSock.LastMethodSuccess = False) Then
    ConsoleWrite($oBrowserSock.LastErrorText & @CRLF)
    Exit
EndIf

; Read the request header.
Local $sRequestHeader = $oBrowserSock.ReceiveUntilMatch(@CRLF & @CRLF)
If ($oBrowserSock.LastMethodSuccess = False) Then
    ConsoleWrite($oBrowserSock.LastErrorText & @CRLF)
    Exit
EndIf

ConsoleWrite($sRequestHeader & @CRLF)
ConsoleWrite("----" & @CRLF)

; Read the body.
; The body will contain "id_token= eyJ......"
$oSbRequestBody = ObjCreate("Chilkat.StringBuilder")
$bSuccess = $oBrowserSock.ReceiveSb($oSbRequestBody)
If ($bSuccess = False) Then
    ConsoleWrite($oBrowserSock.LastErrorText & @CRLF)
    Exit
EndIf

ConsoleWrite($oSbRequestBody.GetAsString() & @CRLF)

; Given that we're acting as a web server, we must send a response..
; We can now send our HTTP response.
$oSbResponseHtml = ObjCreate("Chilkat.StringBuilder")
$oSbResponseHtml.Append("<html><body><p>Thank you!</b></body</html>")

$oSbResponse = ObjCreate("Chilkat.StringBuilder")
$oSbResponse.Append("HTTP/1.1 200 OK" & @CRLF)
$oSbResponse.Append("Content-Length: ")
$oSbResponse.AppendInt($oSbResponseHtml.Length)
$oSbResponse.Append(@CRLF)
$oSbResponse.Append("Content-Type: text/html" & @CRLF)
$oSbResponse.Append(@CRLF)
$oSbResponse.AppendSb($oSbResponseHtml)

$oBrowserSock.SendString($oSbResponse.GetAsString())
$oBrowserSock.Close(50)

; Get the id_token from the sbRequestBody that we just received.
; (Remember, we're acting as the web server, thus we received the redirect request..)
$oHashTab = ObjCreate("Chilkat.Hashtable")
$oHashTab.AddQueryParams($oSbRequestBody.GetAsString())

; See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token
; for more information about ID tokens..
Local $sIdToken = $oHashTab.LookupStr("id_token")

$oJwt = ObjCreate("Chilkat.Jwt")

; Let's see if the time constraints, if any, are valid.
; The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour.
; If the current system time is before the "nbf" time, or after the "exp" time,
; then IsTimeValid will return false/0.
; Also, we'll allow a leeway of 60 seconds to account for any clock skew.
; Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true.
Local $iLeeway = 60
Local $bTimeValid = $oJwt.IsTimeValid($sIdToken,$iLeeway)
ConsoleWrite("time constraints valid: " & $bTimeValid & @CRLF)

; Now let's recover the original claims JSON (the payload).
Local $sPayload = $oJwt.GetPayload($sIdToken)
; The payload will likely be in compact form:
ConsoleWrite($sPayload & @CRLF)

; We can format for human viewing by loading it into Chilkat's JSON object
; and emit.
$oJson = ObjCreate("Chilkat.JsonObject")
$bSuccess = $oJson.Load($sPayload)
$oJson.EmitCompact = False
ConsoleWrite($oJson.Emit() & @CRLF)

; Sample output:

; {
;   "aud": "f125d695-c50e-456e-a579-a486f06d1213",
;   "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0",
;   "iat": 1626535322,
;   "nbf": 1626535322,
;   "exp": 1626539222,
;   "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd",
;   "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/",
;   "nonce": "1519043321",
;   "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.",
;   "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM",
;   "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd",
;   "uti": "-BXGHxvfREW-r9HI5NBiAA",
;   "ver": "2.0"
; }

; We can recover the original JOSE header in the same way:
Local $sJoseHeader = $oJwt.GetHeader($sIdToken)
; The payload will likely be in compact form:
ConsoleWrite($sJoseHeader & @CRLF)

; We can format for human viewing by loading it into Chilkat's JSON object
; and emit.
$oJsonJoseHeader = ObjCreate("Chilkat.JsonObject")
$bSuccess = $oJsonJoseHeader.Load($sJoseHeader)
$oJsonJoseHeader.EmitCompact = False
ConsoleWrite($oJsonJoseHeader.Emit() & @CRLF)

; Sample output:

; {
;   "typ": "JWT",
;   "alg": "RS256",
;   "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
; }

; Finally, we need to fetch the JSON Web Key Sets from the jwks_uri
; and use it to verify the id_token's RSA signature.
$oSbJwks = ObjCreate("Chilkat.StringBuilder")
$oHttp = ObjCreate("Chilkat.Http")
$bSuccess = $oHttp.QuickGetSb($sJwks_uri,$oSbJwks)
If ($bSuccess = False) Then
    ConsoleWrite($oHttp.LastErrorText & @CRLF)
    Exit
EndIf

$oJwkset = ObjCreate("Chilkat.JsonObject")
$bSuccess = $oJwkset.LoadSb($oSbJwks)
$oJwkset.EmitCompact = False
ConsoleWrite($oJwkset.Emit() & @CRLF)

; A sample jwkset:

; {
;   "keys": [
;     {
;       "kty": "RSA",
;       "use": "sig",
;       "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
;       "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
;       "n": "oaLLT9hkcSj ... NVrZdUdTBQ",
;       "e": "AQAB",
;       "x5c": [
;         "MIIDBTC ... MRku44Dw7R"
;       ],
;       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
;     },
;     {
;       "kty": "RSA",
;       "use": "sig",
;       "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680",
;       "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680",
;       "n": "sfsXMXW ... AYkwb6xUQ",
;       "e": "AQAB",
;       "x5c": [
;         "MIIDBTCCA ... BWrh+/vJ"
;       ],
;       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
;     },
;     {
;       "kty": "RSA",
;       "use": "sig",
;       "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
;       "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
;       "n": "1n7-nWSL ... V3pFWhQ",
;       "e": "AQAB",
;       "x5c": [
;         "MIIC8TC ... 9pIcnkPQ=="
;       ],
;       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
;     },
;     {
;       "kty": "RSA",
;       "use": "sig",
;       "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
;       "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
;       "n": "01re9a2BU ... 5OzQ6Q",
;       "e": "AQAB",
;       "x5c": [
;         "MIIC8TC ... YmwJ6sDdRvQ=="
;       ],
;       "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
;     }
;   ]
; }

; We should have an RSA key with kid matching the kid from the joseHeader..
Local $sKid = $oJsonJoseHeader.StringOf("kid")

; Find the RSA key with the specified key id
Local $oJwk = $oJwkset.FindRecord("keys","kid",$sKid,True)
If ($oJwkset.LastMethodSuccess = False) Then
    ConsoleWrite("Failed to find a matching RSA key in the JWK key set..." & @CRLF)
    Exit
EndIf

Local $bVerified
$oPubkey = ObjCreate("Chilkat.PublicKey")

$bSuccess = $oPubkey.LoadFromString($oJwk.Emit())
If ($bSuccess = False) Then
    ConsoleWrite($oPubkey.LastErrorText & @CRLF)
    ConsoleWrite($oJwk.Emit() & @CRLF)
Else
    $bVerified = $oJwt.VerifyJwtPk($sIdToken,$oPubkey)
    ConsoleWrite("Verified: " & $bVerified & @CRLF)
EndIf