Pascal (Lazarus/Delphi)
Pascal (Lazarus/Delphi)
Azure OpenID Connect Step 2 -- Get id_token and Validate
See more OIDC Examples
After getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it..Chilkat Pascal (Lazarus/Delphi) Downloads
program ChilkatDemo;
// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.
{$IFDEF FPC}
{$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}
uses
{$IFDEF UNIX}
cthreads,
{$ENDIF}
SysUtils,
CkDllLoader,
Chilkat.Http,
Chilkat.Jwt,
Chilkat.Hashtable,
Chilkat.Prng,
Chilkat.Socket,
Chilkat.OAuth2,
Chilkat.StringBuilder,
Chilkat.JsonObject,
Chilkat.PublicKey,
Chilkat.HttpRequest,
Chilkat.Task;
// ---------------------------------------------------------------------------
procedure RunDemo;
var
success: Boolean;
authorization_endpoint: string;
jwks_uri: string;
req: THttpRequest;
prng: TPrng;
encodedParams: string;
sbUrl: TStringBuilder;
url: string;
listenSock: TSocket;
browserSock: TSocket;
backLog: Integer;
maxWaitMs: Integer;
task: TTask;
oauth2: TOAuth2;
startLine: string;
requestHeader: string;
sbRequestBody: TStringBuilder;
sbResponseHtml: TStringBuilder;
sbResponse: TStringBuilder;
hashTab: THashtable;
idToken: string;
jwt: TJwt;
leeway: Integer;
bTimeValid: Boolean;
payload: string;
json: TJsonObject;
joseHeader: string;
jsonJoseHeader: TJsonObject;
sbJwks: TStringBuilder;
http: THttp;
jwkset: TJsonObject;
kid: string;
jwk: TJsonObject;
verified: Boolean;
pubkey: TPublicKey;
begin
success := False;
// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.
// In our previous example (Azure Fetch OpenID Connect metadata document) we fetched
// the OpenID configuration document which is JSON which contains an entry for authorization_endpoint.
authorization_endpoint := 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize';
// The OpenID Connect metadata document also contained a jwks_uri entry. This is the JSON Web Key Set (JWKS),
// which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token)
// issued by the authorization server and signed using the RS256 signing algorithm.
jwks_uri := 'https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys';
// We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat).
// The following code will form the URL that is to be programmatically loaded and sent in a browser.
// GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
// client_id=6731de76-14a6-49ae-97bc-6eba6914391e
// &response_type=id_token
// &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
// &response_mode=form_post
// &scope=openid
// &state=12345
// &nonce=678910
// Use this object to set params and then get the URL-encoded query params string
req := THttpRequest.Create;
req.AddParam('client_id','{client_id}');
req.AddParam('response_type','id_token');
req.AddParam('redirect_uri','http://localhost:3017/');
req.AddParam('response_mode','form_post');
req.AddParam('scope','openid');
prng := TPrng.Create;
req.AddParam('state',prng.GenRandom(3,'decimal'));
req.AddParam('nonce',prng.GenRandom(4,'decimal'));
encodedParams := req.GetUrlEncodedParams();
WriteLn(encodedParams);
// Sample URL encoded params:
// client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474
// This is the URL to be programmatically loaded and sent in an interactive web browser..
sbUrl := TStringBuilder.Create;
sbUrl.Append(authorization_endpoint);
sbUrl.Append('?');
sbUrl.Append(encodedParams);
url := sbUrl.GetAsString();
// Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback..
listenSock := TSocket.Create;
// This is the connection received from the browser.
browserSock := TSocket.Create;
// Listen at the port indicated by the redirect_uri above.
backLog := 5;
success := listenSock.BindAndListen(3017,backLog);
if (success = False) then
begin
WriteLn(listenSock.LastErrorText);
Exit;
end;
// Wait for the browser's connection in a background thread.
// (We'll send load the URL into the browser following this..)
// Wait a max of 60 seconds before giving up.
maxWaitMs := 30000;
task := listenSock.AcceptNextAsync(maxWaitMs,browserSock);
task.Run();
// -------------------------------------------------------------------
// At this point, your application should load the URL in a browser.
oauth2 := TOAuth2.Create;
success := oauth2.LaunchBrowser(url);
if (success = False) then
begin
WriteLn(oauth2.LastErrorText);
Exit;
end;
// -------------------------------------------------------------------
// Wait for the listenSock's task to complete.
success := task.Wait(maxWaitMs);
if (not success or (task.StatusInt <> 7) or (task.TaskSuccess <> True)) then
begin
if (not success) then
begin
// The task.LastErrorText applies to the Wait method call.
WriteLn(task.LastErrorText);
end
else
begin
// The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection)
WriteLn(task.Status);
WriteLn(task.ResultErrorText);
end;
task.Free;
Exit;
end;
// If we get to this point, a connection on listenSock was accepted, and the redirected POST
// is waiting to be read on the connected socket.
// The POST we are going to read contains the following:
// POST /myapp/ HTTP/1.1
// Host: localhost
// Content-Type: application/x-www-form-urlencoded
//
// id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345
// But first.. we no longer need the listen socket...
// Stop listening on port 3017.
listenSock.Close(10);
task.Free;
// We're acting as a temporary web server to receive this one redirected HTTP request..
// Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1")
startLine := browserSock.ReceiveUntilMatch(#13#10);
if (browserSock.LastMethodSuccess = False) then
begin
WriteLn(browserSock.LastErrorText);
Exit;
end;
// Read the request header.
requestHeader := browserSock.ReceiveUntilMatch(#13#10 + #13#10);
if (browserSock.LastMethodSuccess = False) then
begin
WriteLn(browserSock.LastErrorText);
Exit;
end;
WriteLn(requestHeader);
WriteLn('----');
// Read the body.
// The body will contain "id_token= eyJ......"
sbRequestBody := TStringBuilder.Create;
success := browserSock.ReceiveSb(sbRequestBody);
if (success = False) then
begin
WriteLn(browserSock.LastErrorText);
Exit;
end;
WriteLn(sbRequestBody.GetAsString());
// Given that we're acting as a web server, we must send a response..
// We can now send our HTTP response.
sbResponseHtml := TStringBuilder.Create;
sbResponseHtml.Append('<html><body><p>Thank you!</b></body</html>');
sbResponse := TStringBuilder.Create;
sbResponse.Append('HTTP/1.1 200 OK' + #13#10);
sbResponse.Append('Content-Length: ');
sbResponse.AppendInt(sbResponseHtml.Length);
sbResponse.Append(#13#10);
sbResponse.Append('Content-Type: text/html' + #13#10);
sbResponse.Append(#13#10);
sbResponse.AppendSb(sbResponseHtml);
browserSock.SendString(sbResponse.GetAsString());
browserSock.Close(50);
// Get the id_token from the sbRequestBody that we just received.
// (Remember, we're acting as the web server, thus we received the redirect request..)
hashTab := THashtable.Create;
hashTab.AddQueryParams(sbRequestBody.GetAsString());
// See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token
// for more information about ID tokens..
idToken := hashTab.LookupStr('id_token');
jwt := TJwt.Create;
// Let's see if the time constraints, if any, are valid.
// The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour.
// If the current system time is before the "nbf" time, or after the "exp" time,
// then IsTimeValid will return false/0.
// Also, we'll allow a leeway of 60 seconds to account for any clock skew.
// Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true.
leeway := 60;
bTimeValid := jwt.IsTimeValid(idToken,leeway);
WriteLn('time constraints valid: ' + bTimeValid);
// Now let's recover the original claims JSON (the payload).
payload := jwt.GetPayload(idToken);
// The payload will likely be in compact form:
WriteLn(payload);
// We can format for human viewing by loading it into Chilkat's JSON object
// and emit.
json := TJsonObject.Create;
success := json.Load(payload);
json.EmitCompact := False;
WriteLn(json.Emit());
// Sample output:
// {
// "aud": "f125d695-c50e-456e-a579-a486f06d1213",
// "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0",
// "iat": 1626535322,
// "nbf": 1626535322,
// "exp": 1626539222,
// "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd",
// "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/",
// "nonce": "1519043321",
// "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.",
// "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM",
// "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd",
// "uti": "-BXGHxvfREW-r9HI5NBiAA",
// "ver": "2.0"
// }
// We can recover the original JOSE header in the same way:
joseHeader := jwt.GetHeader(idToken);
// The payload will likely be in compact form:
WriteLn(joseHeader);
// We can format for human viewing by loading it into Chilkat's JSON object
// and emit.
jsonJoseHeader := TJsonObject.Create;
success := jsonJoseHeader.Load(joseHeader);
jsonJoseHeader.EmitCompact := False;
WriteLn(jsonJoseHeader.Emit());
// Sample output:
// {
// "typ": "JWT",
// "alg": "RS256",
// "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
// }
// Finally, we need to fetch the JSON Web Key Sets from the jwks_uri
// and use it to verify the id_token's RSA signature.
sbJwks := TStringBuilder.Create;
http := THttp.Create;
success := http.QuickGetSb(jwks_uri,sbJwks);
if (success = False) then
begin
WriteLn(http.LastErrorText);
Exit;
end;
jwkset := TJsonObject.Create;
success := jwkset.LoadSb(sbJwks);
jwkset.EmitCompact := False;
WriteLn(jwkset.Emit());
// A sample jwkset:
// {
// "keys": [
// {
// "kty": "RSA",
// "use": "sig",
// "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
// "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
// "n": "oaLLT9hkcSj ... NVrZdUdTBQ",
// "e": "AQAB",
// "x5c": [
// "MIIDBTC ... MRku44Dw7R"
// ],
// "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
// },
// {
// "kty": "RSA",
// "use": "sig",
// "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680",
// "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680",
// "n": "sfsXMXW ... AYkwb6xUQ",
// "e": "AQAB",
// "x5c": [
// "MIIDBTCCA ... BWrh+/vJ"
// ],
// "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
// },
// {
// "kty": "RSA",
// "use": "sig",
// "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
// "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
// "n": "1n7-nWSL ... V3pFWhQ",
// "e": "AQAB",
// "x5c": [
// "MIIC8TC ... 9pIcnkPQ=="
// ],
// "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
// },
// {
// "kty": "RSA",
// "use": "sig",
// "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
// "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
// "n": "01re9a2BU ... 5OzQ6Q",
// "e": "AQAB",
// "x5c": [
// "MIIC8TC ... YmwJ6sDdRvQ=="
// ],
// "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
// }
// ]
// }
// We should have an RSA key with kid matching the kid from the joseHeader..
kid := jsonJoseHeader.StringOf('kid');
// Find the RSA key with the specified key id
jwk := jwkset.FindRecord('keys','kid',kid,True);
if (jwkset.LastMethodSuccess = False) then
begin
WriteLn('Failed to find a matching RSA key in the JWK key set...');
Exit;
end;
pubkey := TPublicKey.Create;
success := pubkey.LoadFromString(jwk.Emit());
if (success = False) then
begin
WriteLn(pubkey.LastErrorText);
WriteLn(jwk.Emit());
end
else
begin
verified := jwt.VerifyJwtPk(idToken,pubkey);
WriteLn('Verified: ' + verified);
end;
jwk.Free;
req.Free;
prng.Free;
sbUrl.Free;
listenSock.Free;
browserSock.Free;
oauth2.Free;
sbRequestBody.Free;
sbResponseHtml.Free;
sbResponse.Free;
hashTab.Free;
jwt.Free;
json.Free;
jsonJoseHeader.Free;
sbJwks.Free;
http.Free;
jwkset.Free;
pubkey.Free;
end;
// ---------------------------------------------------------------------------
begin
try
RunDemo;
except
on E: Exception do
WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
end;
WriteLn;
{$IFDEF MSWINDOWS}
WriteLn('Press Enter to exit...');
ReadLn;
{$ENDIF}
end.