Sample code for 30+ languages & platforms
Pascal (Lazarus/Delphi)

Azure OpenID Connect Step 2 -- Get id_token and Validate

See more OIDC Examples

After getting the endpoints by querying the Azure's OIDC well-known discovery document (OpenID Configuration document), we use the authorization_endpoint to get the id_token, and then validate it..

Chilkat Pascal (Lazarus/Delphi) Downloads

Pascal (Lazarus/Delphi)
program ChilkatDemo;

// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}

uses
  {$IFDEF UNIX}
  cthreads,
  {$ENDIF}
  SysUtils,
  CkDllLoader,
  Chilkat.Http,
  Chilkat.Jwt,
  Chilkat.Hashtable,
  Chilkat.Prng,
  Chilkat.Socket,
  Chilkat.OAuth2,
  Chilkat.StringBuilder,
  Chilkat.JsonObject,
  Chilkat.PublicKey,
  Chilkat.HttpRequest,
  Chilkat.Task;

// ---------------------------------------------------------------------------

procedure RunDemo;
var
  success: Boolean;
  authorization_endpoint: string;
  jwks_uri: string;
  req: THttpRequest;
  prng: TPrng;
  encodedParams: string;
  sbUrl: TStringBuilder;
  url: string;
  listenSock: TSocket;
  browserSock: TSocket;
  backLog: Integer;
  maxWaitMs: Integer;
  task: TTask;
  oauth2: TOAuth2;
  startLine: string;
  requestHeader: string;
  sbRequestBody: TStringBuilder;
  sbResponseHtml: TStringBuilder;
  sbResponse: TStringBuilder;
  hashTab: THashtable;
  idToken: string;
  jwt: TJwt;
  leeway: Integer;
  bTimeValid: Boolean;
  payload: string;
  json: TJsonObject;
  joseHeader: string;
  jsonJoseHeader: TJsonObject;
  sbJwks: TStringBuilder;
  http: THttp;
  jwkset: TJsonObject;
  kid: string;
  jwk: TJsonObject;
  verified: Boolean;
  pubkey: TPublicKey;

begin
  success := False;

  //  This example requires the Chilkat API to have been previously unlocked.
  //  See Global Unlock Sample for sample code.

  //  In our previous example (Azure Fetch OpenID Connect metadata document) we fetched
  //  the OpenID configuration document which is JSON which contains an entry for authorization_endpoint.

  authorization_endpoint := 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize';

  //  The OpenID Connect metadata document also contained a jwks_uri entry.  This is the JSON Web Key Set (JWKS),
  //  which is a set of keys containing the public keys used to verify any JSON Web Token (JWT) (in this case the id_token)
  //  issued by the authorization server and signed using the RS256 signing algorithm. 
  jwks_uri := 'https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys';

  //  We're going to send the following GET request, but it will be sent through an interactive web browser (not by Chilkat).
  //  The following code will form the URL that is to be programmatically loaded and sent in a browser.

  //  GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
  //  client_id=6731de76-14a6-49ae-97bc-6eba6914391e
  //  &response_type=id_token
  //  &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
  //  &response_mode=form_post
  //  &scope=openid
  //  &state=12345
  //  &nonce=678910

  //  Use this object to set params and then get the URL-encoded query params string 
  req := THttpRequest.Create;
  req.AddParam('client_id','{client_id}');
  req.AddParam('response_type','id_token');
  req.AddParam('redirect_uri','http://localhost:3017/');
  req.AddParam('response_mode','form_post');
  req.AddParam('scope','openid');
  prng := TPrng.Create;
  req.AddParam('state',prng.GenRandom(3,'decimal'));
  req.AddParam('nonce',prng.GenRandom(4,'decimal'));

  encodedParams := req.GetUrlEncodedParams();
  WriteLn(encodedParams);

  //  Sample URL encoded params:
  //  client_id=6731de76-14a6-49ae-97bc-6eba6914391e&redirect_uri=http%3A%2F%2Flocalhost%3A3017%2F&response_mode=form_post&scope=openid&state=3572902&nonce=57352474

  //  This is the URL to be programmatically loaded and sent in an interactive web browser..
  sbUrl := TStringBuilder.Create;
  sbUrl.Append(authorization_endpoint);
  sbUrl.Append('?');
  sbUrl.Append(encodedParams);
  url := sbUrl.GetAsString();

  //  Before we launch the browser with the contents of sbUrl, create a socket to listen for the eventual callback..

  listenSock := TSocket.Create;

  //  This is the connection received from the browser.
  browserSock := TSocket.Create;

  //  Listen at the port indicated by the redirect_uri above.
  backLog := 5;
  success := listenSock.BindAndListen(3017,backLog);
  if (success = False) then
    begin
      WriteLn(listenSock.LastErrorText);
      Exit;
    end;

  //  Wait for the browser's connection in a background thread.
  //  (We'll send load the URL into the browser following this..)
  //  Wait a max of 60 seconds before giving up.
  maxWaitMs := 30000;
  task := listenSock.AcceptNextAsync(maxWaitMs,browserSock);
  task.Run();

  //  -------------------------------------------------------------------
  //  At this point, your application should load the URL in a browser.
  oauth2 := TOAuth2.Create;
  success := oauth2.LaunchBrowser(url);
  if (success = False) then
    begin
      WriteLn(oauth2.LastErrorText);
      Exit;
    end;
  //  -------------------------------------------------------------------

  //  Wait for the listenSock's task to complete.
  success := task.Wait(maxWaitMs);
  if (not success or (task.StatusInt <> 7) or (task.TaskSuccess <> True)) then
    begin
      if (not success) then
        begin
          //  The task.LastErrorText applies to the Wait method call.
          WriteLn(task.LastErrorText);
        end
      else
        begin
          //  The ResultErrorText applies to the underlying task method call (i.e. the AcceptNextConnection)
          WriteLn(task.Status);
          WriteLn(task.ResultErrorText);
        end;
      task.Free;
      Exit;
    end;

  //  If we get to this point, a connection on listenSock was accepted, and the redirected POST
  //  is waiting to be read on the connected socket.
  //  The POST we are going to read contains the following:

  //  POST /myapp/ HTTP/1.1
  //  Host: localhost
  //  Content-Type: application/x-www-form-urlencoded
  //  
  //  id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNB...&state=12345

  //  But first.. we no longer need the listen socket...
  //  Stop listening on port 3017.
  listenSock.Close(10);

  task.Free;

  //  We're acting as a temporary web server to receive this one redirected HTTP request..
  //  Read the start line of the request.. (i.e. the "POST /myapp/ HTTP/1.1")
  startLine := browserSock.ReceiveUntilMatch(#13#10);
  if (browserSock.LastMethodSuccess = False) then
    begin
      WriteLn(browserSock.LastErrorText);
      Exit;
    end;

  //  Read the request header.
  requestHeader := browserSock.ReceiveUntilMatch(#13#10 + #13#10);
  if (browserSock.LastMethodSuccess = False) then
    begin
      WriteLn(browserSock.LastErrorText);
      Exit;
    end;

  WriteLn(requestHeader);
  WriteLn('----');

  //  Read the body.
  //  The body will contain "id_token= eyJ......"
  sbRequestBody := TStringBuilder.Create;
  success := browserSock.ReceiveSb(sbRequestBody);
  if (success = False) then
    begin
      WriteLn(browserSock.LastErrorText);
      Exit;
    end;

  WriteLn(sbRequestBody.GetAsString());

  //  Given that we're acting as a web server, we must send a response..
  //  We can now send our HTTP response.
  sbResponseHtml := TStringBuilder.Create;
  sbResponseHtml.Append('<html><body><p>Thank you!</b></body</html>');

  sbResponse := TStringBuilder.Create;
  sbResponse.Append('HTTP/1.1 200 OK' + #13#10);
  sbResponse.Append('Content-Length: ');
  sbResponse.AppendInt(sbResponseHtml.Length);
  sbResponse.Append(#13#10);
  sbResponse.Append('Content-Type: text/html' + #13#10);
  sbResponse.Append(#13#10);
  sbResponse.AppendSb(sbResponseHtml);

  browserSock.SendString(sbResponse.GetAsString());
  browserSock.Close(50);

  //  Get the id_token from the sbRequestBody that we just received.
  //  (Remember, we're acting as the web server, thus we received the redirect request..)
  hashTab := THashtable.Create;
  hashTab.AddQueryParams(sbRequestBody.GetAsString());

  //  See https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#validating-an-id-token
  //  for more information about ID tokens..
  idToken := hashTab.LookupStr('id_token');

  jwt := TJwt.Create;

  //  Let's see if the time constraints, if any, are valid.
  //  The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour.
  //  If the current system time is before the "nbf" time, or after the "exp" time,
  //  then IsTimeValid will return false/0.
  //  Also, we'll allow a leeway of 60 seconds to account for any clock skew.
  //  Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true.
  leeway := 60;
  bTimeValid := jwt.IsTimeValid(idToken,leeway);
  WriteLn('time constraints valid: ' + bTimeValid);

  //  Now let's recover the original claims JSON (the payload).
  payload := jwt.GetPayload(idToken);
  //  The payload will likely be in compact form:
  WriteLn(payload);

  //  We can format for human viewing by loading it into Chilkat's JSON object
  //  and emit.
  json := TJsonObject.Create;
  success := json.Load(payload);
  json.EmitCompact := False;
  WriteLn(json.Emit());

  //  Sample output:

  //  {
  //    "aud": "f125d695-c50e-456e-a579-a486f06d1213",
  //    "iss": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0",
  //    "iat": 1626535322,
  //    "nbf": 1626535322,
  //    "exp": 1626539222,
  //    "aio": "AWQAm/8TAAAAHQncmY0VvhgyMIhfleHX3DjsGfmlPM1CopkJ3mPnBUnCxrJ0ubruaACEhwGO7NsoHBhqFEzRzPxOq7MtuGVFsql+qJKZx8vQCszKYEPX9Wb3b5+d5KJTABHCIH48bTFd",
  //    "idp": "https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/",
  //    "nonce": "1519043321",
  //    "rh": "0.ARgAZt2NbdFosEOvXOMbS33VzZXWJfEOxW5FpXmkhvBtEhMYALQ.",
  //    "sub": "RMIZlHJ7hfsJmL8Qq3h6M0nPi4g-HEavnAFgxzaT2KM",
  //    "tid": "6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd",
  //    "uti": "-BXGHxvfREW-r9HI5NBiAA",
  //    "ver": "2.0"
  //  }

  //  We can recover the original JOSE header in the same way:
  joseHeader := jwt.GetHeader(idToken);
  //  The payload will likely be in compact form:
  WriteLn(joseHeader);

  //  We can format for human viewing by loading it into Chilkat's JSON object
  //  and emit.
  jsonJoseHeader := TJsonObject.Create;
  success := jsonJoseHeader.Load(joseHeader);
  jsonJoseHeader.EmitCompact := False;
  WriteLn(jsonJoseHeader.Emit());

  //  Sample output:

  //  {
  //    "typ": "JWT",
  //    "alg": "RS256",
  //    "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
  //  }

  //  Finally, we need to fetch the JSON Web Key Sets from the jwks_uri
  //  and use it to verify the id_token's RSA signature.
  sbJwks := TStringBuilder.Create;
  http := THttp.Create;
  success := http.QuickGetSb(jwks_uri,sbJwks);
  if (success = False) then
    begin
      WriteLn(http.LastErrorText);
      Exit;
    end;

  jwkset := TJsonObject.Create;
  success := jwkset.LoadSb(sbJwks);
  jwkset.EmitCompact := False;
  WriteLn(jwkset.Emit());

  //  A sample jwkset:

  //  {
  //    "keys": [
  //      {
  //        "kty": "RSA",
  //        "use": "sig",
  //        "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
  //        "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
  //        "n": "oaLLT9hkcSj ... NVrZdUdTBQ",
  //        "e": "AQAB",
  //        "x5c": [
  //          "MIIDBTC ... MRku44Dw7R"
  //        ],
  //        "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
  //      },
  //      {
  //        "kty": "RSA",
  //        "use": "sig",
  //        "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680",
  //        "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680",
  //        "n": "sfsXMXW ... AYkwb6xUQ",
  //        "e": "AQAB",
  //        "x5c": [
  //          "MIIDBTCCA ... BWrh+/vJ"
  //        ],
  //        "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
  //      },
  //      {
  //        "kty": "RSA",
  //        "use": "sig",
  //        "kid": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
  //        "x5t": "DqUu8gf-nAgcyjP3-SuplNAXAnc",
  //        "n": "1n7-nWSL ... V3pFWhQ",
  //        "e": "AQAB",
  //        "x5c": [
  //          "MIIC8TC ... 9pIcnkPQ=="
  //        ],
  //        "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
  //      },
  //      {
  //        "kty": "RSA",
  //        "use": "sig",
  //        "kid": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
  //        "x5t": "OzZ5Dbmcso9Qzt2ModGmihg30Bo",
  //        "n": "01re9a2BU ... 5OzQ6Q",
  //        "e": "AQAB",
  //        "x5c": [
  //          "MIIC8TC ... YmwJ6sDdRvQ=="
  //        ],
  //        "issuer": "https://login.microsoftonline.com/6d8ddd66-68d1-43b0-af5c-e31b4b7dd5cd/v2.0"
  //      }
  //    ]
  //  }

  //  We should have an RSA key with kid matching the kid from the joseHeader..
  kid := jsonJoseHeader.StringOf('kid');

  //  Find the RSA key with the specified key id
  jwk := jwkset.FindRecord('keys','kid',kid,True);
  if (jwkset.LastMethodSuccess = False) then
    begin
      WriteLn('Failed to find a matching RSA key in the JWK key set...');
      Exit;
    end;

  pubkey := TPublicKey.Create;

  success := pubkey.LoadFromString(jwk.Emit());
  if (success = False) then
    begin
      WriteLn(pubkey.LastErrorText);
      WriteLn(jwk.Emit());
    end
  else
    begin
      verified := jwt.VerifyJwtPk(idToken,pubkey);
      WriteLn('Verified: ' + verified);
    end;

  jwk.Free;


  req.Free;
  prng.Free;
  sbUrl.Free;
  listenSock.Free;
  browserSock.Free;
  oauth2.Free;
  sbRequestBody.Free;
  sbResponseHtml.Free;
  sbResponse.Free;
  hashTab.Free;
  jwt.Free;
  json.Free;
  jsonJoseHeader.Free;
  sbJwks.Free;
  http.Free;
  jwkset.Free;
  pubkey.Free;

end;

// ---------------------------------------------------------------------------

begin

  try
    RunDemo;
  except
    on E: Exception do
      WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
  end;

  WriteLn;
  {$IFDEF MSWINDOWS}
  WriteLn('Press Enter to exit...');
  ReadLn;
  {$ENDIF}
end.