Sample code for 30+ languages & platforms
Pascal (Lazarus/Delphi)

Verify a Google JWT Using Google's Public Key

See more Google APIs Examples

Demonstrates how to verify a JWT that was signed using Google's RSA private key.

This example verifies the RSA signature. It also does the following:

  • Checks to see if the time constraints ("nbf" and "exp") are valid.
  • Recovers the original JOSE header.
  • Recovers the original claims JSON.

Chilkat Pascal (Lazarus/Delphi) Downloads

Pascal (Lazarus/Delphi)
program ChilkatDemo;

// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}

uses
  {$IFDEF UNIX}
  cthreads,
  {$ENDIF}
  SysUtils,
  CkDllLoader,
  Chilkat.Http,
  Chilkat.StringBuilder,
  Chilkat.PublicKey,
  Chilkat.Jwt,
  Chilkat.JsonObject;

// ---------------------------------------------------------------------------

procedure RunDemo;
var
  success: Boolean;
  http: THttp;
  sbPubKeys: TStringBuilder;
  token: string;
  jwt: TJwt;
  header: string;
  json: TJsonObject;
  kid: string;
  jsonPubKeys: TJsonObject;
  jsonKey: TJsonObject;
  pubKey: TPublicKey;

begin
  success := False;

  //  This example assumes the Chilkat API to have been previously unlocked.
  //  See Global Unlock Sample for sample code.

  http := THttp.Create;
  sbPubKeys := TStringBuilder.Create;

  success := http.QuickGetSb('https://www.googleapis.com/oauth2/v3/certs',sbPubKeys);
  if (success = False) then
    begin
      WriteLn(http.LastErrorText);
      Exit;
    end;

  WriteLn(sbPubKeys.GetAsString());

  //  Here are the keys:

  //  {
  //    "keys": [
  //      {
  //        "e": "AQAB",
  //        "n": "4bAT6C6EeX8Dspje3FrAXw-nnhNk04e1RmNa4kjc0CHf6Pk7ryARlwA-6YilyPABqQfYHx60s8oSnxvUVprFfQ2-Q8aAZO7bPKSxnoGlcKERL2oLNA4Msvc89N9Y5ycThZUplf_QC19e6jyYXN6Nz-UnJSCLrtQY8tVhhVRs61j4A2N_p-enAi-r704Qi1-v-DKV4eVRkClKViploo8NyjUaT9L4vbBssPCjyimJzsWnEe1fED5c4LnHeArYzA_FEn3JJotqDIz9t2VnvZNTMhizHEX4VnORlEWMEfR8n4CEHQx7PcQUOmfqyw08gWeXQl1-uTjtIGaE-sRIv9u_vQ",
  //        "kty": "RSA",
  //        "use": "sig",
  //        "alg": "RS256",
  //        "kid": "2af90e87be140c20038898a6efa11283dab6031d"
  //      },
  //      {
  //        "n": "nzGsrziOYrMVYMpvUZOwkKNiPWcOPTYRYlDSdRW4UpAHdWPbPlyqaaphYhoMB5DXrVxI3bdvm7DOlo-sHNnulmAFQa-7TsQMxrZCvVdAbyXGID9DZYEqf8mkCV1Ohv7WY5lDUqlybIk1OSHdK7-1et0QS8nn-5LojGg8FK4ssLf3mV1APpujl27D1bDhyRb1MGumXYElwlUms7F9p9OcSp5pTevXCLmXs9MJJk4o9E1zzPpQ9Ko0lH9l_UqFpA7vwQhnw0nbh73rXOX2TUDCUqL4ThKU5Z9Pd-eZCEOatKe0mJTpQ00XGACBME_6ojCdfNIJr84Y_IpGKvkAEksn9w",
  //        "use": "sig",
  //        "kid": "87bbe0815b064e6d449cac999f0e50e72a3e4374",
  //        "e": "AQAB",
  //        "alg": "RS256",
  //        "kty": "RSA"
  //      }
  //    ]
  //  }

  //  -------------------------------------------------------------------------------------------
  //  Replace this with your actual token.
  //  This sample token contains a kid that does not match any of the above Google public keys.
  //  -------------------------------------------------------------------------------------------
  token := 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjQyZmY5MGQ3ZDM0OGM5NzM4MWE3YzExOWVmMWY1MzI0ZWEzZjViZWIifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJzdWIiOiIxMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExIiwiaWF0IjoxNjExMTE1MTQzLCJleHAiOjE2MTEyMDE1NDMsImF1ZCI6IjQyOTc1NzExNTE0ODg0OSJ9.pLem5i0bx3M7lJYj7jKv2Nq7c07X5YpZz-x1uM5RniW-v4LsX-lKIVvOq2x3-WoPqkzLXJfP0kG0dx1uD2q1NfFQK60YwKH4FnFtB6INnUP1dRVpP9_pTTKyAE28I3s5Tay4PbPdrCl7ZLCIJzCfpCW1TiWeVoPjp5HgZKTBHdP_sEkN_yO5dQerQXAkFJkV3kNgF9jI3ayT-KPqOIH6GVoWXjHFDyA2EYgJPEFRo5WSe6XycJ85p5duwT-OoBcb_kJZG9PxYd91eHlPCzp8vGxzIb2dVROCBxyM8e8W0cd9v15hfmpg9R-eG9vCM5y63ZLChZLFeHFx0Pd7hvAqfKg';

  jwt := TJwt.Create;
  header := jwt.GetHeader(token);

  WriteLn(header);

  //  Sample header:
  //  {"alg":"RS256","kid":"87bbe0815b064e6d449cac999f0e50e72a3e4374"}

  //  Load the public key matching the "kid" into a Chilkat public key object, then verify..

  json := TJsonObject.Create;
  json.Load(header);
  kid := json.StringOf('kid');

  WriteLn('kid = ' + kid);

  jsonPubKeys := TJsonObject.Create;
  jsonPubKeys.LoadSb(sbPubKeys);

  jsonKey := jsonPubKeys.FindRecord('keys','kid',kid,True);
  if (jsonPubKeys.LastMethodSuccess = False) then
    begin
      WriteLn('Did not find a matching public key based on the kid.');
      Exit;
    end;

  WriteLn(jsonKey.Emit());

  //  Load the matching public key into a Chilkat public key object.
  pubKey := TPublicKey.Create;
  success := pubKey.LoadFromString(jsonKey.Emit());
  jsonKey.Free;
  if (success = False) then
    begin
      WriteLn(pubKey.LastErrorText);
      Exit;
    end;

  //  ----------------------------------------------------------------------------------------
  //  Now we can validate the JWT using Google's public key as shown in this example:
  //  (Except we use the public key obtained as shown above instead of a public key loaded from a PEM file.
  //  
  //  See Verify JWT Using an RSA Public Key


  http.Free;
  sbPubKeys.Free;
  jwt.Free;
  json.Free;
  jsonPubKeys.Free;
  pubKey.Free;

end;

// ---------------------------------------------------------------------------

begin

  try
    RunDemo;
  except
    on E: Exception do
      WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
  end;

  WriteLn;
  {$IFDEF MSWINDOWS}
  WriteLn('Press Enter to exit...');
  ReadLn;
  {$ENDIF}
end.