Sample code for 30+ languages & platforms
Pascal (Lazarus/Delphi)

Validate a Google ID Token

See more OAuth2 Examples

Demonstrates how to verify the signature of a Google id token.

Chilkat Pascal (Lazarus/Delphi) Downloads

Pascal (Lazarus/Delphi)
program ChilkatDemo;

// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}

uses
  {$IFDEF UNIX}
  cthreads,
  {$ENDIF}
  SysUtils,
  CkDllLoader,
  Chilkat.Http,
  Chilkat.StringBuilder,
  Chilkat.Rsa,
  Chilkat.PublicKey,
  Chilkat.JsonObject;

// ---------------------------------------------------------------------------

procedure RunDemo;
var
  success: Boolean;
  http: THttp;
  jwkStr: string;
  json: TJsonObject;
  jsonToken: TJsonObject;
  sbIdToken: TStringBuilder;
  sig_b64Url: string;
  headerPlusPayload: string;
  rsa: TRsa;
  jsonKey: TJsonObject;
  pubKey: TPublicKey;
  numKeys: Integer;
  i: Integer;
  bVerified: Boolean;

begin
  success := False;

  //  This example requires the Chilkat API to have been previously unlocked.
  //  See Global Unlock Sample for sample code.

  http := THttp.Create;

  //  First get the public key we'll be needing..
  jwkStr := http.QuickGetStr('https://www.googleapis.com/oauth2/v3/certs');
  if (http.LastMethodSuccess = False) then
    begin
      WriteLn(http.LastErrorText);
      Exit;
    end;

  //  We have the following:

  //      {
  //        "keys": [
  //  	{
  //  	  "kid": "e8732db06287515556213b80acbcfd08cfb302a9",
  //  	  "n": "4RIrO30287Wsq3gqXCMkUYMVAeI3H8...w2mbMNEBQ",
  //  	  "kty": "RSA",
  //  	  "e": "AQAB",
  //  	  "alg": "RS256",
  //  	  "use": "sig"
  //  	},
  //  	{
  //  	  "kid": "8462a71da4f6d611fc0fecf0fc4ba9c37d65e6cd",
  //  	  "e": "AQAB",
  //  	  "n": "xT_ngLZNmT5GBtJZeTB...Ft4gK0eoFi0d3l8bcw",
  //  	  "alg": "RS256",
  //  	  "use": "sig",
  //  	  "kty": "RSA"
  //  	}
  //        ]
  //      }

  json := TJsonObject.Create;
  success := json.Load(jwkStr);

  //  -------------------------------------------------

  //  Load the following..

  //   {
  //    "access_token": "ya29.a0...0f",
  //    "expires_in": 3599,
  //    "scope": "openid https://www.googleapis.com/auth/userinfo.email",
  //    "token_type": "Bearer",
  //    "id_token": "eyJhb...o5nQ"
  //  }

  jsonToken := TJsonObject.Create;
  success := jsonToken.LoadFile('qa_data/tokens/google_sample_id_token.json');
  if (success = False) then
    begin
      WriteLn('Failed to load the JSON file...');
      Exit;
    end;

  //  Get the id_token;
  sbIdToken := TStringBuilder.Create;
  success := sbIdToken.Append(jsonToken.StringOf('id_token'));

  //  Get the signature in base64url format.
  //  The header + payload remains in sbIdToken.
  sig_b64Url := sbIdToken.GetAfterFinal('.',True);
  headerPlusPayload := sbIdToken.GetAsString();

  WriteLn(sig_b64Url);
  WriteLn(headerPlusPayload);

  //  ---------------------------------------------

  //  Try validating with each cert's public key.
  //  Hopefully one will be the key that verifies.

  rsa := TRsa.Create;
  rsa.EncodingMode := 'base64url';

  jsonKey := TJsonObject.Create;
  pubKey := TPublicKey.Create;

  numKeys := json.SizeOfArray('keys');
  i := 0;
  while i < numKeys do
    begin
      json.I := i;

      json.ObjectOf2('keys[i]',jsonKey);

      success := pubKey.LoadFromString(jsonKey.Emit());
      if (success = False) then
        begin
          WriteLn(pubKey.LastErrorText);
          Exit;
        end;

      WriteLn(i);
      WriteLn(pubKey.GetPem(True));

      success := rsa.UsePublicKey(pubKey);

      bVerified := rsa.VerifyStringENC(headerPlusPayload,'sha256',sig_b64Url);
      WriteLn('bVerified = ' + bVerified);

      i := i + 1;
    end;

  //  The output is:

  //  0
  //  -----BEGIN RSA PUBLIC KEY-----
  //  MIIBCgKCAQEA4RIrO30287Wsq3gqXCMkUYMVAeI3H8LVE6IXR1krdFeGnZLiGUPw
  //  cbkeVpXf3lmJdsStOg+jijces2DZCfPyIBiQuLYfxxmAZE6ErJ0QJFg1stwli2Pz
  //  9ncYhFoqi8pXr7kEzEJBTzX4thuw56ydbGsshSEznPXoerCJOc7UI2+n0wFCWQ4Y
  //  LHbh/PrWt4vdadyUUUW/QpQHXQLdD8q/Qwqdj0O9zlJE7R6Elw2E9EqnHyIGu1hm
  //  LxhqrTru1M18SUhONYbVskV/BCEdVKs//X96849HorWQDCAgVMWfGsdMVq55FAdJ
  //  680N5UmQDRynIZ4+PeNGN4S9iw2mbMNEBQIDAQAB
  //  -----END RSA PUBLIC KEY-----
  //  
  //  bVerified = True
  //  1
  //  -----BEGIN RSA PUBLIC KEY-----
  //  MIIBCgKCAQEAxT/ngLZNmT5GBdkLtJZjNeTB+8B5yWgrq/e5eMZ1hrZhcmLK+dSn
  //  IkpOPV8/OekV67EnQ7I4II2rcNJnHGrGKZziXO3XN2gtUHE+mBJC99oULSbX/QwB
  //  Kz7gC/IBPq9EuxTt6Oq6fPkVQ9DbRIgWJSEGBF/KRaNl3kyAlIZfpY7XgHyJTTv8
  //  E7yAcYKPR+36gzdl+ps0sDLKzUuAtZNq8llK0u80z6AtAUIYwWdkEhM9upy6keKI
  //  TasIxcsO7M6kZPINUSbh6t5VAm8FuqRmxpgg+9c9/GQSGd89InVypoVzWLQ+wOGg
  //  5G4H6JqIgtj0TRFt4gK0eoFi2U0d3l8bcwIDAQAB
  //  -----END RSA PUBLIC KEY-----
  //  
  //  bVerified = False


  http.Free;
  json.Free;
  jsonToken.Free;
  sbIdToken.Free;
  rsa.Free;
  jsonKey.Free;
  pubKey.Free;

end;

// ---------------------------------------------------------------------------

begin

  try
    RunDemo;
  except
    on E: Exception do
      WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
  end;

  WriteLn;
  {$IFDEF MSWINDOWS}
  WriteLn('Press Enter to exit...');
  ReadLn;
  {$ENDIF}
end.