Sample code for 30+ languages & platforms
Tcl

Add Custom Claims to JWT for Google Service Account OAuth2

Demonstrates how add custom claims to the JWT when getting a Google API OAuth2 access token using a JSON service account private key.

Chilkat Tcl Downloads

Tcl

load ./chilkat.dll

set success 0

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

# First load the JSON key into a string.
set fac [new_CkFileAccess]

set jsonKey [CkFileAccess_readEntireTextFile $fac "qa_data/googleApi/ChilkatTest-ab2ecd52ef98.json" "utf-8"]
if {[CkFileAccess_get_LastMethodSuccess $fac] != 1} then {
    puts [CkFileAccess_lastErrorText $fac]
    delete_CkFileAccess $fac
    exit
}

# A JSON private key should look like this:

# 	{
# 	  "type": "service_account",
# 	  "project_id": "chilkattest-1350",
# 	  "private_key_id": "fa2e36ee26986eab628b59868af8bec1d1c64c38",
# 	  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIjFa...28N64N2n1E4FYzBZjSdy\n-----END PRIVATE KEY-----\n",
# 	  "client_email": "598922945226-00rb0ppfg0sndajo6bhvd4v17jtj2d3a@developer.gserviceaccount.com",
# 	  "client_id": "598922945226-00rb0ppfg0snd9jo7bhvd4v17jtj2d3a.apps.googleusercontent.com",
# 	  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
# 	  "token_uri": "https://accounts.google.com/o/oauth2/token",
# 	  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
# 	  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/598922945226-00rb0ppfg0sndajo6bhvd4v17jtj2d3a%40developer.gserviceaccount.com"
# 	}

set gAuth [new_CkAuthGoogle]

CkAuthGoogle_put_JsonKey $gAuth $jsonKey

# Choose a scope.
CkAuthGoogle_put_Scope $gAuth "https://www.googleapis.com/auth/cloud-platform"

# Request an access token that is valid for this many seconds.
CkAuthGoogle_put_ExpireNumSeconds $gAuth 3600

# If the application is requesting delegated access:
# The email address of the user for which the application is requesting delegated access,
# then set the email address here. (Otherwise leave it empty.)
CkAuthGoogle_put_SubEmailAddress $gAuth ""

# --------------------------------------------------------------------------------------
# To add custom claims, create JSON containing the claims to be added and call AddClaims.
set moreClaims [new_CkJsonObject]

CkJsonObject_UpdateString $moreClaims "claimAbc" "valueAbc"
CkJsonObject_UpdateString $moreClaims "claimXyz" "valueXyz"
# ...
CkAuthGoogle_AddClaims $gAuth $moreClaims
# --------------------------------------------------------------------------------------

# Connect to www.googleapis.com using TLS (TLS 1.2 is the default.)
# The Chilkat socket object is used so that the connection can be established
# through proxies or an SSH tunnel if desired.
set tlsSock [new_CkSocket]

set success [CkSocket_Connect $tlsSock "www.googleapis.com" 443 1 5000]
if {$success != 1} then {
    puts [CkSocket_lastErrorText $tlsSock]
    delete_CkFileAccess $fac
    delete_CkAuthGoogle $gAuth
    delete_CkJsonObject $moreClaims
    delete_CkSocket $tlsSock
    exit
}

# Send the request to obtain the access token.
set success [CkAuthGoogle_ObtainAccessToken $gAuth $tlsSock]
if {$success != 1} then {
    puts [CkAuthGoogle_lastErrorText $gAuth]
    delete_CkFileAccess $fac
    delete_CkAuthGoogle $gAuth
    delete_CkJsonObject $moreClaims
    delete_CkSocket $tlsSock
    exit
}

# Examine the access token:
puts "Access Token: [CkAuthGoogle_accessToken $gAuth]"

delete_CkFileAccess $fac
delete_CkAuthGoogle $gAuth
delete_CkJsonObject $moreClaims
delete_CkSocket $tlsSock