1*e7b1675dSTing-Kang Chang // Copyright 2023 Google LLC
2*e7b1675dSTing-Kang Chang //
3*e7b1675dSTing-Kang Chang // Licensed under the Apache License, Version 2.0 (the "License");
4*e7b1675dSTing-Kang Chang // you may not use this file except in compliance with the License.
5*e7b1675dSTing-Kang Chang // You may obtain a copy of the License at
6*e7b1675dSTing-Kang Chang //
7*e7b1675dSTing-Kang Chang // http://www.apache.org/licenses/LICENSE-2.0
8*e7b1675dSTing-Kang Chang //
9*e7b1675dSTing-Kang Chang // Unless required by applicable law or agreed to in writing, software
10*e7b1675dSTing-Kang Chang // distributed under the License is distributed on an "AS IS" BASIS,
11*e7b1675dSTing-Kang Chang // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*e7b1675dSTing-Kang Chang // See the License for the specific language governing permissions and
13*e7b1675dSTing-Kang Chang // limitations under the License.
14*e7b1675dSTing-Kang Chang //
15*e7b1675dSTing-Kang Chang ///////////////////////////////////////////////////////////////////////////////
16*e7b1675dSTing-Kang Chang // [START jwt-verify]
17*e7b1675dSTing-Kang Chang // A utility for creating, signing and verifying JSON Web Tokens (JWT).
18*e7b1675dSTing-Kang Chang #include <iostream>
19*e7b1675dSTing-Kang Chang #include <memory>
20*e7b1675dSTing-Kang Chang #include <ostream>
21*e7b1675dSTing-Kang Chang #include <string>
22*e7b1675dSTing-Kang Chang #include <utility>
23*e7b1675dSTing-Kang Chang
24*e7b1675dSTing-Kang Chang #include "absl/flags/flag.h"
25*e7b1675dSTing-Kang Chang #include "absl/flags/parse.h"
26*e7b1675dSTing-Kang Chang #include "absl/log/check.h"
27*e7b1675dSTing-Kang Chang #include "util/util.h"
28*e7b1675dSTing-Kang Chang #include "tink/jwt/jwk_set_converter.h"
29*e7b1675dSTing-Kang Chang #include "tink/jwt/jwt_public_key_verify.h"
30*e7b1675dSTing-Kang Chang #include "tink/jwt/jwt_signature_config.h"
31*e7b1675dSTing-Kang Chang #include "tink/jwt/jwt_validator.h"
32*e7b1675dSTing-Kang Chang #include "tink/keyset_handle.h"
33*e7b1675dSTing-Kang Chang #include "tink/util/status.h"
34*e7b1675dSTing-Kang Chang
35*e7b1675dSTing-Kang Chang ABSL_FLAG(std::string, jwk_set_filename, "", "Path to the JWK set file");
36*e7b1675dSTing-Kang Chang ABSL_FLAG(std::string, audience, "", "Expected audience in the token");
37*e7b1675dSTing-Kang Chang ABSL_FLAG(std::string, token_filename, "", "Path to the token file");
38*e7b1675dSTing-Kang Chang
39*e7b1675dSTing-Kang Chang namespace {
40*e7b1675dSTing-Kang Chang
41*e7b1675dSTing-Kang Chang using ::crypto::tink::JwkSetToPublicKeysetHandle;
42*e7b1675dSTing-Kang Chang using ::crypto::tink::JwtPublicKeyVerify;
43*e7b1675dSTing-Kang Chang using ::crypto::tink::JwtValidator;
44*e7b1675dSTing-Kang Chang using ::crypto::tink::KeysetHandle;
45*e7b1675dSTing-Kang Chang using ::crypto::tink::util::Status;
46*e7b1675dSTing-Kang Chang using ::crypto::tink::util::StatusOr;
47*e7b1675dSTing-Kang Chang
// Aborts the process (through CHECK) unless each required flag carries a
// non-empty value. Intended to run once, after absl::ParseCommandLine.
// Only presence is checked here; whether the named files exist or are
// readable is not verified at this point.
void ValidateParams() {
  // [START_EXCLUDE]
  CHECK(!absl::GetFlag(FLAGS_jwk_set_filename).empty())
      << "Keyset file must be specified";
  CHECK(!absl::GetFlag(FLAGS_audience).empty())
      << "Expected audience in the token must be specified";
  CHECK(!absl::GetFlag(FLAGS_token_filename).empty())
      << "Token file must be specified";
  // [END_EXCLUDE]
}
58*e7b1675dSTing-Kang Chang
59*e7b1675dSTing-Kang Chang } // namespace
60*e7b1675dSTing-Kang Chang
61*e7b1675dSTing-Kang Chang namespace tink_cc_examples {
62*e7b1675dSTing-Kang Chang
63*e7b1675dSTing-Kang Chang // JWT verify example CLI implementation.
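// Verifies the JWT stored in `token_filename` against the public keys of the
// JWK set stored in `jwk_set_filename`.
//
// The JWK set is the trust anchor of this check: every key in that file is
// accepted as a legitimate signer, so the file must come from a trusted source
// and be protected from tampering. The validator pins only the audience; no
// issuer, type or custom claim is checked here (whatever other defaults
// JwtValidatorBuilder applies are not visible in this file — confirm against
// the Tink documentation if stricter validation is required).
//
// Args:
//   jwk_set_filename: path to a file holding a JWK set.
//   audience: value expected in the token's audience claim.
//   token_filename: path to a file holding the serialized JWT.
//
// Returns an OK status when the signature verifies and the claims pass the
// validator; otherwise the status of the first failing step (registration,
// file read, JWK set conversion, validator construction, primitive creation
// or verification). The decoded token itself is discarded.
Status JwtVerify(const std::string& jwk_set_filename,
                 absl::string_view audience,
                 const std::string& token_filename) {
  // Make the JWT signature primitives available to GetPrimitive below.
  Status result = crypto::tink::JwtSignatureRegister();
  if (!result.ok()) return result;

  // Read the JWK set from file and convert it to a public keyset handle.
  StatusOr<std::string> jwk_set = ReadFile(jwk_set_filename);
  if (!jwk_set.ok()) return jwk_set.status();
  StatusOr<std::unique_ptr<KeysetHandle>> keyset_handle =
      JwkSetToPublicKeysetHandle(*jwk_set);
  // A malformed or unsupported JWK set must be reported here; dereferencing a
  // non-OK StatusOr further down would be undefined behaviour rather than a
  // clean error.
  if (!keyset_handle.ok()) return keyset_handle.status();

  // Read the token.
  StatusOr<std::string> token = ReadFile(token_filename);
  if (!token.ok()) return token.status();

  // Only the audience is pinned; see the function comment.
  StatusOr<JwtValidator> validator =
      crypto::tink::JwtValidatorBuilder().ExpectAudience(audience).Build();
  if (!validator.ok()) return validator.status();

  StatusOr<std::unique_ptr<JwtPublicKeyVerify>> jwt_verifier =
      (*keyset_handle)->GetPrimitive<JwtPublicKeyVerify>();
  if (!jwt_verifier.ok()) return jwt_verifier.status();

  // Signature check and claim validation happen together; only the status is
  // propagated, the decoded claims are not used by this tool.
  return (*jwt_verifier)->VerifyAndDecode(*token, *validator).status();
}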
90*e7b1675dSTing-Kang Chang
91*e7b1675dSTing-Kang Chang } // namespace tink_cc_examples
92*e7b1675dSTing-Kang Chang
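// Entry point: parses and validates the flags, then verifies the token.
// On failure CHECK_OK aborts the process with the failing status; on success
// the only output is the informational line written to std::clog.
int main(int argc, char** argv) {
  absl::ParseCommandLine(argc, argv);

  ValidateParams();

  const std::string jwk_set_filename = absl::GetFlag(FLAGS_jwk_set_filename);
  const std::string audience = absl::GetFlag(FLAGS_audience);
  const std::string token_filename = absl::GetFlag(FLAGS_token_filename);

  // Informational only. The message previously contained a doubled space and
  // an unclosed quote around the audience; both are fixed here.
  std::clog << "Using keyset in " << jwk_set_filename
            << " to verify a token with expected audience '" << audience << "'"
            << std::endl;

  // Verification failure is fatal for this CLI: CHECK_OK aborts with the
  // returned status.
  CHECK_OK(
      tink_cc_examples::JwtVerify(jwk_set_filename, audience, token_filename));
  return 0;
}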
110*e7b1675dSTing-Kang Chang // [END jwt-verify]
111