[keycloak-user] Example for decoding JWT Token in Shell

Thomas Darimont thomas.darimont at googlemail.com
Fri Sep 9 04:46:24 EDT 2016 

Hello Stian,

you are right, some tokens might not be decoded correctly...

The following works for me now:

decode_base64_url() {
  local len=$((${#1} % 4))
  local result="$1"
  if [ $len -eq 2 ]; then result="$1"'=='
  elif [ $len -eq 3 ]; then result="$1"'='
  fi
  echo "$result" | tr '_-' '/+' | openssl enc -d -base64
}

decode_jwt(){
   decode_base64_url $(echo -n $2 | cut -d "." -f $1) | jq .
}

# Decode JWT header
alias jwth="decode_jwt 1"

# Decode JWT Payload
alias jwtp="decode_jwt 2"

Took the decode_base64_url function from
https://github.com/Moodstocks/moodstocks-api-clients/blob/master/bash/base64url.sh

Cheers,
Thomas

2016-09-09 8:50 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:

> I think that'll only work most of the time as tokens are base64 url
> encoded, not plain base64 encoded. Most of the time it works with
> standard base64 decoder, but once in a while those special characters that
> base64 url strips out gets in the way.
>
> On 8 September 2016 at 17:26, Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
>> ... and here is a quick helper function for your shell:
>>
>> #Keycloak
>> decode_jwt(){
>>   echo -n $@ | cut -d "." -f 2 | base64 -d | jq .
>> }
>> alias jwtd=decode_jwt
>>
>> $ jwtd $KC_ACCESS_TOKEN
>> {
>>   "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
>>   "exp": 1473348085,
>>   "nbf": 0,
>>   "iat": 1473347785,
>>   "iss": "http://localhost:8081/auth/realms/acme-test",
>>   "aud": "app1",
>>   "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
>>   "typ": "Bearer",
>>   "azp": "app1",
>>   "auth_time": 0,
>>   "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
>>   "acr": "1",
>>   "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
>>   "allowed-origins": [],
>>   "resource_access": {
>>     "app-js-demo-client": {
>>       "roles": [
>>         "user"
>>       ]
>>     },
>>     "account": {
>>       "roles": [
>>         "manage-account",
>>         "view-profile"
>>       ]
>>     }
>>   },
>>   "name": "Theo Tester",
>>   "preferred_username": "tester",
>>   "given_name": "Theo",
>>   "family_name": "Tester",
>>   "email": "tom+tester at localhost"
>> }
>>
>> Cheers,
>> Thomas
>>
>> 2016-09-08 17:20 GMT+02:00 Thomas Darimont <thomas.darimont at googlemail.co
>> m>:
>>
>>> Hello group,
>>>
>>> just found an interesting example for decoding a JWT token in the shell.
>>> Perhaps some of you might find that handy... see below.
>>>
>>> Cheers,
>>> Thomas
>>>
>>> KC_REALM=acme-test
>>> KC_USERNAME=tester
>>> KC_PASSWORD=test
>>> KC_CLIENT=app1
>>> KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032
>>> KC_URL="http://localhost:8081/auth"
>>>
>>> # Request Tokens for credentials
>>> KC_RESPONSE=$( \
>>>    curl -k -v \
>>>         -d "username=$KC_USERNAME" \
>>>         -d "password=$KC_PASSWORD" \
>>>         -d 'grant_type=password' \
>>>         -d "client_id=$KC_CLIENT" \
>>>         -d "client_secret=$KC_CLIENT_SECRET" \
>>>         "$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \
>>>     | jq .
>>> )
>>>
>>> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
>>> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
>>> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)
>>>
>>> # one-liner to decode access token
>>> echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq .
>>>
>>> {
>>>   "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
>>>   "exp": 1473348085,
>>>   "nbf": 0,
>>>   "iat": 1473347785,
>>>   "iss": "http://localhost:8081/auth/realms/acme-test",
>>>   "aud": "app1",
>>>   "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
>>>   "typ": "Bearer",
>>>   "azp": "app1",
>>>   "auth_time": 0,
>>>   "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
>>>   "acr": "1",
>>>   "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
>>>   "allowed-origins": [],
>>>   "resource_access": {
>>>     "app-js-demo-client": {
>>>       "roles": [
>>>         "user"
>>>       ]
>>>     },
>>>     "account": {
>>>       "roles": [
>>>         "manage-account",
>>>         "view-profile"
>>>       ]
>>>     }
>>>   },
>>>   "name": "Theo Tester",
>>>   "preferred_username": "tester",
>>>   "given_name": "Theo",
>>>   "family_name": "Tester",
>>>   "email": "tom+tester at localhost"
>>> }
>>>
>>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160909/f17ebc66/attachment-0001.html

More information about the keycloak-user mailing list