[keycloak-user] Example for decoding JWT Token in Shell

Christopher Davies christopher.james.davies at gmail.com
Fri Sep 9 06:35:58 EDT 2016


A colleague wrote this when we were testing Keycloak.
Hope this helps: https://gist.github.com/rolandyoung/176dd310a6948e094be6

Chris


On Fri, Sep 9, 2016 at 9:47 AM Thomas Darimont <
thomas.darimont at googlemail.com> wrote:

> Hello Stian,
>
> you are right, some tokens might not be decoded correctly...
>
> The following works for me now:
>
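> decode_base64_url() {
>   local len=$((${#1} % 4))
>   local result="$1"
>   if [ $len -eq 2 ]; then result="$1"'=='
>   elif [ $len -eq 3 ]; then result="$1"'='
>   fi
>   # -A: the segment is one unwrapped line; without it openssl expects line-wrapped base64
>   echo "$result" | tr '_-' '/+' | openssl enc -d -base64 -A
> }
>
> decode_jwt(){
>    # Quote the arguments so the token is not word-split or globbed
>    decode_base64_url "$(echo -n "$2" | cut -d "." -f "$1")" | jq .
> }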
>
> # Decode JWT header
> alias jwth="decode_jwt 1"
>
> # Decode JWT Payload
> alias jwtp="decode_jwt 2"
>
> Took the decode_base64_url function from
> https://github.com/Moodstocks/moodstocks-api-clients/blob/master/bash/base64url.sh
>
> Cheers,
> Thomas
>
> 2016-09-09 8:50 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:
>
>> I think that'll only work most of the time as tokens are base64 url
>> encoded, not plain base64 encoded. Most of the time it works with
>> standard base64 decoder, but once in a while those special characters that
>> base64 url strips out get in the way.
>>
>> On 8 September 2016 at 17:26, Thomas Darimont <
>> thomas.darimont at googlemail.com> wrote:
>>
>>> ... and here is a quick helper function for your shell:
>>>
>>> #Keycloak
>>> decode_jwt(){
>>>   echo -n $@ | cut -d "." -f 2 | base64 -d | jq .
>>> }
>>> alias jwtd=decode_jwt
>>>
>>> $ jwtd $KC_ACCESS_TOKEN
>>> {
>>>   "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
>>>   "exp": 1473348085,
>>>   "nbf": 0,
>>>   "iat": 1473347785,
>>>   "iss": "http://localhost:8081/auth/realms/acme-test",
>>>   "aud": "app1",
>>>   "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
>>>   "typ": "Bearer",
>>>   "azp": "app1",
>>>   "auth_time": 0,
>>>   "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
>>>   "acr": "1",
>>>   "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
>>>   "allowed-origins": [],
>>>   "resource_access": {
>>>     "app-js-demo-client": {
>>>       "roles": [
>>>         "user"
>>>       ]
>>>     },
>>>     "account": {
>>>       "roles": [
>>>         "manage-account",
>>>         "view-profile"
>>>       ]
>>>     }
>>>   },
>>>   "name": "Theo Tester",
>>>   "preferred_username": "tester",
>>>   "given_name": "Theo",
>>>   "family_name": "Tester",
>>>   "email": "tom+tester at localhost"
>>> }
>>>
>>> Cheers,
>>> Thomas
>>>
>>> 2016-09-08 17:20 GMT+02:00 Thomas Darimont <
>>> thomas.darimont at googlemail.com>:
>>>
>>>> Hello group,
>>>>
>>>> just found an interesting example for decoding a JWT token in the shell.
>>>> Perhaps some of you might find that handy... see below.
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> KC_REALM=acme-test
>>>> KC_USERNAME=tester
>>>> KC_PASSWORD=test
>>>> KC_CLIENT=app1
>>>> KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032
>>>> KC_URL="http://localhost:8081/auth"
>>>>
>>>> # Request Tokens for credentials
>>>> KC_RESPONSE=$( \
>>>>    curl -k -v \
>>>>         -d "username=$KC_USERNAME" \
>>>>         -d "password=$KC_PASSWORD" \
>>>>         -d 'grant_type=password' \
>>>>         -d "client_id=$KC_CLIENT" \
>>>>         -d "client_secret=$KC_CLIENT_SECRET" \
>>>>         "$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \
>>>>     | jq .
>>>> )
>>>>
>>>> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
>>>> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
>>>> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)
>>>>
>>>> # one-liner to decode access token
>>>> echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq .
>>>>
>>>> {
>>>>   "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
>>>>   "exp": 1473348085,
>>>>   "nbf": 0,
>>>>   "iat": 1473347785,
>>>>   "iss": "http://localhost:8081/auth/realms/acme-test",
>>>>   "aud": "app1",
>>>>   "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
>>>>   "typ": "Bearer",
>>>>   "azp": "app1",
>>>>   "auth_time": 0,
>>>>   "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
>>>>   "acr": "1",
>>>>   "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
>>>>   "allowed-origins": [],
>>>>   "resource_access": {
>>>>     "app-js-demo-client": {
>>>>       "roles": [
>>>>         "user"
>>>>       ]
>>>>     },
>>>>     "account": {
>>>>       "roles": [
>>>>         "manage-account",
>>>>         "view-profile"
>>>>       ]
>>>>     }
>>>>   },
>>>>   "name": "Theo Tester",
>>>>   "preferred_username": "tester",
>>>>   "given_name": "Theo",
>>>>   "family_name": "Tester",
>>>>   "email": "tom+tester at localhost"
>>>> }
>>>>
>>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
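
Added example (not part of the thread and not Keycloak's own code): a segment decoder that handles the base64url alphabet and the stripped padding discussed above, next to the plain `base64 -d` one-liner for comparison. The token is a constructed sample, and the function names are made up for this illustration.

```sh
#!/bin/sh
# Added example, not code from the thread. Decodes one JWT segment with
# correct base64url handling. It does not verify the signature, so the
# decoded claims are untrusted data.

# Constructed sample (not a real Keycloak token). Its payload segment
# contains '_' and has no '=' padding, which is what trips plain base64.
SAMPLE_JWT='eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJxIjoiYWI_In0.c2ln'

# b64url_decode SEGMENT: decoded bytes on stdout, status 1 if malformed.
# The body is a subshell, so the variable s stays local to the call.
b64url_decode() (
  s=$1
  # Only the base64url alphabet is allowed (RFC 4648, section 5).
  case $s in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  # Restore the padding that JWS strips.
  case $(( ${#s} % 4 )) in
    1) return 1 ;;        # no base64 string has this length
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  # Map the URL-safe alphabet back to the standard one, then decode.
  printf '%s' "$s" | tr '_-' '/+' | base64 -d
)

# jwt_part INDEX TOKEN: 1 = header, 2 = payload. Accepts only the three
# dot-separated segments of a compact JWS.
jwt_part() (
  idx=$1 token=$2
  case $token in
    *.*.*.*) return 1 ;;  # too many segments
    *.*.*) ;;
    *) return 1 ;;        # too few segments
  esac
  case $idx in 1|2) ;; *) return 1 ;; esac
  b64url_decode "$(printf '%s' "$token" | cut -d. -f"$idx")"
)

# The thread's first one-liner, kept for comparison.
naive_payload() {
  printf '%s' "$1" | cut -d. -f2 | base64 -d 2>/dev/null
}

jwt_part 1 "$SAMPLE_JWT"; echo
jwt_part 2 "$SAMPLE_JWT"; echo
```

Pipe the output of `jwt_part` into `jq .` for pretty-printing, as the thread does.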