<div dir="ltr"><div>Hello Stian,</div><div><br></div>you are right, some tokens might not be decoded correctly...<div><br></div><div>The following works for me now:</div><div><br></div><div><div>decode_base64_url() {</div><div> # base64url drops the '=' padding; restore it from the length</div><div> local len=$((${#1} % 4))</div><div> local result="$1"</div><div> if [ $len -eq 2 ]; then result="$1"'=='</div><div> elif [ $len -eq 3 ]; then result="$1"'=' </div><div> fi</div><div> # map the URL-safe alphabet back; -A lets openssl read the token as one long line</div><div> echo "$result" | tr '_-' '/+' | openssl enc -d -base64 -A</div><div>}</div><div><br></div><div>decode_jwt(){</div><div> # $1 = segment number (1 header, 2 payload), $2 = token</div><div> decode_base64_url "$(echo -n "$2" | cut -d "." -f "$1")" | jq .</div><div>}</div><div><br></div><div># Decode JWT header</div><div>alias jwth="decode_jwt 1"</div><div><br></div><div># Decode JWT Payload</div><div>alias jwtp="decode_jwt 2"</div></div><div><div><br></div><div>Took the decode_base64_url function from <a href="https://github.com/Moodstocks/moodstocks-api-clients/blob/master/bash/base64url.sh">https://github.com/Moodstocks/moodstocks-api-clients/blob/master/bash/base64url.sh</a></div><div><br></div><div>Cheers,</div><div>Thomas</div><div class="gmail_extra"><br><div class="gmail_quote">2016-09-09 8:50 GMT+02:00 Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I think that'll only work most of the time as tokens are base64 url encoded, not plain <span style="font-size:12.8px">base64 encoded. 
Most of the time it works with standard base64 decoder, but once in a while those special characters that base64 url strips out gets in the way.</span></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On 8 September 2016 at 17:26, Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.co<wbr>m</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div><div dir="ltr"><div>... and here is a quick helper function for your shell:</div><div><br></div><div>#Keycloak</div><div>decode_jwt(){</div><div> echo -n $@ | cut -d "." -f 2 | base64 -d | jq .</div><div>}</div><div>alias jwtd=decode_jwt</div><div><br></div><div><div>$ jwtd $KC_ACCESS_TOKEN</div><div><div><div>{</div><div> "jti": "c5ed8525-f0c6-433f-9a88-ef926<wbr>45582dd",</div><div> "exp": 1473348085,</div><div> "nbf": 0,</div><div> "iat": 1473347785,</div><div> "iss": "<a href="http://localhost:8081/auth/realms/acme-test" target="_blank">http://localhost:8081/auth/re<wbr>alms/acme-test</a>",</div><div> "aud": "app1",</div><div> "sub": "c88e9053-89cf-4a4b-af09-c34d9<wbr>1d083af",</div><div> "typ": "Bearer",</div><div> "azp": "app1",</div><div> "auth_time": 0,</div><div> "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5<wbr>396b06b",</div><div> "acr": "1",</div><div> "client_session": "db292d8b-263e-4030-9b93-a1d37<wbr>e5ee5eb",</div><div> "allowed-origins": [],</div><div> "resource_access": {</div><div> "app-js-demo-client": {</div><div> "roles": [</div><div> "user"</div><div> ]</div><div> },</div><div> "account": {</div><div> "roles": [</div><div> "manage-account",</div><div> "view-profile"</div><div> ]</div><div> }</div><div> },</div><div> "name": "Theo Tester",</div><div> "preferred_username": "tester",</div><div> "given_name": "Theo",</div><div> "family_name": "Tester",</div><div> "email": 
"tom+tester@localhost"</div><div>}</div></div></div></div><div><br></div><div>Cheers,</div><div>Thomas</div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2016-09-08 17:20 GMT+02:00 Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.co<wbr>m</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hello group,</div><div><br></div><div>just found an interesting example for decoding a JWT token in the shell.</div><div>Perhaps some of you might find that handy... see below.</div><div><br></div><div>Cheers,</div><div>Thomas</div><div><br></div><div>KC_REALM=acme-test</div><div>KC_USERNAME=tester</div><div>KC_PASSWORD=test</div><div>KC_CLIENT=app1</div><div>KC_CLIENT_SECRET=aa937217-a566<wbr>-49e4-b46e-97866bad8032</div><div>KC_URL="<a href="http://localhost:8081/auth" target="_blank">http://localhost:8081/<wbr>auth</a>"</div><div><br></div><div># Request Tokens for credentials</div><div>KC_RESPONSE=$( \</div><div> curl -k -v \</div><div> -d "username=$KC_USERNAME" \</div><div> -d "password=$KC_PASSWORD" \</div><div> -d 'grant_type=password' \</div><div> -d "client_id=$KC_CLIENT" \</div><div> -d "client_secret=$KC_CLIENT_SECR<wbr>ET" \</div><div> "$KC_URL/realms/$KC_REALM/prot<wbr>ocol/openid-connect/token" \</div><div> | jq . </div><div>)</div><div><br></div><div>KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)</div><div>KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)</div><div>KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)</div><div><br></div><div># one-liner to decode access token</div><div>echo -n $KC_ACCESS_TOKEN | cut -d "." 
-f 2 | base64 -d | jq .</div><div><br></div><div>{</div><div> "jti": "c5ed8525-f0c6-433f-9a88-ef926<wbr>45582dd",</div><div> "exp": 1473348085,</div><div> "nbf": 0,</div><div> "iat": 1473347785,</div><div> "iss": "<a href="http://localhost:8081/auth/realms/acme-test" target="_blank">http://localhost:8081/auth/re<wbr>alms/acme-test</a>",</div><div> "aud": "app1",</div><div> "sub": "c88e9053-89cf-4a4b-af09-c34d9<wbr>1d083af",</div><div> "typ": "Bearer",</div><div> "azp": "app1",</div><div> "auth_time": 0,</div><div> "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5<wbr>396b06b",</div><div> "acr": "1",</div><div> "client_session": "db292d8b-263e-4030-9b93-a1d37<wbr>e5ee5eb",</div><div> "allowed-origins": [],</div><div> "resource_access": {</div><div> "app-js-demo-client": {</div><div> "roles": [</div><div> "user"</div><div> ]</div><div> },</div><div> "account": {</div><div> "roles": [</div><div> "manage-account",</div><div> "view-profile"</div><div> ]</div><div> }</div><div> },</div><div> "name": "Theo Tester",</div><div> "preferred_username": "tester",</div><div> "given_name": "Theo",</div><div> "family_name": "Tester",</div><div> "email": "tom+tester@localhost"</div><div>}</div><div><br></div></div>
</blockquote></div><br></div>
</div></div><br></div></div>______________________________<wbr>_________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-user</a><br></blockquote></div><br></div>
</blockquote></div><br></div></div></div>
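<div>The padding and alphabet handling discussed in this thread, as an added example that is not part of the original messages and is not Keycloak code: it decodes the header or payload of a compact JWT, rejects segments that cannot be base64url, and builds a constructed sample token whose payload encodes to both <code>-</code> and <code>_</code> and needs <code>==</code> padding. Assumptions: GNU coreutils <code>base64</code> is available, and the function names <code>b64url_encode</code>, <code>b64url_decode</code>, <code>jwt_part</code> and <code>make_sample_token</code> are hypothetical.</div>

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.
# Decoding only displays claims; it does not verify the token's signature.

# Encode stdin as unpadded base64url (used to build the constructed sample).
b64url_encode() { base64 | tr -d '=\n' | tr '+/' '-_'; }

# Decode one base64url string to stdout, restoring the stripped '=' padding.
b64url_decode() {
  local s="${1%%=*}"                      # tolerate input that kept its padding
  case "$s" in
    ''|*[!A-Za-z0-9_-]*) echo "not base64url" >&2; return 1 ;;
  esac
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
    1) echo "impossible base64url length" >&2; return 1 ;;
  esac
  printf '%s' "$s" | tr '_-' '/+' | base64 -d
}

# Print segment 1 (header) or 2 (payload) of a compact JWT.
jwt_part() {
  local idx="$1" token="$2"
  case "$idx" in 1|2) ;; *) echo "segment must be 1 or 2" >&2; return 1 ;; esac
  case "$token" in
    *.*.*.*) echo "expected three segments" >&2; return 1 ;;
    *.*.*)   ;;
    *)       echo "expected three segments" >&2; return 1 ;;
  esac
  b64url_decode "$(printf '%s' "$token" | cut -d. -f"$idx")"
}

# Constructed sample: '?' and '>' sit where they encode to '_' and '-',
# and the 31-byte payload leaves a segment whose length is 2 mod 4.
make_sample_token() {
  local h p
  h=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_encode)
  p=$(printf '%s' '{"sub":"?ab>","exp":1473348085}' | b64url_encode)
  printf '%s.%s.%s' "$h" "$p" "c2lnbmF0dXJl"   # placeholder, not a real signature
}

jwt_part 2 "$(make_sample_token)"; echo
```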