Hello Stian,
you are right, some tokens might not be decoded correctly...
The following works for me now:
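decode_base64_url() {
  # Restore the '=' padding that base64url encoding strips
  local len=$((${#1} % 4))
  local result="$1"
  if [ $len -eq 2 ]; then result="$1"'=='
  elif [ $len -eq 3 ]; then result="$1"'='
  fi
  # Map the URL-safe alphabet back to standard base64;
  # -A makes openssl read the unwrapped token as a single line
  echo "$result" | tr '_-' '/+' | openssl enc -d -base64 -A
}
decode_jwt(){
  # $1 = segment number (1 = header, 2 = payload), $2 = token
  decode_base64_url "$(echo -n "$2" | cut -d "." -f "$1")" | jq .
}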
# Decode JWT header
alias jwth="decode_jwt 1"
# Decode JWT Payload
alias jwtp="decode_jwt 2"
Took the decode_base64_url function from
Cheers,
Thomas
2016-09-09 8:50 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
I think that'll only work most of the time as tokens are base64 url
encoded, not plain base64 encoded. Most of the time it works with a
standard base64 decoder, but once in a while those special characters that
base64 url strips out get in the way.
On 8 September 2016 at 17:26, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> ... and here is a quick helper function for your shell:
>
> #Keycloak
> decode_jwt(){
> echo -n $@ | cut -d "." -f 2 | base64 -d | jq .
> }
> alias jwtd=decode_jwt
>
> $ jwtd $KC_ACCESS_TOKEN
> {
> "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
> "exp": 1473348085,
> "nbf": 0,
> "iat": 1473347785,
> "iss": "http://localhost:8081/auth/realms/acme-test",
> "aud": "app1",
> "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
> "typ": "Bearer",
> "azp": "app1",
> "auth_time": 0,
> "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
> "acr": "1",
> "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
> "allowed-origins": [],
> "resource_access": {
> "app-js-demo-client": {
> "roles": [
> "user"
> ]
> },
> "account": {
> "roles": [
> "manage-account",
> "view-profile"
> ]
> }
> },
> "name": "Theo Tester",
> "preferred_username": "tester",
> "given_name": "Theo",
> "family_name": "Tester",
> "email": "tom+tester@localhost"
> }
>
> Cheers,
> Thomas
>
> 2016-09-08 17:20 GMT+02:00 Thomas Darimont <thomas.darimont(a)googlemail.com>:
>
>> Hello group,
>>
>> just found an interesting example for decoding a JWT token in the shell.
>> Perhaps some of you might find that handy... see below.
>>
>> Cheers,
>> Thomas
>>
>> KC_REALM=acme-test
>> KC_USERNAME=tester
>> KC_PASSWORD=test
>> KC_CLIENT=app1
>> KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032
>> KC_URL="http://localhost:8081/auth"
>>
>> # Request Tokens for credentials
>> KC_RESPONSE=$( \
>> curl -k -v \
>> -d "username=$KC_USERNAME" \
>> -d "password=$KC_PASSWORD" \
>> -d 'grant_type=password' \
>> -d "client_id=$KC_CLIENT" \
>> -d "client_secret=$KC_CLIENT_SECRET" \
>> "$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \
>> | jq .
>> )
>>
>> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
>> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
>> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)
>>
>> # one-liner to decode access token
>> echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq .
>>
>> {
>> "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
>> "exp": 1473348085,
>> "nbf": 0,
>> "iat": 1473347785,
>> "iss": "http://localhost:8081/auth/realms/acme-test",
>> "aud": "app1",
>> "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
>> "typ": "Bearer",
>> "azp": "app1",
>> "auth_time": 0,
>> "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
>> "acr": "1",
>> "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
>> "allowed-origins": [],
>> "resource_access": {
>> "app-js-demo-client": {
>> "roles": [
>> "user"
>> ]
>> },
>> "account": {
>> "roles": [
>> "manage-account",
>> "view-profile"
>> ]
>> }
>> },
>> "name": "Theo Tester",
>> "preferred_username": "tester",
>> "given_name": "Theo",
>> "family_name": "Tester",
>> "email": "tom+tester@localhost"
>> }
>>
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
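
The intermittent failure discussed in this thread, reproduced on a constructed token. This is an added example, not code from any of the messages. It assumes the coreutils `base64` tool, and the function names, claims and token are made up for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample claims: "???" puts byte 0x3F at the end of a 3-byte
# group, so the encoded payload contains '_' ('/' in plain base64).
HEADER='{"alg":"RS256","typ":"JWT"}'
PAYLOAD='{"sub":"tester","note":"why???"}'

# Encode as JWTs do: URL-safe alphabet, '=' padding stripped.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# Reverse it: restore the standard alphabet and the padding, then decode.
b64url_decode() {
    local s
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
        1) return 1 ;;  # 4n+1 characters is never valid base64
    esac
    printf '%s' "$s" | base64 -d
}

# Print segment N (1=header, 2=payload, 3=signature) of a compact JWT.
jwt_segment() { printf '%s' "$1" | cut -d. -f"$2"; }

# Inspection only: the signature is not verified here.
decode_segment() { b64url_decode "$(jwt_segment "$1" "$2")"; }

# The first helper from the thread: plain base64, no alphabet/padding fix.
naive_decode() { jwt_segment "$1" "$2" | base64 -d 2>/dev/null; }

# Constructed, unsigned token (the third segment is a placeholder).
TOKEN="$(b64url_encode "$HEADER").$(b64url_encode "$PAYLOAD").$(b64url_encode 'placeholder')"

echo "payload segment: $(jwt_segment "$TOKEN" 2)"
for n in 1 2; do
    if [ "$(naive_decode "$TOKEN" "$n")" = "$(decode_segment "$TOKEN" "$n")" ]; then
        echo "segment $n: plain base64 decoder agrees"
    else
        echo "segment $n: plain base64 decoder fails or truncates"
    fi
done
```

The header decodes either way, which is why the plain `base64 -d` helper appears to work until a claim value happens to encode to `-` or `_`.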