Hello Stian,

you are right, some tokens might not be decoded correctly...

The following works for me now:

decode_base64_url() {
  local len=$((${#1} % 4))
  local result="$1"
  if [ $len -eq 2 ]; then result="$1"'=='
  elif [ $len -eq 3 ]; then result="$1"'=' 
  fi
  echo "$result" | tr '_-' '/+' | openssl enc -d -base64
}

decode_jwt(){
   decode_base64_url $(echo -n $2 | cut -d "." -f $1) | jq .
}

# Decode JWT header
alias jwth="decode_jwt 1"

# Decode JWT Payload
alias jwtp="decode_jwt 2"

Took the decode_base64_url function from https://github.com/Moodstocks/moodstocks-api-clients/blob/master/bash/base64url.sh

Cheers,
Thomas

2016-09-09 8:50 GMT+02:00 Stian Thorgersen <sthorger@redhat.com>:
I think that'll only work most of the time as tokens are base64 url encoded, not plain base64 encoded. Most of the time it works with standard base64 decoder, but once in a while those special characters that base64 url strips out gets in the way.

On 8 September 2016 at 17:26, Thomas Darimont <thomas.darimont@googlemail.com> wrote:
... and here is a quick helper function for your shell:

#Keycloak
decode_jwt(){
  echo -n $@ | cut -d "." -f 2 | base64 -d | jq .
}
alias jwtd=decode_jwt

$ jwtd $KC_ACCESS_TOKEN
{
  "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
  "exp": 1473348085,
  "nbf": 0,
  "iat": 1473347785,
  "aud": "app1",
  "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
  "typ": "Bearer",
  "azp": "app1",
  "auth_time": 0,
  "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
  "acr": "1",
  "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
  "allowed-origins": [],
  "resource_access": {
    "app-js-demo-client": {
      "roles": [
        "user"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "name": "Theo Tester",
  "preferred_username": "tester",
  "given_name": "Theo",
  "family_name": "Tester",
  "email": "tom+tester@localhost"
}

Cheers,
Thomas

2016-09-08 17:20 GMT+02:00 Thomas Darimont <thomas.darimont@googlemail.com>:
Hello group,

just found an interesting example for decoding a JWT token in the shell.
Perhaps some of you might find that handy... see below.

Cheers,
Thomas

KC_REALM=acme-test
KC_USERNAME=tester
KC_PASSWORD=test
KC_CLIENT=app1
KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032

# Request Tokens for credentials
KC_RESPONSE=$( \
   curl -k -v \
        -d "username=$KC_USERNAME" \
        -d "password=$KC_PASSWORD" \
        -d 'grant_type=password' \
        -d "client_id=$KC_CLIENT" \
        -d "client_secret=$KC_CLIENT_SECRET" \
        "$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \
    | jq . 
)

KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)

# one-liner to decode access token
echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq .

{
  "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
  "exp": 1473348085,
  "nbf": 0,
  "iat": 1473347785,
  "aud": "app1",
  "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
  "typ": "Bearer",
  "azp": "app1",
  "auth_time": 0,
  "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
  "acr": "1",
  "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
  "allowed-origins": [],
  "resource_access": {
    "app-js-demo-client": {
      "roles": [
        "user"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "name": "Theo Tester",
  "preferred_username": "tester",
  "given_name": "Theo",
  "family_name": "Tester",
  "email": "tom+tester@localhost"
}



_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user