I think that'll only work most of the time as tokens are base64 url encoded, not plain base64 encoded. Most of the time it works with standard base64 decoder, but once in a while those special characters that base64 url strips out gets in the way.

On 8 September 2016 at 17:26, Thomas Darimont <thomas.darimont@googlemail.com> wrote:
... and here is a quick helper function for your shell:

#Keycloak
decode_jwt(){
  echo -n $@ | cut -d "." -f 2 | base64 -d | jq .
}
alias jwtd=decode_jwt

$ jwtd $KC_ACCESS_TOKEN
{
  "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
  "exp": 1473348085,
  "nbf": 0,
  "iat": 1473347785,
  "aud": "app1",
  "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
  "typ": "Bearer",
  "azp": "app1",
  "auth_time": 0,
  "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
  "acr": "1",
  "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
  "allowed-origins": [],
  "resource_access": {
    "app-js-demo-client": {
      "roles": [
        "user"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "name": "Theo Tester",
  "preferred_username": "tester",
  "given_name": "Theo",
  "family_name": "Tester",
  "email": "tom+tester@localhost"
}

Cheers,
Thomas

2016-09-08 17:20 GMT+02:00 Thomas Darimont <thomas.darimont@googlemail.com>:
Hello group,

just found an interesting example for decoding a JWT token in the shell.
Perhaps some of you might find that handy... see below.

Cheers,
Thomas

KC_REALM=acme-test
KC_USERNAME=tester
KC_PASSWORD=test
KC_CLIENT=app1
KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032

# Request Tokens for credentials
KC_RESPONSE=$( \
   curl -k -v \
        -d "username=$KC_USERNAME" \
        -d "password=$KC_PASSWORD" \
        -d 'grant_type=password' \
        -d "client_id=$KC_CLIENT" \
        -d "client_secret=$KC_CLIENT_SECRET" \
        "$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \
    | jq . 
)

KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)

# one-liner to decode access token
echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq .

{
  "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
  "exp": 1473348085,
  "nbf": 0,
  "iat": 1473347785,
  "aud": "app1",
  "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
  "typ": "Bearer",
  "azp": "app1",
  "auth_time": 0,
  "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
  "acr": "1",
  "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
  "allowed-origins": [],
  "resource_access": {
    "app-js-demo-client": {
      "roles": [
        "user"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "name": "Theo Tester",
  "preferred_username": "tester",
  "given_name": "Theo",
  "family_name": "Tester",
  "email": "tom+tester@localhost"
}



_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user