10:20 a.m.
Hello group,
just found an interesting example for decoding a JWT token in the shell.
Perhaps some of you might find that handy... see below.
Cheers,
Thomas
KC_REALM=acme-test
KC_USERNAME=tester
KC_PASSWORD=test
KC_CLIENT=app1
KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032
KC_URL="http://localhost:8081/auth"
# Request Tokens for credentials
KC_RESPONSE=$( \
curl -k -v \
-d "username=$KC_USERNAME" \
-d "password=$KC_PASSWORD" \
-d 'grant_type=password' \
-d "client_id=$KC_CLIENT" \
-d "client_secret=$KC_CLIENT_SECRET" \
"$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \
| jq .
)
KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)
# one-liner to decode access token
echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq .
{
"jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
"exp": 1473348085,
"nbf": 0,
"iat": 1473347785,
"iss": "http://localhost:8081/auth/realms/acme-test",
"aud": "app1",
"sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
"typ": "Bearer",
"azp": "app1",
"auth_time": 0,
"session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
"acr": "1",
"client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
"allowed-origins": [],
"resource_access": {
"app-js-demo-client": {
"roles": [
"user"
]
},
"account": {
"roles": [
"manage-account",
"view-profile"
]
}
},
"name": "Theo Tester",
"preferred_username": "tester",
"given_name": "Theo",
"family_name": "Tester",
"email": "tom+tester@localhost"
}
10:26 a.m.
... and here is a quick helper function for your shell:
#Keycloak
decode_jwt(){
echo -n $@ | cut -d "." -f 2 | base64 -d | jq .
}
alias jwtd=decode_jwt
$ jwtd $KC_ACCESS_TOKEN
{
"jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
"exp": 1473348085,
"nbf": 0,
"iat": 1473347785,
"iss": "http://localhost:8081/auth/realms/acme-test",
"aud": "app1",
"sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
"typ": "Bearer",
"azp": "app1",
"auth_time": 0,
"session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
"acr": "1",
"client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
"allowed-origins": [],
"resource_access": {
"app-js-demo-client": {
"roles": [
"user"
]
},
"account": {
"roles": [
"manage-account",
"view-profile"
]
}
},
"name": "Theo Tester",
"preferred_username": "tester",
"given_name": "Theo",
"family_name": "Tester",
"email": "tom+tester@localhost"
}
Cheers,
Thomas
2016-09-08 17:20 GMT+02:00 Thomas Darimont <thomas.darimont(a)googlemail.com>:
Hello group,
just found an interesting example for decoding a JWT token in the shell.
Perhaps some of you might find that handy... see below.
Cheers,
Thomas
KC_REALM=acme-test
KC_USERNAME=tester
KC_PASSWORD=test
KC_CLIENT=app1
KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032
KC_URL="http://localhost:8081/auth"
# Request Tokens for credentials
KC_RESPONSE=$( \
curl -k -v \
-d "username=$KC_USERNAME" \
-d "password=$KC_PASSWORD" \
-d 'grant_type=password' \
-d "client_id=$KC_CLIENT" \
-d "client_secret=$KC_CLIENT_SECRET" \
"$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \
| jq .
)
KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)
# one-liner to decode access token
echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq .
{
"jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
"exp": 1473348085,
"nbf": 0,
"iat": 1473347785,
"iss": "http://localhost:8081/auth/realms/acme-test",
"aud": "app1",
"sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
"typ": "Bearer",
"azp": "app1",
"auth_time": 0,
"session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
"acr": "1",
"client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
"allowed-origins": [],
"resource_access": {
"app-js-demo-client": {
"roles": [
"user"
]
},
"account": {
"roles": [
"manage-account",
"view-profile"
]
}
},
"name": "Theo Tester",
"preferred_username": "tester",
"given_name": "Theo",
"family_name": "Tester",
"email": "tom+tester@localhost"
}
1:50 a.m.
I think that'll only work most of the time as tokens are base64 url
encoded, not plain base64 encoded. Most of the time it works with standard
base64 decoder, but once in a while those special characters that base64
url strips out gets in the way.
On 8 September 2016 at 17:26, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
... and here is a quick helper function for your shell:
#Keycloak
decode_jwt(){
echo -n $@ | cut -d "." -f 2 | base64 -d | jq .
}
alias jwtd=decode_jwt
$ jwtd $KC_ACCESS_TOKEN
{
"jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
"exp": 1473348085,
"nbf": 0,
"iat": 1473347785,
"iss": "http://localhost:8081/auth/realms/acme-test",
"aud": "app1",
"sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
"typ": "Bearer",
"azp": "app1",
"auth_time": 0,
"session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
"acr": "1",
"client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
"allowed-origins": [],
"resource_access": {
"app-js-demo-client": {
"roles": [
"user"
]
},
"account": {
"roles": [
"manage-account",
"view-profile"
]
}
},
"name": "Theo Tester",
"preferred_username": "tester",
"given_name": "Theo",
"family_name": "Tester",
"email": "tom+tester@localhost"
}
Cheers,
Thomas
2016-09-08 17:20 GMT+02:00 Thomas Darimont <thomas.darimont(a)googlemail.com
>:
> Hello group,
>
> just found an interesting example for decoding a JWT token in the shell.
> Perhaps some of you might find that handy... see below.
>
> Cheers,
> Thomas
>
> KC_REALM=acme-test
> KC_USERNAME=tester
> KC_PASSWORD=test
> KC_CLIENT=app1
> KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032
> KC_URL="http://localhost:8081/auth"
>
> # Request Tokens for credentials
> KC_RESPONSE=$( \
> curl -k -v \
> -d "username=$KC_USERNAME" \
> -d "password=$KC_PASSWORD" \
> -d 'grant_type=password' \
> -d "client_id=$KC_CLIENT" \
> -d "client_secret=$KC_CLIENT_SECRET" \
> "$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \
> | jq .
> )
>
> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)
>
> # one-liner to decode access token
> echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq .
>
> {
> "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
> "exp": 1473348085,
> "nbf": 0,
> "iat": 1473347785,
> "iss": "http://localhost:8081/auth/realms/acme-test",
> "aud": "app1",
> "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
> "typ": "Bearer",
> "azp": "app1",
> "auth_time": 0,
> "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
> "acr": "1",
> "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
> "allowed-origins": [],
> "resource_access": {
> "app-js-demo-client": {
> "roles": [
> "user"
> ]
> },
> "account": {
> "roles": [
> "manage-account",
> "view-profile"
> ]
> }
> },
> "name": "Theo Tester",
> "preferred_username": "tester",
> "given_name": "Theo",
> "family_name": "Tester",
> "email": "tom+tester@localhost"
> }
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3:46 a.m.
Hello Stian,
you are right, some tokens might not be decoded correctly...
The following works for me now:
decode_base64_url() {
local len=$((${#1} % 4))
local result="$1"
if [ $len -eq 2 ]; then result="$1"'=='
elif [ $len -eq 3 ]; then result="$1"'='
fi
echo "$result" | tr '_-' '/+' | openssl enc -d -base64
}
decode_jwt(){
decode_base64_url $(echo -n $2 | cut -d "." -f $1) | jq .
}
# Decode JWT header
alias jwth="decode_jwt 1"
# Decode JWT Payload
alias jwtp="decode_jwt 2"
Took the decode_base64_url function from
https://github.com/Moodstocks/moodstocks-api-clients/blob/master/bash/bas...
Cheers,
Thomas
2016-09-09 8:50 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
I think that'll only work most of the time as tokens are base64
url
encoded, not plain base64 encoded. Most of the time it works with
standard base64 decoder, but once in a while those special characters that
base64 url strips out gets in the way.
On 8 September 2016 at 17:26, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> ... and here is a quick helper function for your shell:
>
> #Keycloak
> decode_jwt(){
> echo -n $@ | cut -d "." -f 2 | base64 -d | jq .
> }
> alias jwtd=decode_jwt
>
> $ jwtd $KC_ACCESS_TOKEN
> {
> "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
> "exp": 1473348085,
> "nbf": 0,
> "iat": 1473347785,
> "iss": "http://localhost:8081/auth/realms/acme-test",
> "aud": "app1",
> "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
> "typ": "Bearer",
> "azp": "app1",
> "auth_time": 0,
> "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
> "acr": "1",
> "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
> "allowed-origins": [],
> "resource_access": {
> "app-js-demo-client": {
> "roles": [
> "user"
> ]
> },
> "account": {
> "roles": [
> "manage-account",
> "view-profile"
> ]
> }
> },
> "name": "Theo Tester",
> "preferred_username": "tester",
> "given_name": "Theo",
> "family_name": "Tester",
> "email": "tom+tester@localhost"
> }
>
> Cheers,
> Thomas
>
> 2016-09-08 17:20 GMT+02:00 Thomas Darimont <thomas.darimont(a)googlemail.co
> m>:
>
>> Hello group,
>>
>> just found an interesting example for decoding a JWT token in the shell.
>> Perhaps some of you might find that handy... see below.
>>
>> Cheers,
>> Thomas
>>
>> KC_REALM=acme-test
>> KC_USERNAME=tester
>> KC_PASSWORD=test
>> KC_CLIENT=app1
>> KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032
>> KC_URL="http://localhost:8081/auth"
>>
>> # Request Tokens for credentials
>> KC_RESPONSE=$( \
>> curl -k -v \
>> -d "username=$KC_USERNAME" \
>> -d "password=$KC_PASSWORD" \
>> -d 'grant_type=password' \
>> -d "client_id=$KC_CLIENT" \
>> -d "client_secret=$KC_CLIENT_SECRET" \
>> "$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \
>> | jq .
>> )
>>
>> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
>> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
>> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)
>>
>> # one-liner to decode access token
>> echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq .
>>
>> {
>> "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
>> "exp": 1473348085,
>> "nbf": 0,
>> "iat": 1473347785,
>> "iss": "http://localhost:8081/auth/realms/acme-test",
>> "aud": "app1",
>> "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
>> "typ": "Bearer",
>> "azp": "app1",
>> "auth_time": 0,
>> "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
>> "acr": "1",
>> "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
>> "allowed-origins": [],
>> "resource_access": {
>> "app-js-demo-client": {
>> "roles": [
>> "user"
>> ]
>> },
>> "account": {
>> "roles": [
>> "manage-account",
>> "view-profile"
>> ]
>> }
>> },
>> "name": "Theo Tester",
>> "preferred_username": "tester",
>> "given_name": "Theo",
>> "family_name": "Tester",
>> "email": "tom+tester@localhost"
>> }
>>
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
5:35 a.m.
A colleague wrote this when we were testing keycloak.
Hope this helps: https://gist.github.com/rolandyoung/176dd310a6948e094be6
Chris
On Fri, Sep 9, 2016 at 9:47 AM Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
Hello Stian,
you are right, some tokens might not be decoded correctly...
The following works for me now:
decode_base64_url() {
local len=$((${#1} % 4))
local result="$1"
if [ $len -eq 2 ]; then result="$1"'=='
elif [ $len -eq 3 ]; then result="$1"'='
fi
echo "$result" | tr '_-' '/+' | openssl enc -d -base64
}
decode_jwt(){
decode_base64_url $(echo -n $2 | cut -d "." -f $1) | jq .
}
# Decode JWT header
alias jwth="decode_jwt 1"
# Decode JWT Payload
alias jwtp="decode_jwt 2"
Took the decode_base64_url function from
https://github.com/Moodstocks/moodstocks-api-clients/blob/master/bash/bas...
Cheers,
Thomas
2016-09-09 8:50 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
> I think that'll only work most of the time as tokens are base64 url
> encoded, not plain base64 encoded. Most of the time it works with
> standard base64 decoder, but once in a while those special characters that
> base64 url strips out gets in the way.
>
> On 8 September 2016 at 17:26, Thomas Darimont <
> thomas.darimont(a)googlemail.com> wrote:
>
>> ... and here is a quick helper function for your shell:
>>
>> #Keycloak
>> decode_jwt(){
>> echo -n $@ | cut -d "." -f 2 | base64 -d | jq .
>> }
>> alias jwtd=decode_jwt
>>
>> $ jwtd $KC_ACCESS_TOKEN
>> {
>> "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
>> "exp": 1473348085,
>> "nbf": 0,
>> "iat": 1473347785,
>> "iss": "http://localhost:8081/auth/realms/acme-test",
>> "aud": "app1",
>> "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
>> "typ": "Bearer",
>> "azp": "app1",
>> "auth_time": 0,
>> "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
>> "acr": "1",
>> "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
>> "allowed-origins": [],
>> "resource_access": {
>> "app-js-demo-client": {
>> "roles": [
>> "user"
>> ]
>> },
>> "account": {
>> "roles": [
>> "manage-account",
>> "view-profile"
>> ]
>> }
>> },
>> "name": "Theo Tester",
>> "preferred_username": "tester",
>> "given_name": "Theo",
>> "family_name": "Tester",
>> "email": "tom+tester@localhost"
>> }
>>
>> Cheers,
>> Thomas
>>
>> 2016-09-08 17:20 GMT+02:00 Thomas Darimont <
>> thomas.darimont(a)googlemail.com>:
>>
>>> Hello group,
>>>
>>> just found an interesting example for decoding a JWT token in the shell.
>>> Perhaps some of you might find that handy... see below.
>>>
>>> Cheers,
>>> Thomas
>>>
>>> KC_REALM=acme-test
>>> KC_USERNAME=tester
>>> KC_PASSWORD=test
>>> KC_CLIENT=app1
>>> KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032
>>> KC_URL="http://localhost:8081/auth"
>>>
>>> # Request Tokens for credentials
>>> KC_RESPONSE=$( \
>>> curl -k -v \
>>> -d "username=$KC_USERNAME" \
>>> -d "password=$KC_PASSWORD" \
>>> -d 'grant_type=password' \
>>> -d "client_id=$KC_CLIENT" \
>>> -d "client_secret=$KC_CLIENT_SECRET" \
>>> "$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \
>>> | jq .
>>> )
>>>
>>> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
>>> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
>>> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)
>>>
>>> # one-liner to decode access token
>>> echo -n $KC_ACCESS_TOKEN | cut -d "." -f 2 | base64 -d | jq .
>>>
>>> {
>>> "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
>>> "exp": 1473348085,
>>> "nbf": 0,
>>> "iat": 1473347785,
>>> "iss": "http://localhost:8081/auth/realms/acme-test",
>>> "aud": "app1",
>>> "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
>>> "typ": "Bearer",
>>> "azp": "app1",
>>> "auth_time": 0,
>>> "session_state":
"bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
>>> "acr": "1",
>>> "client_session":
"db292d8b-263e-4030-9b93-a1d37e5ee5eb",
>>> "allowed-origins": [],
>>> "resource_access": {
>>> "app-js-demo-client": {
>>> "roles": [
>>> "user"
>>> ]
>>> },
>>> "account": {
>>> "roles": [
>>> "manage-account",
>>> "view-profile"
>>> ]
>>> }
>>> },
>>> "name": "Theo Tester",
>>> "preferred_username": "tester",
>>> "given_name": "Theo",
>>> "family_name": "Tester",
>>> "email": "tom+tester@localhost"
>>> }
>>>
>>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3510
days inactive
3511
days old
4 comments
3 participants
participants (3)
-
Christopher Davies -
Stian Thorgersen -
Thomas Darimont