Revisions
stokito revised this gist
Jun 27, 2020 . No changes.There are no files selected for viewing
stokito revised this gist
Feb 1, 2020 . 1 changed file with 26 additions and 8 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -44,7 +44,7 @@ base64_padding() base64url_to_b64() { base64_padding "${1}" | tr -- '-_' '+/' } # read the JWT from stdin and split by comma into three variables @@ -67,6 +67,7 @@ echo "${JWT_SIGNATURE_B64}" JWT_ALG=$(echo "$JWT_HEADER" | jq -r .alg) JWT_KID=$(echo "$JWT_HEADER" | jq -r .kid) JWT_TYP=$(echo "$JWT_HEADER" | jq -r .typ) JWT_ISS=$(echo "$JWT_PAYLOAD" | jq -r .iss) JWT_SUB=$(echo "$JWT_PAYLOAD" | jq -r .sub) JWT_EMAIL=$(echo "$JWT_PAYLOAD" | jq -r .email) JWT_IAT=$(echo "$JWT_PAYLOAD" | jq -r .iat) 
@@ -75,19 +76,36 @@ echo "sub: $JWT_SUB email: $JWT_EMAIL iat: $JWT_IAT" # verify signature if [ ${JWT_ALG} = "RS256" ]; then PUB_KEY_FILE="/var/tmp/oauth/$JWT_KID.key.pub.pem" if [ ! -f $PUB_KEY_FILE ]; then >&2 echo "No pub key $JWT_KID" if [ $JWT_ISS = "https://accounts.google.com" ]; then mkdir -p /var/tmp/oauth/ # use old jwks_url which return certs in PEM format OAUTH_CERTS_URL="https://www.googleapis.com/oauth2/v1/certs" echo "Fetch it from $OAUTH_CERTS_URL" wget $OAUTH_CERTS_URL -q -O /tmp/jwks.json CERT_FILE="/tmp/$JWT_KID.crt" jq -r ".$JWT_KID" /tmp/jwks.json > "$CERT_FILE" rm /tmp/jwks.json openssl x509 -pubkey -in "$CERT_FILE" -noout > "$PUB_KEY_FILE" rm "$CERT_FILE" else exit 1 fi fi SIG_FILE="/tmp/$JWT_SUB-$JWT_IAT.sig.dat" echo -n "$JWT_SIGNATURE_B64" | base64 -d > ${SIG_FILE} JWT_BODY=$(echo -n "$JWT_HEADER_B64URL.$JWT_PAYLOAD_B64URL") echo -n "$JWT_BODY" | openssl dgst -sha256 -verify "${PUB_KEY_FILE}" -signature ${SIG_FILE} JWT_SIG_VERIFIED=$? rm ${SIG_FILE} if [ ${JWT_SIG_VERIFIED} -ne 0 ]; then >&2 echo "Bad Signature" exit ${JWT_SIG_VERIFIED} exit; fi else >&2 echo "Error 3: Unsupported signature algorithm $JWT_ALG" exit 3 fi -
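Review bot: `JWT_KID` comes straight from the not-yet-verified JWT header and is used unvalidated both as a path component (`/var/tmp/oauth/$JWT_KID.key.pub.pem`, `/tmp/$JWT_KID.crt`) and inside the jq program `jq -r ".$JWT_KID"`, so a crafted `kid` can redirect which file is read or written and changes the jq filter itself; the same path construction is present in the Jan 21, 2020 revisions below (`/var/cache/oauth/$JWT_KID.key.pub.pem`). Restrict `kid` to a safe character set before it is used anywhere and hand it to jq as a variable instead of interpolating it. The `iss` comparison only runs on a cache miss, so any PEM already present under /var/tmp/oauth/ is trusted without an issuer check, and /var/tmp is a world-writable parent, so another local user may be able to seed that directory first; a directory only this script's user can write to (or `/var/cache/oauth` as earlier revisions used) avoids that. The `exit;` after `exit ${JWT_SIG_VERIFIED}` is unreachable.
```shell
# … unchanged: header/payload decoding and claim extraction …
case "$JWT_KID" in
  ''|*[!A-Za-z0-9_-]*) >&2 echo "Error 2: Invalid kid"; exit 2 ;;
esac
# … unchanged: alg check and cache-miss branch up to the wget …
jq -r --arg kid "$JWT_KID" '.[$kid]' /tmp/jwks.json > "$CERT_FILE"
# … unchanged: PEM conversion and signature verification …
```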
stokito revised this gist
Jan 23, 2020 . 1 changed file with 2 additions and 4 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -33,9 +33,9 @@ base64_padding() local len=$(( ${#1} % 4 )) local padded_b64='' if [ ${len} = 2 ]; then padded_b64="${1}==" elif [ ${len} = 3 ]; then padded_b64="${1}=" else padded_b64="${1}" fi @@ -91,5 +91,3 @@ else >&2 echo "Unsupported signature algorithm" exit 1 fi -
stokito revised this gist
Jan 21, 2020 . 1 changed file with 4 additions and 4 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -9,10 +9,10 @@ # NOTE: For Google you can get the keys in PEM format via https://www.googleapis.com/oauth2/v1/certs # Decode the keys with decodeURIComponent() # TODO fetch public key automatically in https://jwt.io/ manner: # get "kid" field from JWT header # get "iss" field from JWT header which is the token issuer url e.g. https://accounts.google.com # add /.well-known/openid-configuration and fetch OIDC discovery e.g. wget https://accounts.google.com/.well-known/openid-configuration # from the OIDC discovery JSON take jwks_uri e.g. https://www.googleapis.com/oauth2/v3/certs # in the JWKS find the public key (JWK) which signed the JWT # convert the JWK to PEM format to make openssl happy # store the fetched pub key into /var/cache/ and next time check it there first to avoid calls to jwks_uri -
stokito revised this gist
Jan 21, 2020 . 1 changed file with 17 additions and 11 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -22,7 +22,7 @@ # $ cat id_token.txt | ./jwt-decode.sh # if signature check failed then error code will be non-zero if [ -z $(command -v jq) ]; then echo "This script will NOT work on your machine." echo "Please install jq first: https://stedolan.github.io/jq/download/" exit 1 @@ -31,20 +31,20 @@ fi base64_padding() { local len=$(( ${#1} % 4 )) local padded_b64='' if [ ${len} = 2 ]; then padded_b64="${1}"'==' elif [ ${len} = 3 ]; then padded_b64="${1}"'=' else padded_b64="${1}" fi echo -n "$padded_b64" } base64url_to_b64() { base64_padding ${1} | tr -- '-_' '+/' } # read the JWT from stdin and split by comma into three variables @@ -82,8 +82,14 @@ if [ ${JWT_ALG} = "RS256" ]; then echo -n "$JWT_BODY" | openssl dgst -sha256 -verify ${PUB_KEY_FILE} -signature ${SIG_FILE} JWT_SIG_VERIFIED=$? rm ${SIG_FILE} if [ ${JWT_SIG_VERIFIED} -ne 0 ]; then >&2 echo "Bad Signature" exit ${JWT_SIG_VERIFIED} exit; fi else >&2 echo "Unsupported signature algorithm" exit 1 fi echo -n "${JWT_PAYLOAD}" -
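Review bot: The jq presence check became `[ -z $(command -v jq) ]`, which only works because an empty unquoted substitution vanishes and a one-argument `[ -z ]` happens to be true; `if ! command -v jq >/dev/null 2>&1; then` tests the exit status directly and is portable under the `#!/bin/sh` shebang. `base64_padding ${1}` in `base64url_to_b64` is likewise unquoted (the Feb 1, 2020 revision quotes it). In the verification branch the `exit;` after `exit ${JWT_SIG_VERIFIED}` can never run; the enclosing `if` starts outside this hunk.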
stokito revised this gist
Jan 21, 2020 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -58,9 +58,9 @@ JWT_HEADER=$(echo "${JWT_HEADER_B64}" | base64 -d) JWT_PAYLOAD=$(echo "${JWT_PAYLOAD_B64}" | base64 -d) echo "JWT Header:" echo "${JWT_HEADER}" | jq echo "JWT Payload:" echo "${JWT_PAYLOAD}" | jq echo "JWT Signature (Base 64 padded):" echo "${JWT_SIGNATURE_B64}" -
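Review bot: `echo "${JWT_HEADER}" | jq` drops the explicit `'.'` filter; as far as I recall jq only defaults a missing filter to `.` from 1.6 onward, so older installs print a usage error here instead of the pretty-printed header. Keeping `jq '.'` costs nothing and matches the `jq -r .alg` style used elsewhere in the file.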
stokito revised this gist
Jan 21, 2020 . 1 changed file with 3 additions and 4 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -64,8 +64,7 @@ echo "${JWT_PAYLOAD}" | jq '.' echo "JWT Signature (Base 64 padded):" echo "${JWT_SIGNATURE_B64}" JWT_ALG=$(echo "$JWT_HEADER" | jq -r .alg) JWT_KID=$(echo "$JWT_HEADER" | jq -r .kid) JWT_TYP=$(echo "$JWT_HEADER" | jq -r .typ) JWT_SUB=$(echo "$JWT_PAYLOAD" | jq -r .sub) @@ -82,8 +81,8 @@ if [ ${JWT_ALG} = "RS256" ]; then JWT_BODY=$(echo -n "$JWT_HEADER_B64URL.$JWT_PAYLOAD_B64URL") echo -n "$JWT_BODY" | openssl dgst -sha256 -verify ${PUB_KEY_FILE} -signature ${SIG_FILE} JWT_SIG_VERIFIED=$? rm ${SIG_FILE} exit ${JWT_SIG_VERIFIED} else >&2 echo "Unsupported signature algorithm" exit 1 -
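Review bot: A passing `openssl dgst -verify` is now the script's only acceptance criterion: `exp`, `aud` and `iss` are never checked, so an expired token issued for a different audience still exits 0 after "Verified OK"; at minimum compare `exp` with the current time and document that audience/issuer validation is the caller's job. Reading `alg` from the header and accepting only RS256 is the right shape, but `[ ${JWT_ALG} = "RS256" ]`, `-verify ${PUB_KEY_FILE}` and `-signature ${SIG_FILE}` are unquoted even though the values derive from `kid`, `sub` and `iat` taken out of the token; `-verify "${PUB_KEY_FILE}" -signature "${SIG_FILE}"`. The enclosing `if` block starts before this hunk.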
stokito revised this gist
Jan 21, 2020 . 2 changed files with 90 additions and 79 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,90 @@ #!/bin/sh # Decode a JWT from stdin and verify it's signature with the JWT issuer public key # Only RS256 keys are supported for signature check # # Put OAuth server public key in PEM format to /var/cache/oauth/$JWT_KID.key.pub.pem # You must create the folder first # $ sudo mkdir -p /var/cache/oauth/ # To converted key from JWK to PEM use https://8gwifi.org/jwkconvertfunctions.jsp or https://keytool.online/ # NOTE: For Google you can get the keys in PEM format via https://www.googleapis.com/oauth2/v1/certs # Decode the keys with decodeURIComponent() # TODO fetch public key automatically in https://jwt.io/ manner: # ket "kid" field from JWT header # get "iss" field from JWT header which is the token issuer url e.g. https://accounts.google.com/.well-known/openid-configuration # add .well-known/openid-configuration and fetch OIDC discovery # from it take jwks_uri e.g. https://www.googleapis.com/oauth2/v3/certs # in the JWKS find the public key (JWK) which signed the JWT # convert the JWK to PEM format to make openssl happy # store the fetched pub key into /var/cache/ and next time check it there first to avoid calls to jwks_uri # HOW TO USE: # $ chmod +x jwt-decode.sh # Parse file: # $ cat id_token.txt | ./jwt-decode.sh # if signature check failed then error code will be non-zero if [[ -z $(command -v jq) ]]; then echo "This script will NOT work on your machine." echo "Please install jq first: https://stedolan.github.io/jq/download/" exit 1 fi base64_padding() { local len=$(( ${#1} % 4 )) local padded_b64=${1} if (( ${len} == 2 )) then padded_b64="$1"'==' elif (( ${len} == 3 )) then padded_b64="$1"'=' fi echo -n "$padded_b64" } base64url_to_b64() { base64_padding ${1} | tr -- '-_ ' '+/=' } # read the JWT from stdin and split by comma into three variables IFS='.' 
read -r JWT_HEADER_B64URL JWT_PAYLOAD_B64URL JWT_SIGNATURE_B64URL JWT_HEADER_B64=$(base64url_to_b64 ${JWT_HEADER_B64URL}) JWT_PAYLOAD_B64=$(base64url_to_b64 ${JWT_PAYLOAD_B64URL}) JWT_SIGNATURE_B64=$(base64url_to_b64 ${JWT_SIGNATURE_B64URL}) JWT_HEADER=$(echo "${JWT_HEADER_B64}" | base64 -d) JWT_PAYLOAD=$(echo "${JWT_PAYLOAD_B64}" | base64 -d) echo "JWT Header:" echo "${JWT_HEADER}" | jq '.' echo "JWT Payload:" echo "${JWT_PAYLOAD}" | jq '.' echo "JWT Signature (Base 64 padded):" echo "${JWT_SIGNATURE_B64}" #JWT_ALG=$(echo "$JWT_HEADER" | jq -r .alg) JWT_ALG="HS256" JWT_KID=$(echo "$JWT_HEADER" | jq -r .kid) JWT_TYP=$(echo "$JWT_HEADER" | jq -r .typ) JWT_SUB=$(echo "$JWT_PAYLOAD" | jq -r .sub) JWT_EMAIL=$(echo "$JWT_PAYLOAD" | jq -r .email) JWT_IAT=$(echo "$JWT_PAYLOAD" | jq -r .iat) echo "alg: $JWT_ALG kid: $JWT_KID" echo "sub: $JWT_SUB email: $JWT_EMAIL iat: $JWT_IAT" # verify signature if [ ${JWT_ALG} = "RS256" ]; then PUB_KEY_FILE="/var/cache/oauth/$JWT_KID.key.pub.pem" SIG_FILE="/tmp/$JWT_SUB-$JWT_IAT.sig.dat" echo -n "$JWT_SIGNATURE_B64" | base64 -d > ${SIG_FILE} JWT_BODY=$(echo -n "$JWT_HEADER_B64URL.$JWT_PAYLOAD_B64URL") echo -n "$JWT_BODY" | openssl dgst -sha256 -verify ${PUB_KEY_FILE} -signature ${SIG_FILE} JWT_SIG_VERIFIED=$? rm $SIG_FILE exit $JWT_SIG_VERIFIED else >&2 echo "Unsupported signature algorithm" exit 1 fi This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,79 +0,0 @@ -
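Review bot: The new `jwt-decode.sh` is declared `#!/bin/sh` but still uses `[[ -z ... ]]`, `(( ${len} == 2 ))` and `echo -n`, which are bash features; under dash `(( ... ))` is parsed as nested subshells and the script fails before it reads the token, and `echo -n` may print a literal `-n`. Either keep `#!/usr/bin/env bash` or switch to `[ "$len" -eq 2 ]` and `printf '%s' "$padded_b64"`. `JWT_ALG="HS256"` is hard-coded with the `jq -r .alg` line commented out, so the RS256 branch is never taken and every token exits 1 as unsupported — this reads like a debugging leftover. `tr -- '-_ ' '+/='` also maps spaces to `=`, which is not part of the base64url-to-base64 conversion, and the global `IFS='.'` stays in effect for the rest of the script.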
stokito revised this gist
Jan 21, 2020 . 1 changed file with 54 additions and 8 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,14 +1,39 @@ #!/usr/bin/env bash # HOW TO USE: # put OAuth server public key in pem format to /var/cache/oauth/$JWT_KID.key.pub.pem # sudo mkdir -p /var/cache/oauth/ # $ chmod +x jwtDecoder.sh # $ ./jwtDecoder.sh "<JWT token>" # Parse file: # $ JWT=$(cat id_token.txt) # $ ./jwtDecoder.sh $JWT if [[ -z $(command -v jq) ]]; then echo "This script will NOT work on your machine." echo "Please install jq first: https://stedolan.github.io/jq/download/" exit 1 fi function base64_padding() { local len=$(( ${#1} % 4 )) local padded_b64=${1} if (( ${len} == 2 )) then padded_b64="$1"'==' elif (( ${len} == 3 )) then padded_b64="$1"'=' fi echo -n "$padded_b64" } function base64url_to_b64() { base64_padding ${1} | tr -- '-_ ' '+/=' } #input=`cat id_token.txt` clear input=("${@}") input=("${input//$'\n'/}") 
@@ -18,16 +43,37 @@ token=$(IFS=$'\n'; echo "${input[*]}") echo -e "JWT token:\\n${token}" IFS='.' read -ra ADDR <<< "$token" JWT_HEADER_B64URL=${ADDR[0]} JWT_PAYLOAD_B64URL=${ADDR[1]} JWT_SIGNATURE_B64URL=${ADDR[2]} JWT_HEADER_B64=$(base64url_to_b64 ${JWT_HEADER_B64URL}) JWT_PAYLOAD_B64=$(base64url_to_b64 ${JWT_PAYLOAD_B64URL}) JWT_SIGNATURE_B64=$(base64url_to_b64 ${JWT_SIGNATURE_B64URL}) JWT_HEADER=$(echo "${JWT_HEADER_B64}" | base64 -d) JWT_PAYLOAD=$(echo "${JWT_PAYLOAD_B64}" | base64 -d) echo "JWT Header:" echo "${JWT_HEADER}" | jq '.' echo "JWT Payload:" echo "${JWT_PAYLOAD}" | jq '.' echo "JWT Signature (Base 64):" echo "${JWT_SIGNATURE_B64}" JWT_ALG=$(echo "$JWT_HEADER" | jq -r .alg) JWT_KID=$(echo "$JWT_HEADER" | jq -r .kid) JWT_TYP=$(echo "$JWT_HEADER" | jq -r .typ) JWT_SUB=$(echo "$JWT_PAYLOAD" | jq -r .sub) JWT_EMAIL=$(echo "$JWT_PAYLOAD" | jq -r .email) JWT_IAT=$(echo "$JWT_PAYLOAD" | jq -r .iat) echo "alg: $JWT_ALG kid: $JWT_KID" echo "sub: $JWT_SUB email: $JWT_EMAIL iat: $JWT_IAT" SIG_FILE="/tmp/$JWT_SUB-$JWT_IAT.sig.dat" echo -n "$JWT_SIGNATURE_B64" | base64 -d > $SIG_FILE JWT_BODY=$(echo -n "$JWT_HEADER_B64URL.$JWT_PAYLOAD_B64URL") echo -n "$JWT_BODY" | openssl dgst -sha256 -verify "/var/cache/oauth/$JWT_KID.key.pub.pem" -signature $SIG_FILE -
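Review bot: `SIG_FILE="/tmp/$JWT_SUB-$JWT_IAT.sig.dat"` is a predictable path assembled from claims in a token that has not been verified yet, and it is written with `>` into a world-writable directory; use `SIG_FILE=$(mktemp) || exit 1` and `trap 'rm -f -- "$SIG_FILE"' EXIT` instead. The same pattern is kept in the later revisions above, which add `/tmp/jwks.json` and `/tmp/$JWT_KID.crt` in the Feb 1, 2020 revision. The result of `openssl dgst -verify` is not checked here, so the script's exit status is 0 whether or not the signature matched.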
stokito revised this gist
Jan 18, 2020 . 1 changed file with 13 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -18,6 +18,16 @@ token=$(IFS=$'\n'; echo "${input[*]}") echo -e "JWT token:\\n${token}" IFS='.' read -ra ADDR <<< "$token" JWT_HEADER=$(echo "${ADDR[0]}" | base64 -d 2> /dev/null) JWT_PAYLOAD=$(echo "${ADDR[1]}" | base64 -d 2> /dev/null) JWT_SIGNATURE="${ADDR[2]}" echo "JWT Header:" echo "${JWT_HEADER}" | jq '.' echo "JWT Payload:" echo "${JWT_PAYLOAD}" | jq '.' echo "JWT Signature:" echo "${JWT_SIGNATURE}" JWT_SUB=$(echo "$JWT_PAYLOAD" | jq -r .sub) JWT_EMAIL=$(echo "$JWT_PAYLOAD" | jq -r .email) echo "sub: $JWT_SUB email: $JWT_EMAIL" -
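Review bot: `base64 -d 2> /dev/null` is applied to the raw JWT segments, which are base64url (`-`/`_` alphabet, no padding), so decoding can fail and the redirect hides it; `JWT_PAYLOAD` is then empty and `jq -r .sub` prints nothing useful. The same silent decode is in the Oct 9, 2018 revisions below. Converting the alphabet and re-adding padding first (as `base64url_to_b64` does in later revisions), or at least not discarding stderr, makes the failure visible.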
KevCui revised this gist
Oct 9, 2018 . 1 changed file with 1 addition and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -5,8 +5,7 @@ if [[ -z $(command -v jq) ]]; then echo "This script will NOT work on your machine." echo "Please install jq first: https://stedolan.github.io/jq/download/" exit 1 fi -
KevCui revised this gist
Oct 9, 2018 . 1 changed file with 0 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,5 @@ #!/usr/bin/env bash # HOW TO USE: # ~$ chmod +x jwtDecoder.sh # ~$ ./jwtDecoder.sh "<JWT token>" -
KevCui revised this gist
Oct 9, 2018 . 1 changed file with 3 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,8 @@ #!/usr/bin/env bash # HOW TO USE: # ~$ wget "https://gist.github.com/KevCui/767ebcdf8afb1df2a2abb4e95d9a70e3/raw/82427e0e6d2894d9dfd65b2e72e79ddf5fc7f44d/jwtDecoder.sh" # ~$ chmod +x jwtDecoder.sh # ~$ ./jwtDecoder.sh "<JWT token>" if [[ -z $(command -v jq) ]]; then echo "This script will NOT work on your machine." -
KevCui revised this gist
Oct 9, 2018 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -13,11 +13,11 @@ clear input=("${@}") input=("${input//$'\n'/}") input=("${input//' '/}") token=$(IFS=$'\n'; echo "${input[*]}") echo -e "JWT token:\\n${token}" IFS='.' read -ra ADDR <<< "$token" for i in "${ADDR[@]}"; do echo "$i" | base64 -d 2> /dev/null | jq '.' 2> /dev/null done -
KevCui revised this gist
Oct 9, 2018 . No changes.There are no files selected for viewing
KevCui revised this gist
Oct 9, 2018 . No changes.There are no files selected for viewing
KevCui revised this gist
Oct 9, 2018 . 1 changed file with 2 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,6 @@ #!/usr/bin/env bash # HOW TO USE: # ./jwtDecoder.sh "<JWT token>" if [[ -z $(command -v jq) ]]; then echo "This script will NOT work on your machine." -
KevCui created this gist
Oct 9, 2018 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,21 @@ #!/usr/bin/env bash if [[ -z $(command -v jq) ]]; then echo "This script will NOT work on your machine." echo "Please install jq using command below:" echo "> brew install jq" exit 1 fi clear input=("${@}") input=("${input//$'\n'/}") input=("${input//' '/}") token=$( IFS=$'\n'; echo "${input[*]}" ) echo -e "JWT token:\\n${token}" IFS='.' read -ra ADDR <<< "$token" for i in "${ADDR[@]}"; do echo "$i" | base64 -d 2> /dev/null | jq . 2> /dev/null done