#!/usr/bin/env bash
#
# JWT Decoder Bash Script
#
# Decodes the header and payload of an HMAC-SHA256 (HS256) signed JWT, such as
# the Kiali login token found in the Kiali cookie, and recomputes the signature
# with a shared secret. To run, pipe the encoded token into the script:
#   echo -n "$MY_JWT_TOKEN" | ./jwt-decode.sh [-k|--key <signing-key>]
# The built-in default key is only a placeholder: the signature check is
# meaningful only with the key the server actually signs tokens with, and the
# decoded claims should be treated as untrusted unless it reports "valid".
#
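# Key used to recompute the HMAC. 'kiali' is only a placeholder default; pass
# the server's real signing key with -k/--key, otherwise every token will be
# reported as "NOT valid" (or, worse, a token minted with the placeholder key
# will be reported as valid). The key is passed on argv, so it is briefly
# visible to other local users via `ps`.
secret='kiali'
while [ $# -gt 0 ]; do
  key="$1"
  case $key in
    -k|--key)
      # -k must carry a value: the original fell through with an empty secret
      # (and a failing second `shift`) when the value was missing.
      if [ $# -lt 2 ] || [ -z "$2" ]; then
        echo "Option [$key] requires a signing key. Aborting." >&2
        exit 1
      fi
      secret="$2"
      shift 2
      ;;
    *)
      echo "Unknown argument [$key]. Aborting." >&2
      exit 1
      ;;
  esac
done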
base64_encode()
{
  # Base64url-encode the input: plain base64 with the '=' padding and any
  # line wraps dropped, and '/' '+' swapped for '_' '-' (the JWT alphabet).
  # Arguments: $1 - bytes to encode; read from stdin when absent or empty.
  # Outputs:   the encoded string, with no trailing newline, on stdout.
  local raw
  if [[ -n ${1-} ]]; then
    raw=$1
  else
    raw=$(</dev/stdin)
  fi
  printf '%s' "${raw}" | base64 | tr -d '=\n' | tr '/+' '_-'
}
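base64_decode()
{
  # Decode a base64url string (the inverse of base64_encode) to raw bytes.
  # Arguments: $1 - encoded string; read from stdin when absent or empty.
  # Outputs:   the decoded bytes on stdout.
  # Returns:   1 when the length is impossible for base64 (len % 4 == 1) or
  #            when `base64 --decode` rejects the input; 0 otherwise.
  local input
  input=${1:-$(</dev/stdin)}
  # base64_encode swapped '/' '+' for '_' '-' to make the string URL safe;
  # a strict decoder rejects those characters, so map them back first.
  input=$(printf '%s' "${input}" | tr '_-' '/+')
  # A standard base64 string is always `n % 4 == 0`. The '=' padding that
  # guarantees this was stripped when the JWT was created, so restore it.
  # A remainder of 1 can never come from a base64 encoder, so it is fatal.
  # (The original wrote `>2&`, which created a file named "2", printed the
  # error on stdout and then carried on decoding anyway.)
  case $(( ${#input} % 4 )) in
    1)
      echo "fatal error. base64 string is unexpected length" >&2
      return 1
      ;;
    2) input="${input}==" ;;
    3) input="${input}=" ;;
  esac
  printf '%s' "${input}" | base64 --decode
}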
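verify_signature()
{
  # Recompute the HS256 signature over "<header>.<payload>" with the global
  # `secret` (via hmacsha256_encode) and compare it with the token's own.
  # Arguments: $1 - base64url header and payload joined by '.'
  #            $2 - base64url signature carried by the token
  # Outputs:   "Signature is valid" or "Signature is NOT valid" on stdout.
  # Returns:   0 on a match, 1 otherwise, so the script's exit status can be
  #            used in automation instead of grepping the output.
  # NOTE: the token's `alg` header is not consulted; anything that is not an
  # HS256 signature under `secret` is simply reported as NOT valid. The string
  # compare is not constant-time, which is acceptable for an offline tool.
  local header_and_payload=$1
  local actual=$2
  local expected
  expected=$(printf '%s' "${header_and_payload}" | hmacsha256_encode | base64_encode)
  # Guard against an empty expected value (e.g. openssl missing or failing):
  # without it a token with no signature part would compare "" = "" and be
  # reported as valid.
  if [ -n "${expected}" ] && [ "${expected}" = "${actual}" ]; then
    echo "Signature is valid"
    return 0
  fi
  echo "Signature is NOT valid"
  return 1
}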
hmacsha256_encode()
{
  # HMAC-SHA256 the message under the global `secret`, emitting raw bytes.
  # Arguments: $1 - message; read from stdin when absent or empty.
  # Globals:   secret (read) - the HMAC key.
  # Outputs:   the 32-byte binary MAC on stdout.
  # NOTE: the key is handed to openssl on its command line, so it is briefly
  # visible to other local users via `ps`; fine for a debugging script only.
  local message
  if [[ -n ${1-} ]]; then
    message=$1
  else
    message=$(</dev/stdin)
  fi
  printf '%s' "${message}" | openssl dgst -sha256 -hmac "${secret}" -binary
}
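# Read the token from stdin. The option loop above consumes every argument (or
# exits), so "$1" is always empty here and the token never arrives via argv.
declare token=${1:-$(</dev/stdin)}
IFS='.' read -ra pieces <<< "$token"
# A compact JWS is exactly header.payload.signature; anything else would
# otherwise be decoded with empty parts and reported as merely "NOT valid".
if [ "${#pieces[@]}" -ne 3 ]; then
  echo "fatal error. expected a token of the form header.payload.signature, got ${#pieces[@]} part(s)" >&2
  exit 1
fi
declare header=${pieces[0]}
declare payload=${pieces[1]}
declare signature=${pieces[2]}
# the payload may have different base64 strings separated with dash characters
IFS='-' read -ra payload_pieces <<< "$payload"
# NOTE: the header and payload are printed *before* the signature is checked.
# Treat the decoded claims as untrusted input unless the final line reports
# that the signature is valid.
echo "Header"
printf '%s' "${header}" | base64_decode | jq
echo "Payload"
payload_decoded=""
for piece in "${payload_pieces[@]}"; do
  if [ -n "${payload_decoded}" ]; then
    payload_decoded="${payload_decoded}~" # OpenShift OAuth access tokens want "~" character
  fi
  payload_decoded="${payload_decoded}$(printf '%s' "${piece}" | base64_decode)"
done
echo "${payload_decoded}" | jq
verify_signature "${header}.${payload}" "${signature}"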