Snippets
The start of a collection of useful snippets (or "tit-bits") that don't warrant entire pages but might be useful to someone sometime, probably me!
Decoding JWTs for OpenID Federation
OpenID Federation likes JWTs. These are often shipped around in a not-human-friendly base64 encoded form:
base64(header) + "." + base64(json_payload) + "." + base64(signature)
Furthermore, they sometimes carry other JWTs within their payload data structure (within trust_chain or trust_marks).
This snippet takes a JWT from stdin and decodes both the JWT itself and the contents of various other elements that are also JWTs (trust_chain and trust_marks) if present, and decodes the unixtimes (iat and exp) into ISO 8601 human-readable timestamps.
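curl https://www.example.com/.well-known/openid-federation \
  | jq -R '
    # Decode the payload (second segment) of a compact JWT.
    # JWT segments use the URL-safe base64 alphabet, which @base64d does not
    # understand, so map "-" and "_" back to "+" and "/" first.
    def payload:
      split(".")[1] | gsub("-"; "+") | gsub("_"; "/") | @base64d | fromjson;

    payload
    # Decode the JWTs nested in trust_chain and trust_marks, if present.
    | if .trust_chain then
        .trust_chain |= map(payload)
      else . end
    | if .trust_marks then
        .trust_marks[].trust_mark |= payload
      else . end
    # Convert iat/exp Unix times to ISO 8601 wherever they appear.
    | walk(
        if type == "object" then
          with_entries(
            if .key == "iat" or .key == "exp" then
              .value = (.value | todate)
            else . end
          )
        else . end
      )
  '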
Caution: It does not perform any signature verification so should not be used in a systematic way.
You could use it by doing something like:
curl -sS 'https://trust-anchor.example.com/resolve?sub=https://rp.example.com/&trust_anchor=https://trust-anchor.example.com/' | jwt-decode
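When reading a decoded chain it also helps to see each statement's header (alg, kid) and whether its iat/exp window has passed. The following Python is an added example, not part of the original snippet; the function names, the fixed clock NOW and the sample tokens are constructed for illustration, and like the jq filter it does no signature verification.

```python
import base64, json
from datetime import datetime, timezone

def b64url_json(segment):
    """Decode one JWT segment: base64url alphabet, padding stripped (RFC 7515)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def window(payload, now):
    """Classify iat/exp against `now` (Unix seconds). Says nothing about trust."""
    exp, iat = payload.get("exp"), payload.get("iat")
    if exp is None:
        return "no exp claim"
    if exp <= now:
        return "expired"
    if iat is not None and iat > now:
        return "issued in the future"
    return "inside iat/exp window"

def summarize(jwt, now, where="statement"):
    """One row for this JWT, then rows for JWTs nested in trust_chain/trust_marks."""
    header_seg, payload_seg, _signature = jwt.split(".")  # signature NOT checked
    header, payload = b64url_json(header_seg), b64url_json(payload_seg)
    exp = payload.get("exp")
    rows = [{
        "where": where, "alg": header.get("alg"), "kid": header.get("kid"),
        "iss": payload.get("iss"), "sub": payload.get("sub"),
        "exp": exp and datetime.fromtimestamp(exp, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "window": window(payload, now),
    }]
    for i, inner in enumerate(payload.get("trust_chain", [])):
        rows += summarize(inner, now, f"{where}.trust_chain[{i}]")
    for i, mark in enumerate(payload.get("trust_marks", [])):
        rows += summarize(mark["trust_mark"], now, f"{where}.trust_marks[{i}]")
    return rows

def sample_jwt(payload):
    """Constructed sample token; the third segment is a placeholder, not a signature."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "ES256", "kid": "sample-key"}), enc(payload), "c2FtcGxl"])

NOW = 1700000000  # fixed clock (constructed) so the output is reproducible
MARK = sample_jwt({"iss": "https://ta.example.com", "sub": "https://rp.example.com", "iat": 1690000000, "exp": 1699999999})
ENTITY = sample_jwt({"iss": "https://rp.example.com", "sub": "https://rp.example.com",
                     "iat": 1699990000, "exp": 1700090000, "trust_marks": [{"trust_mark": MARK}]})

if __name__ == "__main__":
    for row in summarize(ENTITY, NOW):
        print(row)
```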