Forked from justindav1s/Keycloak JWT Token validation in Bash
Created
November 3, 2023 08:06
-
-
Save svx/24f65db7207b5d67190e0fa744027ce7 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # This script requires jq, a command line to to parse and format JSon. | |
| # https://stedolan.github.io/jq/ | |
| function padBase64 { | |
| STR=$1 | |
| MOD=$((${#STR}%4)) | |
| if [ $MOD -eq 1 ]; then | |
| STR="${STR}=" | |
| elif [ $MOD -gt 1 ]; then | |
| STR="${STR}==" | |
| fi | |
| echo ${STR} | |
| } | |
| KEYCLOAK=http://127.0.0.1:8080 | |
| REALM="demo" | |
| GRANT_TYPE="password" | |
| CLIENT="tpp1" | |
| CLIENT_SECRET="b38eae9d-d5ef-4a98-b1e6-6b5084b09d91" | |
| USER="test_user2" | |
| USER_PASSWORD="123456" | |
| echo "Keycloak host : $KEYCLOAK" | |
| echo "Token URL : ${KEYCLOAK}/auth/realms/${REALM}/protocol/openid-connect/token" | |
| #Get Token | |
| POST_BODY="grant_type=${GRANT_TYPE}&client_id=${CLIENT}&client_secret=${CLIENT_SECRET}&username=${USER}&password=${USER_PASSWORD}" | |
| echo POST_BODY=${POST_BODY} | |
| RESPONSE=$(curl -k \ | |
| -d ${POST_BODY} \ | |
| -H "Content-Type: application/x-www-form-urlencoded" \ | |
| ${KEYCLOAK}/auth/realms/${REALM}/protocol/openid-connect/token) | |
| echo "RESPONSE"=${RESPONSE} | |
| ACCESS_TOKEN=$(echo ${RESPONSE} | jq -r .access_token) | |
| PART1_BASE64=$(echo ${ACCESS_TOKEN} | cut -d"." -f1) | |
| PART1_BASE64=$(padBase64 ${PART1_BASE64}) | |
| echo "HEADER" | |
| echo $(echo ${PART1_BASE64} | base64 -D) | |
| PART2_BASE64=$(echo ${ACCESS_TOKEN} | cut -d"." -f2) | |
| PART2_BASE64=$(padBase64 ${PART2_BASE64}) | |
| echo | |
| echo "PAYLOAD" | |
| echo $(echo ${PART2_BASE64} | base64 -D | jq .) | |
| HEADERPAYLOAD_BASE64=$(echo ${ACCESS_TOKEN} | cut -d"." -f1-2) | |
| echo -n $HEADERPAYLOAD_BASE64 > HEADERPAYLOAD_BASE64.txt | |
| PART3_BASE64=$(echo ${ACCESS_TOKEN} | cut -d"." -f3) | |
| PART3_BASE64=$(padBase64 ${PART3_BASE64}) | |
| echo -n $PART3_BASE64 \ | |
| | perl -ne 'tr|-_|+/|; print "$1\n" while length>76 and s/(.{0,76})//; print' \ | |
| | openssl enc -base64 -d > sig.dat | |
| echo | |
| #Get Public Key | |
| REALM_URL=${KEYCLOAK}/auth/realms/${REALM} | |
| PUBLIC_KEY=$(curl -k $REALM_URL | jq -r .public_key) | |
| PUBLIC_KEY=$(echo -n $PUBLIC_KEY | perl -ne 'tr|-_|+/|; print "$1\n" while length>76 and s/(.{0,76})//; print') | |
| cat <<EOF > key.pem | |
| -----BEGIN PUBLIC KEY----- | |
| $PUBLIC_KEY | |
| -----END PUBLIC KEY----- | |
| EOF | |
| #Perform Validation | |
| openssl dgst -sha256 -verify key.pem -signature sig.dat HEADERPAYLOAD_BASE64.txt |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment