-
-
Notifications
You must be signed in to change notification settings - Fork 647
Sample Node Tool jwtverify
TOP | Wiki | DOWNLOADS | TUTORIALS | API REFERENCE | Online Tool | DEMO | NODE TOOL
Script source code is here.
This script is to verify JWT(JSON Web Token) or JWS(JSON Web Signature) file or string using KJUR.jws.JWS.verifyJWT() method. It has following features:
- HS256/384/512,RS256/384/512,PS256/384/512,ES256/384 signature algorithm support
- string, hexadecimal and Base64URL passcode support for HS* signatures
- JWS and JWT validation
- JWT/JWS signature can be provided by a file or a string argument.
- Verbose mode for validation in detail.
To verify JWS(JSON Web Signature) or signature of JWT(JSON Web Token), you need to specify public key or HMAC password. For RS*, PS* and ES* signatures, you can specify public key by '-k' option as following:
% jwtverify -k rsa1.pem aaa.jws
This JWT/JWS is valid.
For an invalid signature, following message will be shown.
% jwtverify -k rsa2.pem aaa.jws
This JWT/JWS is *NOT* valid.
To verify HS* hmac JWS signature, there are four ways to specify hmac password using password type '-t' and password '-p' option.
- -t utf8 -p aaa (specify password 'aaa' by UTF-8 string)
- -t hex -p 616161 (specify password '616161' (i.e. aaa) by hexadecimal string
- -t b64 -p YWFh (specify password 'YWFh' (i.e. aaa) by Base64 encoded string
- -t b64u -p YWFh (specify password 'YWFh' (i.e. aaa) by Base64URL encoded string
For example, to verify HS256 JWS signature with password '616161' in hexadecimal string, command will be following:
% jwtverify -t hex -p 616161 aaa.jws
Password type "-t utf8" and password "-p passwd" is default. When the password is "passwd" for JWS, you can omit options:
% jwtverify aaa.jws (when password is string "passwd")
This JWT/JWS is valid.
When HMAC password is string "test", then you can omit "-t utf8" option:
% jwtverify -p test aaa.jws
For JWT validation, this script will do extra check about following payload properties:
- --verify_at: time relation among validation time, 'nbf', 'exp' and 'iat' properties
- --accept_iss: acceptable 'iss' property
- --accept_sub: acceptable 'sub' property
The '-v' (verbose) option can be specified to see JSON header, JSON payload and what kind of check is done.
% jwtverify -v \
--accept_iss https://jwt-idp.example.com \
--accept_sub mailto:mike@example.com,mailto:joe@example.com \
--verify_at 20050101000000Z -p passwd aaa.jwt
*** HEADER ***
{
"alg": "HS256",
"typ": "JWT"
}
*** PAYLOAD ***
{
"iss": "https://jwt-idp.example.com",
"sub": "mailto:mike@example.com",
"nbf": 946684800,
"exp": 1262304000,
"iat": 946684800,
"jti": "id123456",
"typ": "https://example.com/register",
"aud": "http://foo1.com"
}
*** JWT/JWS VALIDATION RESULT ***
- on: JWS signature validation
- on: check acceptable signature algorithm
- on: verify at "20050101000000Z"
- on: check iss in "https://jwt-idp.example.com"
- on: check sub in "mailto:mike@example.com,mailto:joe@example.com"
This JWT/JWS is valid.
Script supports '-h' or '--help' option for help:
% jwtverify -h
Usage: jwtverify [options] <JWT/JWS file or string to verify>
verify JWT/jWS file or string
Options:
-h, --help output usage information
-V, --version output the version number
-t, --passtype <utf8|hex|b64|b64u> Hmac(HS*) pass type
-p, --pass <pass> Hmac(HS*) password in specfied type
-k, --pubkey <file> public key file (ex. PKCS#8 PEM or JWK)
-v, --verbose show header and payload
--accept_iss <iss1,...> check iss is in the iss list (ex. a@a.com,b@b.com)
--accept_sub <sub1,...> check sub is in the sub list (ex. a@a.com,b@b.com)
--verify_at <YYYYMMDDHHmmSSZ> verify at specified UTC time(ex. 20151123235959Z)