Wiki: Sample Node Tool jwtverify


CODE

The script source code is here.

DESCRIPTION

This script verifies a JWT (JSON Web Token) or JWS (JSON Web Signature) file or string using the KJUR.jws.JWS.verifyJWT() method. It has the following features:

USAGE

Basic JWS validation

To verify a JWS (JSON Web Signature) or the signature of a JWT (JSON Web Token), you need to specify a public key or an HMAC password. For RS*, PS* and ES* signatures, specify the public key with the '-k' option as follows:

% jwtverify -k rsa1.pem aaa.jws
This JWT/JWS is valid.

For an invalid signature, the following message is shown.

% jwtverify -k rsa2.pem aaa.jws
This JWT/JWS is *NOT* valid.

To verify an HS* HMAC JWS signature, there are four ways to specify the HMAC password, using the password type option '-t' together with the password option '-p'.

For example, to verify an HS256 JWS signature with the password '616161' given as a hexadecimal string, the command is:

% jwtverify -t hex -p 616161 aaa.jws

Password type "-t utf8" and password "-p passwd" are the defaults. When the JWS password is "passwd", you can omit both options:

% jwtverify aaa.jws (when password is string "passwd")
This JWT/JWS is valid.

When the HMAC password is the string "test", you can omit the "-t utf8" option:

% jwtverify -p test aaa.jws

JWT validation

For JWT validation, this script performs extra checks on the following payload properties:

The '-v' (verbose) option shows the JSON header, the JSON payload and which checks are performed.

% jwtverify -v \
    --accept_iss https://jwt-idp.example.com \
    --accept_sub mailto:mike@example.com,mailto:joe@example.com \
    --verify_at 20050101000000Z -p passwd aaa.jwt
*** HEADER ***
{
  "alg": "HS256",
  "typ": "JWT"
}
*** PAYLOAD ***
{
  "iss": "https://jwt-idp.example.com",
  "sub": "mailto:mike@example.com",
  "nbf": 946684800,
  "exp": 1262304000,
  "iat": 946684800,
  "jti": "id123456",
  "typ": "https://example.com/register",
  "aud": "http://foo1.com"
}
*** JWT/JWS VALIDATION RESULT ***
  - on: JWS signature validation
  - on: check acceptable signature algorithm
  - on: verify at "20050101000000Z"
  - on: check iss in "https://jwt-idp.example.com"
  - on: check sub in "mailto:mike@example.com,mailto:joe@example.com"
This JWT/JWS is valid.

COMMAND LINE HELP

The script supports the '-h' or '--help' option for help:

% jwtverify -h

Usage: jwtverify [options] <JWT/JWS file or string to verify>

verify JWT/jWS file or string

Options:

  -h, --help                          output usage information
  -V, --version                       output the version number
  -t, --passtype <utf8|hex|b64|b64u>  Hmac(HS*) pass type
  -p, --pass <pass>                   Hmac(HS*) password in specfied type
  -k, --pubkey <file>                 public key file (ex. PKCS#8 PEM or JWK)
  -v, --verbose                       show header and payload
  --accept_iss <iss1,...>             check iss is in the iss list (ex. a@a.com,b@b.com)
  --accept_sub <sub1,...>             check sub is in the sub list (ex. a@a.com,b@b.com)
  --verify_at <YYYYMMDDHHmmSSZ>       verify at specified UTC time(ex. 20151123235959Z)