Validating JWT Tokens in shell scripts
02 Jun 2020 - cr0hn
JWT tokens are very popular as an SSO authentication mechanism and for authorization, and they are widely used in the microservices paradigm. But have we really paid attention to whether JWT tokens are valid?
There are many amazing online validators out there, like JWT.io, but they're not useful if you want to integrate the validation process into a script or into a shell execution pipeline.
$ acp install jwtchk
$ acp install acurl
$ acurl http://my-company.com/api/entry-point | jwtchk -allowAlg HS256 -allowAlg HS384 -issuer bbva-iam -audience my-api-id -secret bXlTZWNyZXRQYXNzd29yZG15U2VjcmV0UGFzc3dvcmQK
Issuer claim doesn't match. Expected: bbva-iam, got: other-iam
Audience claim doesn't match. Expected: my-api-id, got: other-id
You have several other options available to check whether the JWT token was generated following best practices.
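To make the checks in the command line above concrete, here is an added sketch (not jwtchk's code and not from the original post) that applies an algorithm allow-list, verifies the HMAC signature, and only then compares the issuer and audience claims. The function names, the demo secret and the sample token are constructed for illustration; only the issuer and audience messages mirror the output shown above, the other messages are assumed wording.

```python
import base64, hashlib, hmac, json

# HMAC algorithms this sketch can verify; anything else is rejected outright.
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header, claims, secret):
    """Build a constructed sample token for the demo (HMAC-signed)."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    digest = HASHES.get(header.get("alg"), hashlib.sha256)
    sig = hmac.new(secret, ".".join(parts).encode(), digest).digest()
    return ".".join(parts + [b64url_encode(sig)])

def check_jwt(token, secret, allowed_algs, issuer, audience):
    """Return a list of validation errors; an empty list means the token passed."""
    try:
        head_b64, body_b64, sig_b64 = token.strip().split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return ["Malformed token"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["Malformed token"]
    # Check the header's alg against the allow-list before touching the signature,
    # so "none" or an unexpected algorithm never selects the verification path.
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in allowed_algs or alg not in HASHES:
        return [f"Algorithm not allowed: {alg}"]
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), HASHES[alg]).digest()
    if not hmac.compare_digest(expected, signature):
        return ["Signature doesn't match"]  # claims are untrusted; stop here
    errors = []
    if claims.get("iss") != issuer:
        errors.append(f"Issuer claim doesn't match. Expected: {issuer}, got: {claims.get('iss')}")
    aud = claims.get("aud")  # RFC 7519 allows a string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        errors.append(f"Audience claim doesn't match. Expected: {audience}, got: {aud}")
    return errors

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, not from the page
    token = make_token({"alg": "HS256", "typ": "JWT"},
                       {"iss": "other-iam", "aud": "other-id"}, secret)
    print("\n".join(check_jwt(token, secret, ["HS256", "HS384"], "bbva-iam", "my-api-id")))
```

Claims are compared only after the signature verifies, so an unsigned or re-signed token never gets as far as reporting which issuer or audience it carried.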