How to generate a CORRECT JWT?

2024-06-25 14:32:18 浏览数 (3)

JWT uses the Base64url Encoding to encode the token and there is an online encoder/decorder as below:

base64url-encoder

base64-decoder

If we want to generate an un-secure (note that the algorithm is "none") token of Header/Payload as below

Header:

代码语言:txt复制
{ "alg":"none", "typ" : "JWT" }

and you will get the encoded string like

代码语言:txt复制
eyAiYWxnIjoibm9uZSIsICJ0eXAiIDogIkpXVCIgfQ==

Payload

代码语言:txt复制
{ "sub":"alice", "iat" : 1629883000, "exp" : 9999999999999}

and you get the encoded string for the payload

代码语言:txt复制
eyAic3ViIjoiYWxpY2UiLCAiaWF0IiA6IDE2Mjk4ODMwMDAsICJleHAiIDogOTk5OTk5OTk5OTk5OX0=

then you concatenate the 2 encoded string with point as below

代码语言:txt复制
eyAiYWxnIjoibm9uZSIsICJ0eXAiIDogIkpXVCIgfQ==.eyAic3ViIjoiYWxpY2UiLCAiaWF0IiA6IDE2Mjk4ODMwMDAsICJleHAiIDogOTk5OTk5OTk5OTk5OX0=.

Then you think that it is good to be used in your program. NOOOOOOO...., a big PIT, this confused me a few days, you have to remove the padding equal signs as below, and the token is GOOD now.

代码语言:txt复制
eyAiYWxnIjoibm9uZSIsICJ0eXAiIDogIkpXVCIgfQ.eyAic3ViIjoiYWxpY2UiLCAiaWF0IiA6IDE2Mjk4ODMwMDAsICJleHAiIDogOTk5OTk5OTk5OTk5OX0.

WHY WHY WHY?

A JWT uses Base64url Encoding (RFC 4648 - The Base16, Base32, and Base64 Data Encodings) which is a variant of Base64 where the 62nd and 63rd are different and also where the padding (equal signs at the end) are not mandatory so you won’t see padding in the encoding of JWT’s.

Do we have any script to generate the token automatically?

Run the following script in a bash shell,

代码语言:bash复制
#!/bin/bash

header=`echo -n '{ "alg":"none", "typ" : "JWT" }' | base64 | tr -d '=' | tr '/ ' '_-' | tr -d 'n'`  #Header
payload=`echo -n '{ "sub":"alice", "iat" : 1629883000, "exp" : 9999999999999}' | base64 | tr -d '=' | tr '/ ' '_-' | tr -d 'n'`   # Payload
token=$header.$payload. #Token
echo $token

and you should be able to get the un-secure JsonWebToken.

代码语言:txt复制
eyAiYWxnIjoibm9uZSIsICJ0eXAiIDogIkpXVCIgfQ.eyAic3ViIjoiYWxpY2UiLCAiaWF0IiA6IDE2Mjk4ODMwMDAsICJleHAiIDogOTk5OTk5OTk5OTk5OX0.

We can also use the following python script to generate the token, run it in the python online compiler

代码语言:python代码运行次数:0复制
import base64
import json
import time

def base64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('utf-8')

# Create JWT header
header = {
    "alg": "none",
    "typ": "JWT"
}

# Create JWT payload
payload = {
    "sub": "alice",
    "iat": int(time.time()),
    "exp": int(time.time())   9999999999999  # Token expires in 1 hour
}

# Encode header and payload
encoded_header = base64url_encode(json.dumps(header).encode('utf-8'))
encoded_payload = base64url_encode(json.dumps(payload).encode('utf-8'))

# Combine encoded header and payload to form the token
token = f"{encoded_header}.{encoded_payload}."

print(f"Unsecured JWT Token: {token}")

the generated token is

代码语言:txt复制
Unsecured JWT Token: eyJhbGciOiAibm9uZSIsICJ0eXAiOiAiSldUIn0.eyJzdWIiOiAiYWxpY2UiLCAiaWF0IjogMTcxODcwMDMzOCwgImV4cCI6IDEwMDAxNzE4NzAwMzM3fQ.

=== Code Execution Successful ===

That's it :-)

1 人点赞