Encoding and Decoding JWT

This snippet demonstrates how to use the jwt-encode() and jwt-decode() functions to work with JSON Web Tokens.

We want to have the JWT Secret (used for signing and verifying a JWS) configurable via an environment variable.

In a development setup, we can simply define a shell variable that starts with FLAT_. flat will forward all FLAT_* variables to the docker container:

$ FLAT_JWT_SECRET=YXNkZg== flat start

The secret must be base64-url encoded. We use our favorite passphrase asdf here.

When FLAT is running, we can obtain a token built with user params provided via query params:

$ curl localhost:8080/api/jwt?user=alice\&role=admin\&customer=flintstone

Later, we can decode and validate the user params with this call:

$ curl localhost:8080/api/jwt?token=eyJ0eXAiOiJKV1QiL…
"user": "alice",
"role": "admin",
"customer": "flintstone",
"exp": 1560789571

You have to be quick copy-pasting it, because the time-to-live (encoded as exp param) is set to 20 seconds :)

<!-- decode and dump content -->
<if test="$request/get/token">
{{ jwt-decode($request/get/token, $env/FLAT_JWT_SECRET) }}
<!-- read user params from query string ?user=…&customer=…&role=… -->
<template in="$request" out="$data">
{{: $request/get/user | $request/get/customer | $request/get/role }}
<!-- generate token -->
<eval out="$jwt">jwt-encode($data, $env/FLAT_JWT_SECRET, 20)</eval>
<dump in="$jwt" />


For HMAC based algorithms, the JWT functions expect the key to be base64 url encoded.

But some "bare keys" may already look base64 encoded. Auth0 for example, uses base64 strings as keys. They need another base64-encode() to be used with jwt-decode().

You can do this on-the-fly:

<template out="$jwt">
{{ jwt-encode($data, base64-encode($env/FLAT_JWT_SECRET), 20) }}

Of course, you could also do that once outside of FLAT before setting the env var:

$ echo -n "YXNkZg==" | base64
$ FLAT_AUTH0_JWT_SECRET=WVhOa1pnPT0= flat start

For RSASSA based algorithms, the JWT functions expect the key to be PEM encoded, but without the BEGIN and END lines, and without any line breaks. To generate the private and public keys in this format:

$ openssl genrsa > privateAndPublic.key
$ tail -n +2 privateAndPublic.key | head -n -1 | tr -d '\n'

To extract the public key for signature verification in the required format:

$ openssl rsa -in privateAndPublic.key -outform PEM -pubout -out public.key
$ tail -n +2 public.key | head -n -1 | tr -d '\n'

Note that, with RSASSA based algorithms, you have to specify the algorithm in the jwt-decode() function.

See also