{"id":31570289,"url":"https://github.com/rgl/jenkins-validate-jwt","last_synced_at":"2026-04-19T05:34:50.884Z","repository":{"id":311047548,"uuid":"1042267146","full_name":"rgl/jenkins-validate-jwt","owner":"rgl","description":"Validate a Jenkins CI JWT using the keys available at its jwks endpoint ","archived":false,"fork":false,"pushed_at":"2025-10-04T17:56:25.000Z","size":9,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-09T04:24:57.232Z","etag":null,"topics":["jenkins","jwt","oidc"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rgl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-08-21T18:35:07.000Z","updated_at":"2025-10-04T17:56:28.000Z","dependencies_parsed_at":"2025-08-21T21:37:43.178Z","dependency_job_id":"00800740-0ba1-4c57-801a-96c751df573f","html_url":"https://github.com/rgl/jenkins-validate-jwt","commit_stats":null,"previous_names":["rgl/jenkins-validate-jwt"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/rgl/jenkins-validate-jwt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fjenkins-validate-jwt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fjenkins-validate-jwt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fjenkins-validate-jwt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fjenkins-validate-jwt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rgl","download_url":"https://codeload.github.com/rgl/jenkins-validate-jwt/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fjenkins-validate-jwt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31996444,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-18T20:23:30.271Z","status":"online","status_checked_at":"2026-04-19T02:00:07.110Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jenkins","jwt","oidc"],"created_at":"2025-10-05T12:20:16.743Z","updated_at":"2026-04-19T05:34:50.879Z","avatar_url":"https://github.com/rgl.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"This validates a Jenkins CI OIDC ID Token JWT using the keys available at its JWKS endpoint.\n\nA Jenkins CI OIDC ID Token JWT is a secret string that can be used to authenticate a particular CI job in 3rd party services (like HashiCorp Vault).\n\nThe OIDC ID Token JWT available in a CI job as a [environment variable provided by the IdTokenStringCredentials Credential Type](https://javadoc.jenkins.io/plugin/oidc-provider/io/jenkins/plugins/oidc_provider/IdTokenCredentials.html) (from the [OpenID Connect Provider Plugin](https://plugins.jenkins.io/oidc-provider)).\n\nIts used from the pipeline as, e.g.:\n\n```groovy\npipeline {\n  agent {\n    label 'linux'\n  }\n  stages {\n    stage('test') {\n      steps {\n        withCredentials([string(credentialsId: 'oidc-id-token-example', variable: 'EXAMPLE_ID_TOKEN')]) {\n          sh 'echo \"$EXAMPLE_ID_TOKEN\"'\n        }\n      }\n    }\n  }\n}\n```\n\nA JWT is a structured string separated by dot characters; for example:\n\n```\neyJraWQiOiJvaWRjLWlkLXRva2VuLWV4YW1wbGUiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2plbmtpbnMuZXhhbXBsZS5jb20vb2lkYyIsImF1ZCI6Imh0dHBzOi8vZXhhbXBsZS5jb20iLCJleHAiOjE3NTU4MDQxMDMsImlhdCI6MTc1NTgwMDUwMywic3ViIjoiaHR0cHM6Ly9qZW5raW5zLmV4YW1wbGUuY29tL2pvYi9qZW5raW5zLXZhbGlkYXRlLWp3dC8iLCJidWlsZF9udW1iZXIiOjF9.Ov8XEe2qKSky9ZTQU6KJWxD4-zSTIu9-z7Vfqee6NtWwJyP9DMAEF00Ss_VdQY85M01adrIEytkToHUNKtYnc8uSiYxXY9GFLdeU0KJ8y3V6BFxx3yclJsEwc30ggHvY1ZZLtGSbXqi4xNddouxP5z3gdW-AlPdkldp4Cjmq4vnGbSaMeuV904F3vS4f8EdJsEYRTMUlQ0qQwTJCeu61xTaqUORKB8KKOTBHetR76PmUwgZXoX48YDJzQrXFRVwRu6-SKE8tHbKLj3jxvuDT_aOrKms8SGbgtdkA98mg_YiQKKK1683L1jnRL8yO1jgIQWs6GnIZxC3A6qCQF1BiTA\n```\n\nWhen split by dot and decoded it has a header, payload and signature.\n\nIn this case, the header is:\n\n```json\n{\n  \"kid\": \"oidc-id-token-example\",\n  \"alg\": \"RS256\"\n}\n```\n\nThe payload is:\n\n```json\n{\n  \"iss\": \"https://jenkins.example.com/oidc\",\n  \"aud\": \"https://example.com\",\n  \"exp\": 1755804103,\n  \"iat\": 1755800503,\n  \"sub\": \"https://jenkins.example.com/job/jenkins-validate-jwt/\",\n  \"build_number\": 1\n}\n```\n\nAnd the signature is the value from the 3rd part of the JWT string.\n\nBefore a JWT can be used it must be validated. In this particular example the JWT can be validated with:\n\n```go\nRSASHA256(\n  base64UrlEncode(header) + \".\" + base64UrlEncode(payload),\n  jenkinsJwtKeySet.getPublicKey(header.kid))\n```\n\nThe above public key should be retrieved from the Jenkins JWKS endpoint (e.g. https://jenkins.example.com/oidc/jwks).\n\nTo see how all of this can be done read the [main.go](main.go) file.\n\nThis project is used to test the jenkins playground at [rgl/jenkins-vagrant](https://github.com/rgl/jenkins-vagrant).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgl%2Fjenkins-validate-jwt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frgl%2Fjenkins-validate-jwt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgl%2Fjenkins-validate-jwt/lists"}