https://github.com/direct-actions/jwt
GitHub Action to Decode, Encode, Sign & Verify JSON Web Tokens (JWTs) with options including masking, JSON object dump & more.
- Host: GitHub
- URL: https://github.com/direct-actions/jwt
- Owner: direct-actions
- License: apache-2.0
- Created: 2024-11-14T22:41:05.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-11-19T21:03:59.000Z (over 1 year ago)
- Last Synced: 2025-06-05T18:06:44.093Z (about 1 year ago)
- Topics: action, jwt
- Language: jq
- Homepage: https://github.com/marketplace/actions/json-web-token-jwt
- Size: 22.5 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# jwt
GitHub Action to Decode, Encode, Sign & Verify RFC-7519 compliant JSON Web
Tokens (JWTs) with options including masking, JSON object dump & more.
# Usage
## Decoding
To decode & verify an existing token, pass it via the `jwt` input parameter.
```
- name: JSON Web Token (JWT)
  uses: direct-actions/jwt@v1
  with:
    enable-display: true
    jwt: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```
Setting `enable-display: true` will display a dump of the token fields, metadata,
and status of verification.
## Encoding
To encode a token, pass the payload in either YAML or JSON format; it is
converted to compact (minified) JSON before being encoded.
```
- name: JSON Web Token (JWT)
  id: jwt
  uses: direct-actions/jwt@v1
  with:
    enable-display: true
    payload: |
      sub: '1234567890'
      name: John Doe
      iat: 1516239022
    secret: 'your-256-bit-secret'
```
The JWT is accessible via the `jwt` output (ex: `steps.jwt.outputs.jwt`).
## Encoding with dynamic payload
Since the payload is JSON, the [jq Direct action](https://github.com/direct-actions/jq)
makes for a very convenient way to build out a dynamic payload.
```
- id: jq
  uses: direct-actions/jq@v1
  with:
    input-command: uuidgen
    filter: |
      def now_plus_minutes($minutes):
        now | round + (60 * $minutes)
      ;
      {
        exp: now_plus_minutes(60 * 24 * 7), # now + 1 week
        iat: now_plus_minutes(0),           # now
        jti: .,                             # use UUID generated by input-command
        nbf: now_plus_minutes(60),          # now + 1 hour
      }
    raw-input: true
- name: JSON Web Token (JWT) - Encode custom token
  uses: ./
  with:
    payload: ${{ steps.jq.outputs.output }}
    secret: RaNDoM+S3cR3t
```
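The decoding, encoding and dynamic-payload sections above describe what the action does with an HS256 token: split the three base64url segments, minify the payload to compact JSON, compute an HMAC-SHA256 signature over `header.payload`, and report whether a given token verifies. The following Python example is added here to show those steps in plain code; it is not the action's own jq implementation. It reuses the README's sample token and the `your-256-bit-secret` secret from the encoding example, pins the accepted algorithm to HS256 (so a token that names another `alg`, including `none`, is rejected rather than trusted), compares signatures in constant time, and checks the `exp`/`nbf` claims that the jq snippet populates against a caller-supplied clock. The `now` parameter and the function names are this example's own choices.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample: the HS256 token and secret shown in the README sections above.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
SAMPLE_SECRET = "your-256-bit-secret"


def b64url_encode(raw: bytes) -> str:
    # RFC 7515 base64url: URL-safe alphabet with the '=' padding stripped.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that the compact serialization strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: dict) -> bytes:
    # Minified JSON with insertion order preserved, so segments match the action's output.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def encode_hs256(payload: dict, secret: str, header: Optional[dict] = None) -> str:
    """Build header.payload.signature using HMAC-SHA256 over the first two segments."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload))
    sig = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> tuple:
    """Parse header and payload without checking the signature (display only)."""
    head_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(head_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: str, now: Optional[int] = None) -> dict:
    """Return the claims if the signature (and, when `now` is given, the time claims) check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    head_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    # Pin the algorithm: the verifier decides, never the token (rejects "none" and everything else).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg %r" % header.get("alg"))
    signing_input = (head_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if now is not None:
        # RFC 7519 time claims: reject if past exp or before nbf.
        if "exp" in claims and now >= claims["exp"]:
            raise ValueError("token expired")
        if "nbf" in claims and now < claims["nbf"]:
            raise ValueError("token not yet valid")
    return claims


if __name__ == "__main__":
    payload = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
    print("re-encoded token matches README sample:", encode_hs256(payload, SAMPLE_SECRET) == SAMPLE_TOKEN)
    print("header, payload:", decode_unverified(SAMPLE_TOKEN))
    print("verified claims:", verify_hs256(SAMPLE_TOKEN, SAMPLE_SECRET))
```

Run it directly to see the README's sample token reproduced from its payload and secret. The `alg` pin is the one check that matters most when a verifier accepts tokens from outside: a decoder that honours whatever algorithm the header names can be talked into skipping signature validation, whereas this one only ever computes HS256 with the secret it was given.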
## Masking
GitHub Actions appears to have built-in masking of any string beginning with
the default (and most common) HS256 JWT header (`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9`).
To dump a JWT to the Actions console, I simply base64-encode it
(`echo '${{ steps.jwt-encode.outputs.jwt }}' | openssl base64 -e -A`), or you
can override the default header and insert a bogus key/value at the beginning:
```
header: |
  abc: def
  alg: ${ALGORITHM}
  typ: JWT
```
To force masking, use the `enable-mask-jwt: true` input.
# Limitations / TODO
- Currently, this action only supports the common HS256 symmetric-key signing
  algorithm. I would like to add public key signing, but there is no roadmap.
- Even when `enable-mask-signature` is enabled, the Base64 (non-URL-safe)
  version of the signature is not masked. This needs to be fixed.
- Error out instead of failing on invalid input