DuendeSoftware
diff --git a/‎src/Pages/Home/JwtDecoder/JwtDecoder.cshtml
Lines changed: 242 additions & 15 deletions b/‎src/Pages/Home/JwtDecoder/JwtDecoder.cshtml
Lines changed: 242 additions & 15 deletions
diff --git a/‎src/Pages/Shared/_Layout.cshtml
Lines changed: 1 addition & 1 deletion b/‎src/Pages/Shared/_Layout.cshtml
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/wwwroot/css/site.css
Lines changed: 12 additions & 0 deletions b/‎src/wwwroot/css/site.css
Lines changed: 12 additions & 0 deletions
@@ -23,34 +23,40 @@
             Always be cautious when pasting JWTs, as they may contain credentials or sensitive information.
         </div>
     </div>
-    <div class="jwt-decoder-container container">
+    <div class="jwt-decoder-container container-fluid container-lg">
         <div class="row align-items-stretch">
-            <div class="col-6">
+            <div class="col-12 col-md-6 pb-4 pb-md-0">
                 <h3>Encoded JWT</h3>
                 <div class="h-100 d-flex flex-column">
                     <div class="form-group flex-grow-1">
                         <label for="jwt-input" class="sr-only">Paste your JWT here...</label>
-                        <textarea id="jwt-input" class="form-control bg-dark text-light p-2 h-100" rows="8" cols="70" placeholder="Paste your JWT here..."></textarea>
+                        <div id="jwt-input" class="form-control bg-dark text-light p-2 h-100 jwt-input-editable" contenteditable="true" rows="8" style="min-height: 10em;" placeholder="Paste your JWT here..."></div>
                     </div>
                     <div class="form-group">
                         <label for="jwks-url">Issuer, Discovery Document or JWKs URI</label>
-                        <input type="url" class="form-control mb-2 mr-sm-2" id="jwks-url" name="jwks-url" value="https://demo.duendesoftware.com" aria-describedby="jwks-url-help" />
+                        <input type="url" class="form-control mb-2 mr-sm-2" id="jwks-url" name="jwks-url" aria-describedby="jwks-url-help" />
                         <small id="jwks-url-help" class="form-text text-muted">
                             Optionally, you can provide the issuer, discovery document or JWKs URI to validate the JWT's signature.
-                            If you leave this field empty, the JWT will only be decoded without validation.
+                            If you leave this field empty, the tool will use the value of the 'iss' claim.
                         </small>
                     </div>
                 </div>
             </div>
-            <div class="col-6">
+            <div class="col-12 col-md-6 pb-4 pb-md-0">
                 <h3>Decoded JWT</h3>
+                <div class="form-check">
+                    <input class="form-check-input" type="checkbox" value="1" id="explainClaims">
+                    <label class="form-check-label" for="explainClaims">
+                        Show claim information
+                    </label>
+                </div>
                 <div class="jwt-decoded-output">
                     <h4>Header</h4>
-                    <pre id="jwt-header" class="bg-dark text-light p-2">&nbsp;</pre>
+                    <pre id="jwt-header" class="jwt-decoded jwt-header bg-dark p-2">&nbsp;</pre>
                     <h4>Payload</h4>
-                    <pre id="jwt-payload" class="bg-dark text-light p-2">&nbsp;</pre>
+                    <pre id="jwt-payload" class="jwt-decoded jwt-payload bg-dark p-2">&nbsp;</pre>
                     <h4>Signature</h4>
-                    <pre id="jwt-signature" class="bg-dark text-light p-2">&nbsp;</pre>
+                    <pre id="jwt-signature" class="jwt-decoded jwt-signature bg-dark p-2">&nbsp;</pre>
                     <div class="jwt-signature-validation-result alert alert-success align-items-center d-none">
                         <i class="glyphicon glyphicon-ok-sign" style="font-size: 3em" title="Valid signature"></i>
                         <div class="result-message mx-3">This JWT has a valid signature.</div>
@@ -88,11 +94,198 @@
             loadedFrom: null
         };
         
+        let decodedJwt = {
+            header: null,
+            payload: null,
+            signature: null
+        };
+        
+        let explainClaims = false;
+        
+        function defaultJsonStringifyReplacer(key, value) {
+            if (value === null || value === undefined) {
+                return '';
+            }
+            return value;
+        }
+        
+        function expandedJsonStringifyReplacer(key, value) {
+            if (value === null || value === undefined) {
+                return '';
+            }
+            
+            // Add explanations for common JWT claims using a comment-like syntax
+            switch (key) {
+                // header claims
+                case 'alg':
+                    return value + ' // ' + explainAlgorithm(value) + 'Algorithm used to sign the JWT';
+                case 'kid':
+                    return value + ' // Key ID, identifying which key was used to sign the JWT';
+                case 'typ':
+                    return value + ' // Type of the token, typically "JWT"';
+                case 'cty':
+                    return value + ' // Content type, similar to MIME type, indicating the media type of the JWT.';
+                case 'jwk':
+                    if (typeof value === 'object') {
+                        return JSON.stringify(value, defaultJsonStringifyReplacer) + ' // JWK, a JSON Web Key representing the public key used to verify the JWT signature';
+                    }
+                    return value + ' // JWK, a JSON Web Key representing the public key used to verify the JWT signature';
+                case 'jku':
+                    return value + ' // JWK Set URL, a URL pointing to the JSON Web Key Set containing the public key used to verify the JWT signature';
+                case 'x5u':
+                    return value + ' // X.509 URL, a URL pointing to an X.509 certificate chain used to verify the JWT signature';
+                case 'x5c':
+                    if (Array.isArray(value)) {
+                        return JSON.stringify(value, defaultJsonStringifyReplacer) + ' // X.509 certificate chain used to verify the JWT signature';
+                    }
+                    return value + ' // X.509 certificate chain used to verify the JWT signature';
+                case 'x5t':
+                    return value + ' // X.509 certificate SHA-1 thumbprint, a hash of the X.509 certificate used to verify the JWT signature';
+                case 'x5t#S256':
+                    return value + ' // X.509 certificate SHA-256 thumbprint, a hash of the X.509 certificate used to verify the JWT signature';
+                case 'crit':
+                    if (Array.isArray(value)) {
+                        return JSON.stringify(value, defaultJsonStringifyReplacer) + ' // Critical header parameters that must be understood by the recipient';
+                    }
+                    return value + ' // Critical header parameters that must be understood by the recipient';
+                    
+                // payload claims
+                case 'iss':
+                    return value + ' // Issuer of the JWT, typically the authorization server';
+                case 'aud':
+                    return value + ' // Recipient(s) for which the JWT is intended';
+                case 'iat':
+                    return value + ' // ' + convertEpoch(value) + 'Issued at time, in seconds since epoch';
+                case 'exp':
+                    return value + ' // ' + convertEpoch(value) + 'Expiration time, in seconds since epoch';
+                case 'nbf':
+                    return value + ' // ' + convertEpoch(value) + 'Not before time, in seconds since epoch';
+                case 'jti':
+                    return value + ' // JWT ID, a unique identifier for the JWT';
+                case 'at_hash':
+                    return value + ' // Hash of the access token, used to verify the integrity of the access token';
+                case 'c_hash':
+                    return value + ' // Hash of the authorization code, used to verify the integrity of the authorization code';
+                case 'nonce':
+                    return value + ' // Nonce (number used only once), a unique value used to associate a client session with an ID Token, preventing replay attacks';
+                case 'acr':
+                    return value + ' // Authentication Context Class Reference, indicating the authentication method used';
+                case 'amr':
+                    if (Array.isArray(value)) {
+                        return JSON.stringify(value, defaultJsonStringifyReplacer) + ' // Authentication Methods References, indicating the methods used for authentication';
+                    }
+                    return value + ' // Authentication Methods References, indicating the methods used for authentication';
+                    
+                // OIDC claims
+                case 'sub':
+                    return value + ' // Subject identifier';
+                case 'name':
+                    return value + ' // Display name of the user';
+                case 'given_name':
+                    return value + ' // Given name(s) or first name(s) of the user';
+                case 'family_name':
+                    return value + ' // Surname(s) or last name(s) of the user';
+                case 'middle_name':
+                    return value + ' // Middle name(s) of the user';
+                case 'nickname':
+                    return value + ' // Casual name of the user';
+                case 'preferred_username':
+                    return value + ' // Preferred username of the user, often used for login';
+                case 'birthdate':
+                    return value + ' // Birthdate of the user, typically in ISO 8601 format (YYYY-MM-DD)';
+                case 'gender':
+                    return value + ' // Gender of the user';
+                case 'email':
+                    return value + ' // Email address of the user';
+                case 'email_verified':
+                    return value + ' // Indicates whether the email address has been verified (true/false)';
+                case 'phone_number':
+                    return value + ' // Phone number of the user';
+                case 'phone_number_verified':
+                    return value + ' // Indicates whether the phone number has been verified (true/false)';
+                case 'address':
+                    if (typeof value === 'object') {
+                        return JSON.stringify(value, defaultJsonStringifyReplacer) + ' // Address of the user, typically an object with street, city, state, postal code, and country';
+                    }
+                    return value + ' // Address of the user, typically an object with street, city, state, postal code, and country';
+                case 'locale':
+                    return value + ' // Locale of the user, typically a language code like "en-US"';
+                case 'zoneinfo':
+                    return value + ' // Time zone of the user, typically a string like "America/New_York"';
+                case 'profile':
+                    return value + ' // URL of the user\'s profile, often a link to their social media or personal page';
+                case 'picture':
+                    return value + ' // URL of the user\'s profile picture';
+                case 'website':
+                    return value + ' // URL of the user\'s personal website or profile';
+            }
+                        
+            return value;
+        }
+        
+        function explainAlgorithm(alg) {
+            switch (alg) {
+                case 'RS256':
+                    return 'RSA with SHA-256. ';
+                case 'RS384':
+                    return 'RSA with SHA-384. ';
+                case 'RS512':
+                    return 'RSA with SHA-512. ';
+                case 'ES256':
+                    return 'ECDSA with P-256 curve. ';
+                case 'ES384':
+                    return 'ECDSA with P-384 curve. ';
+                case 'ES512':
+                    return 'ECDSA with P-521 curve. ';
+                case 'PS256':
+                    return 'RSA-PSS with SHA-256. ';
+                case 'PS384':
+                    return 'RSA-PSS with SHA-384. ';
+                case 'PS512':
+                    return 'RSA-PSS with SHA-512. ';
+                case 'HS256':
+                    return 'HMAC with SHA-256 shared secret. ';
+                case 'HS384':
+                    return 'HMAC with SHA-384 shared secret. ';
+                case 'HS512':
+                    return 'HMAC with SHA-512 shared secret. ';
+                case 'none':
+                    return 'No signature algorithm. This JWT is unsigned and should not be trusted. ';
+                default:
+                    return 'Unknown algorithm. ';
+            }
+        }
+        
+        function convertEpoch(epoch) {
+            if (typeof epoch === 'number') {
+                const date = new Date(epoch * 1000);
+                return date.toISOString() + '. ';
+            }
+            
+            return '';
+        }
+        
+        let jsonStringifyReplacer = defaultJsonStringifyReplacer;
+        
         $(document).ready(initializeJwtDecoder);
         
         async function initializeJwtDecoder() {
+            const explainClaimsCheckbox = $('#explainClaims');
+            explainClaims = explainClaimsCheckbox.is(':checked');
+            explainClaimsCheckbox.on('change', function() {
+                explainClaims = this.checked;
+                jsonStringifyReplacer = explainClaims ? expandedJsonStringifyReplacer : defaultJsonStringifyReplacer;
+                updateClaimsExplanation();
+            });
+            
             $('#jwt-input').on('input', async function() {
-                const jwt = $(this).val();
+                decodedJwt = {
+                    header: null,
+                    payload: null,
+                    signature: null
+                };
+                
+                const jwt = $(this).text();
                 if (jwt) {
                     try {
                         const parts = jwt.split('.');
@@ -101,7 +294,13 @@
                             const payload = JSON.parse(atob(parts[1]));
                             const signature = parts[2];
 
+                            decodedJwt = {
+                                header: header,
+                                payload: payload,
+                                signature: signature
+                            };
                             await showDecodedJwt(parts, header, payload, signature);
+                            colorJwtInput($(this), parts);
                         } else {
                             showError('Invalid JWT format. A JWT should have three parts separated by dots.');
                         }
@@ -115,22 +314,50 @@
 
             await showDecodedJwt(null, null, null, ' ');
         }
+
+        function colorJwtInput(target, parts) {
+            let html = '';
+            if (parts.length > 0) {
+                html += `<span class="text-danger">${parts[0] || ''}</span>`;
+            }
+            if (parts.length > 1) {
+                html += `<span class="text-success">.${parts[1] || ''}</span>`;
+            }
+            if (parts.length > 2) {
+                html += `<span class="text-warning">.${parts.slice(2).join('.') || ''}</span>`;
+            }
+            target.html(html);
+        }
         
         async function showDecodedJwt(jwtParts, header, payload, signature) {
             clearError();
             hideSignatureValidationResults();
             
-            $('#jwt-header').text(header ? JSON.stringify(header, null, 2) : ' ');
-            $('#jwt-payload').text(payload ? JSON.stringify(payload, null, 2) : ' ');
+            $('#jwt-header').text(header ? JSON.stringify(header, jsonStringifyReplacer, 2) : ' ');
+            $('#jwt-payload').text(payload ? JSON.stringify(payload, jsonStringifyReplacer, 2) : ' ');
             $('#jwt-signature').text(signature || ' ');
             
             if (jwtParts && Array.isArray(jwtParts) && jwtParts.length === 3) {
-                await attemptSignatureValidation(header, jwtParts);
+                await attemptSignatureValidation(header, payload, jwtParts);
             }
         }
         
-        async function attemptSignatureValidation(header, jwtParts) {
-            const jwksUrl = $('#jwks-url').val().trim();
+        function updateClaimsExplanation() {
+            if (!decodedJwt.payload) {
+                return;
+            }
+
+            $('#jwt-header').text(decodedJwt.header ? JSON.stringify(decodedJwt.header, jsonStringifyReplacer, 2) : ' ');
+            $('#jwt-payload').text(decodedJwt.payload ? JSON.stringify(decodedJwt.payload, jsonStringifyReplacer, 2) : ' ');
+        }
+        
+        async function attemptSignatureValidation(header, payload, jwtParts) {
+            let jwksUrl = $('#jwks-url').val().trim();
+            if (!jwksUrl && payload && payload.iss) {
+                // If no JWKs URL is provided, use the issuer from the payload.
+                jwksUrl = payload.iss;
+                $('#jwks-url').val(jwksUrl);
+            }
             
             if (jwksUrl) {
                 await loadJwks(jwksUrl);
 
@@ -22,7 +22,7 @@
 <body>
     <partial name="_Nav" />
 
-    <div class="container body-container">
+    <div class="container-fluid container-lg body-container">
         @RenderBody()
     </div>
 
 
@@ -111,3 +111,15 @@ a.navbar-brand .icon-banner {
 .jwt-decoder-container .row {
   height: 40vh;
 }
+.jwt-decoder-container .jwt-decoded {
+  text-wrap: auto;
+}
+.jwt-decoder-container .jwt-decoded.jwt-header {
+  color: #fc3939;
+}
+.jwt-decoder-container .jwt-decoded.jwt-payload {
+  color: #13b955;
+}
+.jwt-decoder-container .jwt-decoded.jwt-signature {
+  color: #efa31d;
+}