Add -d/--decode flag to decode the JWT (#162)

di · web-flow · commit a892b5ff3112 · 2024-01-11T17:36:49.000-05:00
* Add -d/--decode flag to decode the JWT

* Update README.md

* Fix inconsistency between Python versions

* Just print strings, and no signature
diff --git a/README.md b/README.md
@@ -32,7 +32,7 @@ Top-level:
 
 <!-- @begin-id-help@ -->
 ```
-usage: id [-h] [-V] [-v] audience
+usage: id [-h] [-V] [-v] [-d] audience
 
 a tool for generating OIDC identities
 
@@ -44,6 +44,7 @@ optional arguments:
   -V, --version  show program's version number and exit
   -v, --verbose  run with additional debug logging; supply multiple times to
                  increase verbosity (default: 0)
+  -d, --decode   decode the OIDC token into JSON (default: False)
 ```
 <!-- @end-id-help@ -->
 
diff --git a/id/__init__.py b/id/__init__.py
@@ -18,6 +18,7 @@
 
 from __future__ import annotations
 
+import base64
 from typing import Callable
 
 __version__ = "1.2.1"
@@ -77,3 +78,14 @@ def detect_credential(audience: str) -> str | None:
         if credential is not None:
             return credential
     return None
+
+
+def decode_oidc_token(token: str) -> tuple[str, str, str]:
+    # Split the token into its three parts: header, payload, and signature
+    header, payload, signature = token.split(".")
+
+    # Decode base64-encoded header and payload
+    decoded_header = base64.urlsafe_b64decode(header + "==").decode("utf-8")
+    decoded_payload = base64.urlsafe_b64decode(payload + "==").decode("utf-8")
+
+    return decoded_header, decoded_payload, signature
diff --git a/id/__main__.py b/id/__main__.py
@@ -44,6 +44,12 @@ def _parser() -> argparse.ArgumentParser:
         default=0,
         help="run with additional debug logging; supply multiple times to increase verbosity",
     )
+    parser.add_argument(
+        "-d",
+        "--decode",
+        action="store_true",
+        help="decode the OIDC token into JSON",
+    )
     parser.add_argument(
         "audience",
         type=str,
@@ -66,9 +72,15 @@ def main() -> None:
 
     logger.debug(f"parsed arguments {args}")
 
-    from . import detect_credential
+    from . import decode_oidc_token, detect_credential
 
-    print(detect_credential(args.audience))
+    token = detect_credential(args.audience)
+    if token and args.decode:
+        header, payload, signature = decode_oidc_token(token)
+        print(header)
+        print(payload)
+    else:
+        print(token)
 
 
 if __name__ == "__main__":  # pragma: no cover
