emcrisostomo / jwt-cli

A shell library to decode JWT tokens
GNU General Public License v3.0
42 stars 5 forks

verify signature #3

Open stokito opened 4 years ago

stokito commented 4 years ago

Here is a script that can also verify the signature: https://gist.github.com/stokito/f2d7ea0b300f14638a9063559384ec89

I guess you may want to reuse this logic. Also, my version fixes a problem where base64 fails with this message:

base64: invalid input
parse error: Invalid numeric literal at EOF at line 1, column 1

This happens because JWT uses Base64 URL encoding, so we need an additional step that replaces - with + and _ with / using the command tr -- '-_ ' '+/='

emcrisostomo commented 4 years ago

Thanks for your contribution @stokito. I'll have a look at it ASAP.

stokito commented 4 years ago

No worries, in fact verifying the signature takes just one simple line:

echo -n "$JWT_BODY" | openssl dgst -sha256 -verify "${PUB_KEY_FILE}" -signature "${SIG_FILE}"

It supports only RS256 tokens, but I checked that all public OAuth providers use only it. The base64 urlencode is a bug, so it would be nice to fix it. TBH my script was just a playground, and I developed and tested another script for OpenWrt (a small Linux for routers), https://gist.github.com/stokito/43afca84fc34d1d362bf210cd941a366, which is more recent.

One key change is that my script is adapted for ash/dash, which is simpler but is available by default on almost all platforms, while yours uses zsh, which is too big for small routers.
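
The two steps discussed in this thread (Base64URL decoding with padding restored, then the `openssl dgst -sha256 -verify` check), put together as an added example that is not code from jwt-cli or from the linked gists. It assumes `openssl`, `mktemp` and a coreutils or BusyBox `base64` are installed; the function names and the sample token are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from jwt-cli or the linked gists): RS256 check in POSIX sh.

# Decode Base64URL from stdin: restore the standard alphabet and '=' padding.
b64url_decode() {
    s=$(tr -- '-_' '+/')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Encode stdin as unpadded Base64URL (only needed to build the sample token).
b64url_encode() {
    base64 | tr -d '\n=' | tr -- '+/' '-_'
}

# verify_rs256 TOKEN PUBKEY_PEM -> 0 valid, 1 bad signature, 2 alg is not RS256
verify_rs256() {
    header=${1%%.*}
    rest=${1#*.}
    payload=${rest%%.*}
    sig=${rest#*.}
    # Defence in depth: reject tokens that do not declare RS256. The grep is a
    # simplification; real code should parse the header with a JSON tool.
    printf '%s' "$header" | b64url_decode 2>/dev/null |
        grep -q '"alg" *: *"RS256"' || return 2
    sigfile=$(mktemp) || return 1
    printf '%s' "$sig" | b64url_decode > "$sigfile" 2>/dev/null ||
        { rm -f "$sigfile"; return 1; }
    rc=0
    # The signature covers the still-encoded "header.payload" string.
    printf '%s' "$header.$payload" |
        openssl dgst -sha256 -verify "$2" -signature "$sigfile" >/dev/null 2>&1 || rc=1
    rm -f "$sigfile"
    return "$rc"
}

# make_sample DIR: write a throwaway key pair to DIR, print a constructed token.
make_sample() {
    openssl genrsa -out "$1/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$1/priv.pem" -pubout -out "$1/pub.pem" 2>/dev/null
    h=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_encode)
    p=$(printf '%s' '{"sub":"demo","admin":false}' | b64url_encode)
    sg=$(printf '%s' "$h.$p" | openssl dgst -sha256 -sign "$1/priv.pem" | b64url_encode)
    printf '%s.%s.%s' "$h" "$p" "$sg"
}
```

The verification command is fixed to RSA with SHA-256 and a caller-supplied public key, so the token header never selects the algorithm; the `alg` check only rejects tokens early.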