nats-io / natscli

The NATS Command Line Interface
Apache License 2.0

Add a JWT decoder #1061

Open philpennock opened 4 months ago

philpennock commented 4 months ago

Proposed change

There is no one standard JWT decoder which is local and trusted, and asking people to install additional tools is awkward. Using base64 to handle base64url format sometimes works and sometimes has subtle bugs, or non-portable tool expectations. The NATS CLI already has to be able to parse .creds files anyway.

In a similar vein to nats auth nkey it would be good to have a command which can display JWTs:

  1. from an arbitrary .creds file
  2. for a NATS_CONTEXT's .creds file
  3. for the creds for the current context (as overridden by env or cmdline flag)
  4. for an arbitrary JWT on the command-line
  5. for a file containing an arbitrary JWT

It should probably have:

  1. a mode to just display raw JSON, no color, no pretty, just "turn this X into the JSON signed payload"
  2. a mode to pretty-print as plain JSON (color optional?)
  3. a mode to pretty-print with comments, such as converting Unix epoch seconds timestamps to a display format time
  4. where the JWT is signed by a key in the nsc trust store, perhaps a means to verify signatures?

Use case

Helping people to see what is in their accounts and users in NATS, and debug what exactly is in the creds as currently used.

In particular, nats mumble jwt show current --json | jq .permissions seems like something it would be useful to be able to ask people to run.

(Bonus points if the jwt mode also has JSON walking, whether jq or jmespath or whatever)

Contribution

Not currently intending to but could be talked into it.
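A sketch of the decoding step the issue asks for, added here as an example and not code from natscli or from the issue author: it pulls the JWT out of `.creds` content or a bare token, decodes the payload as unpadded base64url, and renders epoch-second claims as timestamps. The names `Claims`, `EpochClaims` and `SampleCreds` are hypothetical, the sample credentials are constructed with placeholder signature and seed, and no signature verification is performed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"time"
)

// A line holding only a compact JWT, as in a .creds JWT block or a bare token file.
var jwtLine = regexp.MustCompile(`(?m)^\s*[\w-]+\.([\w-]+)\.[\w-]+\s*$`)

// Claims returns the payload JSON of a .creds file or bare JWT. The signature is NOT checked.
func Claims(in string) ([]byte, error) {
	m := jwtLine.FindStringSubmatch(in)
	if m == nil {
		return nil, fmt.Errorf("no compact JWT (three base64url segments) found")
	}
	// Segments are unpadded base64url ('-' and '_'), which plain base64 decoders reject.
	raw, err := base64.RawURLEncoding.DecodeString(m[1])
	if err != nil || !json.Valid(raw) {
		return nil, fmt.Errorf("payload is not base64url-encoded JSON (decode error: %v)", err)
	}
	return raw, nil
}

// EpochClaims renders iat/nbf/exp (Unix seconds) as RFC 3339 UTC strings.
func EpochClaims(raw []byte) map[string]string {
	c, out := map[string]interface{}{}, map[string]string{}
	_ = json.Unmarshal(raw, &c) // on bad JSON c stays empty, so out stays empty
	for _, k := range []string{"iat", "nbf", "exp"} {
		if v, ok := c[k].(float64); ok {
			out[k] = time.Unix(int64(v), 0).UTC().Format(time.RFC3339)
		}
	}
	return out
}

// Constructed sample: the name is chosen so its encoding contains '-'; signature and seed are placeholders.
var enc = base64.RawURLEncoding.EncodeToString
var SampleCreds = "-----BEGIN NATS USER JWT-----\n" + enc([]byte(`{"typ":"JWT"}`)) + "." + enc([]byte(`{"name":"??>","iat":1700000000}`)) +
	".c2ln\n------END NATS USER JWT------\n\n-----BEGIN USER NKEY SEED-----\nSU_PLACEHOLDER\n------END USER NKEY SEED------\n"

func main() {
	raw, err := Claims(SampleCreds)
	fmt.Println(string(raw), EpochClaims(raw), err)
}
```

The raw bytes returned by `Claims` correspond to the "just the JSON signed payload" mode, and `EpochClaims` to the annotated mode.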