test-jwt-server

A JWT server for testing, DO NOT use in production.

This server accepts arbitrary payload from GET/POST and generate a signed JWT supporting 3 signature modes:

• /jwt signed with shared secret (HS256)
  GET /key.shared to get the hard-coded shared secret.
• /jwt.salted signed with shared secret and salt (HS256)
  A randomly generated salt field is put in each JWT payload.
  The signature is key computed with payload.salt + '.' + SHARED_SECRET.
• /jwt.rsa signed with RSA private/public key pair (RS256)
  GET /key.public to get the hard-coded public key.

Installation

Environment: Node v6+

npm install -g test-jwt-server
test-jwt-server  # listen on port 8000 by default 
# visit `http://localhost:8000/` 
 
# change port to listen on 
test-jwt-server -p 9000
test-jwt-server --port 9000
# visit `http://localhost:9000/` 

Usage with Docker

Environment: Docker 1.10+

Clone this repo.

export IMAGE=test-jwt-server1
docker build -t $IMAGE .
docker run -it -p 8000:8000 -d $IMAGE
# visit `http://localhost:8000/` 

test-jwt-server in the container will be listening on port 8000, use Docker's -p option to map a different port on host to 8000, e.g.:

docker run -it -p 9000:8000 -d $IMAGE
# visit `http://localhost:9000/` 

This command line map the host's port 9000 to port 8000 of the container.

Usage

/ endpoint will list all routes and descriptions.

The server will

• parse the querystring in GET request or
• parse body in POST request as JWT payload (claims in JWT parlance).

Use /payload endpoint to test and build the payload before generating the JWT.
See ljharb/qs to see how to build complex object with querystring.

With HTTPie, these yield the same result:

$ http --body GET 'http://localhost:8000/payload?items[]=1.1&items[]=2.2&items[]=3.3&foo.bar=42&user=me&iat=1000'
 
$ http --body POST http://localhost:8000/payload <<'EOF'
{
    "items": ["1.1","2.2","3.3"],
    "foo": {
        "bar": "42"
    },
    "user": "me",
    "iat": 1000
}
EOF

Due to limitation of querystring, custom fields will always be strings. Use POST to when you need numeric fields.

$ http --body POST http://localhost:8000/payload <<'EOF'
{
    "items": [1.1, 2.2, 3.3],
    "foo": {
      "bar": 42
    },
    "user": "me",
    "iat": 1000
}
EOF

JWT Validators

Generated JWT can be validated with 3rd party validators.

JSON Web Tokens - jwt.io
Online JWT generator and verifyer

JWT RFCs

RFC 7515 - JSON Web Signature (JWS)
RFC 7516 - JSON Web Encryption (JWE)
RFC 7517 - JSON Web Key (JWK)
RFC 7518 - JSON Web Algorithms (JWA)
RFC 7519 - JSON Web Token (JWT)

TODO

• Swagger
  Example YAML Generated UI