Unable to generate valid JWT using Bash example #33324

Closed as not planned
@lindhe

What article on docs.github.com is affected?

https://docs.github.com/en/[email protected]/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#example-using-bash-to-generate-a-jwt

What part(s) of the article would you like to see updated?

The Bash example for generating a JWT does not seem to work.

I'm working with a GitHub Enterprise server version 3.10.12.

Current behavior

Using some censored values here, but to illustrate what the current behavior is when I run it:

$ ./generate-jwt.sh Iv1.c0ffeec0ffeec0ff ./my-app.2024-06-03.private-key.pem
JWT: ewogICAgInR5cCI6IkpXVCIsCiAgICAiYWxnIjoiUlMyNTYiCn0.ewogICAgImlhdCI6MTcxNzUwMTk2MCwKICAgICJleHAiOjE3MTc1MDI2MjAsCiAgICAiaXNzIjpJdjEuYzBmZmVlYzBmZmVlYzBmZgp9.YoShUxrZ-fIwyKm6nXrgluU6jXnElLjijQTvUZOk9eeHb5prP64oAJvFYr7ZCNwHYHRGJnrSLNyw2c8LmAo6IGg9bdi_mrE5qzMZO1ZWLqJP6EMqJ1TCvgPS4zHk8dH6GB5JTp_QJsp6n5Q8Kgloqb-oqSbqxt87Sn1nkxyVsVFiZ_8r-wHemCg1mTEub1Vyz3PZHxfrdh_x-r6YwQ8qD8m-uWhBovZLsNDfIxcVhLtSu6msAPiF3oB4_DhcvSuZaROhHGs7umHMWnLP6sWp0unfy_LUFkEPoWx7pDaU--9yqA75cdxDps7LMDehmg1VESc8llvBtsrVQP-8b-gzqw

$ curl -L -H 'Accept: application/vnd.github+json' -H "Authorization: Bearer ${JWT:?}" -H 'X-GitHub-Api-Version: 2022-11-28' 'https://github.example.com/api/v3/app'
{
  "message": "A JSON web token could not be decoded",
  "documentation_url": "https://docs.github.com/[email protected]/rest"
}

Some notes

One thing that immediately sticks out to me is that the JWT does not start with eyJ0 like I'm used to seeing, but instead ewog. Turns out that's because the script keeps some newlines in the JSON:

$ echo -n '{"typ":"JWT","alg":"RS256"}' | base64
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9

$ echo -en '{\n    "typ":"JWT",\n    "alg":"RS256"\n}' | base64
ewogICAgInR5cCI6IkpXVCIsCiAgICAiYWxnIjoiUlMyNTYiCn0=

I'm not sure if that is legal. Maybe it is.

Additional information

If we can change the script to output eyJhbGci[…] instead of JWT: eyJhbGci[…], I think that would be very useful. Makes it much easier to use that in a script when a JWT is required.

There are also some warnings from ShellCheck that we may want to fix while we're at it:

$ shellcheck generate-jwt.sh

In generate-jwt.sh line 7:
pem=$( cat $2 ) # file path of the private key as second argument
           ^-- SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean:
pem=$( cat "$2" ) # file path of the private key as second argument


In generate-jwt.sh line 10:
iat=$((${now} - 60)) # Issues 60 seconds in the past
       ^----^ SC2004 (style): $/${} is unnecessary on arithmetic variables.


In generate-jwt.sh line 11:
exp=$((${now} + 600)) # Expires 10 minutes in the future
       ^----^ SC2004 (style): $/${} is unnecessary on arithmetic variables.

For more information:
  https://www.shellcheck.net/wiki/SC2086 -- Double quote to prevent globbing ...
  https://www.shellcheck.net/wiki/SC2004 -- $/${} is unnecessary on arithmeti...
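
Added example, not part of the original issue or the docs script: decoding the payload segment of the token shown above gives `"iss":Iv1.c0ffeec0ffeec0ff`, a string with no quotes around it, so that segment is not valid JSON. The sketch below decodes a token's segments, checks the `iss` claim, and builds a compact token with the issuer quoted; the function names are illustrative, and `jwt_make` assumes `openssl` and an RSA private key in PEM format.

```sh
#!/bin/sh
# Added example (not the docs script): inspect and rebuild a GitHub App JWT.

# Bytes on stdin -> base64url, unpadded and unwrapped, as JWT segments require.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# base64url string -> bytes; restores the alphabet and the stripped '=' padding.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}

# Decoded segment N of a token (1 = header, 2 = payload).
jwt_segment() { b64url_decode "$(printf '%s' "$1" | cut -d. -f"$2")"; }

# Succeeds only if the payload's "iss" value is a JSON string or an integer.
# Narrow check for this one claim, not a JSON parser.
iss_is_valid_json() {
  jwt_segment "$1" 2 | tr '\n' ' ' |
    grep -Eq '"iss"[[:space:]]*:[[:space:]]*("[^"]*"|[0-9]+)[[:space:]]*[,}]'
}

# header.payload built from compact JSON, with the issuer quoted as a string.
# JSON permits the whitespace; compact form just gives the usual eyJ0 prefix.
# Arguments: issuer, iat, exp (epoch seconds).
jwt_signing_input() {
  h=$(printf '%s' '{"typ":"JWT","alg":"RS256"}' | b64url)
  p=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$2" "$3" "$1" | b64url)
  printf '%s.%s' "$h" "$p"
}

# Full token on stdout with no "JWT: " prefix (needs openssl and an RSA key).
# Arguments: issuer, path to the PEM private key.
jwt_make() {
  now=$(date +%s)
  unsigned=$(jwt_signing_input "$1" "$((now - 60))" "$((now + 600))")
  sig=$(printf '%s' "$unsigned" | openssl dgst -sha256 -sign "$2" -binary | b64url)
  printf '%s.%s\n' "$unsigned" "$sig"
}

# Header and payload segments copied from the token in the issue (signature omitted).
ISSUE_TOKEN='ewogICAgInR5cCI6IkpXVCIsCiAgICAiYWxnIjoiUlMyNTYiCn0.ewogICAgImlhdCI6MTcxNzUwMTk2MCwKICAgICJleHAiOjE3MTc1MDI2MjAsCiAgICAiaXNzIjpJdjEuYzBmZmVlYzBmZmVlYzBmZgp9'

jwt_segment "$ISSUE_TOKEN" 2; echo
iss_is_valid_json "$ISSUE_TOKEN" || echo 'iss is not a valid JSON value' >&2
```

Because `jwt_make` prints only the token, its output can be captured directly, for example `JWT=$(jwt_make "$client_id" "$key_path")`, where both variables are placeholders.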

Labels: content, developers, github apps, help wanted, stale