Closed as not planned
Description
Code of Conduct
- I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
What part(s) of the article would you like to see updated?
The Bash example for generating a JWT does not seem to work.
I'm working with a GitHub Enterprise server version 3.10.12.
Current behavior
Using some censored values here, but to illustrate what the current behavior is when I run it:
```
$ ./generate-jwt.sh Iv1.c0ffeec0ffeec0ff ./my-app.2024-06-03.private-key.pem
JWT: ewogICAgInR5cCI6IkpXVCIsCiAgICAiYWxnIjoiUlMyNTYiCn0.ewogICAgImlhdCI6MTcxNzUwMTk2MCwKICAgICJleHAiOjE3MTc1MDI2MjAsCiAgICAiaXNzIjpJdjEuYzBmZmVlYzBmZmVlYzBmZgp9.YoShUxrZ-fIwyKm6nXrgluU6jXnElLjijQTvUZOk9eeHb5prP64oAJvFYr7ZCNwHYHRGJnrSLNyw2c8LmAo6IGg9bdi_mrE5qzMZO1ZWLqJP6EMqJ1TCvgPS4zHk8dH6GB5JTp_QJsp6n5Q8Kgloqb-oqSbqxt87Sn1nkxyVsVFiZ_8r-wHemCg1mTEub1Vyz3PZHxfrdh_x-r6YwQ8qD8m-uWhBovZLsNDfIxcVhLtSu6msAPiF3oB4_DhcvSuZaROhHGs7umHMWnLP6sWp0unfy_LUFkEPoWx7pDaU--9yqA75cdxDps7LMDehmg1VESc8llvBtsrVQP-8b-gzqw
$ curl -L -H 'Accept: application/vnd.github+json' -H "Authorization: Bearer ${JWT:?}" -H 'X-GitHub-Api-Version: 2022-11-28' 'https://github.example.com/api/v3/app'
{
"message": "A JSON web token could not be decoded",
"documentation_url": "https://docs.github.com/[email protected]/rest"
}
```
Some notes
One thing that immediately sticks out to me is that the JWT does not start with `eyJ0` like I'm used to seeing, but instead `ewog`. Turns out that's because the script keeps some newlines in the JSON:
```
$ echo -n '{"typ":"JWT","alg":"RS256"}' | base64
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9
$ echo -en '{\n    "typ":"JWT",\n    "alg":"RS256"\n}' | base64
ewogICAgInR5cCI6IkpXVCIsCiAgICAiYWxnIjoiUlMyNTYiCn0=
```
I'm not sure if that is legal. Maybe it is.
Additional information
If we can change the script to output `eyJhbGci[…]` instead of `JWT: eyJhbGci[…]`, I think that would be very useful. Makes it much easier to use that in a script when a JWT is required.
There are also some warnings from ShellCheck that we may want to fix while we're at it:
```
$ shellcheck generate-jwt.sh

In generate-jwt.sh line 7:
pem=$( cat $2 ) # file path of the private key as second argument
           ^-- SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean:
pem=$( cat "$2" ) # file path of the private key as second argument

In generate-jwt.sh line 10:
iat=$((${now} - 60)) # Issues 60 seconds in the past
       ^----^ SC2004 (style): $/${} is unnecessary on arithmetic variables.

In generate-jwt.sh line 11:
exp=$((${now} + 600)) # Expires 10 minutes in the future
       ^----^ SC2004 (style): $/${} is unnecessary on arithmetic variables.

For more information:
https://www.shellcheck.net/wiki/SC2086 -- Double quote to prevent globbing ...
https://www.shellcheck.net/wiki/SC2004 -- $/${} is unnecessary on arithmeti...
```
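
A token like the one in this report can be checked offline by decoding its header and payload segments and testing each as JSON. The following is an added example, not code from the issue or from the GitHub docs; the sample token is constructed to reproduce the header and payload segments shown above with a placeholder signature, and `inspect_jwt` is a hypothetical helper name.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the form used in JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_jwt(token: str) -> dict:
    """For header and payload, return the parsed JSON or the parse error."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    report = {}
    for name, segment in zip(("header", "payload"), parts):
        try:
            text = b64url_decode(segment).decode("utf-8")
            report[name] = {"ok": True, "claims": json.loads(text)}
        except ValueError as err:  # covers base64, UTF-8 and JSON errors
            report[name] = {"ok": False, "error": str(err)}
    return report


# Constructed sample mirroring the token in the issue: pretty-printed JSON
# with four-space indentation, and an "iss" value that is not quoted.
HEADER = '{\n    "typ":"JWT",\n    "alg":"RS256"\n}'
PAYLOAD = ('{\n    "iat":1717501960,\n    "exp":1717502620,\n'
           '    "iss":Iv1.c0ffeec0ffeec0ff\n}')
SIGNATURE = "c2lnbmF0dXJl"  # placeholder, not a real RS256 signature
SAMPLE = ".".join([b64url_encode(HEADER.encode()),
                   b64url_encode(PAYLOAD.encode()),
                   SIGNATURE])

if __name__ == "__main__":
    print(SAMPLE.split(".")[0][:4])  # first four characters of the header segment
    for name, result in inspect_jwt(SAMPLE).items():
        print(name, result)
```

On this sample the header parses, since JSON allows whitespace between tokens, while the payload is rejected because the `iss` value is not a quoted JSON string.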