<pre><code> <h1>Tokens for Testing</h1> Compatible with * OAuth2 * OpenID Connect (OIDC) * JOSE (Signed Access Tokens) * JWT * JWK * JWS <h1>Resources</h1> * https://mock.pocketid.app/access_token * https://mock.pocketid.app/authorization_header * https://xxx.mock.pocketid.app/.well-known/openid-configuration * https://xxx.mock.pocketid.app/.well-known/jwks.json * https://mock.pocketid.app/key.jwk.json * POST https://xxx.mock.pocketid.app/api/jwks { "kty":"EC", "crv":"P-256", "x":"xxx", "y":"yyy" } * GET https://xxx.mock.pocketid.app/.well-known/jwks.json <h2>Get a token</h2> Get a verifiable access token https://mock.pocketid.app/access_token For example: TOKEN=$(curl -fL https://mock.pocketid.app/access_token) You can set the expiration (`exp`) with query parameters: * https://mock.pocketid.app/access_token?exp=90d (+90 days) * https://mock.pocketid.app/access_token?exp=3h (+3 hours) * https://mock.pocketid.app/access_token?exp=15m (+15 minutes) * https://mock.pocketid.app/access_token?exp=1565739000 (exactly 2019-08-13 5:30pm) (you can also get the whole header) https://mock.pocketid.app/authorization_header For example: HEADER=$(curl -fL https://mock.pocketid.app/authorization_header) # Authorization: Bearer <token> <h3>The Token, Decoded</h3> The Token will look like this: <font color="red">eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IlU1Ym0tQUxtSVFOQ3hfMlFPT1piSm5Ec0d1aEd4WkRnV053alNqck5IbzQifQ</font>.<font color="blue">eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjQwODAvIiwic3ViIjoiZHVtbXkiLCJleHAiOjE1NjI4NzEyNTh9</font>.<font color="green">PWK2eTDQcVCpT_weogKuh4bHInnjqY6TGSnQzwEIc133WnJ1eUmLjq799COxSW7Dr6Khm1Po-CAXGVwCADIBEw</font> The <font color="red">first part</font> is the JWS protected header. Decoded, it looks like this: {"typ":"JWT","alg":"ES256","kid":"U5bm-ALmIQNCx_2QOOZbJnDsGuhGxZDgWNwjSjrNHo4"} The <font color="blue">second part</font> is the JWS payload of JWT claims. Decoded, it looks like this: {"iss":"http://localhost:4080/","sub":"dummy","exp":1562871258} The <font color="green">third part</font> is the signature. It can't be "decoded", per se. It's two positive 32-bit BigInts called <em>R</em> and <em>S</em>, padded with zeros to fill out all the bytes. <h2>Validate the Issuer</h2> The token be signed and verifiable. If the token issuer (iss) is "https://mock.pocketid.app/" * the key url (jwks_uri) will be found at "https://mock.pocketid.app/.well-known/openid-configuration" * which will point to "https://mock.pocketid.app/.well-known/jwks.json" * where there will be a key whose thumbprint (kid) matches that in the token The public key found there will look like this: { "crv":"P-256" , "x":"ToL2HppsTESXQKvp7ED6NMgV4YnwbMeONexNry3KDNQ" , "y":"Tt6Q3rxU37KAinUV9PLMlwosNy1t3Bf2VDg5q955AGc" } <h3>Get the Private Key</h3> In truth, there's only one private key right now. https://mock.pocketid.app/key.jwk.json You shouldn't use it for automated testing, because it will change, but it looks like this: { "crv":"P-256" , "x":"ToL2HppsTESXQKvp7ED6NMgV4YnwbMeONexNry3KDNQ" , "y":"Tt6Q3rxU37KAinUV9PLMlwosNy1t3Bf2VDg5q955AGc" , "d":"GYAwlBHc2mPsj1lp315HbYOmKNJ7esmO3JAkZVn9nJs" } </code></pre>