go-mockid/public/index.html

<meta
  name="google-signin-client_id"
  content="128764648444-nk2ss16gmals7rhsk2kj0i0ove0v0tnk.apps.googleusercontent.com"
/>
<!-- https://developers.google.com/identity/sign-in/web/sign-in -->
<!-- https://developers.google.com/identity/sign-in/web/quick-migration-guide -->
<!-- Note: You can also specify your app's client ID with the client_id parameter of the gapi.auth2.init() method. -->

<pre><code>
<h1>Tokens for Testing</h1>
Compatible with

* OAuth2
* OpenID Connect (OIDC)
* JOSE (Signed Access Tokens)
  * JWT
  * JWK
  * JWS

<h1>Resources</h1>

  * https://mock.pocketid.app/access_token
  * https://mock.pocketid.app/authorization_header
  * https://xxx.mock.pocketid.app/.well-known/openid-configuration
  * https://xxx.mock.pocketid.app/.well-known/jwks.json
  * https://mock.pocketid.app/key.jwk.json

<h2>Get a token</h2>

Get a verifiable access token

  https://mock.pocketid.app/access_token

For example:

  TOKEN=$(curl -fL https://mock.pocketid.app/access_token)

You can set the expiration (`exp`) with query parameters:

  * https://mock.pocketid.app/access_token?exp=90d (+90 days)
  * https://mock.pocketid.app/access_token?exp=3h (+3 hours)
  * https://mock.pocketid.app/access_token?exp=15m (+15 minutes)
  * https://mock.pocketid.app/access_token?exp=1565739000 (exactly 2019-08-13 5:30pm)

(you can also get the whole header)

  https://mock.pocketid.app/authorization_header

For example:

  HEADER=$(curl -fL https://mock.pocketid.app/authorization_header)
  # Authorization: Bearer &lt;token&gt;

<h3>The Token, Decoded</h3>

The Token will look like this:

  <font
    color="red">eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IlU1Ym0tQUxtSVFOQ3hfMlFPT1piSm5Ec0d1aEd4WkRnV053alNqck5IbzQifQ</font>.<font
    color="blue">eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjQwODAvIiwic3ViIjoiZHVtbXkiLCJleHAiOjE1NjI4NzEyNTh9</font>.<font
    color="green">PWK2eTDQcVCpT_weogKuh4bHInnjqY6TGSnQzwEIc133WnJ1eUmLjq799COxSW7Dr6Khm1Po-CAXGVwCADIBEw</font>

The <font color="red">first part</font> is the JWS protected header.

Decoded, it looks like this:

  {"typ":"JWT","alg":"ES256","kid":"U5bm-ALmIQNCx_2QOOZbJnDsGuhGxZDgWNwjSjrNHo4"}

The <font color="blue">second part</font> is the JWS payload of JWT claims.

Decoded, it looks like this:

  {"iss":"http://localhost:4080/","sub":"dummy","exp":1562871258}

The <font color="green">third part</font> is the signature.

It can't be "decoded", per se. It's two positive 32-bit BigInts called <em>R</em> and <em>S</em>, padded with zeros to fill out all the bytes.

<h2>Validate the Issuer</h2>

The token be signed and verifiable.

If the token issuer (iss) is "https://mock.pocketid.app/"

  * the key url (jwks_uri) will be found at "https://mock.pocketid.app/.well-known/openid-configuration"
  * which will point to "https://mock.pocketid.app/.well-known/jwks.json"
  * where there will be a key whose thumbprint (kid) matches that in the token

The public key found there will look like this:

  { "crv":"P-256"
  , "x":"ToL2HppsTESXQKvp7ED6NMgV4YnwbMeONexNry3KDNQ"
  , "y":"Tt6Q3rxU37KAinUV9PLMlwosNy1t3Bf2VDg5q955AGc"
  }

<h3>Get the Private Key</h3>

In truth, there's only one private key right now.

  https://mock.pocketid.app/key.jwk.json

You shouldn't use it for automated testing, because it will change, but it looks like this:

  { "crv":"P-256"
  , "x":"ToL2HppsTESXQKvp7ED6NMgV4YnwbMeONexNry3KDNQ"
  , "y":"Tt6Q3rxU37KAinUV9PLMlwosNy1t3Bf2VDg5q955AGc"
  , "d":"GYAwlBHc2mPsj1lp315HbYOmKNJ7esmO3JAkZVn9nJs"
  }

</code></pre>

<script src="https://apis.google.com/js/platform.js" async defer></script>
<div
  class="g-signin2"
  data-onsuccess="onSignIn"
  data-scope="profile email https://www.googleapis.com/auth/spreadsheets.readonly https://www.googleapis.com/auth/drive.readonly"
></div>
<a href="#" onclick="signOut();">Sign out</a>
<script src="app.js"></script>