[update] how-to guide: jwt debugger more algos

tedi-software · tedi-software · commit 59f63b2cb3fa · 2025-04-13T19:40:41.000-07:00
diff --git a/docs/assets/js/jwt-debugger.js b/docs/assets/js/jwt-debugger.js
@@ -1,109 +1,139 @@
 
-// JWT Debugger
+// // JWT Debugger
+
 
 document.addEventListener('DOMContentLoaded', function () {
     const jwtInput = document.getElementById('jwtInput');
     const headerInput = document.getElementById('jwtHeaderInput');
     const payloadInput = document.getElementById('jwtPayloadInput');
     const secretInput = document.getElementById('jwtSecretInput');
-    const encodedOutput = document.getElementById('jwtEncoded');
+    const publicKeyInput = document.getElementById('jwtPublicKeyInput');
+    const privateKeyInput = document.getElementById('jwtPrivateKeyInput');
     const encodingSelect = document.getElementById('secretEncoding');
+    const algorithmSelect = document.getElementById('jwtAlgorithm');
+    const encodedOutput = document.getElementById('jwtEncoded');
     const verifyStatus = document.getElementById('jwtVerifyStatus');
-
+  
     document.getElementById('decode-jwt')?.addEventListener('click', decodeJWT);
     document.getElementById('verify-jwt')?.addEventListener('click', verifyJWT);
     document.getElementById('encode-jwt')?.addEventListener('click', encodeJWT);
-
+  
+    function getAlgorithm() {
+      return algorithmSelect?.value || 'HS256';
+    }
+  
+    function getKeyForSign(alg) {
+      if (alg.startsWith('HS')) {
+        const secret = secretInput.value.trim();
+        const encoding = encodingSelect.value;
+        const keyObj = {};
+        keyObj[encoding] = secret;
+        return keyObj;
+      } else if (alg.startsWith('RS') || alg.startsWith('PS') || alg.startsWith('ES')) {
+        return privateKeyInput.value.trim();
+      } else {
+        throw new Error(`Unsupported algorithm for signing: ${alg}`);
+      }
+    }
+  
+    function getKeyForVerify(alg) {
+      if (alg.startsWith('HS')) {
+        const secret = secretInput.value.trim();
+        const encoding = encodingSelect.value;
+        const keyObj = {};
+        keyObj[encoding] = secret;
+        return keyObj;
+      } else if (alg.startsWith('RS') || alg.startsWith('PS') || alg.startsWith('ES')) {
+        return publicKeyInput.value.trim();
+      } else {
+        throw new Error(`Unsupported algorithm for verification: ${alg}`);
+      }
+    }
+  
     function decodeJWT() {
-        const jwt = jwtInput.value.trim();
-        const parts = jwt.split('.');
-        if (parts.length !== 3) {
-            return showError('Invalid JWT format (expected 3 parts)');
-        }
-
-        try {
-            const header = KJUR.jws.JWS.readSafeJSONString(b64urlDecode(parts[0]));
-            const payload = KJUR.jws.JWS.readSafeJSONString(b64urlDecode(parts[1]));
-
-            headerInput.value = JSON.stringify(header, null, 2);
-            payloadInput.value = JSON.stringify(payload, null, 2);
-            showStatus('', '✅ Decoded successfully (not verified)');
-        } catch (err) {
-            showError('Failed to decode JWT: ' + err.message);
-        }
+      const jwt = jwtInput.value.trim();
+      const parts = jwt.split('.');
+      if (parts.length !== 3) {
+        return showError('Invalid JWT format (expected 3 parts)');
+      }
+  
+      try {
+        const header = KJUR.jws.JWS.readSafeJSONString(b64urlDecode(parts[0]));
+        const payload = KJUR.jws.JWS.readSafeJSONString(b64urlDecode(parts[1]));
+  
+        headerInput.value = JSON.stringify(header, null, 2);
+        payloadInput.value = JSON.stringify(payload, null, 2);
+        showStatus('', '✅ Decoded successfully (not verified)');
+      } catch (err) {
+        showError('Failed to decode JWT: ' + err.message);
+      }
     }
-
+  
     function verifyJWT() {
-        try {
-            const jwt = jwtInput.value.trim();
-            const secret = secretInput.value.trim();
-            const encoding = encodingSelect.value;
-            if (!jwt || !secret) {
-                return showError('JWT and secret are required.');
-            }
-
-            const keyObj = {};
-            keyObj[encoding] = secret;
-
-            const isValid = KJUR.jws.JWS.verify(jwt, keyObj, ['HS256']);
-
-            if (isValid) {
-                const [headerB64, payloadB64] = jwt.split('.');
-                const header = KJUR.jws.JWS.readSafeJSONString(b64urlDecode(headerB64));
-                const payload = KJUR.jws.JWS.readSafeJSONString(b64urlDecode(payloadB64));
-
-                headerInput.value = JSON.stringify(header, null, 2);
-                payloadInput.value = JSON.stringify(payload, null, 2);
-                showStatus(true, '✅ Signature is valid');
-            } else {
-                showStatus(false, '❌ Signature is invalid');
-            }
-        } catch (err) {
-            showError('Verification failed: ' + err.message);
+      try {
+        const jwt = jwtInput.value.trim();
+        const key = getKeyForVerify(getAlgorithm());
+        const alg = getAlgorithm();
+  
+        const isValid = KJUR.jws.JWS.verify(jwt, key, [alg]);
+  
+        if (isValid) {
+          const [headerB64, payloadB64] = jwt.split('.');
+          const header = KJUR.jws.JWS.readSafeJSONString(b64urlDecode(headerB64));
+          const payload = KJUR.jws.JWS.readSafeJSONString(b64urlDecode(payloadB64));
+  
+          headerInput.value = JSON.stringify(header, null, 2);
+          payloadInput.value = JSON.stringify(payload, null, 2);
+          showStatus(true, '✅ Signature is valid');
+        } else {
+          showStatus(false, '❌ Signature is invalid');
         }
+      } catch (err) {
+        showError('Verification failed: ' + err.message);
+      }
     }
-
+  
     function encodeJWT() {
-        try {
-            const header = JSON.parse(headerInput.value.trim());
-            const payload = JSON.parse(payloadInput.value.trim());
-            const secret = secretInput.value.trim();
-            const encoding = encodingSelect.value;
-
-            const sHeader = JSON.stringify(header);
-            const sPayload = JSON.stringify(payload);
-
-            const keyObj = {};
-            keyObj[encoding] = secret;
-
-            const jwt = KJUR.jws.JWS.sign(header.alg || 'HS256', sHeader, sPayload, keyObj);
-
-            jwtInput.value = jwt;
-            showStatus('', '✅ JWT encoded successfully');
-        } catch (err) {
-            showError('Encoding failed: ' + err.message);
-        }
+      try {
+        const header = JSON.parse(headerInput.value.trim());
+        const payload = JSON.parse(payloadInput.value.trim());
+        const alg = getAlgorithm();
+  
+        header.alg = alg; // force-match selected alg
+        const sHeader = JSON.stringify(header);
+        const sPayload = JSON.stringify(payload);
+        const key = getKeyForSign(alg);
+  
+        const jwt = KJUR.jws.JWS.sign(alg, sHeader, sPayload, key);
+  
+        jwtInput.value = jwt;
+        if (encodedOutput) encodedOutput.innerText = jwt;
+        showStatus('', '✅ JWT encoded successfully');
+      } catch (err) {
+        showError('Encoding failed: ' + err.message);
+      }
     }
-
+  
     function b64urlDecode(str) {
-        str = str.replace(/-/g, '+').replace(/_/g, '/');
-        while (str.length % 4 !== 0) str += '=';
-        return atob(str);
+      str = str.replace(/-/g, '+').replace(/_/g, '/');
+      while (str.length % 4 !== 0) str += '=';
+      return atob(str);
     }
-
+  
     function showError(msg) {
-        verifyStatus.innerText = '❌ ' + msg;
-        verifyStatus.className = 'text-danger font-weight-bold';
+      verifyStatus.innerText = '❌ ' + msg;
+      verifyStatus.className = 'text-danger font-weight-bold';
     }
-
+  
     function showStatus(valid, msg) {
-        verifyStatus.innerText = valid === true
-            ? '✅ Signature is valid'
-            : valid === false
-                ? '❌ Signature is invalid'
-                : msg || '';
-        verifyStatus.className = valid === true
-            ? 'text-success font-weight-bold'
-            : 'text-danger font-weight-bold';
+      verifyStatus.innerText = valid === true
+        ? '✅ Signature is valid'
+        : valid === false
+        ? '❌ Signature is invalid'
+        : msg || '';
+      verifyStatus.className = valid === true
+        ? 'text-success font-weight-bold'
+        : 'text-danger font-weight-bold';
     }
-});
+  });
+  
diff --git a/docs/pages/how-to-jwt-debugger.md b/docs/pages/how-to-jwt-debugger.md
@@ -3,7 +3,7 @@ layout: page
 title: JWT Debugger
 parent: How-To Guides
 permalink: /how-to/jwt-debugger
-description: Inspect, verify, and create JSON Web Tokens securely in your browser — no server required.
+description: Inspect, verify, and create JSON Web Tokens securely using all the following algorithms RSA, RSAPSS, HMAC, EC. Multi-algo, security-grade JWT debugger.
 nav_order: 12
 ---
 
@@ -19,6 +19,17 @@ Or, create a new one by editing the header and payload and providing a secret.
 {: .highlight }
 > **Private and Secure:** Fully client-side — nothing leaves your browser !
 
+---
+
+## **Token & Key Format Summary**
+{: .fs-5 }
+
+| **Format** | **Name**              | **Purpose**                                         | **Used For**                                   | **Format Type**              | **Popularity**  |
+|:-----------|:----------------------|:----------------------------------------------------|:-----------------------------------------------|:-----------------------------|:----------------|
+| `JWT`      | JSON Web Token        | Signed (and optionally encrypted) claims            | ID tokens, access tokens, stateless sessions   | Compact, signed data format  | very high     |
+| `JWE`      | JSON Web Encryption   | Encrypted JWT (confidential claims)                 | Privacy-sensitive data, secure token transport | Encrypted token format       | niche         |
+| `JWKS`     | JSON Web Key Set      | Public key distribution format                      | RS256/PS256 token verification                 | JSON container for keys      | medium        |
+
 
 ---
 
@@ -30,53 +41,104 @@ Or, create a new one by editing the header and payload and providing a secret.
     </tr>
   </thead>
   <tbody>
-    <tr>
-    <td style="vertical-align: top;">
-    <textarea id="jwtInput"
-        style="width: 100%; height: 100%; min-height: 460px; font-family: monospace; color: #789"
-        class="mb-2"
-        placeholder="Paste or generate JWT..."></textarea>
-    </td>
-    <td style="vertical-align: top; height: 100%;">
-    <div style="display: flex; flex-direction: column; height: 100%;">
-        <label class="mb-1 font-weight-bold">Header</label>
-        <textarea id="jwtHeaderInput"
-        class="w-100 mb-2"
-        style="flex: 1; min-height: 200px; resize: vertical; font-family: monospace; color: #789;"
-        placeholder='{"alg":"HS256","typ":"JWT"}'></textarea>
-
-        <label class="mb-1 font-weight-bold">Payload</label>
-        <textarea id="jwtPayloadInput"
-            class="w-100 mb-2"
-            style="flex: 1; min-height: 200px; resize: vertical; font-family: monospace; color: #789;"
-            placeholder='{"sub":"1234567890","name":"John Doe"}'>
-        </textarea>
+        <tr>
+            <td style="vertical-align: top;">
+                <textarea id="jwtInput"
+                    style="width: 100%; height: 100%; min-height: 460px; font-family: monospace; color: #789"
+                    class="mb-2"
+                    placeholder="Paste or generate JWT...">
+                </textarea>
+            </td>
+            <td style="vertical-align: top; height: 100%;">
+                <div style="display: flex; flex-direction: column; height: 100%;">
+                    <label class="mb-1 font-weight-bold">Header</label>
+                    <textarea id="jwtHeaderInput"
+                    class="w-100 mb-2"
+                    style="flex: 1; min-height: 200px; resize: vertical; font-family: monospace; color: #789;"
+                    placeholder='{"alg":"HS256","typ":"JWT"}'></textarea>
 
-        <label class="mb-1 font-weight-bold">Secret (for HS256)</label>
-        <input id="jwtSecretInput"
-        type="text"
-        class="w-100 mb-2"
-        style="font-family: monospace; color: #789" placeholder="your-secret-key" />
+                    <label class="mb-1 font-weight-bold">Payload</label>
+                    <textarea id="jwtPayloadInput"
+                        class="w-100 mb-2"
+                        style="flex: 1; min-height: 200px; resize: vertical; font-family: monospace; color: #789;"
+                        placeholder='{"sub":"1234567890","name":"John Doe"}'>
+                    </textarea>
+                </div>
+            </td>
+        </tr>
+        <tr>
+            <td style="vertical-align: top; height: 100%;">
+                <div style="display: flex; flex-direction: column; height: 100%;">
+                    <label class="mb-1 font-weight-bold">Algorithm</label>
+                    <select id="jwtAlgorithm" class="w-100 mb-2">
+                        <option value="HS256" selected>HS256 [HMAC+SHA-256]</option>
+                        <option value="HS384">HS384 [HMAC+SHA-384]</option>
+                        <option value="HS512">HS512 [HMAC+SHA-512]</option>
+                        <option value="RS256">RS256 [RSA+SHA-256]</option>
+                        <option value="RS384">RS384 [RSA+SHA-384]</option>
+                        <option value="RS512">RS512 [RSA+SHA-512]</option>
+                        <option value="ES256">ES256 [ECDSA+SHA-256)</option>
+                        <option value="ES384">ES384 [ECDSA+SHA-384]</option>
+                        <option value="ES512">ES512 [ECDSA+SHA-512]</option>
+                        <option value="PS256">PS256 [RSAPSS+SHA-256]</option>
+                        <option value="PS384">PS384 [RSAPSS+SHA-384]</option>
+                        <option value="PS512">PS512 [RSAPSS+SHA-512]</option>
+                    </select>
+                </div>
+            </td>
+            <td style="vertical-align: bottom; height: 100%;">
+                <div style="display: flex; flex-direction: column; height: 100%;">
+                    <label class="mb-1 font-weight-bold">Secret (for HS)</label>
+                    <input id="jwtSecretInput"
+                    type="text"
+                    class="w-100 mb-2"
+                    style="font-family: monospace; color: #789" placeholder="your-secret-key" />
 
-        <label class="mb-1 font-weight-bold">Secret Encoding</label>
-        <select id="secretEncoding" class="mb-2">
-            <option value="utf8">UTF-8</option>
-            <option value="b64">Base64</option>
-            <option value="hex">Hex</option>
-        </select>
-    </div>
-    </td>
-    </tr>
+                    <label class="mb-1 font-weight-bold">Secret Encoding</label>
+                    <select id="secretEncoding" class="mb-2">
+                        <option value="utf8">UTF-8</option>
+                        <option value="b64">Base64</option>
+                        <option value="hex">Hex</option>
+                    </select>
+                </div>
+            </td>
+        </tr>
+        <tr>
+            <td style="vertical-align: bottom; height: 100%;">
+                <div style="display: flex; flex-direction: column; height: 100%;">
+                    <label class="mb-1 font-weight-bold">Public Key (RS|ES|PS)</label>
+                    <textarea id="jwtPublicKeyInput"
+                        class="w-100 mb-2"
+                        style="flex: 1; min-height: 200px; resize: vertical; font-family: monospace; color: #789;"
+                        placeholder='{"alg":"HS256","typ":"JWT"}'>
+                    </textarea>
+                </div>
+            </td>
+            <td style="vertical-align: bottom; height: 100%;">
+                <div style="display: flex; flex-direction: column; height: 100%;">
+                    <label class="mb-1 font-weight-bold">Private Key (RS|ES|PS)</label>
+                    <textarea id="jwtPrivateKeyInput"
+                        class="w-100 mb-2"
+                        style="flex: 1; min-height: 200px; resize: vertical; font-family: monospace; color: #789;"
+                        placeholder='{"sub":"1234567890","name":"John Doe"}'>
+                    </textarea>
+                </div>
+            </td>
+            
+        </tr>
+        <tr>
+            <td><label class="mb-1 font-weight-bold">* Public and Private keys must be in PEM format.</label></td>
+        </tr>
     <tr>
         <td colspan="2">
             <div class="mt-2">
             <button id="decode-jwt" class="btn btn-blue mr-2">Decode</button>
-            <button id="verify-jwt" class="btn btn-yellow mr-2">Verify Signature</button>
-            <button id="encode-jwt" class="btn btn-green mr-2">Encode JWT</button>
+            <button id="verify-jwt" class="btn btn-purple mr-2">Verify</button>
+            <button id="encode-jwt" class="btn btn-green mr-2">Encode</button>
             </div>
         </td>
     </tr>
-        <tr>
+    <tr>
         <td colspan="2">
             <div id="jwtVerifyStatus" class="font-weight-bold mt-3 text-sm"></div>
         </td>
