JSON Web Tokens (JWTs) are powerful and convenient tools for securing APIs. Their format is standardized; they are cryptographically protected, self-contained and simply very handy. Since JWTs are commonly unencrypted, you can easily parse them and inspect their structure and content. You can use convenient online tools for that purpose. Let me share a personal tip: Check out OAuth.Tools.
OAuth.Tools is a free online tool provided by Curity. It offers incredible features for anyone working with or interested in OAuth and OpenID Connect. These protocols are commonly used to “outsource login.” OAuth is much more than just the access token. As such, you can use OAuth.Tools to decode or create JWTs with different characteristics, fetch tokens from a server, revoke tokens or add an access token to external API calls and check the behavior.
Configuration
The Curity Playground
OAuth.Tools provides a preconfigured environment and workspace, the Curity Playground. As the name suggests, you can use that to play around with the tool. It also includes some examples that you can easily run without the need for any configuration or installation.
The examples demonstrate how to use various flows and provide a quick start. For example, to decode a JWT, simply click “Demo: JWT Token” and copy and paste the value in the code field. For other flows, the Curity Playground is configured with demo clients. To fetch a token, for example, you can try out the “Demo: Code Flow” configured with a client. You can find the clients in the workspace settings. They enable anyone to run an OAuth flow quickly without prior knowledge or manual configuration.
Customize Settings
You may use OAuth.Tools with any OAuth-compliant server. The only requirement is that the OAuth services must be accessible over the internet.
From the main menu, you can create, import, export or share configurations via links. In that way, the workspace configuration becomes portable. You can return to it at another point or share your work with a colleague.
A workspace represents the integration with a service, such as the Curity Playground. In the settings, you specify the different URLs and endpoints for the service. Preferably, you use a discovery service like the OIDC service discovery or WebFinger to automatically retrieve some of the settings. You then only have to enter the client details you received from the service provider. Refer to the service provider’s documentation for how to register an OAuth client (sometimes referred to as app registration).
Features
Great Overview
Next to the main menu is the list of flows. A flow is basically a task, like a request or a series of requests (in the case of the code flow, for example). “Decode JWT,” “Create JWT” and OAuth-related requests like “Code Flow” or “Client Credentials Flow” are all examples of tasks that OAuth.Tools supports. Even new features like verifiable credential issuance (VCI) are supported. You can organize your work by grouping flows.
The main window shows two panes. The left pane is the configuration pane where you enter the flow details. The right pane shows the result — the body of a request. For example, when decoding JWTs, you enter the encoded JWT in the left pane and OAuth.Tools lists the details in the right pane.
Helpful Insights
Both panes in the main window provide very useful information. For example, OAuth.Tools highlights the different parts of a JWT — the header, the payload (data) and the signature — in the input field. If you provide a signature verification key next to the JWT, OAuth.Tools validates its signature and prints a nice green box in the result pane.
When validating JWTs, you can also select a type and OAuth.Tools will let you know if the provided JWT meets the requirements for that type. For example, if a JWT is supposed to be an access token, it should contain an aud and scope claim. OAuth.Tools displays a warning if those claims are missing. With that feature, you can parse a JWT, validate its signature and quickly verify that it also complies with standards and best practices.
OAuth.Tools provides helpful information in many cases beyond JWT decoding. When creating a flow, it allows you to set common settings using UI elements. For example, it allows you to enable the PKCE (proof key for code exchange) or create a signed request (JWT Secured Authorization Request) with single switches. OAuth.Tools is educational, as it does not require much knowledge about the protocol, but you will eventually gain some.
The strength of OAuth.Tools lie within the details. If available, OAuth.Tools lists request details like all the query parameters. For example, the code flow is a two-step flow where the first step starts in the front channel, the browser. OAuth.Tools shows how the browser receives an authorization code and allows you to swap it for tokens. You may copy and paste requests and run them in the browser or terminal instead. In addition, OAuth.Tools prints server responses — consequently, OAuth.Tools is handy for testing and debugging OAuth and OpenID Connect integrations.
Try It Out
What I like about OAuth.Tools is its completeness. Not only does it support many flows, but it also provides the necessary supporting features. For example, whenever a key is required, you can simply press a button to create one. Also, when a flow requires a token, you can select an appropriate one that comes from another flow. This means you can create a code flow to get a token and run an introspection flow to list its details. There are even shortcuts for that!
Whatever your business with OAuth is, whether you are an experienced user or a novice, you should try out OAuth.Tools.
