Forum Discussion

Rajendra605 (Microsoft)
Mar 18, 2024

extract appid from decoded jwttoken

I have the below YAML, where I am using a PowerShell script to extract the app ID from a JWT token after decoding it. I am not able to get the exact app ID (GUID) from the decoded object; it is coming out as ***.

Could someone suggest how to extract the appid from the JWT token?


parameters:
- name: jwttoken
  default: ''
steps:
- powershell: |
    $encodedToken = '${{ parameters.jwttoken }}'
    Write-Host $encodedToken
    $tokenParts = $encodedToken -split '\.'
    $tokenPayload = $tokenParts[1]
    # Fix padding as needed, keep adding "=" until string length modulus 4 reaches 0
    while ($tokenPayload.Length % 4) { Write-Verbose "Invalid length for a Base-64 char array or string, adding ="; $tokenPayload += "=" }
    $decodedPayload = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tokenPayload))
    $tokenObject = $decodedPayload | ConvertFrom-Json
    $appId = $tokenObject.appid
    Write-Host $appId

  • LainRobertson (Silver Contributor)

    Rajendra605

    Hi, Rajendra.

    From having a read of the following article, I quickly knocked up two functions that reliably (for me) decode the JWT. The appid field is in "proper" GUID notation.

    I tested using certificate-based authentication (i.e. servicePrincipal + certificate).

    For testing purposes, I obtained a token (stored in $Token) using Get-AzAccessToken.

    From your sample code, what I'm seeing missing is the reversal of the two special character replacements, as per the reference documentation below.

    Reference

    PowerShell functions

    function Get-NormalisedTokenSection
    {
        [cmdletbinding()]
        param(
            [parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][string] $TokenSection
        )

        # Reverse the base64url substitutions (RFC 7515) before handing the string to the standard Base64 decoder.
        $Value = $TokenSection.Replace("_", "/").Replace("-", "+");

        # Restore the "=" padding that base64url strips; a remainder of 1 can never be valid Base64.
        switch ($Value.Length % 4)
        {
            1 {
                throw("Invalid token section length.");
            }

            2 {
                $Value += "==";
                break;
            }

            3 {
                $Value += "=";
                break;
            }
        }

        # JWT sections are UTF-8 JSON, so decode the bytes as UTF-8 rather than mapping each byte to a char.
        [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Value)) | ConvertFrom-Json;
    }

    function Get-TokenSections
    {
        [cmdletbinding()]
        param(
            [parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][string] $Token
        )

        # A compact JWS is exactly header.payload.signature.
        if (3 -ne ($Sections = $Token.Split(".")).Length)
        {
            throw("Invalid access token.");
        }

        [PSCustomObject] @{
            Header = Get-NormalisedTokenSection -TokenSection $Sections[0];
            Claim = Get-NormalisedTokenSection -TokenSection $Sections[1];
        }
    }

    Output (scoped down to just the appid)

    Cheers,

    Lain

    • Rajendra605 (Microsoft)

      LainRobertson,

      Even though I am using the replacement, I am getting the same issue.

      $TokenSection.Replace("_", "/").Replace("-", "+");

      Actually, when I am passing a hard-coded value in the $TokenSection variable, then I am able to get the appid in GUID format; otherwise I am getting ***.

      • LainRobertson (Silver Contributor)

        Rajendra605

        The only other diagnostic I can think of is to compare tokens, as the only kind I compared against is an Azure JWT.

        You're not using the value from a header, are you, which begins with "Bearer "?

        Perhaps purely for the sake of testing, you can fetch a token using the Az.Accounts module, using Get-AzAccessToken, and use the Token property of the returned object to test your existing user-defined function.

        Cheers,

        Lain
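The two points raised in this thread, reversing the base64url substitutions before decoding and stripping a "Bearer " scheme from a header value, put together in one self-contained script. This is an added example, not code from either participant: it builds a constructed, unsigned token whose payload is chosen so that its base64url form is guaranteed to contain both "-" and "_" (a "~" or "?" byte at offset 2 of a 3-byte group encodes to "+" or "/"), shows that a plain FromBase64String call rejects it, then decodes it properly. The GUID, the "note" claim and the "dummysig" signature are placeholders; the function names are my own.

```powershell
# Added example (not from the thread). Builds a constructed JWT and decodes its
# payload per RFC 7515: undo the URL-safe alphabet, restore padding, UTF-8 decode.
# Nothing here verifies the signature; it only parses claims for inspection.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]] $Bytes)
    # Standard Base64, then the URL-safe substitutions and no '=' padding.
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string] $Value)
    # Reverse the substitutions first; FromBase64String rejects '-' and '_' outright.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    # A length of 4n+1 cannot come from valid Base64, so fail instead of padding it.
    switch ($s.Length % 4) {
        1 { throw "Invalid base64url length: $($Value.Length)" }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Convert]::FromBase64String($s)
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string] $Token)
    $raw = $Token.Trim()
    # Accept an Authorization header value; the "Bearer" scheme is not part of the token.
    if ($raw -match '^Bearer\s+(\S+)$') { $raw = $Matches[1] }
    $parts = $raw.Split('.')
    if ($parts.Count -ne 3) {
        throw "Expected header.payload.signature, got $($parts.Count) section(s)"
    }
    $json = [System.Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1]))
    $json | ConvertFrom-Json
}

# ---- constructed sample; the GUID and the signature are placeholders, not real values ----
$header  = '{"alg":"none","typ":"JWT"}'
# The runs of '~' and '?' guarantee a '-' and a '_' in the base64url output, which is
# exactly what a plain FromBase64String call (as in the original pipeline step) trips on.
$payload = '{"aud":"api://example","appid":"11111111-2222-3333-4444-555555555555","note":"~~~???"}'
$toB64   = { param($s) ConvertTo-Base64Url ([System.Text.Encoding]::UTF8.GetBytes($s)) }
$token   = '{0}.{1}.dummysig' -f (& $toB64 $header), (& $toB64 $payload)

try {
    [void][Convert]::FromBase64String($token.Split('.')[1])
}
catch {
    Write-Host "Plain Base64 decode of the payload fails: $($_.Exception.Message)"
}

$claims = Get-JwtClaims -Token "Bearer $token"
$appId  = [guid]::Parse($claims.appid)   # throws if the claim is not a well-formed GUID
Write-Host "appid = $appId"
```

Runs as-is in Windows PowerShell 5.1 or pwsh. Two things worth keeping in mind when adapting it to a pipeline: the script never writes the token itself to the log (the original step's Write-Host $encodedToken puts a bearer credential into the job log, where anyone with read access to the run can recover it), and Azure Pipelines replaces any logged string that matches a secret variable's value with ***, so a masked appid in the log does not by itself prove the decode failed; the [guid]::Parse line is a check that does not depend on what the log shows. Decoding claims this way is parsing, not trust: anything that acts on the appid still has to validate the signature, issuer and audience first.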
