extract appid from decoded jwttoken

I have the YAML below, where I am using a PowerShell script to extract the app ID from a JWT token after decoding it. I am not able to get the exact app ID (GUID) from the decoded object; it is coming out as ***

Could someone suggest how to extract the appid from a JWT token?

parameters:
- name: jwttoken
  default: ''
steps:
- powershell: |
    $encodedToken = '${{ parameters.jwttoken }}'
    Write-Host $encodedToken
    $tokenParts = $encodedToken -split '\.'
    $tokenPayload = $tokenParts[1]
    # Fix padding as needed: keep adding "=" until the string length modulo 4 reaches 0
    while ($tokenPayload.Length % 4) { Write-Verbose "Invalid length for a Base-64 char array or string, adding ="; $tokenPayload += "=" }
    $decodedPayload = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tokenPayload))
    $tokenObject = $decodedPayload | ConvertFrom-Json
    $appId = $tokenObject.appid
    Write-Host $appId

3 Replies

@Rajendra605 

Hi, Rajendra.

From having a read of the following article, I quickly knocked up two functions that reliably (for me) decode the JWT. The appid field is in "proper" GUID notation.

I tested using certificate-based authentication (i.e. servicePrincipal + certificate).

For testing purposes, I obtained a token (stored in $Token) using Get-AzAccessToken.

From your sample code, what I'm seeing missing is the reversal of the two special-character replacements, as per the reference documentation below.

Reference

PowerShell functions

function Get-NormalisedTokenSection
{
    [cmdletbinding()]
    param(
        [parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][string] $TokenSection
    )

    # Reverse the base64url substitutions ('_' for '/' and '-' for '+'), then restore the padding that base64url strips.
    $Value = $TokenSection.Replace("_", "/").Replace("-", "+");

    switch ($Value.Length % 4)
    {
        1 {
            # A remainder of 1 can never come from valid base64 input, so fail clearly instead of padding.
            throw("Invalid token section length.");
        }

        2 {
            $Value += "==";
            break;
        }

        3 {
            $Value += "=";
            break;
        }
    }

    # Decode the bytes as UTF-8 so non-ASCII claim values survive, then parse the JSON.
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Value)) | ConvertFrom-Json;
}

function Get-TokenSections
{
    [cmdletbinding()]
    param(
        [parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][string] $Token
    )

    # A compact JWS/JWT always has exactly three dot-separated sections: header, claims, signature.
    if (3 -ne ($Sections = $Token.Split(".")).Length)
    {
        throw("Invalid access token.");
    }

    # Only the header and claims are decoded; the signature section is neither decoded nor verified here.
    [PSCustomObject] @{
        Header = Get-NormalisedTokenSection -TokenSection $Sections[0];
        Claim = Get-NormalisedTokenSection -TokenSection $Sections[1];
    }
}

Output (scoped down to just the appid)

Cheers,

Lain

@LainRobertson ,

Even though I am using the replacement, I am getting the same issue.

$TokenSection.Replace("_", "/").Replace("-", "+");

Actually, when I am passing a hard-coded value in the $TokenSection variable, then I am able to get the appid in GUID format; otherwise I am getting ***

@Rajendra605 

The only other diagnostic I can think of is to compare tokens, as the only kind I compared against is an Azure JWT.

You're not using the value from a header, are you, which begins with "Bearer "?

Perhaps purely for the sake of testing, you can fetch a token using the Az.Accounts module, using Get-AzAccessToken, and use the Token property of the returned object to test your existing user-defined function.

Cheers,

Lain
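As an added example (not code from either poster), the following combines the two points raised in this thread: reversing the base64url substitutions before padding, and tolerating a leading "Bearer " prefix such as a raw Authorization header value. The token is constructed inline from a hypothetical appid so it runs offline, and the function only decodes claims; it does not verify the signature.

```powershell
# Added example: decode JWT claims in PowerShell and return appid as a GUID.
# Decoding only; the signature is NOT verified, so the claims are untrusted input.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string] $Value)
    # base64url uses '-' and '_' in place of '+' and '/' and drops the '=' padding
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw "Invalid base64url length: $($Value.Length)" }
    }
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]] $Bytes)
    [System.Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtAppId {
    param([Parameter(Mandatory)][string] $Token)
    # Accept the raw Authorization header value ("Bearer <token>") as well as a bare token
    $raw = $Token -replace '^\s*Bearer\s+', ''
    $parts = $raw.Split('.')
    if ($parts.Length -ne 3) { throw "Expected 3 dot-separated sections, got $($parts.Length)" }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # appid must parse as a GUID; fail loudly rather than hand back a masked or malformed value
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($claims.appid, [ref] $guid)) {
        throw "appid claim is missing or not a GUID: '$($claims.appid)'"
    }
    $guid
}

# Constructed sample token: hypothetical appid, placeholder bytes in the signature section
$utf8 = [System.Text.Encoding]::UTF8
$header  = ConvertTo-Base64Url $utf8.GetBytes('{"typ":"JWT","alg":"RS256"}')
$payload = ConvertTo-Base64Url $utf8.GetBytes('{"aud":"https://management.azure.com/","appid":"11111111-2222-3333-4444-555555555555","ver":"1.0"}')
$sig     = ConvertTo-Base64Url ([byte[]](1..32))
$token   = "$header.$payload.$sig"

Get-JwtAppId -Token "Bearer $token"
```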