Skip to content

Instantly share code, notes, and snippets.

@corbanb

corbanb/pre-request-jwt.js

Last active July 22, 2024 13:12
Show Gist options
  • Save corbanb/db03150abbe899285d6a86cc480f674d to your computer and use it in GitHub Desktop.
Save corbanb/db03150abbe899285d6a86cc480f674d to your computer and use it in GitHub Desktop.
Download ZIP
JWT tokenize - Postman Pre-Request Script
Raw
pre-request-jwt.js
function base64url(source) {
// Encode in classical base64
encodedSource = CryptoJS.enc.Base64.stringify(source);
// Remove padding equal characters
encodedSource = encodedSource.replace(/=+$/, '');
// Replace characters according to base64url specifications
encodedSource = encodedSource.replace(/\+/g, '-');
encodedSource = encodedSource.replace(/\//g, '_');
return encodedSource;
}
function addIAT(request) {
var iat = Math.floor(Date.now() / 1000) + 257;
data.iat = iat;
return data;
}
var header = {
"typ": "JWT",
"alg": "HS256"
};
var data = {
"fname": "name",
"lname": "name",
"email": "[email protected]",
"password": "abc123$"
};
data = addIAT(data);
var secret = 'myjwtsecret';
// encode header
var stringifiedHeader = CryptoJS.enc.Utf8.parse(JSON.stringify(header));
var encodedHeader = base64url(stringifiedHeader);
// encode data
var stringifiedData = CryptoJS.enc.Utf8.parse(JSON.stringify(data));
var encodedData = base64url(stringifiedData);
// build token
var token = encodedHeader + "." + encodedData;
// sign token
var signature = CryptoJS.HmacSHA256(token, secret);
signature = base64url(signature);
var signedToken = token + "." + signature;
postman.setEnvironmentVariable("payload", signedToken);
@niwsmbulai1989
Copy link

niwsmbulai1989 commented Aug 4, 2020
edited
Loading

var jwtSecret = xxxx
var app_key=yyyy

// Set headers for JWT
var header = {
'alg': 'HS256'
};

// Prepare timestamp in seconds
var currentTimestamp = Math.floor(Date.now() / 1000)

var data = {
'iss': app_key,
'iat': currentTimestamp,
}

function base64url(source) {
// Encode in classical base64
encodedSource = CryptoJS.enc.Base64.stringify(source)

// Remove padding equal characters
encodedSource = encodedSource.replace(/=+$/, '')

// Replace characters according to base64url specifications
encodedSource = encodedSource.replace(/\+/g, '-')
encodedSource = encodedSource.replace(/\//g, '_')

return encodedSource

}

// encode header
var stringifiedHeader = CryptoJS.enc.Utf8.parse(JSON.stringify(header))
var encodedHeader = base64url(stringifiedHeader)

// encode data
var stringifiedData = CryptoJS.enc.Utf8.parse(JSON.stringify(data))
var encodedData = base64url(stringifiedData)

// build token
var token = ${encodedHeader}.${encodedData}

// sign token
var signature = CryptoJS.HmacSHA256(token, jwtSecret)
signature = base64url(signature)
var signedToken = ${token}.${signature}

pm.environment.set('jwt', signedToken)
'

this error :
`Array
(
[error] => stdClass Object
(
[status] => 1
[message] => Headers missing or invalid.
)

[status_code] => 401
)`

@harkal18
Copy link

harkal18 commented Nov 4, 2020

thanks for this code snippet ;)

@btskyy
Copy link

btskyy commented Feb 9, 2021

This was helpful. I am curious though, what is the reasoning for + 257 on line 16?

@TangGuoHua
Copy link

TangGuoHua commented Sep 10, 2021
edited
Loading

didnt work secret for google JWT

i trying RS256
this one generated by your prescript:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI5IjkzYzA1ZWQ2NTc4NDRiYWM1ZjBmZGFmYTFhZThjMTdlNjFiZjU4ZDAifQ
.
eyJpc2MiOiJ2YWluZ2xvcnktbG9yZS10ZXN0MkB2YWluZ2xvcnktbG9yZS5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsInN1YiI6InZhaW5nbG9yeS1sb3JlLXRlc3QyQHZhaW5nbG9yeS1sb3JlLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwiYXVkIjoiaHR0cHM6Ly93d3cuZ29vZ2xlYXBpcy5jb20vb2F1dGgyL3Y0L3Rva2VuIiwic2NvcGUiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9hdXRoL2RldnN0b3JhZ2UucmVhZF9vbmx5IiwiaWF0IjoxNTUzMDk2ODc0LCJleHAiOjE1NTMxMDA0NzR9
.
ZaCoMgyjg85nlOgm_dg7ydMe5aZwdR6fj_I5VRKZT7w

and this one by jwt.io:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI5IjkzYzA1ZWQ2NTc4NDRiYWM1ZjBmZGFmYTFhZThjMTdlNjFiZjU4ZDAifQ
.
eyJpc2MiOiJ2YWluZ2xvcnktbG9yZS10ZXN0MkB2YWluZ2xvcnktbG9yZS5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsInN1YiI6InZhaW5nbG9yeS1sb3JlLXRlc3QyQHZhaW5nbG9yeS1sb3JlLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwiYXVkIjoiaHR0cHM6Ly93d3cuZ29vZ2xlYXBpcy5jb20vb2F1dGgyL3Y0L3Rva2VuIiwic2NvcGUiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9hdXRoL2RldnN0b3JhZ2UucmVhZF9vbmx5IiwiaWF0IjoxNTUzMDk2ODc0LCJleHAiOjE1NTMxMDA0NzR9
.
Y3-ftstpQEyXHFwtanyIyMFBmqdxr5GMWvLlOtuyzwdFzfOQK4sbfkVYejPQQdnxNH3Ve-PzKMtNO80-djODCKkMk-ZRtyQpidpAS89TNYoGBoGz6N1Ojg84GFdTb15W96-QINPG2MxIk43Ccshjs2VvTyvwG8T2Xo-b8i91t0_z-Q_GgsDSlaJuS0L-bd0ve8sL3wqgp3BXodh0XqpZ5_6_3JbecJAwLCrlNoK8WcwOAi5519Ef9FR_pJJFmu5Oi_jzPAzMqo_13FAe-ej9moy4k3EC45kevwiLDnIBkU2n76f5djjdTrI5UxwtUOkgLg_emYVURzFf5rDSZ_ESJh

third part of secret is not the same.
can you help with this?

JWT.io says for secret

RSASHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload)

I am trying to RS256 too.
could you share the script ? thanks.

@henry-ppoint
Copy link

thanks for this code snippet ;)

@SrikanthKuruva
Copy link

didnt work secret for google JWT

i trying RS256 this one generated by your prescript:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI5IjkzYzA1ZWQ2NTc4NDRiYWM1ZjBmZGFmYTFhZThjMTdlNjFiZjU4ZDAifQ
.
eyJpc2MiOiJ2YWluZ2xvcnktbG9yZS10ZXN0MkB2YWluZ2xvcnktbG9yZS5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsInN1YiI6InZhaW5nbG9yeS1sb3JlLXRlc3QyQHZhaW5nbG9yeS1sb3JlLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwiYXVkIjoiaHR0cHM6Ly93d3cuZ29vZ2xlYXBpcy5jb20vb2F1dGgyL3Y0L3Rva2VuIiwic2NvcGUiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9hdXRoL2RldnN0b3JhZ2UucmVhZF9vbmx5IiwiaWF0IjoxNTUzMDk2ODc0LCJleHAiOjE1NTMxMDA0NzR9
.
ZaCoMgyjg85nlOgm_dg7ydMe5aZwdR6fj_I5VRKZT7w

and this one by jwt.io:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI5IjkzYzA1ZWQ2NTc4NDRiYWM1ZjBmZGFmYTFhZThjMTdlNjFiZjU4ZDAifQ
.
eyJpc2MiOiJ2YWluZ2xvcnktbG9yZS10ZXN0MkB2YWluZ2xvcnktbG9yZS5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsInN1YiI6InZhaW5nbG9yeS1sb3JlLXRlc3QyQHZhaW5nbG9yeS1sb3JlLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwiYXVkIjoiaHR0cHM6Ly93d3cuZ29vZ2xlYXBpcy5jb20vb2F1dGgyL3Y0L3Rva2VuIiwic2NvcGUiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9hdXRoL2RldnN0b3JhZ2UucmVhZF9vbmx5IiwiaWF0IjoxNTUzMDk2ODc0LCJleHAiOjE1NTMxMDA0NzR9
.
Y3-ftstpQEyXHFwtanyIyMFBmqdxr5GMWvLlOtuyzwdFzfOQK4sbfkVYejPQQdnxNH3Ve-PzKMtNO80-djODCKkMk-ZRtyQpidpAS89TNYoGBoGz6N1Ojg84GFdTb15W96-QINPG2MxIk43Ccshjs2VvTyvwG8T2Xo-b8i91t0_z-Q_GgsDSlaJuS0L-bd0ve8sL3wqgp3BXodh0XqpZ5_6_3JbecJAwLCrlNoK8WcwOAi5519Ef9FR_pJJFmu5Oi_jzPAzMqo_13FAe-ej9moy4k3EC45kevwiLDnIBkU2n76f5djjdTrI5UxwtUOkgLg_emYVURzFf5rDSZ_ESJh

third part of secret is not the same. can you help with this?

JWT.io says for secret

RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload)

I am facing the same hurdle. any solution to overcome this?

@kendraodrunia
Copy link

didnt work secret for google JWT
i trying RS256 this one generated by your prescript:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI5IjkzYzA1ZWQ2NTc4NDRiYWM1ZjBmZGFmYTFhZThjMTdlNjFiZjU4ZDAifQ
.
eyJpc2MiOiJ2YWluZ2xvcnktbG9yZS10ZXN0MkB2YWluZ2xvcnktbG9yZS5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsInN1YiI6InZhaW5nbG9yeS1sb3JlLXRlc3QyQHZhaW5nbG9yeS1sb3JlLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwiYXVkIjoiaHR0cHM6Ly93d3cuZ29vZ2xlYXBpcy5jb20vb2F1dGgyL3Y0L3Rva2VuIiwic2NvcGUiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9hdXRoL2RldnN0b3JhZ2UucmVhZF9vbmx5IiwiaWF0IjoxNTUzMDk2ODc0LCJleHAiOjE1NTMxMDA0NzR9
.
ZaCoMgyjg85nlOgm_dg7ydMe5aZwdR6fj_I5VRKZT7w

and this one by jwt.io:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI5IjkzYzA1ZWQ2NTc4NDRiYWM1ZjBmZGFmYTFhZThjMTdlNjFiZjU4ZDAifQ
.
eyJpc2MiOiJ2YWluZ2xvcnktbG9yZS10ZXN0MkB2YWluZ2xvcnktbG9yZS5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsInN1YiI6InZhaW5nbG9yeS1sb3JlLXRlc3QyQHZhaW5nbG9yeS1sb3JlLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwiYXVkIjoiaHR0cHM6Ly93d3cuZ29vZ2xlYXBpcy5jb20vb2F1dGgyL3Y0L3Rva2VuIiwic2NvcGUiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9hdXRoL2RldnN0b3JhZ2UucmVhZF9vbmx5IiwiaWF0IjoxNTUzMDk2ODc0LCJleHAiOjE1NTMxMDA0NzR9
.
Y3-ftstpQEyXHFwtanyIyMFBmqdxr5GMWvLlOtuyzwdFzfOQK4sbfkVYejPQQdnxNH3Ve-PzKMtNO80-djODCKkMk-ZRtyQpidpAS89TNYoGBoGz6N1Ojg84GFdTb15W96-QINPG2MxIk43Ccshjs2VvTyvwG8T2Xo-b8i91t0_z-Q_GgsDSlaJuS0L-bd0ve8sL3wqgp3BXodh0XqpZ5_6_3JbecJAwLCrlNoK8WcwOAi5519Ef9FR_pJJFmu5Oi_jzPAzMqo_13FAe-ej9moy4k3EC45kevwiLDnIBkU2n76f5djjdTrI5UxwtUOkgLg_emYVURzFf5rDSZ_ESJh

third part of secret is not the same. can you help with this?
JWT.io says for secret
RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload)

I am facing the same hurdle. any solution to overcome this?

I am also facing the same issue. Has anyone found a solution to this?

@pradeepbihanidd
Copy link

In my case changed secret to base64 worked perfectly. Those who are facing problem can try this out

var signature = CryptoJS.HmacSHA256(token, CryptoJS.enc.Base64.parse(secret));

@gehengfeng
Copy link

reference this:
https://www.postman.com/postman/workspace/postman-team-collections/request/8140651-fa914e7e-362a-4698-8a5a-0c81dfebf5f9?tab=scripts

`var navigator = {};
var window = {};
eval(pm.environment.get("jsrsasign-js"));

var scope = pm.environment.get('scope');
var iss = pm.environment.get('iss');
var privateKey = pm.environment.get('privateKey');

const header = {"alg" : "RS256", "typ" : "JWT"};

const claimSet =
{
"iss": iss,
"scope": scope ,
"aud":"https://oauth2.googleapis.com/token",
"exp":KJUR.jws.IntDate.get("now + 1hour").toString(),
"iat": KJUR.jws.IntDate.get("now").toString()
}

console.log(header: ${ JSON.stringify(header)});
console.log(claim set: ${ JSON.stringify(claimSet) });
console.log(Private Key: ${ privateKey });

// let jws = new KJUR.jws.JWS();
var jwt = KJUR.jws.JWS.sign(null, header, claimSet, privateKey);
console.log(jwt);

pm.environment.set('jwt', jwt);`

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment