What’s In Your Wallet?

UPDATE: Use http://openidtest.uninett.no/jwt instead. The Google link below is okay, but I really get annoyed with all the web traffic that occurs every time you hit any page belonging to Google. And, in this case, every time you test a token. Fiddler just clogs up with a ton of web sessions. Openidtest uses javascript within the page. And it works with any browser I’ve tried.

https://developers.google.com/commerce/wallet/digital/docs/jwtdecoder – for those times when you want to see what’s in your wallet…or…er…just decode a JWT (JSON Web Token)…any JWT…without having to wire up something for testing. For instance, I just threw a brand new blank Windows Phone 8 project into a solution. So far I’d only added a Live Sign In button and wanted to verify that the same UID is being generated from there as is from a Windows 8 app. I have a JWT decoder in my server-side code but still need to wire it up to the WP8 client. The server is expecting more info than just a JWT. You have to appreciate when major competitors – unwittingly or not – work together to help the little guy, yeah?

BTW, if you do sign in with the same Microsoft Account, the UID will be the same. Some more on JWTs related to that subject in an upcoming post.

UPDATE: The decoder doesn’t validate that the JWT is actually signed. This brings up an important point: JWTs are not encrypted. They are signed, but all that means is that the data hasn’t been altered in transit. If you’re going to work with JWTs then SSL is a must…or if you couldn’t (for whatever unfathomable reason) use SSL, some sort of public/private key encryption from client to server.