Wednesday, 19 June 2019

Decoding JWTs

Ever wonder how to decode a JWT token to get at the email address and user name, given that you have the openid, email, and profile scopes granted?

Visit for decoder and doc.

Or if you love (trust?) Microsoft, ADFS JWT Decoder.

And the full blown specification in RFC 7519...

And then the openid documentation on how to get name and email.

     // header, payload, signature
     // Decodes the payload only; the signature is NOT verified here.
     function parseJwt (token) {
            let ary = token.split('.');
            if (ary.length !== 3) {
                console.log( "not a JWT: " + token );
                return undefined;
            }
            // assume it IS base64url encoded
            let base64Url = ary[1];
            let base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
            let txt = Buffer.from(base64, 'base64').toString();
            return JSON.parse( txt );
     }

And then

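let jwt = parseJwt(tokenStr);
// Assumption: `email` (email scope) and `name` (profile scope) are the standard OpenID Connect claims
let email = jwt.email || jwt.upn || 'unknown';
let name = jwt.name;
console.log( `You are ${name} at ${email}` );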
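
Decoding is not verifying: parseJwt returns whatever the payload says without checking the signature. The following is an added example (not from the original post) that verifies an RS256 token before reading email and name. The key pair, the client id my-client-id and the claims are constructed here and stand in for the provider's published signing key and your registered app.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Verify an RS256-signed JWT, then return its claims. Throws on any failure.
function verifyJwt(token, publicKey, { audience, now = Date.now() / 1000 } = {}) {
    const parts = token.split('.');
    if (parts.length !== 3) throw new Error('not a JWT');
    const [head, body, sig] = parts;
    const header = JSON.parse(fromB64url(head).toString());
    // Pin the algorithm; never accept whatever the token's header asks for.
    if (header.alg !== 'RS256') throw new Error('unexpected alg');
    // The signature covers the exact bytes "<header>.<payload>" as received.
    const ok = crypto.verify('RSA-SHA256', Buffer.from(head + '.' + body),
                             publicKey, fromB64url(sig));
    if (!ok) throw new Error('bad signature');
    const claims = JSON.parse(fromB64url(body).toString());
    if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
    if (audience && ![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
    return claims;
}

// --- Constructed test data below; nothing here comes from a real provider ---
function signDemo(claims, privateKey, alg = 'RS256') {
    const signingInput = b64url(JSON.stringify({ alg, typ: 'JWT' })) + '.' +
                         b64url(JSON.stringify(claims));
    const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
    return signingInput + '.' + b64url(sig);
}

// Replace the payload but keep the old signature, as an edited token would look.
function withPayload(token, claims) {
    const [head, , sig] = token.split('.');
    return head + '.' + b64url(JSON.stringify(claims)) + '.' + sig;
}

const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoClaims = { sub: '123', email: 'user@example.com', name: 'Example User',
                     aud: 'my-client-id', exp: Math.floor(Date.now() / 1000) + 300 };
const goodToken = signDemo(demoClaims, privateKey);

const verified = verifyJwt(goodToken, publicKey, { audience: 'my-client-id' });
console.log(`You are ${verified.name} at ${verified.email}`);
```

With a real provider, the public key comes from its published key set, selected by the kid value in the token header.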

Saturday, 30 March 2019


Hi. Seems since I put up my server I get a swarm of hits on my Apache server trying to exploit WordPress, or pounding on my FTP and SSH services...

Thursday, 21 March 2019

90 day new user estimates

Looking at how many users on Google or Microsoft are using my skills.

Microsoft Google
Art of War 23 540
Safety Moments 54 101
Meditations 12 67
Ambient Sounds 65
AutoMate 5

Art of War wins on Google. Ambient Sounds wins on Microsoft. And hey, for all this effort, at least Google is sending me a T-Shirt. I suspect Colossal Cave will beat them all...

Google tells me on average 15 new users a day try Art of War.

Thursday, 28 February 2019

Cortana Hosting Off Azure

Yesterday I decided to start moving my skills off Azure. Messaging is still handled by bot service, but the bot lives elsewhere. This is in no way a comment on Azure App Services. It has everything to do with me paying for a GoDaddy VM and I want to have everything in one place. Sure, it's not scalable in its current form, but who cares when you have insignificant TPS.

The things that Azure App Services give you for free... an SSL certificate so you can use HTTPS (which you must for bot messaging) and a preconfigured IIS web server that is always managed (because it's a container). But it's the free tier restrictions... you can't set your web app and skill to "always on", so you get unloaded every 20 minutes. That means your skill will time out when invoked, and that's a really crappy experience. I wonder how many people actually try a skill twice after it craters the first time? You also can't use web jobs to tickle the endpoint.

So, first step, install Apache. In hindsight, I should have paid GoDaddy the managed fee (that was reasonable, $50 or so) to configure Apache - with their bundled 509 Cert. What a pain... I don't miss running my own web servers.

Why run Apache? Because you want the web server to take care of the SSL for you. It is a lot of work to build a bot supporting HTTPS without a web server. So the trick is, get Apache to handle the secure request, and then tunnel it via proxy to a port without SSL. My node.js bots - they don't know anything about SSL.

How to have all my bots run in one place? Multiple proxies that redirect based on different paths. Instead of https://myserver/api/messages, we now have http://myserver/mybot/api/messages. And the latter redirects to different local ports via a proxy to http://localhost:3000/mybot/api/messages.
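
One way the setup described above could look, as an added example rather than the author's actual config. The hostname, certificate paths, the second bot and port 3001 are placeholders, and mod_ssl, mod_proxy and mod_proxy_http are assumed to be enabled.

```apache
# Assumed layout: each node.js bot listens on its own loopback port.
# Bind the bots to 127.0.0.1 so the plain-HTTP ports are reachable only
# through Apache and never directly from outside.
<VirtualHost *:443>
    ServerName myserver

    # Apache terminates TLS; the bots never see the certificate
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Reverse proxy only; do not act as an open forward proxy
    ProxyRequests Off
    ProxyPreserveHost On

    # One path prefix per bot, each mapped to its own local port
    ProxyPass        /mybot/    http://localhost:3000/mybot/
    ProxyPassReverse /mybot/    http://localhost:3000/mybot/
    ProxyPass        /otherbot/ http://localhost:3001/otherbot/
    ProxyPassReverse /otherbot/ http://localhost:3001/otherbot/
</VirtualHost>
```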

Then you have a choice of registering the Cortana skill via a Bot Channel Registration (the right way), or swapping out the endpoint after creating a Web App Bot. Why would you want to do the latter? Updated: Because there is a bug in Bot Channel Registrations. Do not use Bot Channel Registration until the glitch is fixed. Create a web app bot, configure the Cortana channel, and then change the bot's endpoint (and tombstone the Azure app service).

I will add my web.conf here when I have time. It is magic that I'll never remember. And the next trick is running node as a daemon. My VM is running Ubuntu server - so
bash -c 'nohup node app &>/dev/null & jobs -p %1'

Tuesday, 22 January 2019

Cortana Availability

Ever notice that it can take two invocations to a Cortana skill to get it to work on Azure?

This is because resources are unloaded if they are idle for 20 minutes. On the first invocation, you need to wait for the resources (web app service) to load. You can change this in basic and standard service plans by changing the app service’s settings to “Always On”.

But if you are using a free tier, what do you do? Set up an availability test that pings your web server every 15 minutes via an Azure web job or Azure monitor. 
But be aware: keeping resources live can consume your credits!

Saturday, 19 January 2019

Two months later...

Hello! It seems I have not posted in almost two months. Life always gets interesting. My in-laws and oldest daughter visited. Then there was the flu, head colds, and administrative issues... so my tinkering slowed down to nothing. I've barely even managed to explore my Christmas present: a Playstation Classic.

I have lots of topics I could write about, because between work and personal enlightenment, I've touched on a lot. I am more than happy to take direction on what to write about - because often times I tell myself no one reads what I write so there is no hurry in getting things down.


I did get to push out work related samples on building against bot framework v4. It is different enough to cause people grief in upgrading, and v4 is slightly more complicated and less documented than v3. I've been thinking about writing a guide or giving some sample "search and replace" scripts to help. But that also seems too close to work to use my own time. So expect to see more Cortana stuff here:

Unfortunately I hit a policy blocker on publishing skills - that has seen all my Cortana pet projects delayed or shelved.  However, I am happy that Safety Moments averages 6 requests a day on Windows.  Thanks to those who are using it!

Google Actions

I am happy about how Art of War is doing.  It gets about 60 users a week and sends about 200 messages. When I have time, I intend to get Colossal Cave launched on Google.  It was so close to being done on Cortana, and the server is written in Java and platform agnostic.