Auth Inspector (SAML & OIDC)

About

Auth Inspector adds a dedicated panel to Chrome DevTools that captures and explains your authentication traffic in real time. It watches SAML (Redirect & POST bindings) and OIDC (authorize, token, userinfo, introspect, revoke, end_session, JWKS) so you can see exactly what’s being sent and received—without digging through raw network payloads.

Built for identity engineers, SREs, and developers who debug login flows across multiple IdPs and apps (Keycloak broker, Okta, Azure AD, Ping, custom IdPs, etc.).

What it does
- SAML made readable: Pretty-prints XML and shows a human-friendly summary (Issuer, Destination, InResponseTo, Status, Assertions, Subject, Conditions, Audience, AuthnContext, and Attributes).
- OIDC decoded: Parses /authorize params (scopes, PKCE, response mode/type) and decodes JWT header/payload for ID and access tokens (issuer, subject, aud, azp, nonce, acr, amr, auth_time, exp/iat, realm/client roles, groups, organization, locale, and other user attributes).
- Tabs for Parsed / Decoded / Raw: Start with a clean summary, switch to decoded details, and drop to raw when you need wire-level data.
- Safe by default: Raw bearer tokens and large secrets are redacted. Parsed/Decoded views show fields you need for debugging—but never the original token string.
- Fast filtering: Filter by protocol (SAML/OIDC), host, and free-text. Quick toggle to show only the current site.
- Export: One-click copy of the current session’s events (with sensitive fields still redacted).

How to use
1. Open Chrome DevTools (F12) → Auth Inspector tab.
2. Run your SAML/OIDC flow in the page.
3. Watch events appear as cards. Click Parsed, Decoded, or Raw tabs for detail.
4. Use host/text filters or pause to focus on what matters.
5. Copy what you need into tickets or notes—safely.

Permissions
- DevTools only. The extension runs inside the DevTools panel and reads the Network log for the inspected tab.
- No host permissions and no remote requests from the extension.
- Optional clipboard use for copy buttons.

Privacy
- No data collection. No telemetry. No cloud.
- All parsing and redaction happen locally in your browser.
- Exports happen only when you explicitly copy.