Use base64 URL for JWT generation
Concerned version
Version: %1.9.21 (seems the same in %2.0.5)
Platform: Apache
Summary
For OpenID Connect, it seems that version 1.9.21, and even 2.0.5, uses plain base64 encoding for the JWT payload. However, the JWT RFC (https://tools.ietf.org/html/rfc7519) refers us to the JWS RFC (https://tools.ietf.org/html/rfc7515) for the definition of the base64 encoding:
Base64url Encoding Base64 encoding using the URL- and filename-safe character set defined in Section 5 of RFC 4648 [RFC4648], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the inclusion of any line breaks, whitespace, or other additional characters. Note that the base64url encoding of the empty octet sequence is the empty string. (See Appendix C for notes on implementing base64url encoding without padding.)
Should we have base64url encoding for the JWT payload, i.e. without "=" padding?!
Example: one of our customers receives this as id_token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6InNpZ25LZXkyMDE5MDUyOCJ9.eyJleHAi[....]iLCJzdWIiOiJFNTNENzk2MUI3NTA4NzIxMzYyNEQyNjAyQjEwN0ExMiJ9==.cgFT9U[....]
And what he should receive instead is:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6InNpZ25LZXkyMDE5MDUyOCJ9.eyJleHAi[....]iLCJzdWIiOiJFNTNENzk2MUI3NTA4NzIxMzYyNEQyNjAyQjEwN0ExMiJ9.cgFT9U[....]
The "=" added as padding causes trouble...
Backends used
My partner uses the ASP.NET Core Authentication module out of the box (Microsoft.AspNetCore.Authentication), v2.1.2. They cannot read the token because of the padding: "Unable to validate the 'id_token'"
The token is validated against a regexp:
/// <summary>
/// JWS - Token format: 'header.payload.signature'. Signature is optional, but '.' is required.
/// </summary>
public const string JsonCompactSerializationRegex = @"^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$";
The character "=" is not allowed on the data payload side!
Possible fixes
Modify encode_base64 to encode_base64url where it does JWT encoding? (Same for decoding too...)
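As an added illustration of the whole report (the RFC 7515 base64url definition, the padded versus unpadded id_token, the ASP.NET Core format regex, and the encode_base64 to encode_base64url fix), here is a self-contained Python example. It is not code from the report or from the project it concerns; Python is used because the verifier runs it, and b64_padded_encode stands in for Perl's MIME::Base64::encode_base64 called with an empty EOL argument, while b64url_encode matches what encode_base64url produces. The header, payload and "signature" bytes are constructed sample data, not values from the customer's token.

```python
import base64
import json
import re
from typing import Callable, Tuple

# The format check quoted from ASP.NET Core in the report above; the .NET
# pattern works unchanged as a Python regex (same classes, same anchors).
JSON_COMPACT_SERIALIZATION_RE = re.compile(
    r"^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$"
)


def b64url_encode(data: bytes) -> str:
    """RFC 7515 base64url: URL-safe alphabet, '=' padding stripped, no EOL."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode. Restores the padding that RFC 7515 Appendix C
    tells a decoder to add back before calling a regular base64 decoder."""
    missing = (-len(text)) % 4
    if missing == 3:
        raise ValueError("base64url segment has an impossible length")
    return base64.urlsafe_b64decode(text + "=" * missing)


def b64_padded_encode(data: bytes) -> str:
    """Plain RFC 4648 section 4 base64 (standard alphabet, '=' padded), i.e.
    what MIME::Base64::encode_base64 returns when given an empty EOL string."""
    return base64.b64encode(data).decode("ascii")


def compact_jws(header: dict, payload: dict, signature: bytes,
                encode: Callable[[bytes], str]) -> str:
    """Assemble 'header.payload.signature' with the given segment encoder."""
    def json_bytes(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return ".".join([encode(json_bytes(header)),
                     encode(json_bytes(payload)),
                     encode(signature)])


def parse_jws(token: str) -> Tuple[dict, dict, bytes]:
    """Strict parse: reject anything outside the compact-serialization grammar
    (the same decision the ASP.NET Core regex makes) before decoding."""
    if not JSON_COMPACT_SERIALIZATION_RE.match(token):
        raise ValueError("not a JWS compact serialization")
    h, p, s = token.split(".")
    return (json.loads(b64url_decode(h)),
            json.loads(b64url_decode(p)),
            b64url_decode(s))


# Constructed sample data, not from the report: the payload length is chosen
# so that padded base64 ends in "==", and the stand-in signature bytes land on
# '+' and '/' in the standard alphabet ('-' and '_' in base64url).
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256"}
SAMPLE_PAYLOAD = {"exp": 1700000000, "sub": "constructed-subject"}
SAMPLE_SIGNATURE = b"\xfb\xff\xbf"  # placeholder bytes, not a real RS256 signature


def demo() -> dict:
    """Build the same token both ways and run the .NET-style format check."""
    padded = compact_jws(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_SIGNATURE,
                         b64_padded_encode)
    url = compact_jws(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_SIGNATURE,
                      b64url_encode)
    return {
        "padded_token": padded,
        "url_token": url,
        "padded_accepted": JSON_COMPACT_SERIALIZATION_RE.match(padded) is not None,
        "url_accepted": JSON_COMPACT_SERIALIZATION_RE.match(url) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the padded token ending in "==" (and carrying '+' and '/' in the signature segment) failing the regex, while the base64url token passes and round-trips through parse_jws. The decoder deliberately accepts both padded and unpadded input, which is what the "same for decoding" part of the fix needs while relying parties may still send either form.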