AxaFrance / oidc-client

Light, Secure, Pure JavaScript OIDC (OpenID Connect) Client. We also provide a React wrapper (compatible with Next.js, etc.).
MIT License
582 stars 160 forks

parseJwt fails for some JWT because of wrong use of replace() #1268

Closed johakoch closed 8 months ago

johakoch commented 8 months ago

Issue and Steps to Reproduce

The parseJwt() function fails to parse some JWTs (with multiple occurrences of '-' or '_'). https://github.com/AxaFrance/oidc-client/blob/main/packages/oidc-client/src/parseTokens.ts#L5C76-L5C112 and https://github.com/AxaFrance/oidc-client/blob/main/packages/oidc-client-service-worker/src/utils/tokens.ts#L15C41-L15C77

.replace('-', '+').replace('_', '/')

replace() with a string as first parameter only replaces the first occurrence.

Use

.replace(/-/g, '+').replace(/_/g, '/')

instead.

Example:

claimsPart = "eyJzZXNzaW9uX3N0YXRlIjoiNzVjYzVlZDItZGYyZC00NTY5LWJmYzUtMThhOThlNjhiZTExIiwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoixrTHosOBw6zDhyDlsI_lkI0t44Ob44Or44OYIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdGluZ2NoYXJhY3RlcnNAaW52ZW50ZWRtYWlsLmNvbSIsImdpdmVuX25hbWUiOiLGtMeiw4HDrMOHIiwiZmFtaWx5X25hbWUiOiLlsI_lkI0t44Ob44Or44OYIn0"

atob(claimsPart.replace('-', '+').replace('_', '/'))

throws error, while

atob(claimsPart.replace(/-/g, '+').replace(/_/g, '/'))

can be decoded to

{"session_state":"75cc5ed2-df2d-4569-bfc5-18a98e68be11","scope":"openid email profile","email_verified":true,"name":"Æ´Ç¢Ã\u0081ìÃ\u0087 å°\u008få\u0090\u008d-ã\u0083\u009bã\u0083«ã\u0083\u0098","preferred_username":"testingcharacters@inventedmail.com","given_name":"Æ´Ç¢Ã\u0081ìÃ\u0087","family_name":"å°\u008få\u0090\u008d-ã\u0083\u009bã\u0083«ã\u0083\u0098"}

Versions

main branch.

Screenshots

Expected

JWT can be decoded properly

Actual

JWT cannot be decoded; the function throws an error.

Additional Details
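To make the point of the report concrete, here is an added example (written for this page, not code from oidc-client) that puts the conversion as posted in the issue next to a corrected base64url decoder. Besides the global replace, it restores the '=' padding that base64url drops, and it decodes the bytes returned by atob() as UTF-8 with TextDecoder: the output shown in the report renders the UTF-8 bytes of the non-ASCII names as Latin-1 characters, because atob() returns one character per byte. The claims segment is the one from the report above; the header segment and the placeholder signature used to build SAMPLE_TOKEN are constructed for this example. parseJwt() here only decodes; it does not verify the signature, and claims must not be trusted before that check is done elsewhere.

```javascript
// Added example, not oidc-client's code: decoding a base64url JWT segment
// (RFC 7515 section 2 / RFC 4648 section 5) in Node.js or a browser.

// The conversion as posted in the issue. String.prototype.replace with a
// string pattern rewrites only the FIRST match, so a second '-' or '_'
// survives and atob() rejects it as an invalid character.
function base64UrlToBase64FirstMatchOnly(s) {
  return s.replace('-', '+').replace('_', '/');
}

// Corrected conversion: a global regex replaces every occurrence, and the
// '=' padding that base64url omits is restored so that decoders stricter
// than atob() accept the result as well.
function base64UrlToBase64(s) {
  const std = s.replace(/-/g, '+').replace(/_/g, '/');
  const rem = std.length % 4;
  if (rem === 1) throw new Error('invalid base64url length');
  return rem === 0 ? std : std + '='.repeat(4 - rem);
}

// atob() returns a "binary string" (one char per byte). JWT claims are
// UTF-8 JSON, so the bytes are decoded with TextDecoder; using the binary
// string directly is what produces Latin-1 mojibake for non-ASCII names.
function decodeJwtSegment(segment, convert = base64UrlToBase64) {
  const binary = atob(convert(segment));
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder('utf-8').decode(bytes));
}

// Decode header and payload of a compact JWS. This does NOT verify the
// signature; it only makes the claims readable.
function parseJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return {
    header: decodeJwtSegment(parts[0]),
    payload: decodeJwtSegment(parts[1]),
    signature: parts[2],
  };
}

// Claims segment copied from the issue report (contains two '_' characters).
const CLAIMS_PART =
  'eyJzZXNzaW9uX3N0YXRlIjoiNzVjYzVlZDItZGYyZC00NTY5LWJmYzUtMThhOThlNjhiZTExIiwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoixrTHosOBw6zDhyDlsI_lkI0t44Ob44Or44OYIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdGluZ2NoYXJhY3RlcnNAaW52ZW50ZWRtYWlsLmNvbSIsImdpdmVuX25hbWUiOiLGtMeiw4HDrMOHIiwiZmFtaWx5X25hbWUiOiLlsI_lkI0t44Ob44Or44OYIn0';

// Constructed for this example: a {"alg":"HS256","typ":"JWT"} header and a
// placeholder signature, so that parseJwt() has a full compact token.
const SAMPLE_HEADER = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9';
const SAMPLE_TOKEN = `${SAMPLE_HEADER}.${CLAIMS_PART}.placeholder-signature`;

// Returns true when the first-match-only conversion makes atob() throw on
// the claims segment from the report, which is the bug being described.
function firstMatchOnlyFails(segment) {
  try {
    decodeJwtSegment(segment, base64UrlToBase64FirstMatchOnly);
    return false;
  } catch (e) {
    return true;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('buggy conversion throws:', firstMatchOnlyFails(CLAIMS_PART));
  console.log(parseJwt(SAMPLE_TOKEN).payload);
}
```

Run with `node parse-jwt.js`: the first line reports that the first-match-only conversion fails on the report's segment, and the second prints the claims with `name`, `given_name` and `family_name` as readable Unicode rather than the Latin-1 rendering shown in the report.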

guillaume-chervet commented 8 months ago

Thank you @johakoch for having found that bug!

guillaume-chervet commented 8 months ago

hi @johakoch ,

Version 7.13.16-alpha.1278 should fix it! Thank you so much, I think it was a recurrent issue. You found a bug I could not reproduce.

johakoch commented 8 months ago

> hi @johakoch ,
>
> Version 7.13.16-alpha.1278 should fix it! Thank you so much, I think it was a recurrent issue. You found a bug I could not reproduce.

You're welcome. Now you have a test case :-)

guillaume-chervet commented 8 months ago

Yeah definitely

Maingart commented 8 months ago

@guillaume-chervet, hello!

Does it fix this bug?

https://github.com/AxaFrance/oidc-client/issues/1265

guillaume-chervet commented 8 months ago

hi @Maingart , it is hard for me to reproduce the referenced bug. You can try version 7.13.16-alpha.1278 and tell me if it resolves it, to help me.