Kong / kong

🦍 The Cloud-Native API Gateway and AI Gateway.
https://konghq.com/install/#kong-community
Apache License 2.0
39.17k stars 4.8k forks

fail use jwt_parser:base64_decode to decode when upgrade kong 3.4.2 to 3.6.0 #12676

Closed lubw7 closed 7 months ago

lubw7 commented 8 months ago

Is there an existing issue for this?

Kong version ($ kong version)

kong 3.6

Current Behavior

In Kong 3.6.0, when I use kong.plugins.jwt.jwt_parser:base64_decode, it hits an exception: nil,invalid input.

    2024/03/01 16:14:10 [debug] 1277#0: *1286 [lua] sso.lua:119: jwt_decoder:base64_decode(key) = nilinvalid input

Expected Behavior

In Kong 3.4.2, when I use kong.plugins.jwt.jwt_parser:base64_decode, it decodes successfully.


Steps To Reproduce

  1. Require jwt_parser
    local jwt_decoder = require "kong.plugins.jwt.jwt_parser"
    local DEBUG, ERR, INFO, log = ngx.DEBUG, ngx.ERR, ngx.INFO, ngx.log
  2. Use jwt_parser:base64_decode
    local test_key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsbxk6rmBw/+8b2qwQnxKcK8VRRJcSQGCHjwzCzYmMa+XuRL0iaDmOIpXvXmqSMDGM/CdjoQhGfyotnnw3fROjBnOpnNeiX6UPYsJSLzozx1pv7gvRkyfv6hpp9pMn6UWt4IkFsHpeM/V1Spxvgbr+S9clXn+0saM529fK9BFPxjyHk2Jv+SHy9fnjre/5sFVyGxeAM36RVcw3u/D7v7gKigCjhR1Qc3FMJKDrZE5AQQOJELYMrWvaBUxVYjRwQpuEGt/OHbvJZEpABhIYd2lbby1BNtq96loup/SBxJ3jam0MUsf8aB87+vB4QiaX5gwTTLRw2IcnEal+DuZgnNaQQIDAQAB"
    log(DEBUG, "jwt_decoder:base64_decode(key) = ", jwt_decoder:base64_decode(test_key))
  3. Check the log; you can see:
    2024/03/01 16:14:10 [debug] 1277#0: *1286 [lua] sso.lua:119: jwt_decoder:base64_decode(key) = nilinvalid input

Anything else?

https://github.com/Kong/kong/pull/11569 refactored the code around jwt_parser:base64_decode, so is it expected that such an error will occur?

chobits commented 7 months ago

Not sure whether https://github.com/Kong/kong/pull/11569 affected it; we need to check.

chronolaw commented 7 months ago

We have created a ticket to track this issue (KAG-3952), thanks for your report.

chronolaw commented 7 months ago

A JWT token should be encoded with the Base64URL algorithm, which means that we should replace '+' with '-' and '/' with '-'.

The variable test_key includes the invalid char /, so Kong thinks it is a wrong base64url string.

chronolaw commented 7 months ago

You can change the code like this:

    local input = "..."
    -- "+" is a magic character in Lua patterns, so escape it as "%+" to match it literally
    input = input:gsub("%+", "-"):gsub("/", "_")
    print(jwt_decoder:base64_decode(input))

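
The normalisation suggested in the comment above, as an added example that is not part of the thread or of Kong's source: a pure-Lua helper (the name to_base64url is hypothetical) that converts standard Base64 to Base64URL and rejects malformed input before it reaches jwt_parser:base64_decode. It assumes the decoder accepts unpadded Base64URL, which is how JWT segments are encoded.

```lua
-- Added example, not Kong source. Converts standard Base64 (RFC 4648 section 4)
-- to unpadded Base64URL (section 5). to_base64url is a hypothetical name.
local function to_base64url(s)
  if type(s) ~= "string" then
    return nil, "input must be a string"
  end
  -- PEM-style bodies may be line-wrapped; drop whitespace first.
  s = s:gsub("%s+", "")
  -- Only characters from the two alphabets plus "=" padding are allowed.
  if s:find("[^A-Za-z0-9%+/%-_=]") then
    return nil, "invalid character"
  end
  -- A value that mixes both alphabets is malformed; do not guess.
  if s:find("[%+/]") and s:find("[%-_]") then
    return nil, "mixed base64 and base64url alphabets"
  end
  -- Padding may only appear at the end and must complete a 4-char group.
  local body, pad = s:match("^([^=]*)(=*)$")
  if not body or #pad > 2 then
    return nil, "invalid padding"
  end
  if #body % 4 == 1 then
    return nil, "invalid length"
  end
  if #pad > 0 and (#body + #pad) % 4 ~= 0 then
    return nil, "invalid padding"
  end
  -- "+" is a magic character in Lua patterns, so it is escaped as "%+".
  body = body:gsub("%+", "-"):gsub("/", "_")
  return body
end

-- Constructed sample inputs (not taken from the issue).
local samples = {
  "a+b/c+8=",  -- standard alphabet, padded
  "a-b_c-8",   -- already base64url
  "a+b_c-8",   -- mixed alphabets
  "ab*d",      -- illegal character
  "abcde",     -- impossible length
  "ab=c",      -- padding in the middle
}
for _, s in ipairs(samples) do
  local out, err = to_base64url(s)
  print(s, out or ("rejected: " .. err))
end

-- In a Kong plugin: local v, err = to_base64url(test_key)
--                   if v then jwt_decoder:base64_decode(v) end
```
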
lubw7 commented 7 months ago

Thanks, the problem has already been solved.

lubw7 commented 5 months ago

@chronolaw Will this change be added to the source code?
