TNG / keycloak-mock

A Java library to test REST endpoints secured by Keycloak via OpenID connect.
Apache License 2.0

Base64 encoding issue when processing JWKS due to trailing '=' characters #144

Closed nbaars closed 1 year ago

nbaars commented 1 year ago

When using the mock to interact with a Go library, the parsing fails:

but could not unmarshal as JSON: illegal base64 data at input byte

The JWKS is as follows:

{
  "keys": [
    {
      "kid": "keyId",
      "use": "sig",
      "alg": "RS256",
      "kty": "RSA",
      "n": "AKzaf4nijuwtAn9ieZaz-iGXBp1pFm6dJMAxRO6ax2CV9cBFeThxrKJNFmDY7j7gKRnrgWxvgJKSd3hAm_CGmXHbTM8cPi_gsof-CsOohv7LH0UYbr0UpCIJncTiRrKQto7q_NOO4Jh1EBSLMPX7MzttEhh35Ue9txHLq3zkdkR6BR6nGS7QxEg7FzYzA4IooV59OPr-TvlDxbEpwc1wkRZDGavo-WjngAt7m_BEQtHnav3whitbrMmi_1tWY8cQbO9D4FuQTM7yvACLSv94G2TCvsjm_gGJmOJyRBkI1r-uEIfhz9-VIKlswqapKSul-Hoxv5NycucRa4xi4N39dfM=",
      "e": "AQAB"
    }
  ]
}

The n, however, uses a base64 encoding with a trailing =, which is not allowed according to the spec; see https://datatracker.ietf.org/doc/html/rfc7515#appendix-C:

Base64url Encoding: Base64 encoding using the URL- and filename-safe character set defined in Section 5 of RFC 4648 [RFC4648], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the inclusion of any line breaks, whitespace, or other additional characters. Note that the base64url encoding of the empty octet sequence is the empty string. (See Appendix C for notes on implementing base64url encoding without padding.)
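The rule quoted above, as an added example in Go (the consuming side that rejected the key; this is not code from keycloak-mock or from the reporter): a strict Base64urlUInt check run over a constructed JWKS, plus the producer-side encoding that avoids the '=' padding. It also flags a leading 0x00 sign byte, which goes beyond the issue text but follows RFC 7518's requirement that n and e use the minimum number of octets; the sample values and function names are my own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// Constructed sample (not the issue's key): "rNo=" has the '=' padding RFC 7515 forbids; "AKza" is 0xACDA behind a sign byte.
const sampleJWKS = `{"keys":[
  {"kid":"padded","kty":"RSA","n":"rNo=","e":"AQAB"},
  {"kid":"signbyte","kty":"RSA","n":"AKza","e":"AQAB"},
  {"kid":"good","kty":"RSA","n":"rNo","e":"AQAB"}]}`

// checkBase64urlUInt enforces RFC 7518 Base64urlUInt: unpadded base64url of the minimal unsigned big-endian octets.
func checkBase64urlUInt(name, value string) error {
	raw, err := base64.RawURLEncoding.DecodeString(value) // rejects '=' with "illegal base64 data at input byte 3"
	if err != nil {
		return fmt.Errorf("%s: %w", name, err)
	}
	if len(raw) == 0 || (len(raw) > 1 && raw[0] == 0) {
		return fmt.Errorf("%s: not a minimal unsigned big-endian integer", name)
	}
	return nil
}

// ValidateJWKS returns one error per RSA parameter a strict JOSE decoder would reject (assumes all keys are RSA).
func ValidateJWKS(doc []byte) []error {
	var set struct{ Keys []struct{ Kid, N, E string } } // encoding/json matches field names case-insensitively
	if err := json.Unmarshal(doc, &set); err != nil {
		return []error{err}
	}
	var errs []error
	for _, k := range set.Keys {
		for name, v := range map[string]string{"n": k.N, "e": k.E} {
			if err := checkBase64urlUInt(name, v); err != nil {
				errs = append(errs, fmt.Errorf("kid %q: %w", k.Kid, err))
			}
		}
	}
	return errs
}

// EncodeBase64urlUInt is the producer side: big.Int.Bytes() has no sign byte, RawURLEncoding writes no '='.
func EncodeBase64urlUInt(v *big.Int) string {
	return base64.RawURLEncoding.EncodeToString(v.Bytes())
}

func main() { fmt.Println(ValidateJWKS([]byte(sampleJWKS)), EncodeBase64urlUInt(big.NewInt(0xACDA))) }
```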