headlamp-k8s / headlamp

A Kubernetes web UI that is fully-featured, user-friendly and extensible
https://headlamp.dev
Apache License 2.0

Incorrect implementation of JWT token expiration check. #2481

Open janicalubos opened 3 weeks ago

janicalubos commented 3 weeks ago

Describe the bug

Sometimes the Headlamp backend is not able to determine the JWT token expiration. The following error appears in the log (version v0.24.1):

{"level":"error","source":"/headlamp/backend/cmd/headlamp.go","line":697,"error":"illegal base64 data at input byte 570","time":"2024-10-25T10:39:32Z","message":"failed to decode payload"}

The problem is that the JWT token uses base64url encoding (https://jwt.io/introduction), and in the code https://github.com/headlamp-k8s/headlamp/blob/v0.24.1/backend/cmd/headlamp.go the function isTokenAboutToExpire uses base64.RawStdEncoding.DecodeString instead of base64.RawURLEncoding.

In the main branch the bug has moved to the function func decodePayload(payload string) (map[string]interface{}, error); the wrong function is still used for base64url decoding.

When the second part of the JWT token contains the character - or _, standard base64 decoding fails.

To Reproduce

Steps to reproduce the bug:

  1. Install Headlamp in a K8s cluster with Keycloak/OIDC integration and a short access token validity
  2. Log in to Headlamp
  3. Wait for the access token to expire
  4. Check the Headlamp log; there will be errors about base64 decoding
  5. In the Headlamp UI, after some action the user is redirected to the login window

Environment (please provide info about your environment):

Are you able to fix this issue?

No

Do you want to help fix this issue? Please see our contribution docs. For any non-trivial contributions, we advise you to join our slack channel to discuss the implementation with Headlamp's core developers.

Additional Context
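Added example (not code from the reporter or from the Headlamp project) reproducing the failure mode with Go's standard library: a constructed claims payload whose base64url form contains '-', decoded with base64.RawStdEncoding as in the report and with base64.RawURLEncoding as the fix, plus an expiry check built on the corrected decoder. The claims, the token layout and the names decodePayloadWith and isAboutToExpire are assumptions, not Headlamp's own code.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Constructed claims: '~' at byte offset 8 yields a 62 sextet, i.e. '-' in base64url ('+' in standard base64).
const sampleClaims = `{"sub":"~user","exp":1729851572}`

// buildToken makes an unsigned, constructed JWT-shaped string; RFC 7519 mandates
// unpadded base64url for every segment, never standard base64.
func buildToken(claims string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	return header + "." + base64.RawURLEncoding.EncodeToString([]byte(claims)) + ".sig"
}

// decodePayloadWith decodes the claims segment with the given alphabet: RawStdEncoding is the reported bug, RawURLEncoding the fix.
func decodePayloadWith(enc *base64.Encoding, segment string) (map[string]interface{}, error) {
	raw, err := enc.DecodeString(segment)
	if err != nil {
		return nil, fmt.Errorf("failed to decode payload: %w", err)
	}
	var claims map[string]interface{}
	err = json.Unmarshal(raw, &claims)
	return claims, err
}

// isAboutToExpire reports whether exp falls within `within` of now, via the fixed decoder.
func isAboutToExpire(segment string, now time.Time, within time.Duration) (bool, error) {
	claims, err := decodePayloadWith(base64.RawURLEncoding, segment)
	if err != nil {
		return false, err
	}
	exp, ok := claims["exp"].(float64) // encoding/json decodes JSON numbers as float64
	if !ok {
		return false, fmt.Errorf("exp claim missing or not a number")
	}
	return time.Unix(int64(exp), 0).Before(now.Add(within)), nil
}

func main() {
	segment := strings.Split(buildToken(sampleClaims), ".")[1]
	_, stdErr := decodePayloadWith(base64.RawStdEncoding, segment)
	soon, _ := isAboutToExpire(segment, time.Unix(1729851540, 0), time.Minute)
	fmt.Println("std:", stdErr, "| url about to expire:", soon)
}
```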

joaquimrocha commented 2 weeks ago

@yolossn Seems like we still have this change in main. Maybe related to the OIDC issues?