mendix / docs

Mendix documentation repository
https://docs.mendix.com
Creative Commons Attribution 4.0 International

oidc-sso #7734

Closed tsrikanth2511 closed 4 months ago

tsrikanth2511 commented 4 months ago

Please use the form below, leaving the prefilled data to help us. Thank you.

Marketplace module link: oidc sso

Page link: oidc-sso

Document link: oidc.md

:warning: Important: This issue is being reported here due to uncertainty regarding the proper channel for bug reports. It is intended to bring attention to the problem and seek further guidance on where such issues should be formally addressed.

Bug Report: OIDC SSO module - Illegal Base64 Character in JWT Payload

Description

A user reported an issue with accessing our application which uses the OIDC Connect module. The error log contained a stack trace with an IllegalArgumentException for an illegal base64 character, specifically the underscore character (_).

The issue originates from the getDecodedPayload method in the AzureRoleParse Java action. This method attempts to decode the payload of a JWT token, which is returned as a base64 encoded string by the jwt.getPayload method. However, the payload string contains underscore characters, which are not recognized by the standard Base64 decoder.

Here is the relevant part of the stack trace:

com.mendix.modules.microflowengine.MicroflowException: com.mendix.systemwideinterfaces.MendixRuntimeException: java.lang.IllegalArgumentException: Illegal base64 character 5f
at SSO.Azure_TokenProcessing_CustomATP (JavaAction : 'AzureRoleParse')
at {"name":"OIDC.CallCustomMicroflow","type":"JavaAction"}
at OIDC.webCallback (JavaAction : 'CallCustomMicroflow')
...
Caused by: java.lang.IllegalArgumentException: Illegal base64 character 5f
at java.base/java.util.Base64$Decoder.decode0(Unknown Source)
at java.base/java.util.Base64$Decoder.decode(Unknown Source)
at java.base/java.util.Base64$Decoder.decode(Unknown Source)
at oidc.actions.AzureRoleParse.getDecodedPayload(AzureRoleParse.java:72)
at oidc.actions.AzureRoleParse.executeAction(AzureRoleParse.java:45)
at oidc.actions.AzureRoleParse.executeAction(AzureRoleParse.java:28)
at com.mendix.systemwideinterfaces.core.UserAction.execute(UserAction.java:58)
at com.mendix.basis.actionmanagement.CoreActionHandlerImpl.doCall(CoreActionHandlerImpl.scala:71)
at com.mendix.basis.actionmanagement.CoreActionHandlerImpl.call(CoreActionHandlerImpl.scala:48)
at ...

Possible Solution

JWTs (JSON Web Tokens) are defined in RFC 7519. According to this specification, the payload of a JWT is Base64Url encoded. Therefore, a URL-safe Base64 decoder should be used instead of the standard Base64 decoder. In Java, this can be done using Base64.getUrlDecoder().

Here is the suggested code change:

import java.nio.charset.StandardCharsets;
import java.util.Base64;

// JWT.decode and DecodedJWT are assumed to come from the auth0 java-jwt library.
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;

public java.lang.String getDecodedPayload() {
    // JWT.decode only parses the token; it does not verify the signature,
    // so this must run on a token that has already been validated.
    DecodedJWT jwt = JWT.decode(AccessToken);
    String payload = jwt.getPayload();

    // JWT uses Base64Url encoding, which is a variant of Base64.
    // Base64Url replaces '+' with '-', '/' with '_', and removes any padding '='.
    // So, we should use Base64.getUrlDecoder() instead of Base64.getDecoder() to handle this.
    byte[] decodedBytes = Base64.getUrlDecoder().decode(payload);
    // The payload is JSON, which the JWT specification requires to be UTF-8;
    // pass the charset explicitly instead of relying on the platform default.
    String decodedPayload = new String(decodedBytes, StandardCharsets.UTF_8);
    return decodedPayload;
}

References

Please let me know if you need any further assistance.
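The following is an added, self-contained example (not code from the Mendix OIDC module or from the java-jwt library; it uses only java.util.Base64) that reproduces the failure reported above and shows the RFC 7515 rule behind the fix: every segment of a compact JWS is base64url encoded with no padding, so the standard decoder rejects '_' (0x5f) and '-', while Base64.getUrlDecoder() accepts them. The token, claims, class name and method names are constructed for the demo; the payload JSON was chosen so that its base64url form contains a '_'. It goes one step beyond the fix above by also rejecting '+', '/' and '=' in a segment, because Java's URL-safe decoder would silently accept '=' padding that a compact JWS must never carry. No signature verification is performed here.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Constructed demo (not Mendix or java-jwt code): why a JWT segment must be
 * decoded as base64url (RFC 7515 section 2) and not as standard base64.
 */
public class JwtSegmentDecodeDemo {

    /** Decodes one compact-JWS segment. Accepts only the base64url alphabet, no padding. */
    static byte[] decodeSegment(String segment) {
        for (int i = 0; i < segment.length(); i++) {
            char c = segment.charAt(i);
            boolean ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '_';
            if (!ok) {
                // '+', '/' and '=' never appear in a compact JWS. Base64.getUrlDecoder()
                // alone would accept '=' padding, so the alphabet is checked first.
                throw new IllegalArgumentException(
                        "not a base64url JWS segment: '" + c + "' at index " + i);
            }
        }
        return Base64.getUrlDecoder().decode(segment);
    }

    /** Returns the payload JSON of a compact JWS. Parsing only: the signature is NOT verified. */
    static String payloadJson(String compactJws) {
        String[] parts = compactJws.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected header.payload.signature");
        }
        return new String(decodeSegment(parts[1]), StandardCharsets.UTF_8);
    }

    /** base64url without padding, as the JWS compact serialization requires. */
    static String b64url(String s) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed token (hypothetical claims). The '?' in the "site" claim sits at a
        // byte offset that makes the final 6-bit group of that triple equal 63, i.e. '_'.
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String payload = "{\"sub\":\"bob\",\"roles\":[\"Admin\"],\"site\":\"https://example.com/?\"}";
        String token = b64url(header) + "." + b64url(payload) + "." + b64url("fake-signature");
        String segment = token.split("\\.")[1];
        System.out.println("payload segment: " + segment); // contains the substring "bS8_"

        // 1. Standard decoder: fails exactly like the stack trace in this issue.
        try {
            Base64.getDecoder().decode(segment);
            throw new AssertionError("standard decoder unexpectedly accepted base64url input");
        } catch (IllegalArgumentException e) {
            System.out.println("standard decoder: " + e.getMessage()); // Illegal base64 character 5f
        }

        // 2. URL-safe decoder with alphabet check: succeeds and round-trips the JSON.
        String decoded = payloadJson(token);
        if (!decoded.equals(payload)) {
            throw new AssertionError("round trip failed: " + decoded);
        }
        System.out.println("url-safe decoder: " + decoded);

        // 3. A padded segment is rejected by the alphabet check, even though
        //    Base64.getUrlDecoder() by itself would have accepted the '='.
        try {
            decodeSegment(segment + "=");
            throw new AssertionError("padded segment unexpectedly accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("padded segment: " + e.getMessage());
        }
    }
}
```

Run with `java JwtSegmentDecodeDemo.java` (Java 11 or later). The alphabet check matters in code that later trusts the decoded claims for authorization, such as role parsing: a decoder that quietly tolerates characters the serialization forbids makes it harder to reason about exactly which token bytes were covered by the signature check performed elsewhere.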

Karuna-Mendix commented 4 months ago

Hi @tsrikanth2511, thank you for reporting this. I have reported the issue to the developers. However, the best way to report such bugs is through support.mendix.com. Please note that I will be closing this current issue. To ensure the best support from the developers, please submit your report again via support.mendix.com. Developers are already informed. Thank you for your cooperation.

tsrikanth2511 commented 4 months ago

Hi @Karuna-Mendix thanks for the response. I have created a support ticket.