wso2 / product-microgateway

Choreo Connect is a cloud-native, open-source, and developer-centric API gateway.
https://wso2.com/choreo/choreo-connect/
Apache License 2.0

correct base64 url encoding for backend jwt #2374

Open suksw opened 2 years ago

suksw commented 2 years ago

Description:

The backend JWT created by the enforcer includes "=" in its base64url encoding. As per https://datatracker.ietf.org/doc/html/rfc7515#section-2, trailing '=' characters must be omitted.

Base64url Encoding
      Base64 encoding using the URL- and filename-safe character set
      defined in Section 5 of RFC 4648 [RFC4648], with all trailing '='
      characters omitted (as permitted by Section 3.2) and without the
      inclusion of any line breaks, whitespace, or other additional
      characters.  Note that the base64url encoding of the empty octet
      sequence is the empty string.

A warning related to this also appears when trying to decode the backend JWT via a web JWT decoder.

Steps to reproduce:

  1. Add the following to config.toml
    [enforcer]
    [enforcer.jwtGenerator]
    enabled = true
    encoding = "base64url"
  2. Start Choreo Connect with APIM
  3. Create, deploy and publish an API
  4. Invoke the API from the devportal
  5. Get the JWT received at the backend and check the encoding

We can use the following to fix this (the URL-safe encoder, with padding disabled):

Base64.getUrlEncoder().withoutPadding().encodeToString(someByteArray); // URL-safe alphabet, no trailing '='

Affected Product Version:

Environment details (with versions):


Optional Fields

Related Issues:

Suggested Labels:

Suggested Assignees:
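Added example (not part of the issue or the enforcer code) contrasting the padded standard encoder with the RFC 7515 base64url encoder on a constructed header, payload and placeholder signature, and checking a compact JWS for compliance:

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Pattern;

public class JwtBase64UrlCheck {
    // Constructed sample claims; not taken from the enforcer's generator.
    static final String HEADER  = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
    static final String PAYLOAD = "{\"sub\":\"user@example.com\",\"iss\":\"wso2.org/products/am\"}";
    // Constructed placeholder signature bytes chosen so that the standard
    // alphabet would emit '+' and '/' and the length forces "==" padding.
    static final byte[] SIG = {(byte) 0xfb, (byte) 0xff, (byte) 0xbf, 0x00};

    // RFC 7515 Section 2: URL-safe alphabet only, no '=' padding, no whitespace.
    static final Pattern B64URL = Pattern.compile("^[A-Za-z0-9_-]*$");

    /** Encodes one JWS segment the way RFC 7515 requires. */
    static String encodeSegment(byte[] octets) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(octets);
    }

    /** Padded standard base64 (the behaviour reported in the issue). */
    static String encodeSegmentPadded(byte[] octets) {
        return Base64.getEncoder().encodeToString(octets);
    }

    /** True only if all three segments of the compact serialisation are valid base64url. */
    static boolean isCompliantCompactJws(String token) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return false;
        for (String p : parts) {
            if (!B64URL.matcher(p).matches()) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        byte[] h = HEADER.getBytes(StandardCharsets.UTF_8);
        byte[] p = PAYLOAD.getBytes(StandardCharsets.UTF_8);

        // Payload is 55 bytes (-> "==") and the signature is 4 bytes (-> "=="),
        // so the padded token carries '=' inside the dot-separated segments.
        String padded = encodeSegmentPadded(h) + "." + encodeSegmentPadded(p) + "." + encodeSegmentPadded(SIG);
        String compliant = encodeSegment(h) + "." + encodeSegment(p) + "." + encodeSegment(SIG);

        System.out.println("padded:    " + padded + "  compliant=" + isCompliantCompactJws(padded));
        System.out.println("base64url: " + compliant + "  compliant=" + isCompliantCompactJws(compliant));
    }
}
```

Strict JWT libraries reject the first token because '=', '+' and '/' are outside the base64url alphabet; the second passes `isCompliantCompactJws`.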

pubudu538 commented 2 years ago

@Amila-Rukshan is working on this.

Amila-Rukshan commented 2 years ago

This will be fixed from https://github.com/wso2/carbon-apimgt/pull/11153. It will be available in the next wso2/carbon-apimgt GA.