This repository has been archived by the owner on Jun 15, 2023. It is now read-only.
x-amzn-oidc-data is not a JSON Web Token #42
Hi AWS docs team,
In the ELB load balancers documentation (elb-application-load-balancers-user-guide/doc_source/listener-authenticate-users.md, lines 154 to 159 in 1e6652d), the x-amzn-oidc-data token is described as being a JWT (JSON Web Token) that can be parsed by any standard JWT library. However, this is simply not true. The problem is that this token includes additional base64 padding, which is not allowed according to the JWT and JWS RFCs. The JWT RFC refers to the JWS RFC (7515) for the usage of Base64url Encoding, and RFC 7515's definition of Base64url Encoding states that no padding is used (see https://datatracker.ietf.org/doc/html/rfc7515#section-2).

Deviating from the standard (while still claiming that this is a "JWT") puts JWT library implementations, such as golang-jwt, in a tough spot, because for various reasons, such as security, we want to enforce the RFC / standard as closely as humanly possible. On the other hand, we get demands from users using AWS services to support malformed tokens (for example, see golang-jwt/jwt#92).

This is probably not the right place to start this discussion, but for lack of other means to communicate, I am trying my luck here. Please feel free to forward this to any team that might be more suitable.