This repository has been archived by the owner on Jun 15, 2023. It is now read-only.

x-amzn-oidc-data is not a JSON Web Token #42

Closed
oxisto opened this issue Oct 31, 2021 · 1 comment

@oxisto

oxisto commented Oct 31, 2021

Hi AWS docs team,

In the ELB load balancers documentation you refer to the x-amzn-oidc-data token being a JWT (JSON Web Token) and that this could be parsed by any standard JWT library. The relevant passage reads:

> `x-amzn-oidc-data`
> The user claims, in JSON web tokens (JWT) format.
> Access tokens and user claims are different from ID tokens. Access tokens and user claims only allow access to server resources, while ID tokens carry additional information to authenticate a user. The Application Load Balancer authenticates the user and only passes access tokens and claims to the backend but does not pass the ID token information.
> Applications that require the full user claims can use any standard JWT library to verify the JWT tokens. These tokens follow the JWT format but are not ID tokens. The JWT format includes a header, payload, and signature that are base64 URL encoded and includes padding characters at the end. The JWT signature is ECDSA + P-256 + SHA256.

However, this is simply not true. The problem is that this token includes additional base64 padding, which is not allowed according to the JWT and JWS RFCs. The JWT RFC refers to the JWS RFC (7515) for the usage of Base64url Encoding, and RFC 7515's definition of Base64url Encoding states that no padding is used (see https://datatracker.ietf.org/doc/html/rfc7515#section-2).

Deviating from the standard (while still claiming that this is a "JWT") puts JWT library implementations, such as golang-jwt, in a tough spot, because for various reasons, such as security, we want to enforce the RFC / standard as closely as humanly possible. On the other hand, we get demands from users using AWS services to support malformed tokens (for example, see golang-jwt/jwt#92).

This is probably not the right place to start this discussion but for the lack of other means to communicate, I am trying my luck here. Please feel free to forward this to any team who might be more suitable.
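As an added example (not AWS code, and not golang-jwt's parser), the Go program below builds an ES256-signed token whose three segments are base64url encoded with `=` padding, the shape the quoted documentation describes, and then parses it twice: once with a by-the-book RFC 7515 decoder, which rejects the padding, and once with a decoder that strips trailing `=` before decoding, which accepts the token and still verifies the signature. The ephemeral key, the `kid` value, the claims, and the choice to sign over the header and payload segments exactly as transmitted (padding included) are assumptions made for this example; the quoted docs do not state what ALB's signing input is.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// ErrPadding is returned when a segment carries '=' padding and strict
// RFC 7515 (section 2) decoding was requested.
var ErrPadding = errors.New("segment has base64 padding, which RFC 7515 section 2 forbids")

// decodeSegment decodes one JWS segment. Strict mode is RFC 7515 base64url
// (no padding). Lenient mode strips trailing '=' first, which is what an
// ALB-style x-amzn-oidc-data token needs; only trailing '=' is tolerated.
func decodeSegment(seg string, lenient bool) ([]byte, error) {
	if strings.HasSuffix(seg, "=") {
		if !lenient {
			return nil, ErrPadding
		}
		seg = strings.TrimRight(seg, "=")
	}
	return base64.RawURLEncoding.DecodeString(seg)
}

// makePaddedToken builds an ES256-signed token whose segments are base64url
// encoded WITH padding (base64.URLEncoding), mimicking the documented format.
// Assumption for this example: the signature covers the two segments exactly
// as transmitted, padding included. The kid value is made up.
func makePaddedToken(key *ecdsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hb, err := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": "example-kid"})
	if err != nil {
		return "", err
	}
	pb, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := base64.URLEncoding.EncodeToString(hb) + "." + base64.URLEncoding.EncodeToString(pb)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signature is R || S, each left-padded to 32 bytes (RFC 7518 section 3.4).
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + base64.URLEncoding.EncodeToString(sig), nil
}

// verifyES256 parses and verifies a token against a known public key.
// lenient=false behaves like a strict JWT library and rejects padded
// segments; lenient=true accepts the ALB-style token. The algorithm is
// pinned to ES256 so the token cannot pick its own.
func verifyES256(token string, pub *ecdsa.PublicKey, lenient bool) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	hb, err := decodeSegment(parts[0], lenient)
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hb, &header); err != nil {
		return nil, err
	}
	if header.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := decodeSegment(parts[2], lenient)
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	if len(sig) != 64 {
		return nil, errors.New("ES256 signature must be 64 bytes")
	}
	// Verify over the segments as received, before any padding is stripped.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	pb, err := decodeSegment(parts[1], lenient)
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ephemeral key for the example
	if err != nil {
		panic(err)
	}
	// Constructed claims; not a real ALB token.
	tok, err := makePaddedToken(key, map[string]interface{}{"sub": "user-123", "email": "alice@example.com"})
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", tok)
	_, err = verifyES256(tok, &key.PublicKey, false)
	fmt.Println("strict RFC 7515 parse error:", err)
	claims, err := verifyES256(tok, &key.PublicKey, true)
	fmt.Println("lenient parse:", claims, err)
}
```

Two things a tolerant parser should still get right: strip only trailing `=` (anything else is a malformed segment), and hash the signing input exactly as it arrived, since the bytes the signer saw are the bytes you must verify. Whether ALB's signing input includes the padding is the assumption this example makes; check it against a real token before relying on it. If you use golang-jwt rather than hand-rolling, look for its parser option for allowing padding (later releases added one, `jwt.WithPaddingAllowed()` as far as I know) instead of loosening the decoder globally.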

@joshbean

Closing this issue or pull request in advance of archiving this repo. For more information about the decision to archive this repo (and others in the 'awsdocs' org), see the announcement on the AWS News Blog.
