New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handling malformed JWT (includes padding) #92
Comments
iirc AWS Cognito returns 3 tokens: refresh, id and access token. Can you clarify which of the id or access tokens is malformed? If possible, it'd be ideal to get sample tokens (for both id and access) so we can plug them into tests and then fix the behaviour. If not, I'll see if I can dig up old tokens. |
From the Amazon docs, I don't think it's any of those -- it's an additional JWT. The load balancer handles the refresh and access tokens (although it does pass the access token through), but also adds a user claims token. That's the one that's causing problems. The access token validates correctly. The actual tokens contain some details from our app that I can't share, so providing real tokens will be a bit of a challenge. I could try to generate some equivalents, though, if that would work? Basically the payload and signature fields have '=' padding characters -- the header does not, on the examples I've seen, but this could just be chance given the length of the content. |
Sorry for the slow update... I've created an example JWT based on the Cognito token. The token itself: To validate that, you can use this key:
I can validate that token successfully using 3.2.1 (although it's expired), but switching to 3.2.2 or later causes the error The test code I'm using is basically:
|
Thanks for providing a repro. I'll take a closer look to see if this can be fixed in a backwards-compatible way following #33 |
Hi @mfridman not sure if you got a chance to review this, but hoping we can resolve this soon. I am also running into issues where some repos are stuck at v3.2.1, and would love to upgrade. I think the cleanest solution is to revert back specifically for the encoding, but then it will be a potential loss of optimization. Thus next option is to somehow switch between the old and new encodings. I quickly forked and implemented a quick PoC - it involves the creation of a global boolean, and using a function to set the value of the boolean to switch between using the current RawURLEncoding, or the previously used URLEncoding. Not a big fan of this solution, but could not see a better way to propogate this flag down without breaking changes: ajermaky@87f13f9 Below are metrics before and after the change. Note that before and after the change, the allocations are essentially identical - only enabling padding do we see that increase in allocations. Thus the change proposed above will allow the default behavior to keep the new optimizations, while giving an option for backwards compatibilty at the cost of a couple allocs. Let me know if we should be going down a different route for this. Willing to help move this forward!
|
@ajermaky I'm not sure about extending the package API this way as it won't scale nicely on changes or new value requirements (because the general problem to solve here is configuring the codec) but we're also limited on what we can configure, so I can be on board with this solution if @mfridman and @oxisto agree to save compatibility and be able to provide a fix to this problem A suggestion I'd like to make though, since this will be public on a package level is to either:
|
@lggomez Firstly, thank you for the suggestions! And I do agree that this isn't really solving the problem, just putting a band-aid on the problem. If I may suggest, can we instead rollback the changes specific to the Codec change that occured in #33? We would lose optimization in exchange for compatibility, without introducing new changes. (Again feel like this is the cleanest). Then we can open up a new issue specifically on applying optimization/making the codec backwards compatible, and close this issue out? |
Created a PR here to undo change: #117 |
Closed by #117 |
I'm trying to integrate with Amazon Cognito behind an AWS load balancer. Cognito supplies a JWT, but the token includes padding. Yes, this makes it a malformed token, but it's not a token which I can change. (Specifically, when running behind an Application Load Balancer, I need to validate the
x-amzn-oidc-data
header. Infuriatingly, they also provide a second JWT, which is not malformed, but doesn't include some specific details which I need...)v3.2.2 included PR#33, which changes how the library handles this situation. Prior to the change, the Base64 text was correctly parsed, as the decoded expected padding (and this was added if it was missing). Now, the base64 parser returns an error ("illegal base64 data").
Stripping the padding before passing to the library allows the base64 deserialisation to succeed, but the signature then fails to validate.
Currently my only option (other than looking for a different library) seems to be to stick to v3.2.1... Any other suggestions would be very welcome!
The text was updated successfully, but these errors were encountered: