Merge pull request #4129 from travisspencer/fix-4128

Issue #4128 - Add missing padding and use URL decoder
jetty · Oct 7, 2019 · acf4eef · acf4eef
2 parents d4270d9 + 8b37a8f
commit acf4eef
Showing 1 changed file with 30 additions and 3 deletions.
diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
@@ -25,6 +25,7 @@
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
 import java.util.Base64;
 import java.util.Map;
 
@@ -158,9 +159,9 @@ protected Map<String, Object> decodeJWT(String jwt) throws IOException
         if (sections.length != 3)
             throw new IllegalArgumentException("JWT does not contain 3 sections");
 
-        Base64.Decoder decoder = Base64.getDecoder();
-        String jwtHeaderString = new String(decoder.decode(sections[0]), StandardCharsets.UTF_8);
-        String jwtClaimString = new String(decoder.decode(sections[1]), StandardCharsets.UTF_8);
+        Base64.Decoder decoder = Base64.getUrlDecoder();
+        String jwtHeaderString = new String(decoder.decode(padJWTSection(sections[0])), StandardCharsets.UTF_8);
+        String jwtClaimString = new String(decoder.decode(padJWTSection(sections[1])), StandardCharsets.UTF_8);
         String jwtSignature = sections[2];
 
         Map<String, Object> jwtHeader = (Map)JSON.parse(jwtHeaderString);
@@ -175,6 +176,32 @@ and the Token Endpoint (which it is in this flow), the TLS server validation
         return (Map)JSON.parse(jwtClaimString);
     }
 
+    private static byte[] padJWTSection(String unpaddedEncodedJwtSection)
+    {
+        int length = unpaddedEncodedJwtSection.length();
+        int remainder = length % 4;
+
+        if (remainder == 1)
+            // A valid base64-encoded string will never be have an odd number of characters.
+            throw new IllegalArgumentException("Not valid Base64-encoded string");
+
+        byte[] paddedEncodedJwtSection;
+
+        if (remainder > 0)
+        {
+            int paddingNeeded = (4 - remainder) % 4;
+
+            paddedEncodedJwtSection = Arrays.copyOf(unpaddedEncodedJwtSection.getBytes(), length + paddingNeeded);
+            Arrays.fill(paddedEncodedJwtSection, length, paddedEncodedJwtSection.length, (byte)'=');
+        }
+        else
+        {
+            paddedEncodedJwtSection = unpaddedEncodedJwtSection.getBytes();
+        }
+
+        return paddedEncodedJwtSection;
+    }
+
     private Map<String, Object> claimAuthCode(String authCode) throws IOException
     {
         if (LOG.isDebugEnabled())