From 8b37a8f7fe019b4a2a4d888d2801ae0f9730e48d Mon Sep 17 00:00:00 2001
From: Travis Spencer
Date: Sat, 28 Sep 2019 13:14:19 +0200
Subject: [PATCH] Issue #4128 - Add missing padding and use URL decoder
Signed-off-by: Travis Spencer
---
 .../security/openid/OpenIdCredentials.java | 33 +++++++++++++++++--
 1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
index 85df9e28b040..230396b85995 100644
--- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
+++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
@@ -25,6 +25,7 @@
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
 import java.util.Base64;
 import java.util.Map;
@@ -158,9 +159,9 @@ protected Map decodeJWT(String jwt) throws IOException
 if (sections.length != 3)
 throw new IllegalArgumentException("JWT does not contain 3 sections");
- Base64.Decoder decoder = Base64.getDecoder();
- String jwtHeaderString = new String(decoder.decode(sections[0]), StandardCharsets.UTF_8);
- String jwtClaimString = new String(decoder.decode(sections[1]), StandardCharsets.UTF_8);
+ Base64.Decoder decoder = Base64.getUrlDecoder();
+ String jwtHeaderString = new String(decoder.decode(padJWTSection(sections[0])), StandardCharsets.UTF_8);
+ String jwtClaimString = new String(decoder.decode(padJWTSection(sections[1])), StandardCharsets.UTF_8);
 String jwtSignature = sections[2];
 Map jwtHeader = (Map)JSON.parse(jwtHeaderString);
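Review bot: `decoder.decode(...)` on the two new lines throws `IllegalArgumentException` when a section contains characters outside the base64url alphabet (for instance a token produced with the basic alphabet's '+' or '/'), and `padJWTSection` throws the same type, yet `decodeJWT` declares only `IOException`; its signature is outside the hunk, at the header line, so the Javadoc `@throws IllegalArgumentException if the token does not have three sections or a section is not valid base64url` belongs there. The switch to `Base64.getUrlDecoder()` is the correct alphabet for JWS sections. Note also that the JDK's `Base64.Decoder` Javadoc states that '=' padding is accepted but not required, so the `padJWTSection` wrapping here and the helper added in the next hunk appear redundant; if that holds for the JDK versions Jetty targets, decoding `sections[0]` and `sections[1]` directly would remove an extra copy of each section.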
@@ -175,6 +176,32 @@ and the Token Endpoint (which it is in this flow), the TLS server validation
 return (Map)JSON.parse(jwtClaimString);
 }
+ private static byte[] padJWTSection(String unpaddedEncodedJwtSection)
+ {
+ int length = unpaddedEncodedJwtSection.length();
+ int remainder = length % 4;
+
+ if (remainder == 1)
+ // A valid base64-encoded string will never be have an odd number of characters.
+ throw new IllegalArgumentException("Not valid Base64-encoded string");
+
+ byte[] paddedEncodedJwtSection;
+
+ if (remainder > 0)
+ {
+ int paddingNeeded = (4 - remainder) % 4;
+
+ paddedEncodedJwtSection = Arrays.copyOf(unpaddedEncodedJwtSection.getBytes(), length + paddingNeeded);
+ Arrays.fill(paddedEncodedJwtSection, length, paddedEncodedJwtSection.length, (byte)'=');
+ }
+ else
+ {
+ paddedEncodedJwtSection = unpaddedEncodedJwtSection.getBytes();
+ }
+
+ return paddedEncodedJwtSection;
+ }
+
 private Map claimAuthCode(String authCode) throws IOException
 {
 if (LOG.isDebugEnabled())
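Review bot: `unpaddedEncodedJwtSection.getBytes()` in both branches of `padJWTSection` uses the platform default charset, while `length` and the `Arrays.fill` start offset come from the `String` length in chars, so for any non-ASCII input the byte count and char count diverge and the '=' bytes land at the wrong offset or truncate the data; base64url is ASCII-only, so `getBytes(StandardCharsets.US_ASCII)` (the import already exists in this file) makes that assumption explicit and lets such input fail in the decoder rather than be silently mis-padded. The comment above the `remainder == 1` check is also inaccurate — a Base64 string can have an odd length (3 mod 4) — and should read `// An unpadded Base64 string can never have a length of 1 mod 4; reject it early.`. Inside the `remainder > 0` branch `remainder` is 2 or 3, so the `% 4` in `(4 - remainder) % 4` is a no-op and can be dropped. Finally, the JDK's `Base64.Decoder` Javadoc states that padding is accepted but not required, so this helper may be unnecessary altogether; worth confirming against the JDK versions Jetty targets before keeping it.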