follow rfc 7515 : strip padding from JWS segments #324
I think the naming comes from the fact that it adds in the "missing" padding automatically. But honestly I'm not picky.
Yeah, it follows the spec now. This function was ported from oauth2client which was ported from the google apiclient and then from the nameless arts before. Google infrastructure was using paddingless urlencoded strings before the JWT RFC (2015), so that might posit one possible explanation. At any rate, this is a great change - thank you for doing it. I'm merging. :)
Thanks for the historical details and for the merge!
* Added snippets for email action links API
* Fixing a lint error; Fixing a regression caused by googleapis/google-auth-library-python#324
* Fixing order of exported methods
* Applying feedback from docs team; Updating snippets based on code review comments
1760: Scheduled weekly dependency update for week 08 r=peterbe a=pyup-bot

### Update [google-auth](https://pypi.org/project/google-auth) from **1.6.2** to **1.6.3**.

### 1.6.3

02-15-2019 9:31 PST

Implementation Changes

- follow rfc 7515 : strip padding from JWS segments 324 (`324 <https://github.com/googleapis/google-auth-library-python/pull/324>`_)
- Add retry to _metadata.ping() (`323 <https://github.com/googleapis/google-auth-library-python/pull/323>`_)

Co-authored-by: pyup-bot <github-bot@pyup.io> Co-authored-by: Mike Cooper <mythmon@gmail.com>
Preface
So, I was writing something that used this library to sign JWTs in GCP to authenticate with Vault using the GCP engine. While I was able to generate tokens (parsing them locally) just fine, I was failing authentication with an error regarding illegal byte sequences during base-64 decoding.
Turns out the vault plugin, which is written in Go, uses a `RawUrlEncoding` to decode the incoming JWT. My tokens were failing to decode because each segment included the `=` padding. Oh.

Why this PR
According to the RFC 7515:
and unfortunately taking a look at the python stdlib `urlsafe_b64encode` function's docs:

Also, it's kinda funny that there's a function `padded_urlsafe_b64decode`, perhaps missing an `un-` in its name, to re-pad unpadded segments on the decoding side noting:

As I've learnt recently, it appears to follow the spec. Is there historical knowledge I might not know as to why this was implemented differently?
What
This PR:
`=`'s from encoded chunks during creation
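
The interoperability failure described in this pull request, as an added example that is not part of the original post or the library's own code: it builds the same compact token with stdlib padding and with RFC 7515 unpadded encoding, and checks both against a decoder that refuses `=`. All function names are hypothetical, the strict decoder is only a model of a peer that rejects padding, and the token contents (including the placeholder signature bytes) are constructed.

```python
import base64
import json
import re

# RFC 7515 section 2: base64url alphabet with all trailing '=' omitted.
_UNPADDED_B64URL = re.compile(r"[A-Za-z0-9_-]*")


def b64url_encode(data: bytes) -> str:
    """Encode as RFC 7515 requires: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode_strict(segment: str) -> bytes:
    """Model of a strict peer: any '=' or other illegal byte is an error."""
    if not _UNPADDED_B64URL.fullmatch(segment) or len(segment) % 4 == 1:
        raise ValueError("not unpadded base64url: %r" % segment)
    # The stdlib decoder needs padding, so restore it only after validation.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_decode_lenient(segment: str) -> bytes:
    """Accept padded or unpadded input by normalising the padding first."""
    return b64url_decode_strict(segment.rstrip("="))


def find_padded_segments(token: str) -> list:
    """Indexes of compact-JWS segments that still carry '=' padding."""
    return [i for i, seg in enumerate(token.split(".")) if seg.endswith("=")]


# Constructed sample. The header is 27 bytes (no padding needed); the payload
# (29 bytes) and placeholder signature (5 bytes) both pad under the stdlib.
HEADER = json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode()
PAYLOAD = json.dumps({"sub": "svc@example.invalid"}, separators=(",", ":")).encode()
FAKE_SIG = b"\x01\x02\x03\x04\x05"  # placeholder bytes, not a real signature
PARTS = (HEADER, PAYLOAD, FAKE_SIG)

padded_token = b".".join(base64.urlsafe_b64encode(p) for p in PARTS).decode()
unpadded_token = ".".join(b64url_encode(p) for p in PARTS)

if __name__ == "__main__":
    print("padded segments (stdlib encoding):", find_padded_segments(padded_token))
    print("padded segments (RFC 7515 encoding):", find_padded_segments(unpadded_token))
```

A token producer can run a check like `find_padded_segments` in its own tests to catch this class of interoperability bug before a strict verifier does.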