fix: DPoP ath

italia · Aug 25, 2023 · cc2aaf1 · cc2aaf1
1 parent 64f5fb6
commit cc2aaf1
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/pyeudiw/oauth2/dpop/__init__.py b/pyeudiw/oauth2/dpop/__init__.py
@@ -29,7 +29,7 @@ def proof(self):
             "htm": "GET",
             "htu": self.htu,
             "iat": iat_now(),
-            "ath": base64.urlsafe_b64encode(hashlib.sha256(self.token.encode()).digest()).decode()
+            "ath": base64.urlsafe_b64encode(hashlib.sha256(self.token.encode()).digest()).rstrip(b'=').decode()
         }
         jwt = self.signer.sign(
             data,
@@ -109,6 +109,6 @@ def validate(self) -> bool:
         DPoPTokenPayloadSchema(**payload)
 
         _ath = hashlib.sha256(self.dpop_token.encode())
-        _ath_b64 = base64.urlsafe_b64encode(_ath.digest()).decode()
+        _ath_b64 = base64.urlsafe_b64encode(_ath.digest()).rstrip(b'=').decode()
         proof_valid = _ath_b64 == payload['ath']
         return dpop_valid and proof_valid
diff --git a/pyeudiw/tests/oauth2/test_dpop.py b/pyeudiw/tests/oauth2/test_dpop.py
@@ -90,7 +90,7 @@ def test_create_validate_dpop_http_headers(wia_jws, private_jwk=PRIVATE_JWK):
     payload = unpad_jwt_payload(proof)
     assert payload["ath"] == base64.urlsafe_b64encode(
         hashlib.sha256(wia_jws.encode()
-    ).digest()).decode()
+    ).digest()).rstrip(b'=').decode()
     assert payload["htm"] in ["GET", "POST", "get", "post"]
     assert payload["htu"] == "https://example.org/redirect"
     assert payload["jti"]