OpenIdCredentials can't decode JWT ID token #4128
Labels: Bug (For general bugs on Jetty side)
travisspencer added a commit to travisspencer/jetty.project that referenced this issue on Sep 28, 2019
travisspencer added a commit to travisspencer/jetty.project that referenced this issue on Sep 28, 2019
travisspencer added a commit to travisspencer/jetty.project that referenced this issue on Sep 28, 2019
Signed-off-by: Travis Spencer <travis@curity.io>
Standards are soooo good, we may as well have lots of them for the same thing.... NOT!
travisspencer added a commit to travisspencer/jetty.project that referenced this issue on Sep 30, 2019
Signed-off-by: Travis Spencer <travis@curity.io>
travisspencer added a commit to travisspencer/jetty.project that referenced this issue on Oct 5, 2019
Signed-off-by: Travis Spencer <travis@curity.io>
lachlan-roberts added a commit that referenced this issue on Oct 7, 2019
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit that referenced this issue on Oct 7, 2019
Issue #4128 - Add missing padding and use URL decoder
lachlan-roberts added a commit that referenced this issue on Nov 18, 2019
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit that referenced this issue on Nov 20, 2019
joakime changed the title from "OpenIdCredetials can't decode JWT ID token" to "OpenIdCredentials can't decode JWT ID token" on Nov 20, 2019
Testing the new OpenID Connect authentication mechanism, I've run into what I think is a bug. My OpenID Connect Provider (OP) is Curity, an OP that's passed all the OpenID Foundation's certification tests.
I can log in using this OP. However, in some cases, the OpenIdCredentials gets hung up on the ID token JWT that's returned.
For instance, here's an example of a token (that is valid) which hangs up the component:
eyJraWQiOiIxNTU1OTM0ODQ3IiwieDV0IjoiOWdCOW9zRldSRHRSMkhtNGNmVnJnWTBGcmZRIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiQTA0NUoxcE5YRk1nYzlXN2wxSk1fUSIsImRlbGVnYXRpb25faWQiOiJjZTBhNjRlNS0xYWY3LTQ2MzEtOGUzNC1mNDE5N2JkYzVjZTAiLCJhY3IiOiJ1cm46c2U6Y3VyaXR5OmF1dGhlbnRpY2F0aW9uOmh0bWwtZm9ybTpodG1sLXByaW1hcnkiLCJzX2hhc2giOiIwc1FtRG9YY3FwcnM4NWUzdy0wbHdBIiwiYXpwIjoiNzZiZTc5Y2ItM2E1Ni00ZTE3LTg3NzYtNDI1Nzc5MjRjYzc2IiwiYXV0aF90aW1lIjoxNTY5NjU4MDk1LCJleHAiOjE1Njk2NjE5OTUsIm5iZiI6MTU2OTY1ODM5NSwianRpIjoiZjJkNWI2YzEtNTIxYi00Y2Y5LThlNWEtOTg5NGJhNmE0MzkyIiwiaXNzIjoiaHR0cHM6Ly9ub3JkaWNhcGlzLmN1cml0eS5pby9-IiwiYXVkIjoiNzZiZTc5Y2ItM2E1Ni00ZTE3LTg3NzYtNDI1Nzc5MjRjYzc2Iiwic3ViIjoibmlrb3MiLCJpYXQiOjE1Njk2NTgzOTUsInB1cnBvc2UiOiJpZCJ9.Wd458zNmXggpkDN6vbS3-aiajh4-VbkmcStLYUqahYJUp9p-AUI_RZttWvwh3UDMG9rWww_ya8KFK_SkPfKooEaSNOjOhw0ox4d-9lgti3J49eRyO20RViXvRHyLVtcjv5IaqvMXgwW60Thubv19OION7DstyArffcxNNSpiqDq6wjd0T2DJ3gSXXlJHLTWrry3svqu1j_GCbHc04XYGicxsusKgc3n22dh4I6p4trdo0Gu5Un0bZ8Yov7IzWItqTgm9X5r9gZlAOLcAuK1WTwkzAwZJ24HgvxKmuYfV_4ZCg_VPN2Op8YPuRAQOgUERpeTv1RDFTOG9GKZIMBVR0A
The error is around base-64 decoding, which OpenID Connect does in a "special" way (see RFC 7515). Specifically, the stack trace is this:
In section 2 of RFC 7515 (which OpenID Connect references), it says that base64-encoded parts of the JWT should have the padding removed. This means that the decoder (this new OpenIdCredentials class) must first add the padding back before calling java.util.Base64.Decoder.
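Added example (not code from the Jetty project or from the issue's author): one way to decode a compact JWT segment as RFC 7515 section 2 describes, restoring the stripped padding and using the URL-safe decoder of java.util.Base64. The class name JwtSegmentDecoder, its methods and the sample claims are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class JwtSegmentDecoder {
    // Decode one segment of a compact JWT. RFC 7515 section 2 uses the
    // URL-safe alphabet ('-' and '_') with the trailing '=' padding omitted.
    static byte[] decodeSegment(String segment) {
        // Reject anything outside the base64url alphabet ('+', '/', '=', whitespace).
        if (!segment.matches("[A-Za-z0-9_-]*")) {
            throw new IllegalArgumentException("not base64url");
        }
        int rem = segment.length() % 4;
        if (rem == 1) {
            // No byte sequence encodes to 4n+1 characters.
            throw new IllegalArgumentException("invalid base64url length");
        }
        // Add the padding back: 2 leftover characters need "==", 3 need "=".
        String padded = segment + "==".substring(0, (4 - rem) % 4);
        return Base64.getUrlDecoder().decode(padded);
    }

    // Decoding is not verification: the claims stay untrusted until the
    // signature has been checked against the provider's keys.
    static String decodePayload(String jwt) {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected 3 JWT segments");
        }
        return new String(decodeSegment(parts[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample, not the token from the issue. The '~' in the
        // issuer is placed so that the encoded payload contains a '-'.
        String claims = "{\"iss\":\"https://op.example.test/~\",\"sub\":\"alice\"}";
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String jwt = enc.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8))
            + "." + enc.encodeToString(claims.getBytes(StandardCharsets.UTF_8))
            + "." + enc.encodeToString(new byte[] {1, 2, 3, 4}); // dummy signature bytes
        try {
            // The basic decoder only knows '+' and '/', so '-' is rejected.
            Base64.getDecoder().decode(jwt.split("\\.")[1]);
            System.out.println("basic decoder: accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("basic decoder: " + e.getMessage());
        }
        System.out.println("url decoder:   " + decodePayload(jwt));
    }
}
```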