ueberauth/guardian

Generating a JWT with kty=oct can fail because of incorrect Base64 encoding

al2o3cr opened this issue · 0 comments

Steps to Reproduce

  1. Generate a secret using mix guardian.gen.secret
  2. Set that secret for use with JWTs with secret_key: %{"k" => System.get_env("THAT_SECRET_KEY"), "kty" => "oct"}
  3. Try signing a key

Expected Result

It should work. :)

Actual Result

Sometimes, the generated secret has a + in it which isn't allowed according to the spec and crashes the URL-safe base64 decoder.

The root cause is the use of Base.encode64 in guardian.gen.secret. Switching that to Base.url_encode64 would solve this issue but probably break something else...
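The following is an added illustration, not code from Guardian or from the issue author, showing why a secret produced with Base.encode64 can be rejected as a kty=oct JWK "k" value and how to check or re-encode it. A JWK "k" member is defined as base64url (RFC 7518 section 6.4.1), so "+" and "/" from the standard alphabet are invalid there. The module name, function names and the sample byte string are assumptions made for this example.

```elixir
# Added example (not Guardian's own code): standard base64 vs base64url for a kty=oct JWK.
defmodule OctSecretCheck do
  # A JWK "k" value must be base64url (RFC 7518 section 6.4.1), unpadded.
  # Base.url_decode64/2 rejects "+" and "/", which Base.encode64/1 may emit.
  def valid_oct_k?(k) when is_binary(k) do
    match?({:ok, _}, Base.url_decode64(k, padding: false))
  end

  # Generate a secret directly in the encoding a JWK expects.
  def gen_url_safe_secret(bytes \\ 64) do
    bytes
    |> :crypto.strong_rand_bytes()
    |> Base.url_encode64(padding: false)
  end

  # Re-encode an existing standard-base64 secret (what Base.encode64 produces)
  # as base64url, keeping the same key material. Assumes valid standard base64 input.
  def to_url_safe(standard_b64) when is_binary(standard_b64) do
    standard_b64
    |> Base.decode64!()
    |> Base.url_encode64(padding: false)
  end
end

# Constructed sample: these three bytes encode to "+///" in standard base64,
# which contains characters outside the base64url alphabet.
bad = Base.encode64(<<0xFB, 0xFF, 0xFF>>)
IO.inspect(bad, label: "standard base64")
IO.inspect(OctSecretCheck.valid_oct_k?(bad), label: "accepted as JWK k?")   # false

good = OctSecretCheck.to_url_safe(bad)
IO.inspect(good, label: "base64url")
IO.inspect(OctSecretCheck.valid_oct_k?(good), label: "accepted as JWK k?")  # true

# A freshly generated secret already satisfies the check.
IO.inspect(OctSecretCheck.valid_oct_k?(OctSecretCheck.gen_url_safe_secret()))  # true
```

Running this with `elixir oct_secret_check.exs` shows the standard-base64 string failing the base64url decode while the re-encoded form passes. The check in valid_oct_k?/1 is the kind of guard that can be run on a secret at configuration time, so a "+" or "/" in the value is caught before it reaches the signing path.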

Additional backstory and discussion in this Elixir Forum thread; thanks to the original poster for bringing this up.