JWT base64url encoding (#7899)

Lars Maier · neunhoef · commit dd040ac1e350 · 2019-01-08T16:53:35.000+01:00
* Use base64url encoding and decoding for jwt header and body as specified in the rfc.

* Added changelog.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,6 +1,8 @@
 devel
 -----
 
+* Use base64url to encode and decode JWT parts.
+
 * updated bundled curl library to version 7.63
 
 * Added --server.jwt-secret-keyfile option.
diff --git a/arangod/Auth/TokenCache.cpp b/arangod/Auth/TokenCache.cpp
@@ -252,7 +252,7 @@ std::shared_ptr<VPackBuilder> auth::TokenCache::parseJson(std::string const& str
 
 bool auth::TokenCache::validateJwtHeader(std::string const& header) {
   std::shared_ptr<VPackBuilder> headerBuilder =
-      parseJson(StringUtils::decodeBase64(header), "jwt header");
+      parseJson(StringUtils::decodeBase64U(header), "jwt header");
   if (headerBuilder.get() == nullptr) {
     return false;
   }
@@ -287,7 +287,7 @@ bool auth::TokenCache::validateJwtHeader(std::string const& header) {
 
 auth::TokenCache::Entry auth::TokenCache::validateJwtBody(std::string const& body) {
   std::shared_ptr<VPackBuilder> bodyBuilder =
-      parseJson(StringUtils::decodeBase64(body), "jwt body");
+      parseJson(StringUtils::decodeBase64U(body), "jwt body");
   if (bodyBuilder.get() == nullptr) {
     LOG_TOPIC(TRACE, Logger::AUTHENTICATION) << "invalid JWT body";
     return auth::TokenCache::Entry::Unauthenticated();
@@ -369,8 +369,8 @@ std::string auth::TokenCache::generateRawJwt(VPackSlice const& body) const {
     headerBuilder.add("typ", VPackValue("JWT"));
   }
 
-  std::string fullMessage(StringUtils::encodeBase64(headerBuilder.toJson()) +
-                          "." + StringUtils::encodeBase64(body.toJson()));
+  std::string fullMessage(StringUtils::encodeBase64U(headerBuilder.toJson()) +
+                          "." + StringUtils::encodeBase64U(body.toJson()));
   if (_jwtSecret.empty()) {
     LOG_TOPIC(INFO, Logger::AUTHENTICATION)
         << "Using cluster without JWT Token";
