Fix ID token verification (#87)
diff --git a/google/auth/_helpers.py b/google/auth/_helpers.py
index 5a6c3a8..de86bee 100644
--- a/google/auth/_helpers.py
+++ b/google/auth/_helpers.py
@@ -14,6 +14,7 @@
"""Helper functions for commonly used utilities."""
+import base64
import calendar
import datetime
@@ -194,3 +195,19 @@
return []
return scopes.split(' ')
+
+
+def padded_urlsafe_b64decode(value):
+ """Decodes base64 strings lacking padding characters.
+
+ Google infrastructure tends to omit the base64 padding characters.
+
+ Args:
+ value (Union[str, bytes]): The encoded value.
+
+ Returns:
+ bytes: The decoded value
+ """
+ b64string = to_bytes(value)
+ padded = b64string + b'=' * (-len(b64string) % 4)
+ return base64.urlsafe_b64decode(padded)
diff --git a/google/auth/jwt.py b/google/auth/jwt.py
index 7abe4c2..0884b3d 100644
--- a/google/auth/jwt.py
+++ b/google/auth/jwt.py
@@ -96,7 +96,7 @@
def _decode_jwt_segment(encoded_section):
"""Decodes a single JWT segment."""
- section_bytes = base64.urlsafe_b64decode(encoded_section)
+ section_bytes = _helpers.padded_urlsafe_b64decode(encoded_section)
try:
return json.loads(section_bytes.decode('utf-8'))
except ValueError:
@@ -124,7 +124,7 @@
encoded_header, encoded_payload, signature = token.split(b'.')
signed_section = encoded_header + b'.' + encoded_payload
- signature = base64.urlsafe_b64decode(signature)
+ signature = _helpers.padded_urlsafe_b64decode(signature)
# Parse segments
header = _decode_jwt_segment(encoded_header)