Follow rfc 7515 and strip padding from JWS segments (#324)
* strip off illegal padding
* oops: remove unused import base64
diff --git a/google/auth/_helpers.py b/google/auth/_helpers.py
index 860b827..b32801a 100644
--- a/google/auth/_helpers.py
+++ b/google/auth/_helpers.py
@@ -215,3 +215,20 @@
b64string = to_bytes(value)
padded = b64string + b'=' * (-len(b64string) % 4)
return base64.urlsafe_b64decode(padded)
+
+
+def unpadded_urlsafe_b64encode(value):
+ """Encodes base64 strings removing any padding characters.
+
+ `rfc 7515`_ defines Base64url to NOT include any padding
+ characters, but the stdlib doesn't do that by default.
+
+ _rfc7515: https://tools.ietf.org/html/rfc7515#page-6
+
+ Args:
+ value (Union[str|bytes]): The bytes-like value to encode
+
+ Returns:
+ Union[str|bytes]: The encoded value
+ """
+ return base64.urlsafe_b64encode(value).rstrip(b'=')
diff --git a/google/auth/jwt.py b/google/auth/jwt.py
index 3805f37..bea70ad 100644
--- a/google/auth/jwt.py
+++ b/google/auth/jwt.py
@@ -40,7 +40,6 @@
"""
-import base64
import collections
import copy
import datetime
@@ -86,13 +85,19 @@
header['kid'] = key_id
segments = [
- base64.urlsafe_b64encode(json.dumps(header).encode('utf-8')),
- base64.urlsafe_b64encode(json.dumps(payload).encode('utf-8')),
+ _helpers.unpadded_urlsafe_b64encode(
+ json.dumps(header).encode('utf-8')
+ ),
+ _helpers.unpadded_urlsafe_b64encode(
+ json.dumps(payload).encode('utf-8')
+ ),
]
signing_input = b'.'.join(segments)
signature = signer.sign(signing_input)
- segments.append(base64.urlsafe_b64encode(signature))
+ segments.append(
+ _helpers.unpadded_urlsafe_b64encode(signature)
+ )
return b'.'.join(segments)