JWT payload JSON encoding

Alexander_Pastuhov · November 1, 2023, 8:55am

JSON in JWT's is normally not properly encoded, so "/" is sent as "/". You are however encoding it into proper JSON as "\/" - and that breaks validation, the initial re-encoding part that tests for extraneous spaces and such, because it's unexpected.

For instance, this is a part of Azure JWT's payload:

eyJhdWQiOiJiNjczMjE0Yi0zN2IxLTQxMmYtYjQzNy1kNzgxN2U5NWQzMzgiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vZTB [beginning of the middle part of JWT]

Which Un-MIME's into:

{"aud":"b673214b-37b1-412f-b437-d7817e95d338","iss":"https://login.microsoftonline.com/

As you can see, all /'s are sent as-is.

Sphinx really has to do the same, if only for compatibility.

wlandgraf · November 1, 2023, 2:11pm

I'm not sure what you mean, JWT support in Sparkle is there for years, never raised such problem before, so I don't think it's wrong.

Please provide steps to reproduce the issue.

Alexander_Pastuhov · November 1, 2023, 10:04pm

Generally, JSON parsing works either way, hence nobody noticed. But in our code, we parse, canonicalize and encode it back to compare with the original, which failed for me here. I can work around this, no prob, but just wanted to highlight that this is a deviation from the standard JWT, so it may give rise to random issues for random users and is generally not too good to be non-standard.

wlandgraf · November 3, 2023, 2:35pm

I still not sure what do you mean by this.

I can work around this, no prob, but just wanted to highlight that this is a deviation from the standard JWT,

Nor by this.