fail use jwt_parser:base64_decode to decode when upgrade kong 3.4.2 to 3.6.0

[lubw7]

Is there an existing issue for this?

• I have searched the existing issues

Kong version ($ kong version)

kong 3.6

Current Behavior

In Kong 3.6.0
When I use kong.plugins.jwt.jwt_parser:base64_decode, it will meet exception : nil,invalid input.
2024/03/01 16:14:10 [debug] 1277#0: *1286 [lua] sso.lua:119: jwt_decoder:base64_decode(key) = nilinvalid input

Expected Behavior

In Kong 3.4.2
When I use kong.plugins.jwt.jwt_parser:base64_decode, it will decode successfully.

☺☺☺♣♥�☺0�☺H��:18:34 [debug] 1259#0: *150 [lua] sso.lua:119: jwt_decoder:base64_decode(key) = 0�☺"0
☻�☺☺�y¶@�K♠��%/{���▲(�Ԕ��/�♥[�73Ql9�I� H���♣��I‼1       �o��:��g�߹�ZU�'2�d`��J�H3�)
�▲ؿ
鷂rO��L������ ��g▲��P���Ô�#�����v!���6TL�z26^��xq��     �v4����M∟4:{♣���tξ(����↕�[܋�t����[e�r�d��g�e=♠y��T�hs▼�6I�yN7�����→}‼^����↔¶�ǽx��s1���4��f�E�→,F��.��►e1���n���r_☻♥☺☺

Steps To Reproduce

1. Require jwt_parser

local jwt_decoder = require "kong.plugins.jwt.jwt_parser"
local DEBUG, ERR, INFO, log = ngx.DEBUG, ngx.ERR, ngx.INFO, ngx.log

2. use jwt_parser:base64_decode

local test_key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsbxk6rmBw/+8b2qwQnxKcK8VRRJcSQGCHjwzCzYmMa+XuRL0iaDmOIpXvXmqSMDGM/CdjoQhGfyotnnw3fROjBnOpnNeiX6UPYsJSLzozx1pv7gvRkyfv6hpp9pMn6UWt4IkFsHpeM/V1Spxvgbr+S9clXn+0saM529fK9BFPxjyHk2Jv+SHy9fnjre/5sFVyGxeAM36RVcw3u/D7v7gKigCjhR1Qc3FMJKDrZE5AQQOJELYMrWvaBUxVYjRwQpuEGt/OHbvJZEpABhIYd2lbby1BNtq96loup/SBxJ3jam0MUsf8aB87+vB4QiaX5gwTTLRw2IcnEal+DuZgnNaQQIDAQAB"
log(DEBUG, "jwt_decoder:base64_decode(key) = ", jwt_decoder:base64_decode(test_key))

3. check the log, you can see:
   2024/03/01 16:14:10 [debug] 1277#0: *1286 [lua] sso.lua:119: jwt_decoder:base64_decode(key) = nilinvalid input

Anything else?

#11569 refactor the code about jwt_parser:base64_decode, so is it expected that such an error will occur?

[chobits]

Not sure whether if #11569 affectted it, we need to check

[chronolaw]

We have created a ticket to track this issue (KAG-3952), thanks for your report.

[chronolaw]

jwt token should be encoded with Base64URL algorithm, which means that we should replace '+' to '-' and '/' to '-'.

The variable test_key includes invalid char /, so kong think it is a wrong base64url string.

[chronolaw]

You can change the code like this:

local input = "..."
input = input:gsub("+", "-"):gsub("/", "_")
print(jwt_decoder:base64_decode(input))

[lubw7]

Thanks, the problem has already been solved.

You can change the code like this:

local input = "..."
input = input:gsub("+", "-"):gsub("/", "_")
print(jwt_decoder:base64_decode(input))

[lubw7]

@chronolaw Will this change be added to the source code？

You can change the code like this:

local input = "..."
input = input:gsub("+", "-"):gsub("/", "_")
print(jwt_decoder:base64_decode(input))