
After referring to the JWT (id_token) decoding docs,

I'm confused whether the major service providers will follow the same technique...

The Microsoft OAuth2.0 client in the git project, in its `getUserEmailFromIdToken()` function, did not pad the extra `=` signs based on the size, e.g. `$extrapadds = $jwtTokenSize % 4;`

and the Yahoo OAuth2.0 OpenID id_token docs also didn't mention it anywhere, not even the basic string substitutions of "-" and "_" for "+" and "/".

Is it because these service providers (Microsoft and Yahoo) didn't follow the standards, or did they somehow find a way to avoid such scenarios?

Please clarify... and share code if possible explaining the right way to decode the JWT id_token.

Vertexwahn
Crystal Paladin

1 Answer

To use a base64 decoder on a base64url encoded token (which is what the JWT is), the padding is not really required, just recommended by spec; see Why does base64 encoding require padding if the input length is not divisible by 3?

Also: decoder implementations may be able to deal with the padding themselves.

The Yahoo docs are really wrong, as base64 encoding is different from base64url encoding and the spec dictates base64url: https://www.rfc-editor.org/rfc/rfc7519#section-3. Yahoo is not really an OpenID Connect provider (yet), so that may be why it wasn't fixed before: Yahoo Oauth2/OpenIDconnect

Hans Z.
  • Agreed with Hans. I'm guessing you posted this on the GitHub repo as well :). See my answer there (which echoes Hans): https://github.com/jasonjoh/php-tutorial/issues/6 – Jason Johnston Mar 04 '16 at 20:01
  • @Hans Z. by saying "Yahoo is not really an OpenID Connect provider (yet)", do you still think it is? Because your [previous post](http://stackoverflow.com/a/27789250/5917094) is from Jan 2015 and today is Mar 2016. If you have any references to check whether Yahoo / Microsoft / Google is an OpenID Connect provider, please do share them here... It'll be of great help – Crystal Paladin Mar 05 '16 at 11:44
  • @JasonJohnston The explanation on GitHub clarified it for me... you could share the same explanation here for future reference, and it might help someone who has the same doubt – Crystal Paladin Mar 05 '16 at 11:50
  • @Hans Z. I've referred to "https://developer.yahoo.com/openid/" and they (Yahoo) claim that they support OpenID. The saying goes like this -> "That's why we are a huge supporter of OpenID" in the second paragraph... Please edit the later part of your answer... It might mislead people... – Crystal Paladin Mar 05 '16 at 12:04
  • That's OpenID 2.0, which is really different from OpenID Connect, as also explained in the article that I linked to – Hans Z. Mar 05 '16 at 14:56
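A worked decoder for the base64url handling the answer describes, added here as an example (it is not code from the question's PHP tutorial or from any provider's SDK). It restores the `=` padding that JWT producers strip, maps `-`/`_` back to `+`/`/`, and parses a constructed sample token; the token, key id and claim values are made up for the demonstration, and the code only parses: signature verification against the issuer's published keys is a separate step.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url (RFC 4648 s5) JWT segment (RFC 7519 s3).

    JWT segments are emitted without '=' padding, so restore it before
    decoding. '-' and '_' are mapped back to '+' and '/' explicitly so the
    base64url -> base64 step is visible for decoders without a URL-safe mode.
    """
    missing = -len(segment) % 4          # 0, 1, 2 or 3 pad characters
    if missing == 3:                     # base64 never needs 3 '='; length is corrupt
        raise ValueError("invalid base64url segment length")
    std = segment.translate(str.maketrans("-_", "+/")) + "=" * missing
    return base64.b64decode(std, validate=True)


def b64url_encode(data: bytes) -> str:
    """Encode without padding, the way JWT producers do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Split a compact JWS into header, claims and raw signature bytes.

    This only parses. The signature is NOT checked here; claims are untrusted
    until it has been verified against the issuer's published keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "claims": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),
    }


# Constructed sample token (not issued by any provider): the header length
# forces two stripped '=' and the signature bytes produce '-' and '_'.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "example-key-1"}
SAMPLE_CLAIMS = {"iss": "https://login.example.com", "sub": "1234567890",
                 "aud": "client-id", "email": "user@example.com", "exp": 1457136000}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()),
    b64url_encode(b"\xfb\xff\xfe not a real signature"),
])
```

Running `decode_jwt_unverified(SAMPLE_TOKEN)` returns the header and claims as dicts; a decoder that insists on padding would reject the raw segments, which is exactly the case the question hits.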