Valid JWT token with wrong Base64 encoding?

Question

When I was trying to decode the 2nd part of a JWT token, which should be a base64 encoded string, I found several characters missing in the end:

echo "eyJ0ZW5hbnRfaWQiOiJzdXBlcmNoYXJnaW5nIiwiYXVkIjoiIiwidmVyc2lvbiI6MH0" | base64 -D
{"tenant_id":"supercharging","aud":"","version":

The correct base64 encoded string should be:

echo "eyJ0ZW5hbnRfaWQiOiJzdXBlcmNoYXJnaW5nIiwiYXVkIjoiIiwidmVyc2lvbiI6MH0K" |
base64 -D
{"tenant_id":"supercharging","aud":"","version":0}

So I tried to paste it in the debugger https://jwt.io/, for example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiJzdXBlcmNoYXJnaW5nIiwiYXVkIjoiIiwidmVyc2lvbiI6MH0.oxpfv0W9GYjt2QlG4lqMcoRYdlBTg9_YF6ITGRrxBAQ

it's a valid JWT token, and I also tried:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiJzdXBlcmNoYXJnaW5nIiwiYXVkIjoiIiwidmVyc2lvbiI6MH0K.oxpfv0W9GYjt2QlG4lqMcoRYdlBTg9_YF6ITGRrxBAQ

it's also a valid JWT token. Is it a bug with jwt.io or am I missing something here?

Answer 1

There's nothing wrong with jwt.io and the shorter string is also fine.

The shorter version (67 characters) is probably just missing a padding character (=) to be correct Base64. The length of a Base64 string is supposed to be a multiple of 4 and might be filled up with one or two padding characters to reach that size. But JWT uses Base64Url encoding, which does not require padding.

Each 4 Base64(Url) characters encode 3 bytes. On the end of the Base64(Url) string you have the sequence biI6 which is n": after decoding and then MH0 to encode the rest of the JSON which is 0}. M and the first 2 bits of H are decoded to 0 and the last 4 bits of H and the first 4 bits of 0 are decoded to }. The remaining 2 bits will be ignored. If you add K to the string, you have enough bits for one more byte and get an addional linefeed (LF) character on the end after decoding, which is obviously not needed for a valid JSON. You could also add a = instead to satisfy your Base64 decoder.