This repository was archived by the owner on Mar 13, 2022. It is now read-only.
OIDC auth uses incorrect base64 decoding #65
Closed
Description
We had a customer report the following error with this client:
Traceback (most recent call last):
  File ".../k8s_client.py", line 6, in <module>
    config.load_kube_config()
  File ".../venv/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 473, in load_kube_config
    loader.load_and_set(config)
  File ".../venv/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 354, in load_and_set
    self._load_authentication()
  File ".../venv/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 185, in _load_authentication
    if self._load_oid_token():
  File ".../venv/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 236, in _load_oid_token
    base64.b64decode(parts[1]).decode('utf-8')
  File ".../python/3.6.5/Frameworks/Python.framework/Versions/3.6/lib/python3.6/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding
Which appears to originate from here:
python-base/config/kube_config.py
Line 236 in 789de6a
jwt_attributes = json.loads(
    base64.b64decode(parts[1]).decode('utf-8')
)
JWTs aren't encoded using standard base64 encoding; they use URL encoding without the final padding:
Base64url Encoding
Base64 encoding using the URL- and filename-safe character set
defined in Section 5 of RFC 4648 [RFC4648], with all trailing '='
characters omitted (as permitted by Section 3.2) and without the
inclusion of any line breaks, whitespace, or other additional
characters. Note that the base64url encoding of the empty octet
sequence is the empty string. (See Appendix C for notes on
implementing base64url encoding without padding.)
https://tools.ietf.org/html/rfc7515#section-2
So "hello world" should become aGVsbG8gd29ybGQ, not aGVsbG8gd29ybGQ=
https://play.golang.org/p/vFrVzr9uyAQ
Python's default base64 library doesn't handle this encoding and spits out the same exception our customer's seeing:
$ python3 -c 'import base64; base64.b64decode("aGVsbG8gd29ybGQ")'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib64/python3.6/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding
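One way to decode a JWT segment as RFC 7515 describes it, shown as an added example (not code from this repository or from the issue author). The helper names and the sample token are constructed for illustration.

```python
import base64
import binascii
import json
import re

# base64url alphabet (RFC 4648 section 5). RFC 7515 omits '=' padding,
# so '=' is deliberately not accepted here.
_B64URL = re.compile(r"[A-Za-z0-9_-]*")


def b64url_decode(segment: str) -> bytes:
    """Decode one unpadded base64url JWT segment."""
    if not _B64URL.fullmatch(segment):
        raise ValueError("characters outside the base64url alphabet")
    if len(segment) % 4 == 1:
        raise ValueError("impossible base64url length")
    # Restore the padding that the JWS encoding stripped.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes the way JWS does: URL-safe alphabet, no padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Parse the claims of a compact JWT. Does NOT verify the signature,
    so treat the result as untrusted input."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]).decode("utf-8"))


def stdlib_b64decode_fails(segment: str) -> bool:
    """True if plain base64.b64decode rejects the segment (the reported bug)."""
    try:
        base64.b64decode(segment)
    except binascii.Error:
        return True
    return False


# Constructed sample token; the signature part is a dummy value.
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps({"sub": "demo-user", "exp": 1516239022}).encode()),
    "c2ln",
])
```

Besides the missing padding, the URL-safe alphabet uses `-` and `_` in place of `+` and `/`, which is why the helper calls `urlsafe_b64decode` rather than only re-padding before `b64decode`.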