From 9f5b8c4e2b7712537c8ba27c4501ec5ef46c4627 Mon Sep 17 00:00:00 2001
From: Steffen Hanikel
Date: Tue, 5 Jun 2018 14:04:27 +0200
Subject: [PATCH] Correctly pad oidc tokens
According to the JWT spec base64 padding characters are stripped.
Fixes #65
---
 config/kube_config.py | 6 ++++--
 config/kube_config_test.py | 4 ++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/config/kube_config.py b/config/kube_config.py
index b1e2136e..4fff743a 100644
--- a/config/kube_config.py
+++ b/config/kube_config.py
@@ -231,13 +231,15 @@ def _load_oid_token(self):
 if len(parts) != 3: # Not a valid JWT
 return None
+ padding = (4 - len(parts[1]) % 4) * '='
+
 if PY3:
 jwt_attributes = json.loads(
- base64.b64decode(parts[1]).decode('utf-8')
+ base64.b64decode(parts[1] + padding).decode('utf-8')
 )
 else:
 jwt_attributes = json.loads(
- base64.b64decode(parts[1] + "==")
+ base64.b64decode(parts[1] + padding)
 )
 expire = jwt_attributes.get('exp')
diff --git a/config/kube_config_test.py b/config/kube_config_test.py
index 5eb4c332..68ea95c7 100644
--- a/config/kube_config_test.py
+++ b/config/kube_config_test.py
@@ -87,11 +87,11 @@ def _raise_exception(st):
 TEST_OIDC_TOKEN = "test-oidc-token"
 TEST_OIDC_INFO = "{\"name\": \"test\"}"
-TEST_OIDC_BASE = _base64(TEST_OIDC_TOKEN) + "." + _base64(TEST_OIDC_INFO)
+TEST_OIDC_BASE = _base64(TEST_OIDC_TOKEN).strip('=') + "." + _base64(TEST_OIDC_INFO).strip('=')
 TEST_OIDC_LOGIN = TEST_OIDC_BASE + "." + TEST_CLIENT_CERT_BASE64
 TEST_OIDC_TOKEN = "Bearer %s" % TEST_OIDC_LOGIN
 TEST_OIDC_EXP = "{\"name\": \"test\",\"exp\": 536457600}"
-TEST_OIDC_EXP_BASE = _base64(TEST_OIDC_TOKEN) + "." + _base64(TEST_OIDC_EXP)
+TEST_OIDC_EXP_BASE = _base64(TEST_OIDC_TOKEN).strip('=') + "." + _base64(TEST_OIDC_EXP).strip('=')
 TEST_OIDC_EXPIRED_LOGIN = TEST_OIDC_EXP_BASE + "." + TEST_CLIENT_CERT_BASE64
 TEST_OIDC_CA = _base64(TEST_CERTIFICATE_AUTH)
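Review bot: Both `base64.b64decode(parts[1] + padding)` calls in the `config/kube_config.py` hunk still decode with the standard alphabet, while JWT segments are base64url-encoded (RFC 7515). By default `b64decode` discards characters outside its alphabet instead of rejecting them, so a payload containing `-` or `_` decodes to the wrong bytes or raises before `exp` is read; `base64.urlsafe_b64decode(parts[1] + padding)` in both branches handles that alphabet. The padding expression also appends four `=` when the segment length is already a multiple of 4, whereas `padding = '=' * (-len(parts[1]) % 4)` yields none in that case. A segment whose length is 1 mod 4 cannot be valid base64, and the resulting decode error is not caught in the visible lines, unlike the `return None` used for a wrong part count. `_load_oid_token` starts and continues outside this hunk, so a handler may exist there.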