Correctly pad oidc tokens

According to the JWT spec base64 padding characters are stripped. Fixes kubernetes-client#65
flix-tech · Jun 5, 2018 · 9f5b8c4 · 9f5b8c4
1 parent 789de6a
commit 9f5b8c4
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/config/kube_config.py b/config/kube_config.py
@@ -231,13 +231,15 @@ def _load_oid_token(self):
         if len(parts) != 3:  # Not a valid JWT
             return None
 
+        padding = (4 - len(parts[1]) % 4) * '='
+
         if PY3:
             jwt_attributes = json.loads(
-                base64.b64decode(parts[1]).decode('utf-8')
+                base64.b64decode(parts[1] + padding).decode('utf-8')
             )
         else:
             jwt_attributes = json.loads(
-                base64.b64decode(parts[1] + "==")
+                base64.b64decode(parts[1] + padding)
             )
 
         expire = jwt_attributes.get('exp')

diff --git a/config/kube_config_test.py b/config/kube_config_test.py
@@ -87,11 +87,11 @@ def _raise_exception(st):
 
 TEST_OIDC_TOKEN = "test-oidc-token"
 TEST_OIDC_INFO = "{\"name\": \"test\"}"
-TEST_OIDC_BASE = _base64(TEST_OIDC_TOKEN) + "." + _base64(TEST_OIDC_INFO)
+TEST_OIDC_BASE = _base64(TEST_OIDC_TOKEN).strip('=') + "." + _base64(TEST_OIDC_INFO).strip('=')
 TEST_OIDC_LOGIN = TEST_OIDC_BASE + "." + TEST_CLIENT_CERT_BASE64
 TEST_OIDC_TOKEN = "Bearer %s" % TEST_OIDC_LOGIN
 TEST_OIDC_EXP = "{\"name\": \"test\",\"exp\": 536457600}"
-TEST_OIDC_EXP_BASE = _base64(TEST_OIDC_TOKEN) + "." + _base64(TEST_OIDC_EXP)
+TEST_OIDC_EXP_BASE = _base64(TEST_OIDC_TOKEN).strip('=') + "." + _base64(TEST_OIDC_EXP).strip('=')
 TEST_OIDC_EXPIRED_LOGIN = TEST_OIDC_EXP_BASE + "." + TEST_CLIENT_CERT_BASE64
 TEST_OIDC_CA = _base64(TEST_CERTIFICATE_AUTH)