This repository has been archived by the owner on Mar 13, 2022. It is now read-only.

OIDC auth uses incorrect base64 decoding #65

Closed
ericchiang opened this issue Apr 27, 2018 · 3 comments · Fixed by #79

ericchiang commented Apr 27, 2018

We had a customer report the following error with this client:

Traceback (most recent call last):
  File ".../k8s_client.py", line 6, in <module>
    config.load_kube_config()
  File ".../venv/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 473, in load_kube_config
    loader.load_and_set(config)
  File ".../venv/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 354, in load_and_set
    self._load_authentication()
  File ".../venv/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 185, in _load_authentication
    if self._load_oid_token():
  File ".../venv/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 236, in _load_oid_token
    base64.b64decode(parts[1]).decode('utf-8')
  File ".../python/3.6.5/Frameworks/Python.framework/Versions/3.6/lib/python3.6/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

Which appears to originate from here:

jwt_attributes = json.loads(
    base64.b64decode(parts[1]).decode('utf-8')
)

JWTs aren't encoded using standard base64 encoding; they use URL encoding without the final padding:

   Base64url Encoding
      Base64 encoding using the URL- and filename-safe character set
      defined in Section 5 of RFC 4648 [RFC4648], with all trailing '='
      characters omitted (as permitted by Section 3.2) and without the
      inclusion of any line breaks, whitespace, or other additional
      characters.  Note that the base64url encoding of the empty octet
      sequence is the empty string.  (See Appendix C for notes on
      implementing base64url encoding without padding.)

https://tools.ietf.org/html/rfc7515#section-2

So "hello world" should become aGVsbG8gd29ybGQ, not aGVsbG8gd29ybGQ= https://play.golang.org/p/vFrVzr9uyAQ

Python's default base64 library doesn't handle this encoding and spits out the same exception our customer's seeing:

$ python3 -c 'import base64; base64.b64decode("aGVsbG8gd29ybGQ")'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib64/python3.6/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

hanikesn added a commit to flix-tech/python-base that referenced this issue Jun 5, 2018
According to the JWT spec base64 padding characters are stripped.
Fixes kubernetes-client#65
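Added example, not part of the original thread or the project's code: the sketch below contrasts the base64.b64decode call from the traceback with a decoder for unpadded base64url as RFC 7515 section 2 defines it. The function names and the sample token are constructed for illustration.

```python
import base64
import binascii
import json
import re

_B64URL = re.compile(r"[A-Za-z0-9_-]*")  # RFC 4648 section 5 alphabet, no '='


def naive_decode(segment):
    """The call quoted in the issue: standard alphabet, padding required."""
    return base64.b64decode(segment)


def b64url_decode(segment):
    """Decode an unpadded base64url string as RFC 7515 section 2 defines it."""
    # A length of 4n+1 cannot come from any byte string; reject it up front.
    if not _B64URL.fullmatch(segment) or len(segment) % 4 == 1:
        raise ValueError("not an unpadded base64url string")
    # Restore the '=' characters the JWS encoding omits, then decode.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the payload claims of a compact JWT. Does not check the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]).decode("utf-8"))


def make_sample_token(claims):
    """Constructed sample token (hypothetical helper; signature is a placeholder)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2lnbmF0dXJl"])


if __name__ == "__main__":
    token = make_sample_token({"sub": "alice", "exp": 1524787200})
    payload = token.split(".")[1]
    try:
        naive_decode(payload)
    except binascii.Error as err:
        print("base64.b64decode:", err)
    print("b64url_decode:", jwt_claims(token))
```

Reading claims this way only parses the payload; it says nothing about whether the token's signature is valid.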

kvaps commented Feb 18, 2019

@bpicolo, your fix is working, thanks!

cd /usr/lib/python3.*/site-packages/kubernetes/config
curl -sL https://github.com/kubernetes-client/python-base/pull/79.diff | patch -p2


UWTech commented Mar 13, 2019

Is this getting merged into mainline soon?

I'm still seeing this error, and I cloned last week. Do we have an ETA there?

Thanks.

@tiga1583

We are experiencing the same issue. When will it be merged into main line?
