
Google currently exposes, at https://www.googleapis.com/oauth2/v2/certs, the following certificate values

{
 "keys": [
  {
   "kty": "RSA",
   "alg": "RS256",
   "use": "sig",
   "kid": "90adc60c0f9f503265a5ebc2c404c88e59882083",
   "n": "u_EOLEKRMNuTA_UPh9R-LTQkF1TNGE6XRVbgvh081A5VtKNFe8b2CmoGvgrm_ochjX0robr8LwpOUSHO779yJANgvwuATHJ4SKYHzN2Gr0yBsC7MyL9CI_eXik4RGiNlEU6mgoy7GGnLtY5-A6OPo-I-4HEttP81LJrmSYh6Y2k=",
   "e": "AQAB"
  },
  {
   "kty": "RSA",
   "alg": "RS256",
   "use": "sig",
   "kid": "5886590f72b8e40668c55fa366c19efb2a22d635",
   "n": "x9mePRk3StM-Tg32S_E8OyBYD8uIHhPPa6U8jkHbpnRf2jEImk1ndIwIoJQCrHl1IsKpY1j81fyQKul0u1Frvb-LFGFVY3L7zSR4hnwzuU_05JtKZRfK-87Kj8JVMJbt34SKRmUitPH4QA23b6g-ORUMYjqWgNWufV6OPy8GYNE=",
   "e": "AQAB"
  }
 ]
}

I'm trying to access Google APIs using oic and jwkest, and get the error

DeSerializationNotPossible: Not base64url encoded

The problem occurs because the n parameters of both keys end in a = character. IIUC, they should be Base64URL encoded according to the JSON Web Algorithms draft, and Base64URL strips the = characters, according to the JSON Web Signature draft.

Is this error in the Python libraries I'm using, or is this indeed Google not conforming to the specification? If the latter: where can I report it?

Martin v. Löwis
  • Um, wow. The best place I have found to get some official type of technical response would be the Google OAuth2 community on Google+ https://plus.google.com/u/0/communities/107137198518854169493. From what I have heard there isn't really a dev team for OAuth2 right now; it's considered stable. I haven't found any place to report issues. Try G+; someone there might be able to help, and if not I can see if I can find someone to ping at Google. – Linda Lawton - DaImTo Dec 15 '14 at 08:30
  • Good find; I have not experienced problems with it so far because I use clients that have implemented a padding method that will not break on it; it certainly does not seem compliant to me. – Hans Z. Dec 17 '14 at 06:48
  • It turns out that the author of jwkest has now dropped the validity check from his implementation. So with the next release, the actual problem should be gone. – Martin v. Löwis Dec 17 '14 at 08:22

1 Answer


You are correct that Google isn't compliant with (the now RFCs) JWA and JWS in using regular base64 rather than base64url. However, I believe they've already been made aware of the issue and fixed it with a new version of the JWKS endpoint: https://www.googleapis.com/oauth2/v3/certs, which has the same keys as v2 but encoded properly per spec. You should be able to consume the v3 endpoint with the libraries you're using.

Brian Campbell
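As an added example (not code from the question, from jwkest or from Google), the snippet below shows how a Python client can detect the non-conforming encoding in the v2 "n" values quoted in the question, decode them tolerantly, and re-encode them per the RFC 7515 base64url rule the question cites. Note that the v2 values already use the URL-safe alphabet; only the trailing "=" padding is what a strict decoder rejects.

```python
import base64
import re

# RFC 7515 Appendix C: base64url uses the URL-safe alphabet (A-Z a-z 0-9 - _)
# and omits the trailing '=' padding that regular base64 carries.
_B64URL_RE = re.compile(r"^[A-Za-z0-9_-]*$")

# The two "n" values served by Google's v2 JWKS endpoint, as quoted in the question.
GOOGLE_V2_N = [
    "u_EOLEKRMNuTA_UPh9R-LTQkF1TNGE6XRVbgvh081A5VtKNFe8b2CmoGvgrm_ochjX0robr8LwpOUSHO779yJANgvwuATHJ4SKYHzN2Gr0yBsC7MyL9CI_eXik4RGiNlEU6mgoy7GGnLtY5-A6OPo-I-4HEttP81LJrmSYh6Y2k=",
    "x9mePRk3StM-Tg32S_E8OyBYD8uIHhPPa6U8jkHbpnRf2jEImk1ndIwIoJQCrHl1IsKpY1j81fyQKul0u1Frvb-LFGFVY3L7zSR4hnwzuU_05JtKZRfK-87Kj8JVMJbt34SKRmUitPH4QA23b6g-ORUMYjqWgNWufV6OPy8GYNE=",
]


def is_base64url(s: str) -> bool:
    """True only for spec-compliant base64url: URL-safe alphabet, no padding."""
    return bool(_B64URL_RE.match(s))


def b64url_decode_strict(s: str) -> bytes:
    """Decode the way a conforming JWK library does: non-compliant input is rejected."""
    if not is_base64url(s):
        raise ValueError("Not base64url encoded")
    # Python's decoder wants the padding back; restore it from the length.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_decode_lenient(s: str) -> bytes:
    """Decode tolerating padding and the standard alphabet, as the 'padding method'
    clients mentioned in the comments do, so the key material stays usable."""
    s = s.rstrip("=").replace("+", "-").replace("/", "_")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def to_base64url(raw: bytes) -> str:
    """Encode per JWA/JWS: URL-safe alphabet with the padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def normalize_jwk(jwk: dict) -> dict:
    """Return a copy of an RSA JWK whose 'n' and 'e' are re-encoded compliantly."""
    fixed = dict(jwk)
    for field in ("n", "e"):
        if field in fixed:
            fixed[field] = to_base64url(b64url_decode_lenient(fixed[field]))
    return fixed


def rsa_modulus_bits(n_b64: str) -> int:
    """Bit length of the decoded modulus, a quick sanity check on the decode."""
    return int.from_bytes(b64url_decode_lenient(n_b64), "big").bit_length()
```

Running the check against the v2 values reports both as non-compliant, while the normalized copy decodes under the strict rule and yields the same 1024-bit modulus.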