Summarized questions
- Can a JWT token's payload with an underscore character be valid? To my understanding it cannot, since it has to be base64 encoded.
- If not, why does firebase sometimes generate such a token and why is the firebase Admin SDK able to verify and decode it?
- If yes, where is that documented and how can I read the payload in javascript on the client (without verifying it), since atob will fail on such a string.
Some context
I'm using firebase for authentication. I'd like to read (not verify) the id token's payload. I need it to show/hide stuff from the UI, and I used the method described in the firebase documentation.
However in certain cases (I only experience it when I log in with my facebook account), the payload of the token contains an _ and is therefore not base64 decoded. Hence the error I get when calling atob on it.
How is this possible? My understanding from reading the JWT documentation is that the payload has to be base64 encoded. All characters actually are valid base64 characters, except for that underscore.
The token however is successfully verified and decoded when I send it to a firebase function and call admin.auth().verifyIdToken(idToken) on it.
- Please post the full token – Nikoloz Shvelidze Commented Mar 3, 2018 at 11:05
1 Answer
Can a JWT token's payload with an underscore character be valid? To my understanding it cannot, since it has to be base64 encoded.
JWT tokens are base64url encoded, which is slightly different to base64. It changes + to - and / to _ and removes the trailing =
If not, why does firebase sometimes generate such a token and why is the firebase Admin SDK able to verify and decode it?
_ is a valid char. See above
If yes, where is that documented
RFC 7519 JSON Web Token
A JWT is represented as a sequence of URL-safe parts separated by period ('.') characters. Each part contains a base64url-encoded value.
how can I read the payload in javascript on the client (without verifying it), since atob will fail on such a string.
Just replace - with + and _ with / to get a base64. See an example function extracted from here
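function Base64DecodeUrl(str){
    // Restore the '=' padding that base64url strips, up to a multiple of 4
    str = str + '='.repeat((4 - str.length % 4) % 4);
    // Map the URL-safe alphabet back to standard base64 so atob() accepts it
    return str.replace(/-/g, '+').replace(/_/g, '/');
}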
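An added example, not part of the original answer: reading (without verifying) the claims of a token whose payload segment contains an underscore and needs one padding character restored. The function names and the sample token are constructed for illustration.

```javascript
// Read (NOT verify) a JWT payload on the client.
// Runs in browsers and Node 16+ (global atob and TextDecoder).

// Convert one base64url segment (URL-safe alphabet, padding stripped) to bytes.
function base64UrlToBytes(segment) {
  // Only A-Z a-z 0-9 - _ are allowed; a length of 4n+1 can never be valid.
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error('not a valid base64url segment');
  }
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/') +
    '='.repeat((4 - (segment.length % 4)) % 4); // restore stripped padding
  return Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
}

// Return the claims of a compact JWT. The signature is not checked here, so
// use the result only for UI decisions; authorization stays on the server,
// where the page's admin.auth().verifyIdToken(idToken) verifies the token.
function readJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    throw new Error('expected header.payload.signature');
  }
  // atob yields one character per byte, so decode the bytes as UTF-8
  // to keep non-ASCII claim values (names, for example) intact.
  const json = new TextDecoder().decode(base64UrlToBytes(parts[1]));
  return JSON.parse(json);
}

// Constructed sample token (not a real Firebase token):
//   header  {"alg":"RS256"}
//   payload {"a":"???","n":"é"}  -> contains '_' and has length % 4 === 3
//   signature is a dummy value and is never decoded here
const SAMPLE_TOKEN = 'eyJhbGciOiJSUzI1NiJ9.eyJhIjoiPz8_IiwibiI6IsOpIn0.c2ln';

console.log(readJwtPayload(SAMPLE_TOKEN));
```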