Hello folks,

The payload (and other parts) of a JSON Web Token (JWT, a popular and growing auth standard: https://tools.ietf.org/html/rfc7519) is base64 encoded.

Unfortunately, the payload encoding (specified in https://tools.ietf.org/html/rfc7515) is defined as the "URL safe" variant. This variant allows for the lossless omission of base64 padding ("=" or "=="), which the haproxy b64dec convertor doesn't appear to be able to cope with.

The result of

    log-format %[<variable>,b64dec]

... when faced with such an unpadded string is just "-", which I take to mean decoding failed. I believe it's failing on line 84 of src/base64.c.

I've tried and failed to use a regex convertor to add padding to the end, based on looking at the string's remainder after matching clusters with '(.{4})+'. Annoyingly I can't make this work in the regsub convertor as I believe it would require the use of grouping parentheses, which aren't permitted by the parser currently.

I'm personally interested in this for logging the contents of JWT payloads for audit. Is anyone else working with JWT in haproxy, in this or any other context, and could share any tactics for dealing with this problem?

Many thanks!

Jonathan
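The padding rule described in the message above, as an added example that is not part of the original post or of HAProxy's code: it assumes the raw, undecoded token is written to the log and decoded afterwards by an audit script. The function names and the sample token are constructed for illustration.

```python
import base64
import json
import re

# RFC 7515 base64url alphabet; JWT segments carry no "=" padding.
_B64URL = re.compile(r"[A-Za-z0-9_-]+")


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url string by restoring the padding first."""
    # urlsafe_b64decode silently drops unknown characters, so check up front.
    if not _B64URL.fullmatch(segment):
        raise ValueError("characters outside the unpadded base64url alphabet")
    if len(segment) % 4 == 1:
        # No encoder output has length 4n+1, so padding cannot repair it.
        raise ValueError("impossible base64url length")
    # Remainder 2 needs "==", remainder 3 needs "=", remainder 0 needs nothing.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload_for_audit(token: str) -> dict:
    """Return the claims of a compact JWS for logging.

    The signature is NOT verified here: the result is audit data only and
    must not be used for any authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWS")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def _enc(obj) -> str:
    """Build an unpadded base64url segment (used only for the sample token)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token; the third part is a placeholder, not a real signature.
SAMPLE = ".".join([
    _enc({"alg": "HS256", "typ": "JWT"}),
    _enc({"sub": "alice", "admin": False}),
    "c2lnbmF0dXJl",
])
```

The sample payload segment is 39 characters long, so a decoder that insists on padding rejects it exactly as described in the message, while `b64url_decode` appends the single missing "=".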