kirktrue commented on code in PR #19946:
URL: https://github.com/apache/kafka/pull/19946#discussion_r2141198529


##########
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/ClientJwtValidatorTest.java:
##########
@@ -26,4 +35,21 @@ protected JwtValidator createJwtValidator(AccessTokenBuilder 
builder) {
         return new ClientJwtValidator();
     }
 
+    @Test
+    void testJwtRequiresBase64UrlDecoding() throws Exception {
+        String header = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
+        String payload = "{\"sub\": \"jdoe\", \"exp\": 0, \"iat\": 0, 
\"data\":\">>>___<<<---\"}";
+        String signature = "dummysignature";
+        String jwt = createJwt(header, payload, signature);
+
+        // Verify that decoding the payload fails for "plain" base 64, but 
works with URL-safe base 64.
+        String urlEndodedPayload = 
Base64.getUrlEncoder().encodeToString(Utils.utf8(payload));
+        assertThrows(IllegalArgumentException.class, () -> 
Base64.getDecoder().decode(urlEndodedPayload));
+        assertDoesNotThrow(() -> 
Base64.getUrlDecoder().decode(urlEndodedPayload));
+
+        try (JwtValidator validator = createJwtValidator()) {
+            validator.configure(getSaslConfigs(), OAUTHBEARER_MECHANISM, 
getJaasConfigEntries());
+            validator.validate(jwt);

Review Comment:
   Yes. Changed.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to