kirktrue commented on code in PR #19946: URL: https://github.com/apache/kafka/pull/19946#discussion_r2141198529
########## clients/src/test/java/org/apache/kafka/common/security/oauthbearer/ClientJwtValidatorTest.java: ########## @@ -26,4 +35,21 @@ protected JwtValidator createJwtValidator(AccessTokenBuilder builder) { return new ClientJwtValidator(); } + @Test + void testJwtRequiresBase64UrlDecoding() throws Exception { + String header = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}"; + String payload = "{\"sub\": \"jdoe\", \"exp\": 0, \"iat\": 0, \"data\":\">>>___<<<---\"}"; + String signature = "dummysignature"; + String jwt = createJwt(header, payload, signature); + + // Verify that decoding the payload fails for "plain" base 64, but works with URL-safe base 64. + String urlEndodedPayload = Base64.getUrlEncoder().encodeToString(Utils.utf8(payload)); + assertThrows(IllegalArgumentException.class, () -> Base64.getDecoder().decode(urlEndodedPayload)); + assertDoesNotThrow(() -> Base64.getUrlDecoder().decode(urlEndodedPayload)); + + try (JwtValidator validator = createJwtValidator()) { + validator.configure(getSaslConfigs(), OAUTHBEARER_MECHANISM, getJaasConfigEntries()); + validator.validate(jwt); Review Comment: Yes. Changed. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org