Support of Bearer JWT token  #223

Closed
@funcodeio

Description

A JWT token consists of three parts that are concatenated with a period ('.'). Each part is encoded with base64url. However, the entire concatenated string is not a valid base64url encoding because of the period ('.') in the middle.

Currently, the openapi_core security validator is based on the assumption that the token is base64url. So it sometimes gives a false alarm when I use a JWT token string: it gives a security error from time to time even though I use a correct JWT token.

For example, the following token will fail although it is a correct JWT token. However much padding you add, it will fail because the function does not understand the period ('.') in the middle.

```python
import base64

# each of these calls raises binascii.Error: the '.' separators mean the
# concatenated token is not a single base64 string, whatever padding is appended
base64.b64decode('eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODQ2OTQ3NTguNzE3MzczNiwiZXhwIjoxNTg0NzMwNzU4LjcxNzM3MzYsInBheWxvYWQiOnsiZW1haWwiOiJpbmt5dUBwcmV4LmNvbSIsInVzZXJfaWQiOjIsImFjY291bnRfaWQiOjk4MDAxMDF9fQ.LpsGIDIf4sf2Vfi0JiJju2MeI6Wod2MVREOaKTMEthw')
base64.b64decode('eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODQ2OTQ3NTguNzE3MzczNiwiZXhwIjoxNTg0NzMwNzU4LjcxNzM3MzYsInBheWxvYWQiOnsiZW1haWwiOiJpbmt5dUBwcmV4LmNvbSIsInVzZXJfaWQiOjIsImFjY291bnRfaWQiOjk4MDAxMDF9fQ.LpsGIDIf4sf2Vfi0JiJju2MeI6Wod2MVREOaKTMEthw=')
base64.b64decode('eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODQ2OTQ3NTguNzE3MzczNiwiZXhwIjoxNTg0NzMwNzU4LjcxNzM3MzYsInBheWxvYWQiOnsiZW1haWwiOiJpbmt5dUBwcmV4LmNvbSIsInVzZXJfaWQiOjIsImFjY291bnRfaWQiOjk4MDAxMDF9fQ.LpsGIDIf4sf2Vfi0JiJju2MeI6Wod2MVREOaKTMEthw==')
base64.b64decode('eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODQ2OTQ3NTguNzE3MzczNiwiZXhwIjoxNTg0NzMwNzU4LjcxNzM3MzYsInBheWxvYWQiOnsiZW1haWwiOiJpbmt5dUBwcmV4LmNvbSIsInVzZXJfaWQiOjIsImFjY291bnRfaWQiOjk4MDAxMDF9fQ.LpsGIDIf4sf2Vfi0JiJju2MeI6Wod2MVREOaKTMEthw===')
```

The correct way of handling this token is to split it on the period and to try decoding each part separately.
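The per-segment handling the report asks for, as an added example rather than openapi_core's own code: split the compact JWS on '.', decode each segment as unpadded base64url, and require JSON objects for header and claims. The token is the one from the report; the function and header names are this example's own, and it checks structure only, not the signature.

```python
import base64
import json
import re

# The token from the report: a well-formed HS256 JWT that must parse cleanly.
REPORTED_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpYXQiOjE1ODQ2OTQ3NTguNzE3MzczNiwiZXhwIjoxNTg0NzMwNzU4LjcxNzM3MzYsInBheWxvYWQiOnsiZW1haWwiOiJpbmt5dUBwcmV4LmNvbSIsInVzZXJfaWQiOjIsImFjY291bnRfaWQiOjk4MDAxMDF9fQ."
    "LpsGIDIf4sf2Vfi0JiJju2MeI6Wod2MVREOaKTMEthw"
)
# JWS segments use the base64url alphabet with '=' padding stripped (RFC 7515 section 2).
_B64URL_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url_decode(segment: str) -> bytes:
    """Decode one unpadded base64url segment, restoring the padding JWS strips."""
    # 4k+1 characters can never be a base64 encoding; anything outside the
    # base64url alphabet ('.', '+', '/', '=') is rejected instead of dropped.
    if not _B64URL_RE.fullmatch(segment) or len(segment) % 4 == 1:
        raise ValueError("segment is not unpadded base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_compact_jws(token: str) -> tuple[dict, dict, bytes]:
    """Split a compact JWS/JWT into (header, claims, signature), decoding each
    dot-separated segment on its own. Structural check only: no signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header_b, claims_b, signature = (b64url_decode(p) for p in parts)
    header, claims = json.loads(header_b), json.loads(claims_b)  # ValueError on bad JSON
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and claims must be JSON objects")
    return header, claims, signature


def bearer_token(authorization: str) -> str:
    """Pull the credential out of an 'Authorization: Bearer <token>' header (RFC 6750)."""
    scheme, _, credential = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not credential.strip():
        raise ValueError("not a Bearer authorization header")
    return credential.strip()


def is_well_formed_jwt(token: str) -> bool:
    """True when the token has the three-segment structure the report describes."""
    try:
        parse_compact_jws(token)
    except ValueError:
        return False
    return True
```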
