Description
When receiving JWT tokens signed by AWS Application Load Balancer (ALB) in the x-amzn-oidc-data header, I'm encountering a verification issue due to AWS sending padded tokens.
Technical Details
- Root Cause: AWS ALB appears to pad the JWT tokens it sends with = in the x-amzn-oidc-data header. Some more detailed explanation of the issue here (not my blog, many thanks to whoever did it)
- Reproduction Scenario:
  - The x-amzn-oidc-data header contains a JWT with padding characters
  - When attempting to read/parse the JWT with padding, the JWT library fails
  - When padding is removed to allow successful parsing, signature verification fails
- Technical Dilemma:
  - With padding: Cannot successfully read/parse the JWT
  - Without padding: Can read the token but signature verification fails
What I've done so far
- The padding is consistently present in tokens from AWS ALB
- The standard JWT library behavior expects tokens without this padding
- The signature verification specifically fails when padding is removed
I've found two libraries that support this weird thing AWS does ([one here](https://github.com/lestrrat-go/jwx/pull/1328/files), and other here), unfortunately neither of them .NET. A bit old, but people seem to be using workarounds. Would you be able to implement support for this?
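Added example, not part of the original report and not code from any library it mentions: the handling the report asks for, written in Go with the standard library only. It assumes, as the two failure modes above imply, that the signature covers the first two segments exactly as sent (padding included) and that the token uses ES256; `VerifyPaddedES256`, `decodeSegment` and `demo` are hypothetical names, and the key and token are constructed in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
)

// decodeSegment accepts base64url with or without trailing '=' padding.
func decodeSegment(s string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "="))
}

// VerifyPaddedES256 pins ES256 itself; the algorithm is never read from the token header.
func VerifyPaddedES256(token string, pub *ecdsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a three-part compact JWS")
	}
	sig, err := decodeSegment(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad ES256 signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // as received, padding kept
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature mismatch")
	}
	return decodeSegment(parts[1]) // claims are decoded only after the check passes
}

// demo builds a constructed padded token, signed over its padded segments (assumption).
func demo() (string, *ecdsa.PublicKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	enc := base64.URLEncoding.EncodeToString // padded base64url
	in := enc([]byte(`{"alg":"ES256","kid":"demo"}`)) + "." + enc([]byte(`{"sub":"demo"}`))
	digest := sha256.Sum256([]byte(in))
	r, s, _ := ecdsa.Sign(rand.Reader, key, digest[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return in + "." + enc(sig), &key.PublicKey
}

func main() {
	claims, err := VerifyPaddedES256(demo())
	fmt.Println(string(claims), err)
}
```

Stripping the `=` characters before hashing changes the signing input, which is why the constructed token fails verification once its padding is removed.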