Hello folks,

The payload (and other parts) of a JSON Web Token (JWT, a popular and
growing auth standard: https://tools.ietf.org/html/rfc7519) is base64

Unfortunately, the payload encoding (specified in
https://tools.ietf.org/html/rfc7515) is defined as the "URL safe"
variant. This variant allows for the lossless omission of base64
padding ("=" or "=="), which the haproxy b64dec convertor doesn't
appear to be able cope with. The result of

  log-format %[<variable>,b64dec]

... when faced with such an unpadded string is just "-", which I take
to mean decoding failed. I believe it's failing on line 84 of

I've tried and failed to use a regex convertor to add padding to the
end, based on looking at the string's remainder after matching
clusters with '(.{4})+'. Annoyingly I can't make this work in the
regsub convertor as I believe it would require the use of grouping
parentheses, which aren't permitted by the parser currently.

I'm personally interested in this for logging the contents of JWT
payloads for audit. Is anyone else working with JWT in haproxy, in
this or any other context, and could share any tactics for dealing
with this problem?

Many thanks!

Reply via email to