Hi

On 1/9/23 19:49, Sara Golemon wrote:
> I've been working with JWTs lately and that means working with Base64URL
> format. (Ref: https://www.rfc-editor.org/rfc/rfc4648#section-5 )
> This is essentially the same thing as normal Base64, but instead of '+' and
> '/', it uses '-' and '_', respectively. It also allows leaving off the
> trailing '=' padding characters.

With JWTs you likely also want a constant time encoder that is not
susceptible to cache-timing leaks [1]. For this reason
https://github.com/paragonie/constant_time_encoding is a must-have
dependency for my projects and I generally use the functions of that
library by default, unless there is a reason not to (high performance
required). That library also includes a b32 implementation that cmb wished for.

There's also
https://www.php.net/manual/en/function.sodium-bin2base64.php which is
constant-time and supports b64url, unfortunately it's not guaranteed to
be available.

Best regards
Tim Düsterhus

[1] It's likely more important for encrypted tokens, than only for
signed ones.
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
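
The availability problem mentioned in the message above can be handled by feature detection. The following is an added example, not code from the thread or from either library: the helper names `b64url_encode` and `b64url_decode` are hypothetical, and refusing to fall back to `base64_encode()` plus `strtr()` is a design choice made here, so that token material never passes through a table-lookup encoder.

```php
<?php
declare(strict_types=1);

use ParagonIE\ConstantTime\Base64UrlSafe;

// Hypothetical helper: unpadded Base64URL (RFC 4648 section 5) using a
// constant-time encoder, preferring ext-sodium when it is loaded.
function b64url_encode(string $bin): string
{
    if (function_exists('sodium_bin2base64')) {
        return sodium_bin2base64($bin, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    }
    // class_exists() triggers the autoloader, so this only succeeds when
    // paragonie/constant_time_encoding is installed.
    if (class_exists(Base64UrlSafe::class)) {
        return Base64UrlSafe::encodeUnpadded($bin);
    }
    // Fail closed instead of silently using a non-constant-time encoder.
    throw new RuntimeException('No constant-time Base64URL encoder available');
}

// Hypothetical helper: the matching decoder for unpadded Base64URL input.
function b64url_decode(string $text): string
{
    if (function_exists('sodium_base642bin')) {
        // Rejects input outside the URL-safe alphabet with a SodiumException.
        return sodium_base642bin($text, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    }
    if (class_exists(Base64UrlSafe::class)) {
        return Base64UrlSafe::decode($text);
    }
    throw new RuntimeException('No constant-time Base64URL decoder available');
}

// Constructed sample inputs: a JWT-style header and three bytes that map to
// '+' and '/' in standard Base64, so the URL-safe alphabet is exercised.
$samples = ['{"alg":"HS256","typ":"JWT"}', "\xfb\xff\xfe"];

foreach ($samples as $raw) {
    $encoded = b64url_encode($raw);
    $roundTripOk = hash_equals($raw, b64url_decode($encoded));
    printf("%s  round-trip=%s\n", $encoded, $roundTripOk ? 'ok' : 'FAILED');
}
```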