- changed milestone to Errata
Reference JWS definition of base64url encoding
Issue #1251
resolved
It turns out that RFC 4648 that defines the base64url character set does NOT require the omission of padding characters. According to that specification, padding character =
is allowed. The JWS RFC 7515 does define and additional restriction to base64url encoding that requires that the padding character be omitted.
Recommending that we make an errata update to reference the JWS definition for base64url encoding within the core spec to be explicitly clear that all OIDC uses of base64url encoding are required to omit the padding characters.
Comments (5)
-
-
- changed status to open
-
-
assigned issue to
I agree that we should add this clarification.
-
assigned issue to
-
-
- changed status to resolved
Addressed by the now-merged PR
- Log in to comment