Intermittent failures with the following error when the URL-safe backend JWT token encoding was used. #3544

Closed
janithcmw opened this issue Jan 26, 2025 · 1 comment

Comments

@janithcmw

Description

Hi All,

I have extended the 'APIMgtGatewayUrlSafeJWTGeneratorImpl' class to generate a custom backend JWT and was able to successfully pass the required attribute to the backend as well.

But immediately the following error appears in the GW logs.

ERROR {org.apache.synapse.transport.passthru.ServerWorker} - Error processing POST request for : /path/of/my/api. java.lang.IllegalArgumentException: Illegal base64 character 5f
	at java.base/java.util.Base64$Decoder.decode0(Base64.java:746)
	at java.base/java.util.Base64$Decoder.decode(Base64.java:538)
	at java.base/java.util.Base64$Decoder.decode(Base64.java:561)
	at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.generateAndRetrieveJWTToken_aroundBody4(JWTValidator.java:322)
	at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.generateAndRetrieveJWTToken(JWTValidator.java:1)
	at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.authenticate_aroundBody0(JWTValidator.java:257)
	at org.wso2.carbon.apimgt.gateway.handlers.security.jwt.JWTValidator.authenticate(JWTValidator.java:1)
	at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate_aroundBody4(OAuthAuthenticator.java:298)
	at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:1)
	at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody56(APIAuthenticationHandler.java:546)
	at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:1)
	at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody46(APIAuthenticationHandler.java:416)
	at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:1)
	at org.apache.synapse.api.API.process(API.java:403)
	at org.apache.synapse.api.AbstractApiHandler.apiProcessNonDefaultStrategy(AbstractApiHandler.java:108)
	at org.apache.synapse.api.AbstractApiHandler.identifyAPI(AbstractApiHandler.java:128)
	at org.apache.synapse.api.AbstractApiHandler.dispatchToAPI(AbstractApiHandler.java:60)
	at org.apache.synapse.api.rest.RestRequestHandler.dispatchToAPI(RestRequestHandler.java:90)
	at org.apache.synapse.api.rest.RestRequestHandler.process(RestRequestHandler.java:76)
	at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:54)
	at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:352)
	at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:101)
	at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
	at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:399)
	at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:458)
	at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:206)
	at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)

It seems the above is a decoding error related to the two base64 encoding types, default and URL-safe. This was noticed because the symbol '_' was present in the failed backend JWT token and, as per the background search, "_" is expected with the URL-safe encoding but not with the default encoding.

So it seems the GW is trying to decode the URL-safe encoding with the default encoding, but to be compatible with the URL-safe encoding the following configurations are also used in the 'deployment.toml' file.

[apim.jwt]
enable = true
encoding = "base64url"
...

Best Regards,
Janith.

Steps to Reproduce

  1. Write a custom JWT generator by extending the 'APIMgtGatewayUrlSafeJWTGeneratorImpl'.
  2. Observe the backend JWT token and validate whether there is any unexpected character which is not accepted by the base64 URL safe encoding but not with the default base64 encoding.
  3. Invoke an API multiple times. Intermittently, the pointed error can be seen.

Version

APIM-4.2.0

Environment Details (with versions)

No response
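
The decoder mismatch described in this report can be reproduced with the JDK alone. The following is an added example, not code from the issue or from WSO2; the class name, claim names and values are constructed. It encodes JSON payloads with the URL-safe alphabet and shows that `Base64.getDecoder()` rejects only those segments that happen to contain `_`, which is why the failure looks intermittent.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration, not WSO2 code. Class name, claim names and values are constructed.
public class Base64UrlMismatchDemo {

    // Encode a JWT segment with the URL-safe alphabet (RFC 4648 section 5), no padding.
    static String encodeSegment(String json) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    // Returns null if the basic (RFC 4648 section 4) decoder accepts the segment,
    // otherwise the exception message, e.g. "Illegal base64 character 5f".
    static String basicDecoderError(String segment) {
        try {
            Base64.getDecoder().decode(segment);
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        int rejected = 0;
        String[] subjects = {"a", "ab", "abc", "abcd", "abcde", "abcdef"};
        for (String sub : subjects) {
            // Only the subject length changes; it shifts where '?' falls in a 3-byte group,
            // and '?' as the last byte of a group encodes to '_' (or '/' in the basic alphabet).
            String json = "{\"sub\":\"" + sub
                    + "\",\"callback\":\"https://example.test/cb?x=1\"}";
            String segment = encodeSegment(json);
            String error = basicDecoderError(segment);
            if (error != null) {
                rejected++;
            }
            // The URL-safe decoder accepts every segment and round-trips the payload.
            String decoded = new String(
                    Base64.getUrlDecoder().decode(segment), StandardCharsets.UTF_8);
            System.out.printf("sub=%-6s basic=%-30s urlRoundTrip=%b%n",
                    sub, error == null ? "ok" : error, decoded.equals(json));
        }
        System.out.println(rejected + " of " + subjects.length
                + " segments rejected by Base64.getDecoder()");
    }
}
```

Segments without `-` or `_` decode identically under both alphabets, so a test suite with a handful of fixed tokens can pass while production traffic fails.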

@npamudika

Fixed via wso2/carbon-apimgt@2b3498c

@npamudika npamudika added this to the 4.5.0-M2 milestone Feb 7, 2025