<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Nat,<div class=""><br class=""></div><div class="">As per discussion on the FAPI WG call, I'm struggling to understand where in the specs it says that the base64url encoding of s_hash (and c_hash and at_hash) are not padded with '='.</div><div class=""><br class=""></div><div class="">I fully accept that for all practical purposes these should not be padded, but I can't find where in the specs it says that. One vendor is padding s_hash and believes they are compliant with the spec as written.</div><div class=""><br class=""></div><div class=""><a href="http://openid.net/specs/openid-connect-core-1_0.html" class="">http://openid.net/specs/openid-connect-core-1_0.html</a> says simply "base64url encoded". It doesn't appear to reference any specific spec for base64url.</div><div class=""><br class=""></div><div class="">The canonical reference for base64url is I believe <a href="https://tools.ietf.org/html/rfc4648#section-5" class="">https://tools.ietf.org/html/rfc4648#section-5</a></div><div class=""><br class=""></div><div class="">This states:</div><div class=""><br class=""></div><div class=""><blockquote type="cite" class=""><pre class="newpage" style="font-size: 13.333333015441895px; margin-top: 0px; margin-bottom: 0px; break-before: page;"> The pad character "=" is typically percent-encoded when used in an
URI [<a href="https://tools.ietf.org/html/rfc4648#ref-9" title=""Uniform Resource Identifier (URI): Generic Syntax"" class="">9</a>], but if the data length is known implicitly, this can be
avoided by skipping the padding; see <a href="https://tools.ietf.org/html/rfc4648#section-3.2" class="">section 3.2</a>.
</pre></blockquote></div><div class=""><pre class="newpage" style="font-size: 13.333333015441895px; margin-top: 0px; margin-bottom: 0px; break-before: page;"><br class=""></pre><pre class="newpage" style="font-size: 13.333333015441895px; margin-top: 0px; margin-bottom: 0px; break-before: page;"><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class="">and section 3.2 states:</div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class=""><br class=""></div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class=""><blockquote type="cite" class=""><pre class="newpage" style="font-size: 13.333333015441895px; margin-top: 0px; margin-bottom: 0px; break-before: page;"> Implementations MUST include appropriate pad characters at the end of
encoded data unless the specification referring to this document
explicitly states otherwise.
</pre></blockquote><div class=""><pre class="newpage" style="font-size: 13.333333015441895px; margin-top: 0px; margin-bottom: 0px; break-before: page;"><br class=""></pre></div></div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class="">This clearly states the value should be padded, as OIDC does not explicitly say padding should be skipped.</div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class=""><br class=""></div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class="">I searched further and found <a href="https://tools.ietf.org/html/rfc7515" class="">https://tools.ietf.org/html/rfc7515</a>. This does explicitly state:</div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class=""><br class=""></div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class=""><blockquote type="cite" class=""><pre class="newpage" style="font-size: 13.333333015441895px; margin-top: 0px; margin-bottom: 0px; break-before: page;"> Base64url Encoding
Base64 encoding using the URL- and filename-safe character set
defined in <a href="https://tools.ietf.org/html/rfc4648#section-5" class="">Section 5 of RFC 4648</a> [<a href="https://tools.ietf.org/html/rfc4648" title=""The Base16, Base32, and Base64 Data Encodings"" class="">RFC4648</a>], with all trailing '='
characters omitted (as permitted by <a href="https://tools.ietf.org/html/rfc7515#section-3.2" class="">Section 3.2</a>) and without the
inclusion of any line breaks, whitespace, or other additional
characters. Note that the base64url encoding of the empty octet
sequence is the empty string. (See <a href="https://tools.ietf.org/html/rfc7515#appendix-C" class="">Appendix C</a> for notes on
implementing base64url encoding without padding.)
</pre></blockquote><div class=""><pre class="newpage" style="font-size: 13.333333015441895px; margin-top: 0px; margin-bottom: 0px; break-before: page;"><br class=""></pre><pre class="newpage" style="font-size: 13.333333015441895px; margin-top: 0px; margin-bottom: 0px; break-before: page;"><br class=""></pre><pre class="newpage" style="font-size: 13.333333015441895px; margin-top: 0px; margin-bottom: 0px; break-before: page;"><pre class="newpage" style="margin-top: 0px; margin-bottom: 0px; break-before: page;"><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class="">So it appears we have two RFCs, which defines base64url differently.</div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class=""><br class=""></div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class="">OIDC Core does not appear to explicitly state which definition of base64url it is using - can you point at anything I've missed?</div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class=""><br class=""></div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class="">I think perhaps the FAPI definition of s_hash should explicitly reference rfc7515's definition.</div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class=""><br class=""></div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class="">Thanks</div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class=""><br class=""></div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class="">Joseph</div><div style="font-family: Helvetica; font-size: 12px; white-space: normal;" class=""><br class=""></div><div class=""><br class=""></div></pre></pre></div></div></pre></div></body></html>