[Openid-specs-fapi] padding of s_hash with =
nat at sakimura.org
Wed Feb 7 04:56:49 UTC 2018
I agree that the OpenID Connect errata should include the referred
definition in RFC7515, and FAPI Part 1 and 2 should include RFC7515 as
well as RFC7516, RFC7517, RFC7518, and RFC7519 in clause 3. As far
as FAPI is concerned, RFC7515 should be included in the normative
references as well, though it is included indirectly through OIDC.
The precedence of the referencing is Normative Reference > Definition in
the document series > Author Intention > Other Standards.
OpenID Connect does not reference RFC4648 but normatively references
RFC7515 (as JWS). So, clearly, the definition in RFC7515 takes
precedence over that of RFC4648.
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation
On 2018-02-07 04:24, Joseph Heenan wrote:
> Hi Nat,
> Thanks. I agree it is defined there, but OIDC Core doesn't appear to state that this is the definition it is using!
> (It is unhelpful that RFC7515 and RFC4648 both define the term 'base64url', but in different ways.)
> On 7 Feb 2018, at 12:07, Nat Sakimura <nat at sakimura.org> wrote:
> It is defined in RFC7515
> Base64url Encoding
> Base64 encoding using the URL- and filename-safe character set defined in Section 5 of RFC 4648 [RFC4648], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the inclusion of any line breaks, whitespace, or other additional characters. Note that the base64url encoding of the empty octet sequence is the empty string. (See Appendix C for notes on implementing base64url encoding without padding.)
> Get Outlook for Android
> On Wed, Feb 7, 2018 at 9:56 AM +0900, "Joseph Heenan" <joseph at authlete.com> wrote:
> Hi Nat,
> As per discussion on the FAPI WG call, I'm struggling to understand where in the specs it says that the base64url encoding of s_hash (and c_hash and at_hash) are not padded with '='.
> I fully accept that for all practical purposes these should not be padded, but I can't find where in the specs it says that. One vendor is padding s_hash and believes they are compliant with the spec as written.
> http://openid.net/specs/openid-connect-core-1_0.html  says simply "base64url encoded". It doesn't appear to reference any specific spec for base64url.
> The canonical reference for base64url is I believe https://tools.ietf.org/html/rfc4648#section-5 
> This states:
> The pad character "=" is typically percent-encoded when used in an
> URI [9], but if the data length is known implicitly, this can be
> avoided by skipping the padding; see section 3.2.
> and section 3.2 states:
> Implementations MUST include appropriate pad characters at the end of
> encoded data unless the specification referring to this document
> explicitly states otherwise.
> This clearly states the value should be padded, as OIDC does not explicitly say padding should be skipped.
> I searched further and found https://tools.ietf.org/html/rfc7515 . This does explicitly state:
> Base64url Encoding
> Base64 encoding using the URL- and filename-safe character set
> defined in Section 5 of RFC 4648 [RFC4648], with all trailing '='
> characters omitted (as permitted by Section 3.2) and without the
> inclusion of any line breaks, whitespace, or other additional
> characters. Note that the base64url encoding of the empty octet
> sequence is the empty string. (See Appendix C for notes on
> implementing base64url encoding without padding.)
> So it appears we have two RFCs which define base64url differently.
> OIDC Core does not appear to explicitly state which definition of base64url it is using - can you point at anything I've missed?
> I think perhaps the FAPI definition of s_hash should explicitly reference rfc7515's definition.
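The disagreement in the thread is between RFC 4648 Section 3.2 (pad with '=' unless the referring spec says otherwise) and RFC 7515's base64url (no padding). The following is an added example, not code from the thread, the OpenID Foundation or any vendor: it computes at_hash / c_hash / s_hash the way OpenID Connect Core 3.3.2.11 describes (hash the ASCII octets of the value with the hash function of the ID Token's alg, keep the left-most half, base64url-encode without padding) and then validates an incoming claim strictly, distinguishing "wrong digest" from "right digest but padded with '='", which is the interoperability failure the vendor in the thread would trigger. The alg-to-hash table and the sample state value are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import re

# Hash function used by each JWS "alg" (OIDC Core: the hash for at_hash/c_hash
# is the one used by the ID Token's alg, e.g. RS256 -> SHA-256). Table is an
# assumption made for this example; extend it for the algs you accept.
_ALG_TO_HASH = {
    **{a: hashlib.sha256 for a in ("HS256", "RS256", "ES256", "PS256")},
    **{a: hashlib.sha384 for a in ("HS384", "RS384", "ES384", "PS384")},
    **{a: hashlib.sha512 for a in ("HS512", "RS512", "ES512", "PS512")},
}

# RFC 7515 base64url: URL-/filename-safe alphabet only, no '=' allowed.
_RFC7515_B64URL = re.compile(r"^[A-Za-z0-9_-]*$")


def b64url_nopad(data: bytes) -> str:
    """RFC 7515 'Base64url Encoding': RFC 4648 Section 5 alphabet, trailing
    '=' removed, no line breaks. The empty octet sequence encodes to ''."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def half_hash(value: str, alg: str) -> str:
    """at_hash / c_hash / s_hash value for `value` (access_token, code or
    state): hash the ASCII octets with the alg's hash function, keep the
    left-most half of the digest, base64url-encode it without padding."""
    digest = _ALG_TO_HASH[alg](value.encode("ascii")).digest()
    return b64url_nopad(digest[: len(digest) // 2])


def check_hash_claim(claim: str, value: str, alg: str) -> tuple[bool, str]:
    """Strictly validate a hash claim against the value it protects.

    Returns (ok, reason). Only the RFC 7515 form is accepted; a claim whose
    digest is right but which carries RFC 4648-style '=' padding is reported
    as such, so an RP can tell a forged token from a mis-encoding.
    """
    expected = half_hash(value, alg)
    if not _RFC7515_B64URL.match(claim):
        if claim.endswith("=") and claim.rstrip("=") == expected:
            return False, "correct digest but padded with '=' (RFC 4648 form, not RFC 7515)"
        return False, "not base64url"
    # Constant-time comparison: a claim is still an attacker-controlled input.
    if not hmac.compare_digest(claim.encode("ascii"), expected.encode("ascii")):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    state = "af0ifjsldkj"  # constructed sample state value
    s_hash = half_hash(state, "RS256")
    print("s_hash (RS256):", s_hash)
    print("unpadded:", check_hash_claim(s_hash, state, "RS256"))
    print("padded:  ", check_hash_claim(s_hash + "==", state, "RS256"))
```

Note that a SHA-256 half (16 bytes) and a SHA-512 half (32 bytes) would both carry '=' under RFC 4648 padding, whereas a SHA-384 half (24 bytes) would not, so a padding bug only shows up for some algs; a conformance test should exercise at least one alg from each group.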