Summarized questions
- Can a JWT token's payload with an underscore character be valid? To my understanding it cannot, since it has to be base64 encoded.
- If not, why does firebase sometimes generate such a token and why is the firebase Admin SDK able to verify and decode it?
- If yes, where is that documented and how can I read the payload in javascript on the client (without verifying it), since `atob` will fail on such a string.
Some context
I'm using firebase for authentication. I'd like to read (not verify) the id token's payload. I need it to show/hide stuff from the UI, and I used the method described in the firebase documentation.
However in certain cases (I only experience it when I log in with my facebook account), the payload of the token contains an `_` and is therefore not base64 decoded. Hence the error I get when calling `atob` on it.
How is this possible? My understanding from reading the JWT documentation is that the payload has to be base64 encoded. All characters actually are valid base64 characters, except for that underscore.
The token however is successfully verified and decoded when I send it to a firebase function and call `admin.auth().verifyIdToken(idToken)` on it.
- Please post the full token. – Nikoloz Shvelidze, commented Mar 3, 2018 at 11:05
1 Answer
> Can a JWT token's payload with an underscore character be valid? To my understanding it cannot, since it has to be base64 encoded.

JWT tokens are base64url encoded, which is slightly different to base64. It changes `+` to `-` and `/` to `_` and removes the trailing `=`.

> If not, why does firebase sometimes generate such a token and why is the firebase Admin SDK able to verify and decode it?

`_` is a valid char. See above.

> If yes, where is that documented

RFC 7519 JSON Web Token:

> A JWT is represented as a sequence of URL-safe parts separated by period ('.') characters. Each part contains a base64url-encoded value.

> how can I read the payload in javascript on the client (without verifying it), since atob will fail on such a string.

Just replace `-` with `+` and `_` with `/` to get a base64. See an example function extracted from here:
```javascript
function Base64DecodeUrl(str){
  // Restore the standard base64 alphabet and the '=' padding that base64url drops.
  // A base64url string whose length is 3 (mod 4) needs one '=', not three, so the
  // padding length is computed explicitly instead of slicing from a fixed '==='.
  // The result is plain base64; pass it to atob() to get the payload bytes.
  str = str.replace(/-/g, '+').replace(/_/g, '/');
  return str + '='.repeat((4 - (str.length % 4)) % 4);
}
```
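As an added example (not the answer's own code), the complete client-side read of a token payload: base64url to base64 with correct padding for every part length, then the UTF-8 step that `atob` alone skips. The token is constructed for this example and its signature part is a dummy.

```javascript
// Added example: read a JWT payload in the browser without verifying it.
// Two things atob() alone gets wrong: the missing '=' padding and UTF-8 text.

// base64url -> standard base64: restore '+' and '/' and re-add the padding
// the compact JWS form strips. A 19-char part needs one '=', not three.
function base64UrlToBase64(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  return b64 + '='.repeat((4 - (b64.length % 4)) % 4);
}

// atob() returns a "binary string" (one char per byte); collect the bytes and
// decode them as UTF-8 so a name such as "Zoë" from a social login survives.
function decodeBase64UrlPart(part) {
  const b64 = base64UrlToBase64(part);
  const bin = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary'); // fallback for old Node
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes);
}

// Split header.payload.signature and parse the payload. Nothing here checks
// the signature, so the result is only good for UI hints; authorization must
// stay with verifyIdToken() on the server.
function readJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWT with 3 parts');
  return JSON.parse(decodeBase64UrlPart(parts[1]));
}

// Constructed sample token (not a real Firebase ID token):
//   header    {"alg":"RS256","typ":"JWT"}
//   payload   {"name":"Zoë","msg":"???"}  -> base64url form contains two '_'
//   signature dummy bytes "sig"
const SAMPLE_TOKEN =
  'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJuYW1lIjoiWm_DqyIsIm1zZyI6Ij8_PyJ9.' +
  'c2ln';

console.log(readJwtPayload(SAMPLE_TOKEN)); // { name: 'Zoë', msg: '???' }
```

Passing the payload part of `SAMPLE_TOKEN` straight to `atob` throws, because of the `_` characters; after `base64UrlToBase64` it decodes cleanly.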