jsonwebtoken

Urlsafe base64 hmac keys

Open andrewbaxter opened this issue 1 year ago • 2 comments

In the ACME RFC (https://datatracker.ietf.org/doc/html/rfc8555#section-7.3.4) it says

The MAC key SHOULD be provided in base64url-encoded form, to maximize compatibility between non-ACME provisioning systems and ACME clients.

Right now from_base64_secret does base64-standard decoding. Is this common for other protocols that use HMAC keys?

I think a url-safe base64 method would be useful, since ACME users will have url-safe base64 strings from ACME providers and they'd be able to bridge that to this library without needing an extra direct dependency just to hand the key over. Url-safe base64 also aligns with a lot of the rest of the JOSE specs so I'd expect that to be common.

Sorry, this is a pretty trivial issue, but what about something like from_urlsafe_base64_secret or from_base64_hmac?

andrewbaxter, Jan 12 '24 13:01

I don't know how common that is but there are some people using b64 encoded hmac secrets. It would be ok to add a from_urlsafe_base64_secret.

Keats, Jan 13 '24 17:01

https://github.com/andrewbaxter/fork-jsonwebtoken/pull/3 targeted at the acme/jws branch

andrewbaxter, Jan 17 '24 11:01
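The alphabet mismatch discussed in this thread, as an added example that is not part of the issue, the linked pull request or the jsonwebtoken crate: a base64url key is rejected by a standard-alphabet decoder, and a small bridge rewrites it into padded standard base64 of the kind `from_base64_secret` is described as decoding. The function names and the sample key are hypothetical, the code uses only the standard library, and it assumes the standard decoder expects `=` padding.

```rust
/// Map one base64 character to its 6-bit value in the chosen alphabet.
fn sextet(c: u8, urlsafe: bool) -> Option<u8> {
    match c {
        b'A'..=b'Z' => Some(c - b'A'),
        b'a'..=b'z' => Some(c - b'a' + 26),
        b'0'..=b'9' => Some(c - b'0' + 52),
        b'-' if urlsafe => Some(62),
        b'_' if urlsafe => Some(63),
        b'+' if !urlsafe => Some(62),
        b'/' if !urlsafe => Some(63),
        _ => None, // includes characters from the other alphabet
    }
}

/// Decode base64 in either alphabet; trailing '=' padding is optional here.
fn decode(input: &str, urlsafe: bool) -> Option<Vec<u8>> {
    let body = input.trim_end_matches('=').as_bytes();
    if body.len() % 4 == 1 { return None; } // impossible length
    let mut out = Vec::with_capacity(body.len() * 3 / 4);
    let (mut acc, mut bits) = (0u32, 0u32);
    for &c in body {
        acc = (acc << 6) | sextet(c, urlsafe)? as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    if acc != 0 { None } else { Some(out) } // reject stray trailing bits
}

/// Rewrite a base64url key as padded standard base64 for a standard-only decoder.
fn urlsafe_to_standard(key: &str) -> Option<String> {
    decode(key, true)?; // validate first so bad input is not passed along
    let mut s: String = key.trim_end_matches('=').chars()
        .map(|c| match c { '-' => '+', '_' => '/', other => other })
        .collect();
    while s.len() % 4 != 0 { s.push('='); }
    Some(s)
}

fn main() {
    let key = "-_8"; // constructed sample key: bytes 0xfb 0xff
    println!("standard decode: {:?}", decode(key, false));
    println!("bridged: {:?}", urlsafe_to_standard(key));
}
```

Any key whose bytes happen to encode to `-` or `_` fails outright under standard decoding, which is preferable to a silent mis-decode that would only surface later as a MAC verification failure.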