<div dir="ltr">It&#39;s base 64 url encoded, not base 64 encoded, so some padding is removed. I&#39;ve just checked the payload you have above that is missing using <a href="http://kjur.github.io/jsjws/tool_b64udec.html">http://kjur.github.io/jsjws/tool_b64udec.html</a> and it&#39;s working just fine.</div><div class="gmail_extra"><br><div class="gmail_quote">On 10 May 2016 at 01:49, Fabricio Milone <span dir="ltr">&lt;<a href="mailto:fabricio.milone@shinetech.com" target="_blank">fabricio.milone@shinetech.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi everyone,<div><br clear="all"><div><div>I&#39;ve been experiencing some random issues when trying to decode the returned idToken from the /protocol/openid-connect/token call. </div><div><br></div><div>I&#39;ve found that sometimes the returned idToken is not multiple of 4 and has no padding at the end of the payload section (where mappers are added). 
So the result is that I&#39;m losing the last 2 characters of the last mapper value.</div></div><div><br></div><div>This is one example of a failing token (payload only):</div><div><br></div><div>787 chars (should be 788)</div><div><br></div><div>If you try to decode it, you&#39;ll get:</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">{&quot;jti&quot;:&quot;85ce8eee-47f9-4393-878b-b24b504ab31f&quot;,&quot;exp&quot;:1462766723,&quot;nbf&quot;:0,&quot;iat&quot;:1462766423,&quot;iss&quot;:&quot;<a href="https://idm-s2.sb.dev.sbetenv.com/auth/realms/electricsheep" target="_blank">https://idm-s2.sb.dev.sbetenv.com/auth/realms/electricsheep</a>&quot;,&quot;aud&quot;:&quot;es&quot;,&quot;sub&quot;:&quot;03edc374-c820-4d1a-ba7f-3f479f8db2c8&quot;,&quot;typ&quot;:&quot;ID&quot;,&quot;azp&quot;:&quot;es&quot;,&quot;session_state&quot;:&quot;1cb4297f-8807-48ee-80a5-a12974a7a2bd&quot;,&quot;name&quot;:&quot;fname lname&quot;,&quot;custId&quot;:&quot;2567581&quot;,&quot;preferred_username&quot;:&quot;anthtest&quot;,&quot;given_name&quot;:&quot;fname&quot;,&quot;family_name&quot;:&quot;lname&quot;,&quot;email&quot;:&quot;<a href="mailto:noboday@sportsbet.com.au" target="_blank">noboday@sportsbet.com.au</a>&quot;,&quot;token&quot;:&quot;k8gsZ+9lWGeeEhomvwOhpY9myfywNB/BXMFYpDB1+e7GDBQkHuGPRb2G8N1b1Qw2rPwNV+oM2sQILUYWau/HqEgrVQXFxgPwgSUyzQKqhF2uoJ7rsLRdHW3kvQG/I1G5ZQmFygDMokcT</blockquote><div><br></div><div>Which is incomplete. 
The last two chars (which are <b>&quot;}</b>) are missing at the end.</div><div><br></div><div>So now, if I take the correct complete json and try to encode using another library (as the one used here: <a href="https://www.base64encode.org/" target="_blank">https://www.base64encode.org/</a>), I&#39;ll get:</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><b>=</b></blockquote><div><br></div><div>(788 chars, which is ok)</div><div><br></div><div>Note the equal sign at the end.</div><div><br></div><div>I&#39;m wondering why Keycloak is not adding those paddings, is that a bug in the lib you are using to encode the payload?</div><div><br></div><div>As of now, I&#39;m using a workaround that checks for the length of the token and adds the missing padding when needed before trying to decode it.</div><div><br></div><div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span>while</span><span> (payload.length() % </span><span>4</span><span> != </span><span>0</span><span>) payload += </span><span>&quot;=&quot;</span><span>;</span></blockquote></div><div><br></div><div>That works but it is not ideal. </div><div><br></div><div><b>Should I create a bug on Keycloak&#39;s issue tracker?</b></div><div><br></div><div>Thanks in advance.</div><div><br></div><div>Regards, </div><div>Fab</div>-- <br><div><div dir="ltr"><div><span style="font-size:12.8px;font-family:Verdana,Arial,Helvetica,sans-serif"><b><font color="#000000">Fabricio Milone</font></b></span></div><div><span style="font-size:12.8px;font-family:Verdana,Arial,Helvetica,sans-serif"><font color="#000000">Developer</font></span></div><span style="font-size:12.8px;font-family:Verdana,Arial,Helvetica,sans-serif"><b><font color="#009900"><div><span style="font-size:12.8px;font-family:Verdana,Arial,Helvetica,sans-serif"><b><font color="#009900"><br></font></b></span></div>Shine Consulting </font></b></span><span style="font-size:12.8px;font-family:Verdana,Arial,Helvetica,sans-serif"><p style="font-size:13.3px;color:rgb(0,153,0);margin:0pt"><span style="color:rgb(0,0,0)">30/600 Bourke Street</span></p><p style="font-size:13.3px;color:rgb(0,153,0);margin:0pt"><span style="color:rgb(0,0,0)">Melbourne VIC 3000</span></p><p style="font-size:13.3px;color:rgb(0,153,0);margin:0pt"><span style="color:rgb(0,0,0)">T: 03 8488 9939</span></p><p style="font-size:13.3px;color:rgb(0,153,0);margin:0pt"><span style="color:rgb(0,0,0)">M: 04 3200 4006</span></p><p style="font-size:13.3px;color:rgb(0,153,0);margin:0pt"><span style="color:rgb(0,0,0)"><br></span></p></span><span style="font-size:13.3px;font-family:Verdana,Arial,Helvetica,sans-serif"><span style="font-size:13.3px"><p style="margin:0pt"><a href="http://www.shinetech.com/" 
style="color:rgb(51,51,51)" target="_blank">www.shinetech.com</a><font color="#333333">  </font><i style="color:rgb(51,51,51)"><b>a</b></i><font color="#333333"> passion for excellence</font></p></span></span></div></div>
</div></div>
</blockquote></div><br></div>
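<div dir="ltr">Added example, not part of either message in this thread and not Keycloak&#39;s code: the thread&#39;s point in Python. A JWT segment is base64url with the padding stripped, so a strict decoder restores the <b>=</b> before decoding, while a decoder that skips an incomplete final group loses the trailing <b>&quot;}</b>. The claims and all function names are constructed for illustration.</div>

```python
import base64
import json
import re

_B64URL = re.compile(r"[A-Za-z0-9_-]*")

def b64url_encode(data: bytes) -> str:
    """Encode as JWS does (RFC 7515): URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment, restoring the padding the issuer left out."""
    if not _B64URL.fullmatch(segment):
        raise ValueError("character outside the unpadded base64url alphabet")
    if len(segment) % 4 == 1:
        # No byte string encodes to this length, so the segment was cut or
        # corrupted; report it instead of padding it.
        raise ValueError("impossible base64url length")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def lenient_decode(segment: str) -> bytes:
    """Mimic a decoder that silently skips an incomplete final 4-char group."""
    whole = len(segment) - len(segment) % 4
    return base64.urlsafe_b64decode(segment[:whole])

# Constructed claims (not the token from the thread): 50 bytes of JSON, so the
# unpadded encoding is 67 chars and standard base64 would append one '='.
RAW = json.dumps({"sub": "constructed-user", "token": "k8gsZ+9l/HqEg"},
                 separators=(",", ":")).encode("utf-8")
SEGMENT = b64url_encode(RAW)

if __name__ == "__main__":
    print(len(SEGMENT), len(SEGMENT) % 4)       # segment length and remainder
    print(lenient_decode(SEGMENT).decode())     # JSON without its last 2 bytes
    print(json.loads(b64url_decode(SEGMENT)))   # complete claims
```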