Re: base64 URL decode - for jwt

Yeah - the UTF-8 vs. EBCDIC - especially SHA-256-ing it - took me a while.

In the end I even had a overlapping DS where a "binary" character field was overlapped with an UTF-8 character field, because I didn't find a way to "move" the value without mixing it up - but I think that was only the SHA-256 API.

Mihael has implemented JWT auth in ILEastic - maybe his code can help you?

-> https://github.com/sitemule/ILEastic/blob/master/plugins/jwt/jwt.rpgmod

I hacked that together the other way around - creating a JWT to authenticate to a web service. But basically it's the same.

Of course I can try to look at your code - maybe GitHub? Or an account on PUB400?

I'm not at the office this week, but next week I can look how I implemented it myself.

Regards,
Daniel

Am 05.03.2025 um 19:50 schrieb Jay Vaughn <jeffersonvaughn@xxxxxxxxx>:

yeah this is definitely the piece I cannot hack.

I did a base64 encode in another project and before the encoding I'd
declare an rpg variable as varchar(256) and ccsid(1208)
then base64 encode would work fine.

but

base64_decode will result in a blob...

and even though I'm doing a...

set o_token = cast( qsys2.base64_decode(trim(i_token))
as varchar(2048) ccsid 1208);

It is still not legible. (even if I remove the ccsid 1208 - it is not
legible.

Daniel, are you able to reference any live code and tell me which part I'm
missing here?

thanks

Jay

On Wed, Mar 5, 2025 at 11:36 AM Daniel Gross <daniel@xxxxxxxx> wrote:

JWTs are UTF-8 by default - so what you see is most probably the binary
representation of UTF-8 chars.

Somewhere on the way, you have to translate it from UTF-8 to EBCDIC, if
you want to have it readable.

But the third part of the JWT - the signature - is always relying on the
UTF-8 representation - so if you want to check it (and that's the idea
behind JWT) you have to check it over the UTF-8 strings.

HTH
Daniel

Am 05.03.2025 um 16:38 schrieb Jay Vaughn <jeffersonvaughn@xxxxxxxxx>:

appreciate both of your inputs - I have this coded correctly in an SQL
function... I pass in a char(1000) token and it parse the header/body out
(between the two periods in the token), then converts char's as needed,
then does a mod 4 in a loop to get the correct number of "=" appended....
I can assure this is working because in debug I pull that result string

out

and put it in a browser with a base64decode tool and it decodes the

values

correctly.. .

But as my steps in my SQL fun proceed to the ...

values varchar(qsys2.base64_decode(trim(i_token)),32000) into o_token...

I have nothing but gibberish in o_token....

and if I call the udf from ACS, I also see gibberish...

If I don't put the varchar(x,32000) around the base64 it says it is too
large (and i think it produces a blob).

any advice on this last piece?

thanks

Jay

On Wed, Mar 5, 2025 at 1:09 AM Daniel Gross <daniel@xxxxxxxx> wrote:
Hi Jack,
with all due respect - but no.
URL encoding a string and then Base64 encoding it, is not what Base64URL
means.
Base64URL is a sub-scheme of Base64 and is used to encode chunks of

binary

information in a way, that can be transmitted inside an URL.
Therefore the Base64 encoding is applied, but the sextet code points,

that

would normally result in the characters "+" (111110) and "/" (111111)

are

replaced with the URL safe characters "-" and "_". The valueless padding
character "=" in omitted (or optional).
Let's say you would encode the following string (without the quotes
hopefully the UTF-8 chars come thru correctly):
"ϏϿ"
If we were going your way to URL encode that first, and then Base64-ing

it:

URL Encode: %CF%8F%CF%BF
Base64: JUNGJThGJUNGJUJG
Also Base64 first and URL encode the result is wrong:
Base64: z4/Pvw==
URL Encode: z4%2FPvw%3D%3D
In fact the correct result is:
Base64URL: z4_Pvw
or alternatively: z4_Pvw==
The Base64URL encoding can be created by Base64 encoding, and then:
replace "+" with "-"
replace "/" with "_"
strip off "=" and the end
Therefor decoding it, is applying these steps backwards.
Kind regards,
Daniel

Am 04.03.2025 um 23:25 schrieb Jack Woehr via MIDRANGE-L <

midrange-l@xxxxxxxxxxxxxxxxxx>:

apologies, safelinks apparently crapped up my post.
The point is that if you urlencode a url and then base64 encode it,

that's what you're looking for, what you're calling "base64url".

And then you can reverse the steps to reverse the process.
________________________________
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> on behalf of

Jack Woehr via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx>

Sent: Tuesday, March 4, 2025 15:21
To: midrange-l@xxxxxxxxxxxxxxxxxx <midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: Jack Woehr <jack.woehr@xxxxxxxxxxx>
Subject: Re: base64 URL decode - for jwt
CAUTION: This email originated from outside of the organization. Do not

click links or open attachments unless you recognize the sender and know
the content is safe.

I think you misunderstood my example.
Maybe this makes it clearer:
$ php -a
Interactive shell
php > $url = 'https://foo.bar.com/woof?arf=%22some string"';
php > $urlencoded = urlencode($url);
php > var_dump($urlencoded);
string(58) "https%3A%2F%2Ffoo.bar.com

%2Fwoof%3Farf%3D%22some+string%22"

php > $urlencoded_base64encoded = base64_encode($urlencoded);
php > var_dump($urlencoded_base64encoded);
string(80)

"aHR0cHMlM0ElMkYlMkZmb28uYmFyLmNvbSUyRndvb2YlM0ZhcmYlM0QlMjJzb21lK3N0cmluZyUyMg=="

php > print(urldecode(base64_decode($urlencoded_base64encoded)));
https://foo.bar.com/woof?arf=%22some<

https://foo.bar.com/woof?arf=%22some> string"

________________________________
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> on behalf of

Daniel Gross <daniel@xxxxxxxx>

Sent: Tuesday, March 4, 2025 14:06
To: midrange-l@xxxxxxxxxxxxxxxxxx <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: base64 URL decode - for jwt
Hi Jack,
base64 != base64url
Jack Woehr
Independent Consulting Programmer
303-847-8442
jack.woehr@xxxxxxxxxxx
http://www.procern.com/<http://www.procern.com/>
Stay Connected!
Not Just MSP, We Also MSSP.
 NON-DISCLOSURE NOTICE: This communication including any and all

attachments is for the intended recipient(s) only and may contain
confidential and privileged information. If you are not the intended
recipient of this communication, any disclosure, copying further
distribution or use of this communication is prohibited. If you received
this communication in error, please contact the sender and

delete/destroy

all copies of this communication immediately.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l<

https://lists.midrange.com/mailman/listinfo/midrange-l>

or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l<

https://archive.midrange.com/midrange-l>.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription

related questions.

Jack Woehr
Independent Consulting Programmer
303-847-8442
jack.woehr@xxxxxxxxxxx
http://www.procern.com/
Stay Connected!
Not Just MSP, We Also MSSP.
 NON-DISCLOSURE NOTICE: This communication including any and all

attachments is for the intended recipient(s) only and may contain
confidential and privileged information. If you are not the intended
recipient of this communication, any disclosure, copying further
distribution or use of this communication is prohibited. If you received
this communication in error, please contact the sender and

delete/destroy

all copies of this communication immediately.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription

related questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription

related

questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription

related questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.