[Bug] 'Illegal base64 character 2d' occurs when decoding token values in TokenRequestExecutor.createAuthenticationResultFromOauthHttpResponse for specific accounts

[proj2k]

Library version used

1.19.1

Java version

1.8

Scenario

ConfidentialClient - web site (AcquireTokenByAuthCode)

Is this a new or an existing app?

None

Issue description and reproduction steps

While using msal4j OAuth authentication, for specific users, the error 'java.lang.IllegalArgumentException: Illegal base64 character 2d' occurred.
The error location is as follows:

class TokenRequestExecutor {
...
  private AuthenticationResult createAuthenticationResultFromOauthHttpResponse(HTTPResponse oauthHttpResponse) throws ParseException {
  ...
  idTokenJson = new String(Base64.getDecoder().decode(tokens.getIDTokenString().split("\\.")[1]), StandardCharsets.UTF_8);
  ...
  }
}

For your reference, this error does not occur in version 1.18.0 which uses Base64.getUrlEncoder().
Thank you

Relevant code snippets

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

[Avery-Dunn]

Thanks for bringing this to our attention! Seems like the change was made in this PR: #894

Previously we parsed the ID token using the Base64.decodeToString method from the nimbus-jose-jwt, and the naming/decompiled code suggests they only dealt with regular base64 but maybe the dependency was doing something extra to handle URL encoding: https://javadoc.io/doc/com.nimbusds/nimbus-jose-jwt/latest/com/nimbusds/jose/util/Base64.html

We'll have a fix using a URL decoder out in the next release. Not ETA yet, but I'll update this thread with more info when we have it.

[bgavrilMS]

Hi @Avery-Dunn - I think this is because you used base64 decoding. But jwts are encoded with base64URL protocol. See here for a comparison:

https://stackoverflow.com/questions/55389211/string-based-data-encoding-base64-vs-base64url