[Bug] If JWT contains a '-', it will cause an explanation token exception: java.lang.IllegalArgumentException: Illegal base64 character 2d #937
Description
Library version used
1.20.0
Java version
JDK 1.8
Scenario
PublicClient (AcquireTokenInteractive, AcquireTokenByUsernamePassword)
Is this a new or an existing app?
None
Issue description and reproduction steps
login by username and password will Exception
UsernamePasswordCredential credential = new UsernamePasswordCredentialBuilder().clientId(CLIENT_ID).tenantId(TENANT_GUID).username(userName).password(password).build();
if (null == scopesForUser || null == credential) {
log.error("Unexpected error");
}
graphClientForUser = new GraphServiceClient(credential, scopesForUser);
User user = graphClientForUser.me().get();
log.info("UserId: " + user.getId());
log.info("UserName: " + user.getDisplayName());
log.info("UserPrincipalName"+user.getUserPrincipalName());
Exception Info:
Caused by: java.lang.IllegalArgumentException: Illegal base64 character 2d at java.util.Base64$Decoder.decode0(Base64.java:714) at java.util.Base64$Decoder.decode(Base64.java:526) at java.util.Base64$Decoder.decode(Base64.java:549) at com.microsoft.aad.msal4j.TokenRequestExecutor.createAuthenticationResultFromOauthHttpResponse(TokenRequestExecutor.java:122) at com.microsoft.aad.msal4j.TokenRequestExecutor.executeTokenRequest(TokenRequestExecutor.java:42) at com.microsoft.aad.msal4j.AbstractApplicationBase.acquireTokenCommon(AbstractApplicationBase.java:74) at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.execute(AcquireTokenByAuthorizationGrantSupplier.java:63) at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:69) at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:18) at java.util.concurrent.CompletableFuture$AsyncSupply.run$$$capture(CompletableFuture.java:1604) at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java) at --- Async.Stack.Trace --- (captured by IntelliJ IDEA debugger) at java.util.concurrent.CompletableFuture$AsyncSupply.<init>(CompletableFuture.java:1590) at java.util.concurrent.CompletableFuture.asyncSupplyStage(CompletableFuture.java:1618) at java.util.concurrent.CompletableFuture.supplyAsync(CompletableFuture.java:1843) at com.microsoft.aad.msal4j.AbstractApplicationBase.executeRequest(AbstractApplicationBase.java:53) at com.microsoft.aad.msal4j.PublicClientApplication.acquireToken(PublicClientApplication.java:51) ... 78 more
JWT Payload
{
"aud": "036f55e4-0b6a-4a8c-a105-9e788d6f5dc1",
"iss": "https://login.microsoftonline.com/6701846e-693c-4a8e-93e5-9f5d3c5ee5b8/v2.0",
"iat": 1744357952,
"nbf": 1744357952,
"exp": 1744361852,
"name": "Sharepoint 測試管理员(测试Site)帳號",
"oid": "fa181c47-64fc-4530-9606-bfceb3c49724",
"preferred_username": "Hssitsit_testsiteadmin@testdomain.com",
"rh": "1.AWQAboQBZzxpjkqT5Z9dPF7luORVbwNqC4xKoQWeeI1vXcFkANlkAA.",
"sid": "003ebe99-ac74-2055-8c81-49ea0a5c3d2b",
"sub": "zYoayDbZ8gFQ9BUXrWUriwxqPhhEepzpOHZCqGkoA8Q",
"tid": "6701846e-693c-4a8e-93e5-9f5d3c5ee5b8",
"uti": "RaMVTbOekUaVMcHe-UC6AA",
"ver": "2.0"
}
Relevant code snippets
Expected behavior
No response
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
com.microsoft.aad.msal4j.TokenRequestExecutor#createAuthenticationResultFromOauthHttpResponse
idTokenJson = new String(Base64.getDecoder().decode(tokens.getIDTokenString().split("\\.")[1]), StandardCharsets.UTF_8);
change to :
idTokenJson = new String(Base64.getDecoder().decode(tokens.getIDTokenString().split("\\.")[1]).replace(
-’,‘+’).replace('_', '/'), StandardCharsets.UTF_8);