JWT parsing fails with 'illegal base64 data' due to RawStdEncoding vs RawURLEncoding

[Mike-Crowley]

Summary

AzureHound fails to parse certain valid Azure AD/Entra ID JWTs with the error:

failed to create new Azure client: illegal base64 data at input byte 1107

Root Cause

In client/rest/utils.go line 90, ParseBody() uses base64.RawStdEncoding to decode the JWT payload:

} else if bytes, err := base64.RawStdEncoding.DecodeString(parts[1]); err != nil {

Per RFC 7519, JWTs use base64url encoding (RFC 4648 §5), which uses - and _ characters instead of + and /. RawStdEncoding rejects - and _ as illegal characters.

Fix

Replace base64.RawStdEncoding with base64.RawURLEncoding on line 90 of client/rest/utils.go:

} else if bytes, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil {

Reproduction

1. Authenticate to an Azure tenant via az login --tenant <tenant-id>
2. Get a Graph token: az account get-access-token --resource https://graph.microsoft.com
3. Run: azurehound.exe list --jwt "<token>" -o output.json

This fails when the base64-encoded JWT payload contains - or _ characters, which depends on the claim values (user display name, tenant name, etc.). Some tenants produce tokens that happen to avoid these characters, making the bug intermittent.

Environment

• AzureHound v2.11.0 (Windows amd64)
• Tokens obtained via Azure CLI (az account get-access-token)

References

This is a well-known class of bug in Go JWT libraries:

• another --- illegal base64 data at input byte dgrijalva/jwt-go#293
• jws: base64Encode / base64Decode: Why not just use base64.RawURLEncoding? golang/oauth2#190

[Mike-Crowley]

Update: Some additional findings after further testing:

1. The bug only affects the --jwt code path — app registration auth (-a/-s) works fine since it bypasses ParseBody().

2. Gotcha with environment variables: If AZUREHOUND_JWT is set (e.g. from a previous attempt), AzureHound will use it even when -a/-s flags are provided, causing the same illegal base64 data error. This is because config.JWT is checked first in NewClient() (client/client.go line 43). Clearing the env var resolves this.

3. Workaround: Use app registration auth instead of --jwt:

   azurehound list -a <app-id> -s <secret> -t <tenant-id> -o output.json
   

The underlying fix is still the same — base64.RawStdEncoding → base64.RawURLEncoding in client/rest/utils.go line 90.

[Mike-Crowley]

Closing as duplicate of #160. Added workaround details and root cause analysis to that issue.