.decode returns null when token has a = sign

[jmansor]

Hi!

I've got a JWT string (sadly cannot share it) that contains an = sign. When I pass it to .decode it returns null. I've tried a few other decoding tools and the same JWT string is correctly parsed. Weird thing is that, if I remove the = sign, .decode parses it correctly but then the string is not valid when considering the secret. Is this a bug? what am I missing?

Using version 8.4.0.

[panva]

Hi @jmansor

The bug lies with the producer of your JWT. = (padding) is to be omitted from base64url encoding in compact JWS, ergo JWT as well.

[jmansor]

I see, that's what I suspected, thanks @panva. It should be safe to remove all = from the string before passing it to .decode just for the sake of getting it correctly parsed, right? I mean, this is probably what the other decode tools I've tried are doing.