Comments (4)
Thanks for the report. The spec indeed mentions the preferred encoding to be url-safe base64, which refers to base64 with an URL-safe alphabet, according to the relevant RFC. This base64-variant still uses = as padding char, which is indeed a self-own from the base64 spec, no doubt about it.
So, while not being a bug, I think the current situation could be improved. My suggestion:
- make serialization not use padding in biscuit rust
- continue accepting padding when deserializing in biscuit rust
- modify the spec accordingly (libs should not use padding when serializing, but must accept both padded and unpadded values)
Optionally we could add a padded variant for encoding but i don't think it's warranted.
wdyt?
from biscuit-rust.
I changed the title to reflect the nature of the issue. For my use-cases, I've solved this issue by discarding all the =
characters doing the issuance process. I think anyone who uses biscuits to authenticate browser based clients will have to do the same. This usability improvement would be nice.
modify the spec accordingly (libs should not use padding when serializing, but must accept both padded and unpadded values)
Yeah, I think the spec change would be great. My only concern would be maintaining backwards compatibility for applications that are already deployed - I guess accepting both padded and un-padded values should take care of that?
from biscuit-rust.
accepting padded and non padded in deserialization, but only producing non padded base64 should be fine. The option would only add unneeded complexity and require a new major version since it changes the public API, so let's not add an option for that
from biscuit-rust.
accepting padded and non padded in deserialization, but only producing non padded base64 should be fine.
This is only fine if you are assuming people are only using Rust right?
For example, if we are using a Rust token issuer that starts to not pad base64, will the clients/consumers from other languages be able to parse it? I'm fine with making this change, but I just want to make sure we understand that it can break backwards compatibility.
from biscuit-rust.
Related Issues (20)
- Parsing chained method calls HOT 1
- Datalog boolean expression == does not evaluate properly HOT 3
- CLI long execution time HOT 3
- boolean logic should be lazy
- samples validation failure HOT 3
- Make biscuit-auth token::RootKeyProviter public HOT 3
- use separate version git tags for the different crates
- Detect free variables in expressions
- `RUSTSEC-2022-0093` security advisory
- Support heterogeneous sets
- `query_exactly_one()`
- Can't query facts added with authorizer_merge! HOT 2
- Non-deterministic output of `Authorizer.dump_code()` HOT 1
- Hidden state in `Authorizer` HOT 1
- Merging block builders with scope annotations
- Consider adding `impl TryFrom<Fact> for String` HOT 1
- Create new release HOT 1
- Proposal: add generic interface for external key registries HOT 2
- Cleanup free variables detection HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from biscuit-rust.