Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify that the vp_token is **URL Safe** Base64 encoded, rather than a Base 64 encoded #236

Closed
samuelgoto opened this issue Aug 26, 2024 · 4 comments · Fixed by #270
Closed

Clarify that the vp_token is **URL Safe** Base64 encoded, rather than a Base 64 encoded #236

samuelgoto opened this issue Aug 26, 2024 · 4 comments · Fixed by #270
Assignees
@Sakurann
Labels
has-PR
Milestone
Final 1.0

Comments

@samuelgoto
Copy link
Contributor

samuelgoto commented Aug 26, 2024
edited
Loading

I ran into this issue while parsing the response by reading the spec, so figured others would too.

From:

https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-6.1

It says:

Each Verifiable Presentation MUST be represented as a JSON string (that is a Base64url encoded value)

Which is correct, but incomplete. I think it should say something like:

Each Verifiable Presentation MUST be represented as a JSON string (that is a [URL Safe] Base64url encoded value)

For implementers, that's the difference between decoding as:

// From https://stackoverflow.com/questions/28100601/decode-url-safe-base64-in-javascript-browser-side
atob(data.replace(/_/g, '/').replace(/-/g, '+'))

Rather than:

atob(data)
@jogu
Copy link
Collaborator

jogu commented Aug 27, 2024

It says base64url (rather than base64) which by definition is url safe I think? Did I miss something?

@bc-pi
Copy link
Member

bc-pi commented Aug 27, 2024

Yeah, the definition is a bit awkward to track down but it does say "base64url" and in https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-terminology it has

and the term "Base64url Encoding" defined by JSON Web Signature (JWS) [RFC7515]

which RFC7515 in turn says at https://datatracker.ietf.org/doc/html/rfc7515#section-2 :

Base64url Encoding
Base64 encoding using the URL- and filename-safe character set
defined in Section 5 of RFC 4648 [RFC4648], with all trailing '='
characters omitted (as permitted by Section 3.2) and without the
inclusion of any line breaks, whitespace, or other additional
characters. Note that the base64url encoding of the empty octet
sequence is the empty string. (See Appendix C for notes on
implementing base64url encoding without padding.)

@samuelgoto
Copy link
Contributor Author

The text in this specific section seems worth clarifying, IMHO:

https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-6.1

Each Verifiable Presentation MUST be represented as a JSON string (that is a Base64url encoded value)

Maybe something like the following?

Each Verifiable Presentation MUST be represented as a JSON string (that is a URL Safe Base64url encoded value)

@c2bo
Copy link
Member

c2bo commented Aug 27, 2024

Currently Terminology says

[...] the term "JOSE Header" and the term "Base64url Encoding" defined by JSON Web Signature (JWS) [[RFC7515] [...]

Should we go the route of sd-jwt and explicitly introduce

base64url denotes the URL-safe base64 encoding without padding defined in Section 2 of [[RFC7515].

in terminology?

I think that would make things easier for an implementer/reader.

This was referenced Sep 26, 2024
Merged
Merged
@Sakurann Sakurann self-assigned this Sep 26, 2024
@Sakurann Sakurann added this to the Final 1.0 milestone Sep 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Sakurann Sakurann

Labels
has-PR
Projects
None yet
Milestone
Final 1.0
Development

Successfully merging a pull request may close this issue.

clarify base64url definition openid/OpenID4VP
7 participants
@jogu @samuelgoto @c2bo @Sakurann @bc-pi and others