Fix base64 encoding for JWT token (#3367)

azure-sdk · weshaggard · web-flow · commit f26eb2c21008 · 2026-02-06T09:35:41.000-08:00
The eng/common/scripts/login-to-github.ps1 script was failing because it was using the standard Base64 encoded
  signature returned by Azure Key Vault directly in the JWT, instead of converting it to Base64URL format (which
  replaces + with -, / with _, and removes trailing =).

  I have fixed the script by adding the necessary character replacements and also added a 10-second clock skew buffer
  to the iat (issued at) claim to ensure validity.

  The script now runs successfully and logs in as azure-sdk-automation[bot].

  Changes made:

   - Modified eng/common/scripts/login-to-github.ps1:
    - Converted the signature from Azure Key Vault to Base64URL format.
    - Subtracted 10 seconds from the iat claim to account for potential clock skew.

  Verification:

   - Ran the script and confirmed it successfully resolved the installation ID for "Azure" and obtained an access
  token.
   - gh auth status output confirms successful login.

Co-authored-by: Wes Haggard &lt;Wes.Haggard@microsoft.com&gt;
diff --git a/eng/common/scripts/login-to-github.ps1 b/eng/common/scripts/login-to-github.ps1
@@ -57,9 +57,17 @@ function New-GitHubAppJwt {
     [Parameter(Mandatory)] [string] $AppId
   )
 
-  function Base64UrlEncode($json) {
-    $bytes = [System.Text.Encoding]::UTF8.GetBytes($json)
-    $base64 = [Convert]::ToBase64String($bytes)
+  function Base64UrlEncode {
+    param(
+      [string]$Data,
+      [switch]$IsBase64String
+    )
+    if ($IsBase64String) {
+      $base64 = $Data
+    } else {
+      $bytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
+      $base64 = [Convert]::ToBase64String($bytes)
+    }
     return $base64.TrimEnd('=') -replace '\+', '-' -replace '/', '_'
   }
 
@@ -70,7 +78,7 @@ function New-GitHubAppJwt {
   }
   $Now = [int][double]::Parse((Get-Date -UFormat %s))
   $Payload = @{
-      iat = $Now
+      iat = $Now - 10 # 10 seconds clock skew
       exp = $Now + 600  # 10 minutes
       iss = $AppId
   }
@@ -97,7 +105,7 @@ function New-GitHubAppJwt {
     throw "Azure Key Vault response does not contain a signature. Response: $($SignResultJson | ConvertTo-Json -Compress)"
   }
 
-  $Signature = $SignResultJson.signature
+  $Signature = Base64UrlEncode -Data $SignResultJson.signature -IsBase64String
   return "$UnsignedToken.$Signature"
 }
 

Original file line number	Diff line number	Diff line change
`@@ -57,9 +57,17 @@ function New-GitHubAppJwt {`
`57`	`57`	`[Parameter(Mandatory)] [string] $AppId`
`58`	`58`	`)`
`59`	`59`
`60`		`- function Base64UrlEncode($json) {`
`61`		`- $bytes = [System.Text.Encoding]::UTF8.GetBytes($json)`
`62`		`- $base64 = [Convert]::ToBase64String($bytes)`
	`60`	`+ function Base64UrlEncode {`
	`61`	`+ param(`
	`62`	`+ [string]$Data,`
	`63`	`+ [switch]$IsBase64String`
	`64`	`+ )`
	`65`	`+ if ($IsBase64String) {`
	`66`	`+ $base64 = $Data`
	`67`	`+ } else {`
	`68`	`+ $bytes = [System.Text.Encoding]::UTF8.GetBytes($Data)`
	`69`	`+ $base64 = [Convert]::ToBase64String($bytes)`
	`70`	`+ }`
`63`	`71`	`return $base64.TrimEnd('=') -replace '\+', '-' -replace '/', '_'`
`64`	`72`	`}`
`65`	`73`
`@@ -70,7 +78,7 @@ function New-GitHubAppJwt {`
`70`	`78`	`}`
`71`	`79`	`$Now = [int][double]::Parse((Get-Date -UFormat %s))`
`72`	`80`	`$Payload = @{`
`73`		`- iat = $Now`
	`81`	`+ iat = $Now - 10 # 10 seconds clock skew`
`74`	`82`	`exp = $Now + 600 # 10 minutes`
`75`	`83`	`iss = $AppId`
`76`	`84`	`}`
`@@ -97,7 +105,7 @@ function New-GitHubAppJwt {`
`97`	`105`	`throw "Azure Key Vault response does not contain a signature. Response: $($SignResultJson \| ConvertTo-Json -Compress)"`
`98`	`106`	`}`
`99`	`107`
`100`		`- $Signature = $SignResultJson.signature`
	`108`	`+ $Signature = Base64UrlEncode -Data $SignResultJson.signature -IsBase64String`
`101`	`109`	`return "$UnsignedToken.$Signature"`
`102`	`110`	`}`
`103`	`111`