Duende Software
JWKS endpoint escapes '+' as '\u002B' in x5c field #470
Replies: 1 comment 2 replies
-
|
Thanks very much for this detailed bug report! I agree with your reading of the standards. We should not be escaping the plus character in this way, and it does indeed look like it is behavior that we are getting from System.Text.Json. My hypothesis is that this changed when the underlying System.IdentityModel.* libraries changed to use System.Text.Json. My advice for a short-term workaround is to go with middleware (your option 2). Meanwhile, the development team is working on a fix. |
Beta Was this translation helpful? Give feedback.
-
|
You mentioned in your report that you're using IdentityServer 7.2.4. If we fixed this in a 7.4.x patch, are you able to upgrade to 7.4 to use the fix? 7.2 to 7.4 should be a very straightforward upgrade. We had no schema changes, and only very minimal instances of breaking changes - code changes are needed in only very rare cases. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @josephdecock we can upgrade to 7.4.x and we're currently on .NET 9 so there shouldn't be any compatibility issues on our end. Please let me know when the patch is available and we'll proceed with the upgrade. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
The JWKS endpoint returns \u002B instead of literal + in Base64-encoded x5c certificate values:
"x5c": ["MIIF...CNDO10w\u002BRnuMEzkifo..."]
I think the root cause was raised here: dotnet/runtime#50998
We've identified some potential workarounds. Could you advise which approach you'd recommend?
Environment
References
Beta Was this translation helpful? Give feedback.
All reactions