Add comment to explain why padding is removed.

huangjiahua · huangjiahua · commit 03154a129a8f · 2025-04-15T16:53:55.000Z
Change-Id: I0882e0c5d99310b179ace493b937669520626263
diff --git a/cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java b/cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
@@ -206,6 +206,8 @@ public AccessToken generateToken(CredentialAccessBoundary accessBoundary)
 
     byte[] encryptedRestrictions = this.encryptRestrictions(rawRestrictions, sessionKey);
 
+    // withoutPadding() is used to stay consistent with server-side CAB
+    // withoutPadding() avoids additional URL encoded token issues (i.e. extra equal signs `=` in the path)
     String tokenValue =
         intermediateToken + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(encryptedRestrictions);
 
diff --git a/cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java b/cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java
@@ -745,7 +745,9 @@ public void generateToken_withAvailablityCondition_success() throws Exception {
     CabToken cabToken = parseCabToken(token);
     assertEquals("accessToken", cabToken.intermediateToken);
 
-    // Verifies the encrypted restriction has no padding
+    // Base64 encoding output by default has `=` padding at the end if the input length
+    // is not a multiple of 3. Here we verify the use of `withoutPadding` that removes
+    // this padding.
     assertFalse(cabToken.encryptedRestriction.contains(String.valueOf("=")));
 
     // Checks the encrypted restriction is the correct proto format of the CredentialAccessBoundary.
@@ -798,7 +800,9 @@ public void generateToken_withoutAvailabilityCondition_success() throws Exceptio
     CabToken cabToken = parseCabToken(token);
     assertEquals("accessToken", cabToken.intermediateToken);
 
-    // Verifies the encrypted restriction has no padding
+    // Base64 encoding output by default has `=` padding at the end if the input length
+    // is not a multiple of 3. Here we verify the use of `withoutPadding` that removes
+    // this padding.
     assertFalse(cabToken.encryptedRestriction.contains(String.valueOf("=")));
 
     // Checks the encrypted restriction is the correct proto format of the CredentialAccessBoundary.
