Comment 3 for bug 1433372

Dolph Mathews (dolph) wrote :

As it turns out, the output of base64.urlsafe_b64encode() is not actually URL-safe if the result includes padding. The padding character is '=' which must be percent-encoded.

The result is that "valid" tokens are being made URL-friendly by some defensive code in keystonemiddleware, and are thus made unusable by keystone during validation.

If keystone emitted URL-safe tokens in the first place, the defensive code in keystonemiddleware wouldn't be triggered, and everything works properly.

Unfortunately, PKI and PKIZ tokens exhibit a similar symptom, but apparently due to a different cause.
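The padding problem described above, as an added illustration that is not code from keystone or keystonemiddleware: a constructed 16-byte id is encoded with `base64.urlsafe_b64encode()`, which yields trailing `=` padding that `urllib.parse.quote()` turns into `%3D` (the assumed shape of the middleware's URL-friendliness step); stripping the padding at issue time and restoring it at decode time avoids the mismatch.

```python
import base64
import urllib.parse

# Constructed sample id (16 bytes -> 22 base64 chars plus "==" padding).
SAMPLE_ID = bytes(range(16))


def encode_token_id(raw: bytes) -> str:
    """Plain urlsafe_b64encode: the alphabet is URL-safe, the '=' padding is not."""
    return base64.urlsafe_b64encode(raw).decode("ascii")


def encode_token_id_unpadded(raw: bytes) -> str:
    """Strip the '=' padding so the token passes through percent-encoding unchanged."""
    return encode_token_id(raw).rstrip("=")


def decode_token_id(token: str) -> bytes:
    """Accept padded or unpadded input: pad back out to a multiple of four chars."""
    token += "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token.encode("ascii"))


def decode_received_token(token: str) -> bytes:
    """Validator side: undo any percent-encoding a client or proxy applied first."""
    return decode_token_id(urllib.parse.unquote(token))


def survives_quoting(token: str) -> bool:
    """True if urllib.parse.quote() (assumed to model the middleware step) leaves the token intact."""
    return urllib.parse.quote(token, safe="") == token


if __name__ == "__main__":
    padded = encode_token_id(SAMPLE_ID)
    unpadded = encode_token_id_unpadded(SAMPLE_ID)
    print(padded, survives_quoting(padded))        # ...ODw== False
    print(unpadded, survives_quoting(unpadded))    # ...ODw True
    print(decode_received_token(urllib.parse.quote(padded)) == SAMPLE_ID)
```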