As it turns out, the output of base64.urlsafe_b64encode() is not actually URL-safe if the result includes padding. The padding character is '=' which must be percent-encoded.
The result is that "valid" tokens are being made URL-friendly by some defensive code in keystonemiddleware, and are thus made unusable by keystone during validation.
https://travis-ci.org/dolph/keystone-deploy/builds/54734386
If keystone emitted URL-safe tokens in the first place, the defensive code in keystonemiddleware wouldn't be triggered, and everything would work properly.
Unfortunately, PKI and PKIZ tokens exhibit a similar symptom, but apparently due to a different cause.
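
The padding problem described above, reproduced as an added example (not code from keystone or keystonemiddleware). It assumes the defensive URL-quoting step behaves like `urllib.parse.quote`, and the helper names and sample payload are constructed for illustration. It also shows one way to emit tokens that survive quoting: strip the padding on encode and restore it on decode.

```python
import base64
from urllib.parse import quote

# Constructed payload: 14 bytes, so the base64 output needs one '=' pad.
# The leading bytes force '-' and '_' into the output to show they are safe.
SAMPLE_PAYLOAD = b"\xfb\xff\xfe" + b"constructed"


def encode_padded(raw: bytes) -> str:
    """What base64.urlsafe_b64encode() produces: padding is kept."""
    return base64.urlsafe_b64encode(raw).decode("ascii")


def encode_unpadded(raw: bytes) -> str:
    """URL-safe alphabet with the '=' padding stripped."""
    return encode_padded(raw).rstrip("=")


def decode_unpadded(token: str) -> bytes:
    """Restore the padding implied by the length, then decode."""
    padding = "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token + padding)


def url_quoted(token: str) -> str:
    """Stand-in (assumption) for a defensive URL-quoting step."""
    return quote(token, safe="")


def survives_url_quoting(token: str) -> bool:
    """True if quoting leaves the token byte-for-byte unchanged."""
    return url_quoted(token) == token


if __name__ == "__main__":
    padded = encode_padded(SAMPLE_PAYLOAD)
    unpadded = encode_unpadded(SAMPLE_PAYLOAD)
    print("padded:  ", padded, "->", url_quoted(padded))
    print("unpadded:", unpadded, "->", url_quoted(unpadded))
    print("padded survives quoting:  ", survives_url_quoting(padded))
    print("unpadded survives quoting:", survives_url_quoting(unpadded))
    print("round trip ok:", decode_unpadded(unpadded) == SAMPLE_PAYLOAD)
```
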