fix: Do not add padding in Client-Side CAB tokens. (#1728)

huangjiahua · web-flow · commit 8a75ccd1c091 · 2025-04-22T12:58:11.000-04:00
* fix: Do not add padding in Client-Side CAB tokens.

Change-Id: I1dc0dfeb7e29e902ad3442cae28d10383816f58b

* Add unit test assertions to verify the generated token has no padding.

Change-Id: I7b948a13a075d7afeac19f96b9372f23b60d4eda

* Add comment to explain why padding is removed.

Change-Id: I0882e0c5d99310b179ace493b937669520626263

* Run mvn format.

Change-Id: I8e3c59c42fceeaf593fa08e85b40754d57e71a45
diff --git a/cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java b/cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
@@ -206,8 +206,13 @@ public AccessToken generateToken(CredentialAccessBoundary accessBoundary)
 
     byte[] encryptedRestrictions = this.encryptRestrictions(rawRestrictions, sessionKey);
 
+    // withoutPadding() is used to stay consistent with server-side CAB
+    // withoutPadding() avoids additional URL encoded token issues (i.e. extra equal signs `=` in
+    // the path)
     String tokenValue =
-        intermediateToken + "." + Base64.getUrlEncoder().encodeToString(encryptedRestrictions);
+        intermediateToken
+            + "."
+            + Base64.getUrlEncoder().withoutPadding().encodeToString(encryptedRestrictions);
 
     return new AccessToken(tokenValue, intermediateTokenExpirationTime);
   }
diff --git a/cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java b/cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java
@@ -744,6 +744,11 @@ public void generateToken_withAvailablityCondition_success() throws Exception {
     CabToken cabToken = parseCabToken(token);
     assertEquals("accessToken", cabToken.intermediateToken);
 
+    // Base64 encoding output by default has `=` padding at the end if the input length
+    // is not a multiple of 3. Here we verify the use of `withoutPadding` that removes
+    // this padding.
+    assertFalse(cabToken.encryptedRestriction.contains(String.valueOf("=")));
+
     // Checks the encrypted restriction is the correct proto format of the CredentialAccessBoundary.
     ClientSideAccessBoundary clientSideAccessBoundary =
         decryptRestriction(
@@ -794,6 +799,11 @@ public void generateToken_withoutAvailabilityCondition_success() throws Exceptio
     CabToken cabToken = parseCabToken(token);
     assertEquals("accessToken", cabToken.intermediateToken);
 
+    // Base64 encoding output by default has `=` padding at the end if the input length
+    // is not a multiple of 3. Here we verify the use of `withoutPadding` that removes
+    // this padding.
+    assertFalse(cabToken.encryptedRestriction.contains(String.valueOf("=")));
+
     // Checks the encrypted restriction is the correct proto format of the CredentialAccessBoundary.
     ClientSideAccessBoundary clientSideAccessBoundary =
         decryptRestriction(
