Sign in Subscribe
advanced

When base64 encoding goes wrong

Base64 encoding is easy, except when different commands automatically add unexpected values to the thing you want to encode.

Gabor Javorszky

1 min read
Old orange segment screen displaying a lot of numbers in a table.
Photo by Chris Stein on Unsplash

Spoiler: it doesn’t go wrong, but the issue we faced was subtle.

We’re working with Keycloak as an OIDC provider. I needed to launch that into a Kubernetes cluster and connect it to our NGINX Ingress Controller so it can use that as an auth source.

Documentation says I need to take the client secret from Keycloak, base64 encode it, use that to create a kubernetes secret, and use that secret in the relevant ingress controller config map.

Except it wasn’t working.

$ echo "lmadflmk3322l19xnn2" | base64
bG1hZGZsbWszMzIybDE5eG5uMgo=

Formally the encoded string was correct, it was only ASCII, no disallowed characters, but the API still didn’t like it.

It took about 15 minutes of thinking about it, because I’ve run into this previously. There are two ways of base64 encoding something, so I started investigating. Turns out it wasn’t that issue, but it did lead me down the path of fixing it.

The client secret from Keycloak is already a base64 encoded binary value that the terminals and websites can’t print out safely, so we need to provide a double encoded version of that value. If you look above, the usual way of encoding something is echo thing | base64. And that one will add a newline at the end. Adding a newline to a base64 encoded value and then base64 encoding it again will, understandably, result in the wrong binary value the other way.

This is the fix by the way:

$ echo -n lmadflmk3322l19xnn2 | base64
bG1hZGZsbWszMzIybDE5eG5uMg==

See how these two aren’t the same?

bG1hZGZsbWszMzIybDE5eG5uMg== // good
bG1hZGZsbWszMzIybDE5eG5uMgo= // bad

When you decode them, you get these:

# good
$ echo bG1hZGZsbWszMzIybDE5eG5uMg== | base64 --decode
lmadflmk3322l19xnn2%
$ _

# bad
$ echo bG1hZGZsbWszMzIybDE5eG5uMgo= | base64 --decode
lmadflmk3322l19xnn2

$ _

Did you notice the extra newline at the end of the bad solution? Or the lack of the newline and the extra % at the end of the value in the good solution?

Anyways, protip: use echo -n thing | base64n to encode your secrets.

Until next time!

Sign up for more like this.

Enter your email
Subscribe