Suggestion: Better errors for incorrectly formatted JWT

#1

Hi there,

this just cost me a couple of hours while building my GitHub app, so I’m hoping that by posting here something can be done to save others a similar experience. The docs on authentication (https://developer.github.com/apps/building-integrations/setting-up-and-registering-github-apps/about-authentication-options-for-github-apps/) link to the debugger on https://jwt.io/. However, the debugger there is more lenient in its validation than GitHub. In particular, if the token is base64 rather than base64url encoded, jwt.io will accept it, but GitHub will not. Since GitHub links to this as the validator, this caused me a whole lot of confusion: jwt.io claimed the token was valid, but GitHub did not accept it.

I would suggest one of the following courses of action:

  1. Fix the validator at https://github.com/jsonwebtoken/jsonwebtoken.github.io - I would do so myself, but unfortunately my experience with frontend development is limited, so I doubt I could put together a well-looking error message there. However, it should be a fairly straightforward task for anybody who’s done such development.
  2. Give a better error message than “Invalid credentials” from the GitHub endpoint. E.g. detect if it contains the invalid characters ‘+’ or ‘/’ and give a helpful message instead.
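
The base64 vs. base64url mix-up described above, as an added example that is not part of the original post: it builds the same header/claims with both encodings and runs a small checker that reports which segment contains characters outside the base64url alphabet. The claim values, the `iss` app id and the signature bytes are constructed placeholders, and no real signing is performed.

```python
import base64
import json

# Constructed sample header and claims; "iss" is a placeholder app id, not a real one.
HEADER = {"alg": "RS256", "typ": "JWT"}
CLAIMS = {"iat": 1500000000, "exp": 1500000600, "iss": 12345}
# Constructed stand-in for signature bytes, chosen so plain base64 yields '+' and '/'.
FAKE_SIGNATURE = b"\xfb\xff\xbf" * 4

B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url_encode(data: bytes) -> str:
    """RFC 7515 base64url: '-' and '_' alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64std_encode(data: bytes) -> str:
    """Plain base64, the mistake from the post: '+', '/' and '=' may appear."""
    return base64.b64encode(data).decode("ascii")


def build_token(encode, header=HEADER, claims=CLAIMS) -> str:
    """Assemble header.payload.signature with the given segment encoder."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([encode(compact(header)), encode(compact(claims)), encode(FAKE_SIGNATURE)])


def check_jwt_encoding(token: str) -> list:
    """Return human-readable problems; an empty list means every segment is base64url."""
    parts = token.split(".")
    if len(parts) != 3:
        return [f"expected 3 dot-separated segments, found {len(parts)}"]
    problems = []
    for name, seg in zip(("header", "payload", "signature"), parts):
        bad = sorted(set(seg) - B64URL_ALPHABET)
        if bad:
            problems.append(f"{name}: not base64url, contains {bad} (use '-', '_' and no '=' padding)")
    return problems


if __name__ == "__main__":
    for label, enc in (("base64url", b64url_encode), ("plain base64", b64std_encode)):
        print(label, check_jwt_encoding(build_token(enc)) or "OK")
```

Running the checker on a token before sending it to GitHub gives the kind of message the post asks for, instead of a bare "Invalid credentials".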

#2

Thanks for the helpful feedback, @Keno – I’ll pass this along to the team so that they can consider making improvements. :bow: