Newsgroups: php.internals
Subject: Re: [PHP-DEV] base64url format
From: Tim Düsterhus <tim@bastelstu.be>
To: Sara Golemon, PHP internals <internals@lists.php.net>
Date: Mon, 9 Jan 2023 21:11:54 +0100

Hi

On 1/9/23 19:49, Sara Golemon wrote:
> I've been working with JWTs lately and that means working with Base64URL
> format. (Ref: https://www.rfc-editor.org/rfc/rfc4648#section-5 )
> This is essentially the same thing as normal Base64, but instead of '+' and
> '/', it uses '-' and '_', respectively. It also allows leaving off the
> trailing '=' padding characters.
>

With JWTs you likely also want a constant-time encoder that is not susceptible to cache-timing leaks [1]. For this reason https://github.com/paragonie/constant_time_encoding is a must-have dependency for my projects and I generally use the functions of that library by default, unless there is a reason not to (high performance required).

That library also includes a b32 implementation that cmb wished.

There's also https://www.php.net/manual/en/function.sodium-bin2base64.php which is constant-time and supports b64url, unfortunately it's not guaranteed to be available.

Best regards
Tim Düsterhus

[1] It's likely more important for encrypted tokens than only for signed ones.
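The following is an added example, not code from the thread above nor from paragonie/constant_time_encoding or ext/sodium. It shows the two points the reply makes side by side: the usual strtr/rtrim base64url wrapper around base64_encode(), whose alphabet-table lookups are indexed by the data being encoded, and a base64url encoder/decoder that maps 6-bit values with branch-free arithmetic so that no memory address or branch depends on the secret bytes (the same masking approach the paragonie library uses; this is a fresh implementation written for this example). The decoder is strict: it rejects bytes outside the alphabet, '=' padding, impossible lengths and non-zero trailing bits, so each byte string has exactly one accepted encoding. It assumes PHP 7 or later, where `>>` on a negative int is an arithmetic (sign-extending) shift, and uses only ord(), chr(), strtr(), rtrim() and base64_encode() from the standard library; the sample inputs are constructed for the demo.

```php
<?php
// Variable-time base64url (RFC 4648 section 5) on top of the standard library.
// Fine for public data such as a JWT header; base64_encode() indexes an alphabet
// table by the input bytes, so its memory accesses depend on the data.
function base64url_encode_fast(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Branch-free map of a 6-bit value to its base64url ASCII code. (k - $v) >> 8 is 0
// when $v <= k and -1 (all ones) when $v > k, so "& delta" selects the delta
// without a branch or a lookup table.
function ct_encode6(int $v): int
{
    $d = 0x41;                      // 0..25  -> 'A'..'Z'
    $d += ((25 - $v) >> 8) & 6;     // 26..51 -> 'a'..'z'  (0x61 - 0x41 - 26)
    $d -= ((51 - $v) >> 8) & 75;    // 52..61 -> '0'..'9'  (0x61 - 0x30 + 26)
    $d -= ((61 - $v) >> 8) & 13;    // 62     -> '-'       (0x30 - 0x2d + 10)
    $d += ((62 - $v) >> 8) & 49;    // 63     -> '_'       (0x5f - 0x2d - 1)
    return $v + $d;
}

// Inverse map: byte -> 0..63, or -1 for a byte outside the alphabet ('=' included).
// For a byte $c, ((lo - $c) & ($c - hi)) >> 8 is -1 exactly when lo < $c < hi.
function ct_decode6(int $c): int
{
    $r = -1;
    $r += (((0x40 - $c) & ($c - 0x5b)) >> 8) & ($c - 64);  // 'A'..'Z' -> 0..25
    $r += (((0x60 - $c) & ($c - 0x7b)) >> 8) & ($c - 70);  // 'a'..'z' -> 26..51
    $r += (((0x2f - $c) & ($c - 0x3a)) >> 8) & ($c + 5);   // '0'..'9' -> 52..61
    $r += (((0x2c - $c) & ($c - 0x2e)) >> 8) & 63;         // '-'      -> 62
    $r += (((0x5e - $c) & ($c - 0x60)) >> 8) & 64;         // '_'      -> 63
    return $r;
}

// Constant-time encoder: branches depend only on the length of $bin, never on its bytes.
function base64url_encode_ct(string $bin): string
{
    $out = '';
    $len = strlen($bin);
    for ($i = 0; $i + 3 <= $len; $i += 3) {
        $b0 = ord($bin[$i]); $b1 = ord($bin[$i + 1]); $b2 = ord($bin[$i + 2]);
        $out .= chr(ct_encode6($b0 >> 2))
              . chr(ct_encode6((($b0 << 4) | ($b1 >> 4)) & 63))
              . chr(ct_encode6((($b1 << 2) | ($b2 >> 6)) & 63))
              . chr(ct_encode6($b2 & 63));
    }
    $rem = $len - $i;
    if ($rem === 1) {
        $b0 = ord($bin[$i]);
        $out .= chr(ct_encode6($b0 >> 2)) . chr(ct_encode6(($b0 << 4) & 63));
    } elseif ($rem === 2) {
        $b0 = ord($bin[$i]); $b1 = ord($bin[$i + 1]);
        $out .= chr(ct_encode6($b0 >> 2))
              . chr(ct_encode6((($b0 << 4) | ($b1 >> 4)) & 63))
              . chr(ct_encode6(($b1 << 2) & 63));
    }
    return $out;    // no '=' padding, as RFC 4648 section 5 permits and JWT requires
}

// Constant-time strict decoder. Errors are accumulated in $bad and reported once at
// the end, so the failure position does not change the control flow.
function base64url_decode_ct(string $s): string
{
    $len = strlen($s);
    if ($len % 4 === 1) {
        throw new InvalidArgumentException('invalid base64url length');
    }
    $out = '';
    $bad = 0;
    for ($i = 0; $i + 4 <= $len; $i += 4) {
        $c0 = ct_decode6(ord($s[$i]));     $c1 = ct_decode6(ord($s[$i + 1]));
        $c2 = ct_decode6(ord($s[$i + 2])); $c3 = ct_decode6(ord($s[$i + 3]));
        $bad |= ($c0 | $c1 | $c2 | $c3) >> 8;           // -1 if any char was invalid
        $out .= chr((($c0 << 2) | ($c1 >> 4)) & 0xFF)
              . chr((($c1 << 4) | ($c2 >> 2)) & 0xFF)
              . chr((($c2 << 6) | $c3) & 0xFF);
    }
    $rem = $len - $i;
    if ($rem === 2) {
        $c0 = ct_decode6(ord($s[$i])); $c1 = ct_decode6(ord($s[$i + 1]));
        $bad |= (($c0 | $c1) >> 8) | ($c1 & 0x0F);      // unused low bits must be zero
        $out .= chr((($c0 << 2) | ($c1 >> 4)) & 0xFF);
    } elseif ($rem === 3) {
        $c0 = ct_decode6(ord($s[$i])); $c1 = ct_decode6(ord($s[$i + 1])); $c2 = ct_decode6(ord($s[$i + 2]));
        $bad |= (($c0 | $c1 | $c2) >> 8) | ($c2 & 0x03);
        $out .= chr((($c0 << 2) | ($c1 >> 4)) & 0xFF) . chr((($c1 << 4) | ($c2 >> 2)) & 0xFF);
    }
    if ($bad !== 0) {
        throw new InvalidArgumentException('invalid base64url input');
    }
    return $out;
}

// Demo on constructed inputs: both encoders agree and the round trip is exact.
foreach (['', 'f', 'fo', 'foo', 'foob', 'fooba', 'foobar', "\xfb\xff"] as $in) {
    if (base64url_encode_ct($in) !== base64url_encode_fast($in)) throw new RuntimeException('encoders differ');
    if (base64url_decode_ct(base64url_encode_ct($in)) !== $in) throw new RuntimeException('round trip failed');
}
try {
    base64url_decode_ct('-_9');   // same leading bits as the canonical "-_8", non-zero trailing bits
    throw new RuntimeException('non-canonical input was accepted');
} catch (InvalidArgumentException $e) {
    echo "rejected non-canonical input, as intended\n";
}
```

In practice you would reach for the maintained implementations rather than carry this yourself: `ParagonIE\ConstantTime\Base64UrlSafe::encode()` / `::decode()` from the library named in the reply, or `sodium_bin2base64($bin, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING)` where ext/sodium is available. The point of the hand-written version is to make visible what "constant-time" buys: the length of the input still leaks (it is visible from the ciphertext size anyway), but the values of the bytes never select a table entry or a branch, which is what a cache-timing attack on a shared host would be observing.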