Bug fix 3.3/jwt base64url encoded (#7905)

* Use base64url encoding and decoding for jwt header and body as specified in the rfc.

* Update changelog.

CHANGELOG

@@ -1,6 +1,8 @@
 v3.3.22 (XXXX-XX-XX)
 --------------------
 
+* Use base64url to encode and decode JWT parts.
+
 * added AQL function `CHECK_DOCUMENT` for document validity checks
 
 * added arangorestore option `--cleanup-duplicate-attributes` to clean up input documents

arangod/Auth/TokenCache.cpp

@@ -244,7 +244,7 @@ std::shared_ptr<VPackBuilder> auth::TokenCache::parseJson(std::string const& str
 
 bool auth::TokenCache::validateJwtHeader(std::string const& header) {
   std::shared_ptr<VPackBuilder> headerBuilder =
-      parseJson(StringUtils::decodeBase64(header), "jwt header");
+      parseJson(StringUtils::decodeBase64U(header), "jwt header");
   if (headerBuilder.get() == nullptr) {
     return false;
   }
@@ -279,7 +279,7 @@ bool auth::TokenCache::validateJwtHeader(std::string const& header) {
 
 auth::TokenCache::Entry auth::TokenCache::validateJwtBody(std::string const& body) {
   std::shared_ptr<VPackBuilder> bodyBuilder =
-      parseJson(StringUtils::decodeBase64(body), "jwt body");
+      parseJson(StringUtils::decodeBase64U(body), "jwt body");
   auth::TokenCache::Entry authResult;
   if (bodyBuilder.get() == nullptr) {
     LOG_TOPIC(TRACE, Logger::AUTHENTICATION) << "invalid JWT body";
@@ -362,8 +362,8 @@ std::string auth::TokenCache::generateRawJwt(VPackSlice const& body) const {
     headerBuilder.add("typ", VPackValue("JWT"));
   }
 
-  std::string fullMessage(StringUtils::encodeBase64(headerBuilder.toJson()) +
-                          "." + StringUtils::encodeBase64(body.toJson()));
+  std::string fullMessage(StringUtils::encodeBase64U(headerBuilder.toJson()) +
+                          "." + StringUtils::encodeBase64U(body.toJson()));
   if (_jwtSecret.empty()) {
     LOG_TOPIC(INFO, Logger::AUTHENTICATION)
         << "Using cluster without JWT Token";