"Illegal base64 character" in ThoughtSpot Authentication
My authentication integration is failing with the error "Illegal base64 character 2d" for certain usernames. I would like to know how best to work around the issue.
I am using a custom authentication service to facilitate authentication from my application to the ThoughtSpot GUI. The technique I am using uses the POST /api/rest/2.0/auth/token/full and POST /tspublic/v1/session/login/token methods of the ThoughtSpot API.
The response from the auth/token/full endpoint is a Base64-encoded string that includes the user's username along with a session token. Our system's usernames have a standard format that includes a tilde (~) character. When the tilde character appears after 38 characters, standard Base64 encoding produces a plus sign:
However, the auth/token/full endpoint is encoding the plus sign as a hyphen instead. See the attached Postman screenshot.
When I redirect to the /tspublic/v1/session/login/token, including the response token as the auth_token form parameter, I get the "Illegal base64 character 2d" error.
Why is the auth/token/full endpoint returning a Base64 string with an invalid character? Is it using the base64url standard? Or is it mistakenly flagging a plus sign as whitespace and replacing it with a hyphen character?
This is tracked as Case 00372423 in the ThoughtSpot community.
5 Replies
Creating a thread to group responses.
Hello @oobug :
We were able to reproduce the error and this will need a patch to fix the issue.
Until the fix is applied, could you please use tspublic/v1/session/auth/token API to generate the token. We will keep you posted via Support ticket once the fix is applied to your cluster.
Do you know whether the issue is that plus signs are being incorrectly escaped or whether the endpoint is using the base64url encoding that uses - and _ characters in place of + and /? With my current integration, it's easier for me to put in a workaround of replacing characters than it is to change the API endpoints I'm using.
Hi @oobug :
Workaround: You can proceed with replacing - with +, once the token is generated and it will continue to work.
Fix: While decoding we will need to change Base64.getDecoder() to Base64.getUrlDecoder() which should solve the problem.
We are working on the fix and will update once this is in place.
Thanks for all the assistance with this!
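The alphabet mismatch discussed in this thread, as an added example that is not part of the original posts or ThoughtSpot's code: a constructed payload with a tilde as its 39th byte encodes to + in standard Base64 and - in base64url, a strict standard decoder rejects the latter, and a client-side normalizer makes it decodable again. The normalizer goes beyond the workaround in the reply by also mapping _ to / and restoring padding; the function names and the sample payload are assumptions.

```python
import base64
import binascii


def to_standard_base64(token: str) -> str:
    """Map a base64url string onto the standard alphabet and restore padding."""
    std = token.strip().replace("-", "+").replace("_", "/")
    return std + "=" * (-len(std) % 4)


def strict_decode(token: str) -> bytes:
    """Decode with the standard alphabet only; any other character is an error."""
    return base64.b64decode(token, validate=True)


def demo():
    # Constructed payload, not a real token. '~' (0x7E) is the 39th byte, i.e.
    # the third byte of a 3-byte group, so its low six bits (111110 = 62)
    # become the last character of that group: '+' in standard Base64 and
    # '-' (hex 2d) in base64url.
    payload = ("u" * 38 + "~example:constructed-session-token").encode()
    standard = base64.b64encode(payload).decode()
    urlsafe = base64.urlsafe_b64encode(payload).decode()

    # A strict standard-alphabet decoder refuses the base64url form.
    try:
        strict_decode(urlsafe)
        rejected = False
    except binascii.Error:
        rejected = True

    # After normalization the same decoder recovers the original bytes.
    recovered = strict_decode(to_standard_base64(urlsafe))
    return payload, standard, urlsafe, rejected, recovered


if __name__ == "__main__":
    payload, standard, urlsafe, rejected, recovered = demo()
    print("standard :", standard)
    print("base64url:", urlsafe)
    print("strict decoder rejects base64url:", rejected)
    print("round trip after normalization:", recovered == payload)
```
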