From 6bafd7b14485628fe318102f856b777b912ff2c5 Mon Sep 17 00:00:00 2001
From: jasquat <2487833+jasquat@users.noreply.github.com>
Date: Wed, 3 Jan 2024 16:14:14 -0500
Subject: [PATCH] use urlsafe_base64decode for keycloak id tokens to support
 certain utf8 characters w/ burnettk (#852)

Co-authored-by: jasquat <jasquat@users.noreply.github.com>
---
 .../spiffworkflow_backend/routes/authentication_controller.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/authentication_controller.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/authentication_controller.py
index cfaeff5ce..a270dd10b 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/authentication_controller.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/authentication_controller.py
@@ -456,7 +456,9 @@ def _parse_id_token(token: str) -> Any:
 
     payload = parts[1]
     padded = payload + "=" * (4 - len(payload) % 4)
-    decoded = base64.b64decode(padded)
+
+    # https://lists.jboss.org/pipermail/keycloak-user/2016-April/005758.html
+    decoded = base64.urlsafe_b64decode(padded)
     return json.loads(decoded)