Guardian error when creating jwt token

I have this Guardian module:

defmodule Sntx.Guardian do
  use Guardian, otp_app: :sntx

  alias Sntx.Repo
  alias Sntx.User.Account

  def subject_for_token(user, _claims) do
    sub = to_string(
    {:ok, sub}

  def resource_from_claims(claims) do
    user = Repo.get(Account, claims["sub"])
    {:ok, user}

  def after_encode_and_sign(resource, claims, token, _options) do
    with {:ok, _} <- Guardian.DB.after_encode_and_sign(resource, claims["typ"], claims, token) do
      {:ok, token}

  def on_verify(claims, token, _options) do
    with {:ok, _} <- Guardian.DB.on_verify(claims, token) do
      {:ok, claims}

  def on_refresh({old_token, old_claims}, {new_token, new_claims}, _options) do
    with {:ok, _, _} <- Guardian.DB.on_refresh({old_token, old_claims}, {new_token, new_claims}) do
      {:ok, {old_token, old_claims}, {new_token, new_claims}}

  def on_revoke(claims, token, _options) do
    with {:ok, _} <- Guardian.DB.on_revoke(claims, token) do
      {:ok, claims}

Then, if I try to execute Sntx.Guardian.encode_and_sign(%{id: "123"}) I receive this error:

** (CaseClauseError) no case clause matching: 43
    (jose 1.11.5) src/base/jose_base64url.erl:136: :jose_base64url."-decode!/2-lbc$^0/2-0-"/2
    (jose 1.11.5) src/base/jose_base64url.erl:136: :jose_base64url.decode!/2
    (jose 1.11.5) src/jwk/jose_jwk_kty_oct.erl:50: :jose_jwk_kty_oct.from_map/1
    (jose 1.11.5) src/jwk/jose_jwk.erl:304: :jose_jwk.from_map/1
    (jose 1.11.5) lib/jose/jwk.ex:140: JOSE.JWK.from_map/1
    (guardian 2.3.1) lib/guardian/token/jwt.ex:272: Guardian.Token.Jwt.create_token/3
    (guardian 2.3.1) lib/guardian.ex:776: Guardian.returning_tuple/1
    (guardian 2.3.1) lib/guardian.ex:602: Guardian.encode_and_sign/4

I’m really confused about this error. Any idea that what this means?

There is a public repo here: GitHub - zoedsoupe/sntx, on branch feature/blog-posts

The basic cause is that a + character (byte value 43) appears in a string that :jose_jwk.from_map/1 treats as encoded in URL-safe Base64, which doesn’t allow that character. That behavior is directly from the specification for kty = oct.

The root cause is that this incorrectly-encoded value is being set in config/config.exs from an environment variable: sntx/config.exs at feature/blog-posts · zoedsoupe/sntx · GitHub

Not directly answering your question, but just in case

1 Like

Oh thank you! I generated the token with mix guardian.gen.secret but it seem was generated with a + char!

Yeah, that’s a tricky one - the sets of characters used by encode64 and url_encode64 are nearly the same, so you got a bad roll of the dice.

I created an issue on Guardian to address / document this: