From d500f81895a52936549619e0a9079b17f5d375cd Mon Sep 17 00:00:00 2001
From: Thomas Fink <53316058+ThomasAFink@users.noreply.github.com>
Date: Mon, 27 Jan 2025 14:58:55 +0100
Subject: [PATCH] fix(ZMS-3550): change testAccess try fix UTF8 KeycloakInstance.php (#802)
---
 .../Middleware/OAuth/KeycloakInstance.php | 27 +++++++++++--------
 1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/zmsslim/src/Slim/Middleware/OAuth/KeycloakInstance.php b/zmsslim/src/Slim/Middleware/OAuth/KeycloakInstance.php
index cdd3bff4b..0b6fcfca0 100644
--- a/zmsslim/src/Slim/Middleware/OAuth/KeycloakInstance.php
+++ b/zmsslim/src/Slim/Middleware/OAuth/KeycloakInstance.php
@@ -101,9 +101,9 @@ private function testAccess(AccessToken $token)
 'event' => 'oauth_token_validation',
 'timestamp' => date('c')
 ]);
-
+
 list($header, $payload, $signature) = explode('.', $token->getToken());
-
+
 if (empty($header)) {
 $this->logger->error('Token validation failed', [
 'event' => 'oauth_token_validation_failed',
@@ -128,11 +128,16 @@ private function testAccess(AccessToken $token)
 ]);
 throw new \BO\Slim\Exception\OAuthFailed();
 }
-
+
 $realmData = $this->provider->getBasicOptionsFromJsonFile();
- $accessTokenPayload = json_decode(base64_decode($payload), true);
+
+ // Fix: Properly handle base64url encoding before JSON decoding
+ $payload = str_replace(['-', '_'], ['+', '/'], $payload);
+ $payload = base64_decode($payload . str_repeat('=', 4 - (strlen($payload) % 4)));
+ $accessTokenPayload = json_decode($payload, true);
+
 $clientRoles = array();
-
+
 if ($accessTokenPayload === null) {
 $this->logger->error('Token validation failed', [
 'event' => 'oauth_token_validation_failed',
@@ -142,7 +147,7 @@ private function testAccess(AccessToken $token)
 ]);
 throw new \BO\Slim\Exception\OAuthFailed();
 }
-
+
 if (!isset($accessTokenPayload['resource_access']) || !is_array($accessTokenPayload['resource_access'])) {
 $this->logger->error('Token validation failed', [
 'event' => 'oauth_token_validation_failed',
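Review bot: Nothing in this hunk (or the earlier one that splits the token) checks `$signature`, so the roles read from `resource_access` are whatever the bearer put in the payload unless the token was already verified upstream against Keycloak's JWKS or introspection endpoint — worth confirming and recording in a comment next to the decode, since testAccess starts and ends outside the hunk. The padding arithmetic on the `str_repeat` line is also off in one case: when `strlen($payload) % 4 === 0` it appends four `=` characters, which PHP's lenient decoder tolerates but strict decoding rejects; use `str_repeat('=', (4 - strlen($payload) % 4) % 4)`. Because this input is attacker-controlled, decode with `base64_decode($payload . $pad, true)` so malformed input yields `false` (json_decode then returns null and the existing null check throws) instead of being silently decoded around invalid characters.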
@@ -153,7 +158,7 @@ private function testAccess(AccessToken $token)
 ]);
 throw new \BO\Slim\Exception\OAuthFailed();
 }
-
+
 if (!isset($accessTokenPayload['resource_access'][\App::IDENTIFIER])) {
 $this->logger->error('Token validation failed', [
 'event' => 'oauth_token_validation_failed',
@@ -164,10 +169,10 @@ private function testAccess(AccessToken $token)
 ]);
 throw new \BO\Slim\Exception\OAuthFailed();
 }
-
+
 $resourceAccess = $accessTokenPayload['resource_access'];
 $appIdentifierRoles = $resourceAccess[\App::IDENTIFIER]['roles'] ?? null;
-
+
 if (!$appIdentifierRoles || !is_array($appIdentifierRoles)) {
 $this->logger->error('Token validation failed', [
 'event' => 'oauth_token_validation_failed',
@@ -178,7 +183,7 @@ private function testAccess(AccessToken $token)
 ]);
 throw new \BO\Slim\Exception\OAuthFailed();
 }
-
+
 if (is_array($accessTokenPayload['resource_access'])) {
 $clientRoles = array_values($accessTokenPayload['resource_access'][\App::IDENTIFIER]['roles']);
 }
@@ -193,7 +198,7 @@ private function testAccess(AccessToken $token)
 ]);
 throw new \BO\Slim\Exception\OAuthFailed();
 }
-
+
 \App::$log->info('Token validation successful', [
 'event' => 'oauth_token_validation_success',
 'timestamp' => date('c')