Skip to content

base64url encoding

October 17, 2014

It’s often more convenient to manage data in text format rather than binary data (for example a string column in a database, or a string rendered into a HTTP response). Common examples in security are digital signatures and encryption. Signing and encrypting typically produce bytes of data and in a web application sometimes it’s just easier to manage that data as text.

Base64 is a useful tool for doing this encoding. The only problem is that base64 encoding uses characters that do not work well in URLs and sometimes HTTP headers (e.g. the +, / and = characters are either reserved or have special meaning in URLs). URL encoding is designed to address that problem, but it’s sometimes error prone (e.g. double encoding) or the tooling just doesn’t do the right thing (IIS decodes %2F into a / before it arrives into the application and thus confuses the ASP.NET routing framework). It is very useful to put these sorts of values in a URL, but it’s also frustrating that it’s problematic and that we have to work around these issues again and again.

While reading the JWT specs they faced the same problem and they addressed it by using base64url encoding (which is almost the same, yet different than base64 encoding). Base64url encoding is basically base64 encoding except they use non-reserved URL characters (e.g. – is used instead of + and _ is used instead of /) and they omit the padding characters. I’ve been using this for some time now and am quite happy with it as a replacement for base64 encoding.

Unfortunately there’s no implementation (that I know of) in the .NET framework for this, so we’ve built our own in our Thinktecture.IdentityModel security helper library. You can use our helpers by using the NuGet, or you can grab the code from here, or you can just copy from the snippet below.

public static class Base64Url
    public static string Encode(byte[] arg)
        string s = Convert.ToBase64String(arg); // Standard base64 encoder
        s = s.Split('=')[0]; // Remove any trailing '='s
        s = s.Replace('+', '-'); // 62nd char of encoding
        s = s.Replace('/', '_'); // 63rd char of encoding
        return s;

    public static byte[] Decode(string arg)
        string s = arg;
        s = s.Replace('-', '+'); // 62nd char of encoding
        s = s.Replace('_', '/'); // 63rd char of encoding
        switch (s.Length % 4) // Pad with trailing '='s
            case 0: break; // No pad chars in this case
            case 2: s += "=="; break; // Two pad chars
            case 3: s += "="; break; // One pad char
            default: throw new Exception("Illegal base64url string!");
        return Convert.FromBase64String(s); // Standard base64 decoder

Edit: Turns out there are two places in .NET where this sort of functionality is available: 1) ASP.NET’s HttpServerUtility.UrlTokenEncode, and 2) Katana’s Microsoft.Owin.Security assembly with the Base64UrlTextEncoder class.

Boston .NET Architecture Group, October 2014

October 15, 2014

Very last minute, but I’ll be speaking at the Boston .NET Architecture Group tonight (October 15th, 2014) at 6pm. The topic is “Unifying Authentication and Authorization with OpenID Connect and Thinktecture IdentityServer v3“.

Hope to see you there.

Demos — IT/DevConnections 2014

September 17, 2014

Here are the demos from my sessions at IT/DevConnections 2014:

Thanks to everyone that attended!

Thinktecture IdentityManager beta 1

September 8, 2014

Dominick and I have been quite busy on IdentityServer v3 as well as IdentityManager. We’re making good progress and this post is to announce beta 1 of IdentityManager.

A brief recap of what IdentityManager is all about:

IdentityManager is a tool for developers and/or administrators to manage the identity information for users of their applications. This includes creating users, editing user information (passwords, email, claims, etc.) and deleting users. It provides a modern replacement for the ASP.NET WebSite Administration tool that used to be built into Visual Studio.

Some features that IdentityManager provides:

  • A browser based user interface as well as a RESTful API for managing user identity data
  • Allows creating, deleting, and managing user identity data
    • Claims as well as strongly typed properties are supported
  • Allows managing role definitions
  • Special support for MembershipReboot and ASP.NET Identity identity management systems
    • Extensible API to allow for additional identity management systems such as ActiveDirectory, WAAD, LDAP and/or ASP.NET Membership (if you’re interesting in contributing, this would be a great area to help out with!)
  • Designed as OWIN middleware to allow for flexible hosting
  • Security model to authorize local users or users from an external OAuth2 authorization server
  • Open source (BSD3)

Here are some updated screen shots:





Feel free to check out the documentation, the code, and please provide feedback. Thanks.

IT/DevConnections 2014

July 18, 2014

I will be speaking at IT/DevConnections in September, 2014 in Las Vegas. Here is the link to my sessions. They include:

Additionally I will be doing a full day workshop on Identity and Access Control for Modern Applications.

Hope to see you there.


Demos — NDC Oslo, 2014

June 5, 2014

Here is the link for the slides and demos for my session on OWIN and Katana at NDC Oslo, 2014:

Thanks for attending!

Edit: The video is also posted here:


NDC Oslo, 2014

May 25, 2014

I’ll be speaking at NDC in Oslo this June (2014). Dominick and I are also doing a 2-day workshop on security (go figure).