
What is the correct way to decode JWT(id_token)?

After referring to the JWT (id_token) decoding docs,

I'm confused whether the major service providers will follow the same technique...

The Microsoft OAuth 2.0 client in the git project, in its getUserEmailFromIdToken() function, did not pad the extra = signs based on the size, e.g. $extrapadds = $jwtTokenSize % 4;

and the Yahoo OAuth 2.0 OpenID id_token docs also didn't mention it anywhere, not even the basic string substitutions of "-" and "_" for "+" and "/".

Is it because these service providers (Microsoft and Yahoo) didn't follow the standards, or did they somehow find a way to avoid such scenarios?

Please clarify this for me... and share code if possible explaining the right way to decode the JWT id_token.

Crystal Paladin asked Dec 31 '25 06:12


1 Answer

To use a base64 decoder on a base64url-encoded token (which is what the JWT is), the padding is not really required, just recommended by the spec; see Why does base64 encoding require padding if the input length is not divisible by 3?

Also: decoder implementations may be able to deal with the padding themselves.

The Yahoo docs are really wrong, as base64 encoding is different from base64url encoding and the spec dictates base64url: https://www.rfc-editor.org/rfc/rfc7519#section-3. Yahoo is not really an OpenID Connect provider (yet), so that may be why it wasn't fixed before: Yahoo Oauth2/OpenIDconnect

Hans Z. answered Jan 01 '26 21:01
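As an added example (not code from the question, the answer, or any provider's library), this decodes a JWT the way the answer describes: the segments use the base64url alphabet and arrive without padding, so the padding is restored before handing them to a decoder that insists on it. The token, issuer, key id and claim values below are constructed for illustration, and the code only decodes the token; it does not verify the signature.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment that may lack '=' padding.

    JWT segments use '-' and '_' instead of '+' and '/' and drop the padding.
    urlsafe_b64decode handles the alphabet but still wants padding, hence
    the explicit "% 4" calculation that the question asked about.
    """
    missing = (-len(segment)) % 4  # characters needed to reach a multiple of 4
    if missing == 3:
        raise ValueError("invalid base64url length")  # 1 mod 4 is never valid
    return base64.urlsafe_b64decode(segment + "=" * missing)


def b64url_encode(data: bytes) -> str:
    """Inverse of b64url_decode: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> tuple[dict, dict, bytes]:
    """Split a compact-serialised JWT into (header, claims, raw signature).

    This only decodes. The claims stay untrusted until the signature has
    been verified against the issuer's published key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])


# Constructed sample id_token (not issued by any real provider). The header
# JSON is 49 bytes, so its segment would need "==" padding; the placeholder
# signature bytes are chosen so that segment contains both '-' and '_'.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "example-key-1"}
SAMPLE_CLAIMS = {"iss": "https://issuer.example", "sub": "user-42",
                 "aud": "client-abc", "exp": 1900000000}
SAMPLE_SIGNATURE = bytes(range(250, 256)) * 4 + b"\xfe\xff"  # placeholder
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()),
    b64url_encode(SAMPLE_SIGNATURE),
])
```

Run decode_jwt_unverified(SAMPLE_TOKEN) to see the header and claims come back as dicts even though no segment in the token carries a '=' and two segments contain characters a plain base64 decoder would reject.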


