fix(runs): tolerate base64 padding when decoding forwarded JWT claims

AWS ALB's x-amzn-oidc-data JWT pads the base64url payload, which strict
RawURLEncoding rejects — so the cookie/UI path silently dropped the user's claims
(email, name) and fell back to subject-only. Decode with padding tolerance. This
surfaced once `profile`/`email` scopes enlarged the payload so its length stopped
being padding-free. Also removed the temporary AUTHDEBUG diagnostic.

Signed-off-by: Kevin Su <pingsutw@apache.org>

Author: pingsutw

runs/service/identity.go

@@ -59,7 +59,7 @@ func identityFromJWT(token string) *common.EnrichedIdentity {
 	if len(parts) != 3 {
 		return nil
 	}
-	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+	payload, err := decodeJWTSegment(parts[1])
 	if err != nil {
 		return nil
 	}
@@ -78,6 +78,20 @@ func identityFromJWT(token string) *common.EnrichedIdentity {
 	return id
 }
 
+// decodeJWTSegment base64url-decodes a JWT segment, tolerating both the unpadded
+// form (per the JWT spec) and the padded form some issuers — notably AWS ALB's
+// x-amzn-oidc-data — emit. Without this, a payload whose length isn't a multiple of
+// 4 fails strict RawURLEncoding and the claims (email, name) are silently dropped.
+func decodeJWTSegment(seg string) ([]byte, error) {
+	if b, err := base64.RawURLEncoding.DecodeString(seg); err == nil {
+		return b, nil
+	}
+	if pad := len(seg) % 4; pad != 0 {
+		seg += strings.Repeat("=", 4-pad)
+	}
+	return base64.URLEncoding.DecodeString(seg)
+}
+
 // subjectOnlyIdentity builds a minimal EnrichedIdentity carrying just the subject.
 // Mirrors the cloud transformer fallback; used when only the subject is available.
 func subjectOnlyIdentity(subject string) *common.EnrichedIdentity {

runs/service/identity_test.go

@@ -14,6 +14,21 @@ func jwt(payloadJSON string) string {
 	return enc(`{"alg":"RS256"}`) + "." + enc(payloadJSON) + ".sig"
 }
 
+// jwtPadded builds a JWT whose payload uses padded base64url, as AWS ALB's
+// x-amzn-oidc-data does. The decoder must tolerate the padding.
+func jwtPadded(payloadJSON string) string {
+	enc := func(s string) string { return base64.RawURLEncoding.EncodeToString([]byte(s)) }
+	return enc(`{"alg":"ES256"}`) + "." + base64.URLEncoding.EncodeToString([]byte(payloadJSON)) + ".sig"
+}
+
+func TestIdentityFromJWT_ToleratesPadding(t *testing.T) {
+	id := identityFromJWT(jwtPadded(`{"sub":"00u1","given_name":"Kevin","family_name":"Su","email":"kevin@union.ai"}`))
+	assert.Equal(t, "00u1", id.GetUser().GetId().GetSubject())
+	assert.Equal(t, "Kevin", id.GetUser().GetSpec().GetFirstName())
+	assert.Equal(t, "Su", id.GetUser().GetSpec().GetLastName())
+	assert.Equal(t, "kevin@union.ai", id.GetUser().GetSpec().GetEmail())
+}
+
 func TestIdentityFromHeaders(t *testing.T) {
 	tests := []struct {
 		name                         string

runs/service/run_service.go

@@ -334,7 +334,7 @@ func (s *RunService) CreateRun(
 	executedBy := identityFromHeaders(req.Header())
 	executedBy = s.enricher.enrich(ctx, accessTokenFromHeaders(req.Header()), executedBy)
 
-	// Persist task spec and create run model
+	// Persist task spec and create a run model
 	run, err := s.persistRunModel(ctx, runId, taskID, taskSpec, inputPrefix, runOutputBase, runSpec, request.GetSource(), triggerName, triggerTaskName, triggerRevision, triggerType, executedBy)
 	if err != nil {
 		logger.Errorf(ctx, "Failed to create run: %v", err)