3

I tried to decode the given token with the code below. The key is supposed to be base64 encoded. However, when I attempt to decode it, it tells me I have an invalid signature. The token is generated from a system using Java and I have to decode it in PHP.

Token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXN1bHQiOiJzdWNjZWVkZWQiLCJpc3MiOiJ4eXoubmUuanAiLCJwcm9maWxlSWRlbnRpZmllciI6IioqKioqKio0NTY3IiwiZXhwIjoxNTk3MjAxNzQyLCJub25jZSI6ImRlNTRlODE3YmQ4NjM4MTI5ZWQ2ZDkxNDA1YTkwMTUyYWIzNTE4N2NkYWMxMDIxNmQ5NWI5NmUzYjgyMjAxNTFhZmU0ZDE4NWZlMzYzNTExNWMwNDFhOWY4OTNjMGZmMGFmZjFkYzBjODgyMDhmMjEwN2ZlMzk5Mzg3ZDMzZGMyZTllY2E5ODA0NDNmZjJiNjZiZDM1ZDk1YjAzY2ExMjIiLCJyZWZlcmVuY2VJZCI6IlRFU1QxMjM1ZjMzNTc3MzBlYjcxIn0.fvEsTg6OcCx2iBPMP-7e9AZtEviDqAEfTMZJib7UVQg

Decoding script

use \Firebase\JWT\JWT;
$encodedString = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXN1bHQiOiJzdWNjZWVkZWQiLCJpc3MiOiJ4eXoubmUuanAiLCJwcm9maWxlSWRlbnRpZmllciI6IioqKioqKio0NTY3IiwiZXhwIjoxNTk3MjAxNzQyLCJub25jZSI6ImRlNTRlODE3YmQ4NjM4MTI5ZWQ2ZDkxNDA1YTkwMTUyYWIzNTE4N2NkYWMxMDIxNmQ5NWI5NmUzYjgyMjAxNTFhZmU0ZDE4NWZlMzYzNTExNWMwNDFhOWY4OTNjMGZmMGFmZjFkYzBjODgyMDhmMjEwN2ZlMzk5Mzg3ZDMzZGMyZTllY2E5ODA0NDNmZjJiNjZiZDM1ZDk1YjAzY2ExMjIiLCJyZWZlcmVuY2VJZCI6IlRFU1QxMjM1ZjMzNTc3MzBlYjcxIn0.fvEsTg6OcCx2iBPMP-7e9AZtEviDqAEfTMZJib7UVQg";
$key = base64_encode("testing1234453656347nsmvfdbsrtgjnfsjhNJFDJFujragrg");
$decoded = JWT::decode($encodedString, $key, array('HS256'));

It decodes just fine on jwt.io with the secret base64 encoded option selected. What am I doing wrong here?

jps
Ayaskant Mishra

2 Answers

5

When the key is already Base64 encoded, you have to decode it before you pass it to JWT::decode:

$key = base64_decode("testing1234453656347nsmvfdbsrtgjnfsjhNJFDJFujragrg");

This is what JWT.io is doing when the checkbox "secret base64 encoded" is checked.

It literally means: "the secret in the input field is base64 encoded and therefore needs to be decoded".

And I can confirm that the token's signature can be verified with this secret and "secret base64 encoded" checked.

> The token is generated from a system using Java and I have to decode it in PHP.

This should generally be irrelevant. JWT is based on language independent standards.

jps
  • Appreciate the help. I really didn't want to believe this but I am working with an API that is string that has not been originally base64 encoded. Wouldn't my JWT key be garbage value? Wouldn't this be something that can be broken by a change in the interpreter or compiler? – Ayaskant Mishra Aug 12 '20 at 20:08
  • I'm not really sure what you're asking. The secret in your question is certainly not something that was really base64 encoded (if this is what you mean) but for base64 it doesn't matter, as long as all the characters are valid base64 characters. And the secret itself in HMAC-SHA256 has also no specified format, just a bunch of bits (unlike for example RS256). It's all fine, I don't see what could break here. – jps Aug 12 '20 at 20:15
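
What the fix above amounts to at the byte level, as an added example that is not part of the original posts and does not use firebase/php-jwt: a hand-written HS256 check in plain PHP, run over a constructed sample token (its claims and the `example.invalid` issuer are made up) with the secret text from the question. The helper names are illustrative. Only the `base64_decode()` key verifies; the `base64_encode()` key and the raw text are different byte strings, so their HMACs do not match.

```php
<?php
// Added illustration: manual HS256 verification with three readings of one secret.

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): string {
    return base64_decode(strtr($txt, '-_', '+/'));
}

// HMAC-SHA256 over "header.payload" with the raw key bytes, base64url-encoded.
function hs256_sign(string $signingInput, string $keyBytes): string {
    return b64url_encode(hash_hmac('sha256', $signingInput, $keyBytes, true));
}

// Recompute the signature and compare it in constant time.
function hs256_verify(string $jwt, string $keyBytes): bool {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    [$h, $p, $sig] = $parts;
    $header = json_decode(b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return false; // the verifier pins the algorithm, not the token
    }
    return hash_equals(hs256_sign("$h.$p", $keyBytes), $sig);
}

$secretText = "testing1234453656347nsmvfdbsrtgjnfsjhNJFDJFujragrg"; // from the question
$issuerKey  = base64_decode($secretText); // what "secret base64 encoded" means
$wrongKey   = base64_encode($secretText); // the key built in the question's script

// Constructed sample token, signed with the decoded key bytes.
$h = b64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
$p = b64url_encode(json_encode(['result' => 'succeeded', 'iss' => 'example.invalid']));
$jwt = "$h.$p." . hs256_sign("$h.$p", $issuerKey);

printf("key lengths: text=%d decoded=%d encoded=%d\n",
    strlen($secretText), strlen($issuerKey), strlen($wrongKey));
var_dump(hs256_verify($jwt, $issuerKey));  // decoded key bytes
var_dump(hs256_verify($jwt, $wrongKey));   // base64_encode()'d key
var_dump(hs256_verify($jwt, $secretText)); // raw text used as the key
```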
0

As per the new implementation, you will need to include the use \Firebase\JWT\Key; statement. By using the JWT::decode() method with the provided parameters and an instance of the Key class, you can effectively decode a JWT token.

use \Firebase\JWT\JWT;
use \Firebase\JWT\Key;

$encodedString = "";
$key = base64_decode("testing1234453656347nsmvfdbsrtgjnfsjhNJFDJFujragrg");
$decoded = JWT::decode($encodedString, new Key($key, 'HS256'));
Hemant