Igor VANIAN Igor VANIAN -3 years ago 164
PHP Question

PHP JWT Invalid signature

Given this code:

function base64url_encode($data) {
return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');

$key = 'secret';

//setting the header: 'alg' => 'HS256' indicates that this token is signed using HMAC-SHA256
$header = array(
'alg' => 'HS256',
'typ' => 'JWT'

// Returns the JSON representation of the header
$header = json_encode($header);

//encodes the $header with base64.
$header = base64url_encode($header);

$payload = array("a" => "b");

$payload = json_encode($payload);
$payload = base64url_encode($payload);

$signature = hash_hmac('SHA256','$header.$payload', $key, true);
$signature = base64url_encode($signature);

echo "$header.$payload.$signature";

Returns the following JWT:


But the signature is not verified at https://jwt.io/
The payload is decrypted well though... What may be the problem ?

Answer Source

You are using single quotes around $header.payload when calculating the HMAC, rather than double quotes; the former uses the literal string and does not expand the variables:

$signature = hash_hmac('SHA256', "$header.$payload", $key, true);
Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download