Skip to content
Advertisement

Unable to decode JWT tokens PHP

I tried to decode the given token with the code below. The key is supposed to be base64 encoded. However when I attempt to decode it tells me I have invalid signature. The token is generated from a system using Java and I have to decode it in PHP.

Token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXN1bHQiOiJzdWNjZWVkZWQiLCJpc3MiOiJ4eXoubmUuanAiLCJwcm9maWxlSWRlbnRpZmllciI6IioqKioqKio0NTY3IiwiZXhwIjoxNTk3MjAxNzQyLCJub25jZSI6ImRlNTRlODE3YmQ4NjM4MTI5ZWQ2ZDkxNDA1YTkwMTUyYWIzNTE4N2NkYWMxMDIxNmQ5NWI5NmUzYjgyMjAxNTFhZmU0ZDE4NWZlMzYzNTExNWMwNDFhOWY4OTNjMGZmMGFmZjFkYzBjODgyMDhmMjEwN2ZlMzk5Mzg3ZDMzZGMyZTllY2E5ODA0NDNmZjJiNjZiZDM1ZDk1YjAzY2ExMjIiLCJyZWZlcmVuY2VJZCI6IlRFU1QxMjM1ZjMzNTc3MzBlYjcxIn0.fvEsTg6OcCx2iBPMP-7e9AZtEviDqAEfTMZJib7UVQg

Decoding script

use FirebaseJWTJWT;
$encodedString = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXN1bHQiOiJzdWNjZWVkZWQiLCJpc3MiOiJ4eXoubmUuanAiLCJwcm9maWxlSWRlbnRpZmllciI6IioqKioqKio0NTY3IiwiZXhwIjoxNTk3MjAxNzQyLCJub25jZSI6ImRlNTRlODE3YmQ4NjM4MTI5ZWQ2ZDkxNDA1YTkwMTUyYWIzNTE4N2NkYWMxMDIxNmQ5NWI5NmUzYjgyMjAxNTFhZmU0ZDE4NWZlMzYzNTExNWMwNDFhOWY4OTNjMGZmMGFmZjFkYzBjODgyMDhmMjEwN2ZlMzk5Mzg3ZDMzZGMyZTllY2E5ODA0NDNmZjJiNjZiZDM1ZDk1YjAzY2ExMjIiLCJyZWZlcmVuY2VJZCI6IlRFU1QxMjM1ZjMzNTc3MzBlYjcxIn0.fvEsTg6OcCx2iBPMP-7e9AZtEviDqAEfTMZJib7UVQg";
$key = base64_encode("testing1234453656347nsmvfdbsrtgjnfsjhNJFDJFujragrg");
$decoded = JWT::decode($encodedString, $key, array('HS256'));

It decodes just fine on jwt.io with the secret base64 encoded option selected. What am I doing wrong here?

Advertisement

Answer

When the key is already Base64 encoded, you have to decode it before you pass it to JWT::decode:

$key = base64_decode("testing1234453656347nsmvfdbsrtgjnfsjhNJFDJFujragrg");

This is what JWT.io is doing when the checkbox “secret base64 encoded” is checked.

It literally means: “the secret in the input field is base64 encoded and therefore needs to be decoded”.

And I can confirm that the tokens signature can be verified with this secret and “secret base64 encoded” checked.

The token is generated from a system using Java and I have to decode it in PHP.

This should generally be irrelevant. JWT is based on language independent standards.

User contributions licensed under: CC BY-SA
9 People found this is helpful
Advertisement