Reputation: 863
I'm trying to get my head around JWT tokens in Golang. I'm using github.com/dgrijalva/jwt-go.
What caught me off guard is the fact that I can enter multiple valid signatures.
For example, head over to http://jwt.io - enter MySuperSecretKey for the secret
This token is valid:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU
as well as this one:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaV
In fact, if I change the last letter to V, W or X, I get a "Signature Verified" message.
Can anyone tell me what's going on here?
Upvotes: 2
Views: 3844
Reputation: 3078
It's the Base64 encoding of the signature which can have the last letter changed to certain targets without affecting the relevant bits.
Try popping both signatures into a base64->hex decoder and you'll get the same results. In fact at https://conv.darkbyte.ru/ both signatures get re-evaluated to base64 SxshVL42DUH9e7jXUblbBbTwKxhe4jo70DrvbQMlaQ==
Upvotes: 5
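To make the trailing-bits explanation concrete, here is an added Go example (not code from the question, the answer, or jwt-go) that decodes the two signatures from the question with Go's standard `encoding/base64`. The helper names `decodeLenient`, `decodeStrict` and `canonical` are mine; the behaviour shown is that of the standard library's `RawURLEncoding` with and without `Strict()`.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
)

// The two signatures from the question: same bytes, different last character.
const (
	sigU = "SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU"
	sigV = "SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaV"
)

// decodeLenient behaves like most JWT libraries: a 32-byte HMAC-SHA256 tag
// needs 43 base64url characters (258 bits), so the final character carries
// two unused bits that the decoder simply discards. 'U'=010100, 'V'=010101,
// 'W'=010110 and 'X'=010111 only differ in those two bits.
func decodeLenient(s string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(s)
}

// decodeStrict rejects any input whose unused trailing bits are not zero,
// so only the canonical spelling (ending in 'U' here) is accepted.
func decodeStrict(s string) ([]byte, error) {
	return base64.RawURLEncoding.Strict().DecodeString(s)
}

// canonical re-encodes the decoded bytes and reports whether the token's
// spelling was already canonical; useful if token strings are ever used as
// cache keys or revocation-list entries, where aliases would slip through.
func canonical(s string) (string, bool) {
	raw, err := decodeLenient(s)
	if err != nil {
		return "", false
	}
	enc := base64.RawURLEncoding.EncodeToString(raw)
	return enc, enc == s
}

func main() {
	ref, _ := decodeLenient(sigU)
	for _, last := range "UVWX" {
		sig := sigU[:len(sigU)-1] + string(last)
		raw, _ := decodeLenient(sig)
		_, strictErr := decodeStrict(sig)
		_, isCanon := canonical(sig)
		fmt.Printf("...%s sameBytes=%v strictOK=%v canonical=%v\n",
			sig[len(sig)-3:], bytes.Equal(raw, ref), strictErr == nil, isCanon)
	}
}
```

Signature verification itself is unaffected, because the library compares the decoded bytes; the example only shows why four spellings of the same tag exist and how to detect the non-canonical ones.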