Jwt.io debug tool problem report

Hi, I recently encountered an issue/problem with the jwt.io debugger tool while I was attempting to validate a signature on a test JWT.

Specifically, when I paste my token into “encoded” input, then past my secret into the “verify signature” input, the debugger tool updates my payload data (stripping out any whitespace) and produces a signature based on the updated data, not based on the data I’d originally supplied.

This is not expected behaviour, some vendors do include whitespace in JWT tokens. You should not be stripping the whitespace from a user supplied encoded token as it makes it impossible to verify the signature using jwt.io if your payload contains any whitespace.

I’ve generated an unused token to demonstrate issue:->

JWT Token:
“eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.ew0KICAiYWN0aXZpdHlPYmplY3RJRCI6ICJmNjg3Y2YxZi00MDUyLTQ5MTctOWIxMi04NjYxNWQ3YjRiZGMiLA0KICAiaW50ZXJhY3Rpb25JZCI6ICJjYmFjOTQxZC04ZmQxLTRhZDctYjIyNS0zMDhlYTg4OTk3NDQiLA0KICAib3JpZ2luYWxEZWZpbml0aW9uSWQiOiAiY2JhYzk0MWQtOGZkMS00YWQ3LWIyMjUtMzA4ZWE4ODk5NzQ0IiwNCiAgImludGVyYWN0aW9uS2V5IjogImRkNjY5YTRjLWRjNWEtYzg4Yi00MDczLWFkYWM5OWIxNjQzMiIsDQogICJpbnRlcmFjdGlvblZlcnNpb24iOiAiMSINCn0.pSicdDjh7ae7Qay2mZ4M2X348YZXQ4or1pF7DwQCVMc”

Secret:
_uCwxyLm_XcR6vIw30jnUpe2DXTVNGIuOlOGxU4w2vRCfcb8UuoX-szna_mDwa0wzp0o7knui5uKDosUkdCPvMm4het5N1oRi0Oa_qYfiTVsYJ3_txnVhjlc-PzOe5lmg_t9wbCZ1s1vbASkHz2EFWZQsch–XpsB93BnqWNuwmmtx3HzbpHBPQYFNGyLNCeTP-k7rhg3Y56ZJPWojNfiNc2WM2WunyDweJh4Pzs5ggR_9wetKfLyLPyobtTSg2

Steps to reproduce:

  1. Paste token into encoded window.
  2. Paste priv key into verify signature window
  3. Compare original payload to updated payload and see its updated.

Orig Payload decoded:
{
“activityObjectID”: “f687cf1f-4052-4917-9b12-86615d7b4bdc”,
“interactionId”: “cbac941d-8fd1-4ad7-b225-308ea8899744”,
“originalDefinitionId”: “cbac941d-8fd1-4ad7-b225-308ea8899744”,
“interactionKey”: “dd669a4c-dc5a-c88b-4073-adac99b16432”,
“interactionVersion”: “1”
}

jwt.io Updated Payload decoded:
{“activityObjectID”:“f687cf1f-4052-4917-9b12-86615d7b4bdc”,“interactionId”:“cbac941d-8fd1-4ad7-b225-308ea8899744”,“originalDefinitionId”:“cbac941d-8fd1-4ad7-b225-308ea8899744”,“interactionKey”:“dd669a4c-dc5a-c88b-4073-adac99b16432”,“interactionVersion”:“1”}

Expected Signature:
pSicdDjh7ae7Qay2mZ4M2X348YZXQ4or1pF7DwQCVMc

Actual Signature produced by jwt.io:
IiesxVwZG838IzSpzIw2ya-_zdYwlB2Aa2VdQGf_YFI