Hi, I recently encountered an issue/problem with the jwt.io debugger tool while I was attempting to validate a signature on a test JWT.
Specifically, when I paste my token into the “encoded” input, then paste my secret into the “verify signature” input, the debugger tool updates my payload data (stripping out any whitespace) and produces a signature based on the updated data, not based on the data I’d originally supplied.
This is not expected behaviour; some vendors do include whitespace in JWT tokens. You should not be stripping the whitespace from a user-supplied encoded token, as it makes it impossible to verify the signature using jwt.io if your payload contains any whitespace.
I’ve generated an unused token to demonstrate the issue:
JWT Token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.ew0KICAiYWN0aXZpdHlPYmplY3RJRCI6ICJmNjg3Y2YxZi00MDUyLTQ5MTctOWIxMi04NjYxNWQ3YjRiZGMiLA0KICAiaW50ZXJhY3Rpb25JZCI6ICJjYmFjOTQxZC04ZmQxLTRhZDctYjIyNS0zMDhlYTg4OTk3NDQiLA0KICAib3JpZ2luYWxEZWZpbml0aW9uSWQiOiAiY2JhYzk0MWQtOGZkMS00YWQ3LWIyMjUtMzA4ZWE4ODk5NzQ0IiwNCiAgImludGVyYWN0aW9uS2V5IjogImRkNjY5YTRjLWRjNWEtYzg4Yi00MDczLWFkYWM5OWIxNjQzMiIsDQogICJpbnRlcmFjdGlvblZlcnNpb24iOiAiMSINCn0.pSicdDjh7ae7Qay2mZ4M2X348YZXQ4or1pF7DwQCVMc
Secret:
_uCwxyLm_XcR6vIw30jnUpe2DXTVNGIuOlOGxU4w2vRCfcb8UuoX-szna_mDwa0wzp0o7knui5uKDosUkdCPvMm4het5N1oRi0Oa_qYfiTVsYJ3_txnVhjlc-PzOe5lmg_t9wbCZ1s1vbASkHz2EFWZQsch–XpsB93BnqWNuwmmtx3HzbpHBPQYFNGyLNCeTP-k7rhg3Y56ZJPWojNfiNc2WM2WunyDweJh4Pzs5ggR_9wetKfLyLPyobtTSg2
Steps to reproduce:
- Paste token into encoded window.
- Paste priv key into verify signature window
- Compare the original payload to the updated payload and see that it’s been updated.
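To show the mechanism behind the report, here is an added example (not jwt.io's code and not the poster's token) that signs a constructed payload containing CRLF and indentation with HS256, then verifies it two ways: over the segments exactly as received, and after re-serializing the payload JSON compactly the way the debugger appears to. The secret and claims are made up for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret; not the one from the report.
SECRET = b"example-hs256-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def sign_hs256(header: str, payload: str, secret: bytes) -> str:
    # The MAC covers the exact base64url text of header and payload, so any
    # change to the payload bytes (whitespace included) changes the signature.
    signing_input = f"{b64url_encode(header.encode())}.{b64url_encode(payload.encode())}"
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    # Correct behaviour: verify over the segments as received, never re-encode them.
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url_decode(sig), expected)


def verify_after_reserialize(token: str, secret: bytes) -> bool:
    # Mimics a verifier that parses the payload JSON and re-encodes it compactly
    # before checking; this is the behaviour the report describes.
    head, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    compact = json.dumps(claims, separators=(",", ":"))
    rebuilt = f"{head}.{b64url_encode(compact.encode())}"
    expected = hmac.new(secret, rebuilt.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url_decode(sig), expected)


HEADER = '{"typ":"JWT","alg":"HS256"}'
# Constructed pretty-printed payload with CRLF and indentation, like the report's token.
PRETTY_PAYLOAD = '{\r\n  "interactionVersion": "1",\r\n  "interactionId": "abc"\r\n}'
TOKEN = sign_hs256(HEADER, PRETTY_PAYLOAD, SECRET)

if __name__ == "__main__":
    print("verify over original bytes:", verify_hs256(TOKEN, SECRET))       # True
    print("verify after re-serializing:", verify_after_reserialize(TOKEN, SECRET))  # False
```

A token whose payload was already compact verifies both ways, which is why the problem only shows up with vendors that pretty-print claims.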