diff --git a/src/Serialization/Compact.php b/src/Serialization/Compact.php
index abe1704..8f4677d 100644
--- a/src/Serialization/Compact.php
+++ b/src/Serialization/Compact.php
@@ -103,6 +103,11 @@ public function deserialize($jwt)
         list($encodedHeader, $encodedPayload, $encodedSignature) = array_pad(explode('.', $jwt, 3), 3, null);
 
+        // Store the encoded unsigned value for verification later. We do this because JSON can change order or spacing and such and
+        // and still have the same value. However, the signature algorithms don't handle that concept. So we keep the original value
+        // to use to verify the signature.
+        $token->setTokenBody($encodedHeader . "." . $encodedPayload);
+
         $decodedHeader = $this->encoding->decode($encodedHeader);
         $decodedPayload = $this->encoding->decode($encodedPayload);
         $decodedSignature = $this->encoding->decode($encodedSignature);
diff --git a/src/Token.php b/src/Token.php
index ef3115c..3c5c458 100644
--- a/src/Token.php
+++ b/src/Token.php
@@ -24,6 +24,11 @@ class Token
      */
     private $signature;
 
+    /**
+     * @var tokenBody
+     */
+    private $tokenBody;
+
     public function __construct()
     {
         $this->header = new Header();
@@ -78,4 +83,20 @@ public function setSignature($signature)
     {
         $this->signature = $signature;
     }
+
+    /**
+     * @param string $body
+     */
+    public function setTokenBody($body)
+    {
+        $this->tokenBody = $body;
+    }
+
+    /**
+     * @return string
+     */
+    public function getTokenBody()
+    {
+        return $this->tokenBody;
+    }
 }
diff --git a/src/Verification/EncryptionVerifier.php b/src/Verification/EncryptionVerifier.php
index 6c2aba6..e42f03b 100644
--- a/src/Verification/EncryptionVerifier.php
+++ b/src/Verification/EncryptionVerifier.php
@@ -58,7 +58,7 @@ public function verify(Token $token)
             ));
         }
 
-        if (!$this->encryption->verify($this->signer->getUnsignedValue($token), $token->getSignature())) {
+        if (!$this->encryption->verify($token->getTokenBody(), $token->getSignature())) {
             throw new InvalidSignatureException;
         }
     }
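Review bot: `$encodedPayload` can be null at the new setTokenBody call, because the array_pad on the preceding context line fills missing segments with null, so a compact token with fewer than two dots is stored as the body `"header."` instead of being rejected before any signature work happens. Unless deserialize checks the segment count outside this hunk, a guard such as `if ($encodedPayload === null || $encodedSignature === null) { throw new \InvalidArgumentException('Malformed compact token'); }` ahead of setTokenBody fails closed and keeps the stored body meaningful. Keeping the raw encoded segments rather than re-serialised JSON is the right choice for the signature input; the comment explaining it has a duplicated word, `and such and` / `and still`, and would read better as one sentence: `// Keep the original encoded header.payload: re-serialised JSON may differ in key order or spacing, and the signature is over the original bytes.` deserialize's body starts and continues outside the hunk.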
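Review bot: `@var tokenBody` on the new property is not a type, so static analysis and readers get nothing from it; the property holds the raw encoded `header.payload` string and is unset until setTokenBody runs, which `@var string|null` would express. The `@return string` on getTokenBody in the following hunk has the same gap, since a Token that never went through Compact::deserialize returns null from it; `@return string|null` there, or a one-line note that the body is only populated by the compact deserializer, would tell a verifier author what to expect.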
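Review bot: Verification now depends on `getTokenBody()` having been populated, but nothing in this hunk checks that; a Token not produced by Compact::deserialize (built in code, or by another serializer) yields null here, and whether `$this->encryption->verify(null, ...)` rejects it or coerces it to an empty string is left to each encryption implementation. Failing closed explicitly before the call keeps the decision in the verifier: `if ($token->getTokenBody() === null) { throw new InvalidSignatureException; }`. If `$this->signer` was only used for getUnsignedValue, it looks like it has become an unused dependency of this class, but its constructor is outside the hunk, so that is worth confirming. verify's body starts outside the hunk.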