2

I'm trying to get my head around JWT tokens in Golang. I'm using github.com/dgrijalva/jwt-go.

What caught me off guard is the fact that I can enter multiple valid signatures.

For example, head over to http://jwt.io - enter MySuperSecretKey for the secret

This token is valid:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU

as well as this one:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaV

In fact, if I change the last letter to V, W or X, I get a "Signature Verfied" message.

Can anyone tell me what's going on here?

Improve this question
1

1 Answer 1

Reset to default
5

It's the Base64 encoding of the signature which can have the last letter changed to certain targets without affecting the relevant bits.

Try popping both signatures into a base64->hex decoder and you'll get the same results. In fact at https://conv.darkbyte.ru/ both signatures get re-evaluated to base64 SxshVL42DUH9e7jXUblbBbTwKxhe4jo70DrvbQMlaQ==

Improve this answer
2
  • 1
    Thanks, that was it, very useful website btw.!
    – zeroc8
    Commented Mar 14, 2016 at 11:26
  • Be careful where you paste your secrets. All conversion is done on the server side (conv.darkbyte.ru). Check network log in Developer Tools...
    – David
    Commented Jun 29, 2022 at 11:54

Not the answer you're looking for? Browse other questions tagged or ask your own question.