Auth0 JWT Token validation in PHP

Question

I'm attempting to send an Auth0 JWT from my client to my server and have the token validated. I send the token_id returned from the auth0 authentication to my server via AuthHttp headers and i can obtain it without an issue within PHP.

Short and Simple:

• Angular 2 Auth0 JWT gets sent to the PHP server.
• How do i validate the signature is correct?

I have the Secret ID, i have the JWT helper class with the encode and decode.

How do i check the header and body = the signature of the JWT sent over, if that's even the correct way to do it.

Edit:

I pass in my token which is

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvbG93aWUuZXUuYXV0aDAuY29tXC8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNDY4ODk4NjgxNzEwNjQ3Mjc5MCIsImF1ZCI6IlYwWWVaREliYmVGdEJ4Z3F2UkNzVkFjWWxscXpaZGlNIiwiZXhwIjoxNDc4NzMxNjIzLCJpYXQiOjE0Nzg2OTU2MjN9._uyKrxJ0lPR-tEPjOFiI5ygeiM689gqURcIfG4sWkWc

In which i then get the body of this token and make it into an array

 Array ( [iss] => https://lowie.eu.auth0.com/ [sub] => google-oauth2|104688986817106472790 [aud] => V0YeZDIbbeFtBxgqvRCsVAcYllqzZdiM [exp] => 1478731623 [iat] => 1478695623 ) 

Once i have the array, this is my payload right?

// Here's an image of the token being verified as right https://gyazo.com/93777863d988d8c6ef0fc4ea50755949

so why does the below code not give me the same token?

$jwt = JWT::encode($bodyArray, "SuperSecureSecretSecret");

yet i receive this back

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2xvd2llLmV1LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNDY4ODk4NjgxNzEwNjQ3Mjc5MCIsImF1ZCI6IlYwWWVaREliYmVGdEJ4Z3F2UkNzVkFjWWxscXpaZGlNIiwiZXhwIjoxNDc4NzMxNjIzLCJpYXQiOjE0Nzg2OTU2MjN9.6lEg_0h0zytQZVBqDe-ZIS5PoSkFAJhWtRYSgaDCesY

Answer 1

You should use an existing library that supports the type of JWT signature you're using. For a quick reference on your available options for PHP check the Libraries section in jwt.io .

Using an existing library is preferred in most situations, however, it's also important to do some assessment on the quality of the library.

For JWT signature validation read this article ( Critical vulnerabilities in JSON Web Token libraries ) to ensure that your usage of the libraries does not lead to possible vulnerabilities.

---

Update:

The tokens are different because they are signed with different keys and the payload also differs; the iss in one is "https://lowie.eu.auth0.com/" and on the other is "https:\\/\\/lowie.eu.auth0.com\\/" . You can check that by decoding the payload with a Base64 decoder and look at the raw output.

More importantly, you should not be creating any tokens, just validating that they are valid and were issued by the trusted issuer to which you delegated the actual authentication process.