JWT verify in PHP

Hello, I'm trying to verify a JWT token, but it's always false. Here is the code I use:

function validate_twitch_jwt($jwt) {
    $secretKey = 'XXXXXXXXXXXXXXXXXCXXXXXX=';
    $jwtParts = explode('.', $jwt);

    $header = base64_decode($jwtParts[0]);
    $payload = base64_decode($jwtParts[1]);
    $signature = base64_decode($jwtParts[2]);
    $expectedSignature = hash_hmac('sha256', $jwtParts[0] . '.' . $jwtParts[1], $secretKey, true);

    if ($signature !== $expectedSignature) {
        echo "false";
    }
    else {
        echo "true";
    }
}

Use a library: firebase/php-jwt (PHP package for JWT) on GitHub.

A snippet from an older EBS (older as in I don’t use it anymore)

$secret = base64_decode(LIVE_EXTENSION_SECRET);

include(__DIR__ . '/lib/jwt.php');
$j = new JWT();

try {
    $res = $j->decode($token, $secret);
} catch (Exception $e) {
    $output['error'] = 'J An Error Occured';
    $output['error'] = $e->getMessage();
    echo json_encode($output);
    exit;
}

$opaque = $res->opaque_user_id;
$permissions = $res->pubsub_perms;
$channel_id = $res->channel_id;

This snippet may no longer be valid since my copy of the library is from 2017, and the GitHub repo I linked has a much newer/changed version.

To be sure, I use the Extension secret from the extension settings page. The one with the = at the end.

JWTs are validated using the Extension Client Configuration - Extension Secrets, yes. It generally ends in = but may not.

Well, it still says {"error":"Signature verification failed"}

Assuming you are using the current version of the library

Check whether or not it needs the Extension Secret base64 decoded first.

Seems not:

$jwt = JWT::encode($payload, $key, 'HS256');
$decoded = JWT::decode($jwt, new Key($key, 'HS256'));
print_r($decoded);

On jwt.io it's possible to verify it, so the problem must be in my code.

Make sure you are verifying the token, not deconstructing and reconstructing it and then verifying that.

Got it. I will post working code for the new version. The key from Twitch has to be decoded.

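use Firebase\JWT\JWT;
use Firebase\JWT\Key;

function validate_twitch_jwt($jwt) {
    // The Extension Secret from Twitch is base64 text; decode it to the raw key bytes.
    $secretKey = base64_decode("YOUR_KEY_FROM_TWITCH");
    try {
        // Throws if the token does not validate against the key.
        $decoded = JWT::decode($jwt, new Key($secretKey, 'HS256'));
        return true;
    } catch (Exception $e) {
        $output['error'] = $e->getMessage();
        echo json_encode($output);
        return false;
    }
}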
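Added example, not code from any poster in this thread or from firebase/php-jwt: the hand-rolled check from the first post with the two decoding steps corrected (secret base64-decoded to raw bytes, token segments decoded as base64url) and a constant-time compare. It goes slightly beyond the thread by also pinning `alg` and checking `exp`; the function names and all key and token values are constructed for illustration.

```php
<?php
// JWT segments are base64url (RFC 7515): '-' and '_' replace '+' and '/', padding is dropped.
// Plain base64_decode() silently skips those characters and yields the wrong bytes.
function b64url_decode(string $s) {
    $s = strtr($s, '-_', '+/');
    return base64_decode($s . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
}

function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Hypothetical helper: returns the claims array on success, null on any failure.
function verify_hs256(string $jwt, string $secretB64, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h64, $p64, $s64] = $parts;

    $key = base64_decode($secretB64, true);      // the secret is base64 text, not the key itself
    $sig = b64url_decode($s64);
    $header = json_decode((string) b64url_decode($h64), true);
    if ($key === false || $sig === false || !is_array($header)) return null;
    if (($header['alg'] ?? null) !== 'HS256') return null;   // pin the algorithm

    // The HMAC covers the encoded header and payload exactly as received.
    $expected = hash_hmac('sha256', "$h64.$p64", $key, true);
    if (!hash_equals($expected, $sig)) return null;          // constant-time comparison

    $claims = json_decode((string) b64url_decode($p64), true);
    if (!is_array($claims)) return null;
    if (isset($claims['exp']) && $now >= (int) $claims['exp']) return null;
    return $claims;
}

// Constructed demo secret and token (not real Twitch values).
$secretB64 = base64_encode('constructed-demo-key-0123456789');
$h = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$p = b64url_encode(json_encode(['channel_id' => '12345', 'exp' => 2000000000]));
$rawKey = base64_decode($secretB64);
$jwt = "$h.$p." . b64url_encode(hash_hmac('sha256', "$h.$p", $rawKey, true));

var_dump(verify_hs256($jwt, $secretB64, 1700000000) !== null);                  // token as issued
var_dump(verify_hs256($jwt, $secretB64, 2000000001) !== null);                  // clock past exp
var_dump(verify_hs256($jwt, base64_encode('wrong key'), 1700000000) !== null);  // different secret
```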