I am totally new to this, so please bear with my question if it's utterly stupid. I am learning how to verify signature using https://jwt.io
The following is what I am doing
Generated Public/Private Key Pair
Private Key
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4A6A48288A531DCA
m2glcvku6rdV8z0QBsBc3Hc72vG4NN3wIPnqdC47FTA3y9WiD7Ukh4m3ZpL2mraz
7PSblIe8ob/aaG9TYViIb4QRYZFg8z3jR6WeNEhC2EbC2CwkSSH3ug8ViQ+1i8d1
kMnQDK1i/s0BZvxlhKPuSy2kOIjelWctkDHvJyvU/WQ=
-----END EC PRIVATE KEY-----
Public Key
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHpqkegB/A/12vqfApHOaFXaJcHkyhNw1u9XnZe2+hiDT698U4c3iet5VyTo3D1DOe7Xi5dG07UorsMvWCmSbvU=
I used this website to generate an ECDSA-256 key pair with the passphrase H2
Create a JSON Web Token (JWT)
I used http://jwtbuilder.jamiekurtz.com/ to generate the token
I used the private key to sign the JWT. The following is the token
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJIYXJpdCIsImlhdCI6MTU4Nzc1MjM3NCwiZXhwIjoxNjE5Mjg4Mzc0LCJhdWQiOiJodHRwczovL3d3dy5oYXJpdC5kZXYiLCJzdWIiOiJjb250YWN0QGhhcml0LmNvbSIsIkdpdmVuTmFtZSI6Ikhhcml0IiwiU3VybmFtZSI6IkhpbWFuc2h1In0.pmvGfBXH4603YMGYDB6qOXlQjhfdPulvbODrK70ihS0
Verify
I go to the website https://jwt.io and below is the video of what I tried
Question
How is jwt.io verifying the token and reporting a valid signature when the secret is empty? I have not even provided the secret yet.
What am I missing?
When you paste a token on the left side and then change the secret or key in the input field in the right column, a new signature is calculated and then automatically verified. And the secret can also be empty, not advisable but possible.
Please observe what happens to the signature part of your token in the left column. You'll notice that it changed!
This often leads to misunderstandings: people have asked here why their token was verified with a given secret but their API said it was invalid. They didn't notice that the signature was recalculated when they entered the secret.
If you want to check if the token can be verified with a given secret, you always need to first paste the secret into the input field in the right column (under VERIFY SIGNATURE) and then paste the token to the left column.
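To make the difference between "re-signing" and "verifying" concrete, here is an added Python example (not code from the question, the answer, or jwt.io) that does both by hand for HS256. The header of the token posted in the question decodes to {"typ":"JWT","alg":"HS256"}, so that is the algorithm shown. The verifier below behaves like a server would: it pins the expected algorithm, recomputes the HMAC over the header and payload, and compares in constant time; it never recalculates the token's signature. A separate resign() helper reproduces what the answer describes jwt.io doing when the secret field changes: same header and payload, new signature. The secret and payload used in the demonstration are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Token pasted in the question above (copied from the page, not constructed here).
QUESTION_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJIYXJpdCIsImlhdCI6MTU4Nzc1MjM3NCwiZXhwIjoxNjE5Mjg4Mzc0LCJhdWQiOiJodHRwczovL3d3dy5oYXJpdC5kZXYiLCJzdWIiOiJjb250YWN0QGhhcml0LmNvbSIsIkdpdmVuTmFtZSI6Ikhhcml0IiwiU3VybmFtZSI6IkhpbWFuc2h1In0."
    "pmvGfBXH4603YMGYDB6qOXlQjhfdPulvbODrK70ihS0"
)


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_header(token: str) -> dict:
    """Return the (unverified) JOSE header of a token as a dict."""
    return json.loads(b64url_decode(token.split(".")[0]))


def hs256_sign(header_b64: str, payload_b64: str, secret: str) -> str:
    """HS256 signature: HMAC-SHA256 over 'header.payload', base64url encoded."""
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return b64url_encode(mac)


def build_token(payload: dict, secret: str) -> str:
    """Create a fresh HS256 token for a payload (constructed input for the demo)."""
    header_b64 = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{hs256_sign(header_b64, payload_b64, secret)}"


def resign(token: str, secret: str) -> str:
    """What jwt.io does when you edit the secret field: keep header and payload,
    recompute the signature with the new secret. The old signature is discarded."""
    header_b64, payload_b64, _old_sig = token.split(".")
    return f"{header_b64}.{payload_b64}.{hs256_sign(header_b64, payload_b64, secret)}"


def verify_hs256(token: str, secret: str) -> bool:
    """What a server does: compare the presented signature against the one it
    expects for this secret. Nothing is re-signed; a mismatch is a rejection."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False
    # Pin the algorithm instead of trusting the header's "alg" value; a verifier
    # that dispatches on the header can be steered to "none" or another algorithm.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hs256_sign(header_b64, payload_b64, secret)
    return hmac.compare_digest(expected, sig_b64)


if __name__ == "__main__":
    print("alg in the question's token:", decode_header(QUESTION_TOKEN)["alg"])
    secret = "constructed-demo-secret"  # constructed for this example
    token = build_token({"iss": "example", "sub": "demo"}, secret)
    print("verifies with the right secret:", verify_hs256(token, secret))
    print("verifies with an empty secret:  ", verify_hs256(token, ""))
    resigned = resign(token, "")  # the jwt.io effect: new signature, same claims
    print("signature changed after re-signing:", token != resigned)
    print("re-signed token verifies with empty secret:", verify_hs256(resigned, ""))
    print("re-signed token verifies with original secret:", verify_hs256(resigned, secret))
```

Run it and compare the two paths: verify_hs256() with the wrong or empty secret is False, while resign() with an empty secret produces a token that does verify with an empty secret, which is exactly the "valid" badge seen on jwt.io after the secret field is edited. The server-side check is the one that matters, and it never takes the re-signing path.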