Quote:
Originally Posted by Pellanor
So here's the same signed token with one character changed. Since it's URL encoded, the token has two characters that are different, which I highlighted in red. The signature hasn't changed, so when you decode the token on jwt.io using the provided public key, you can see that it has an invalid signature.
However, if I make the same one character change, but sign it with the private key rather than re-using the signature, you can see that the entire last segment (after the highlighted characters) of the token has changed to reflect this.
I could use a different private key to sign a modified token, but then it wouldn't match the public key that I'd given out earlier, so you would still get an invalid signature.
Honestly amazing. Great case of use and answers all my questions. Clearly, I didn't know you could encode so much in a QR.
Thank you for the example and the time!
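
The three cases described in the quoted post (edited payload with the old signature, the same edit re-signed by the issuer, and the same edit signed with a different private key), as an added example that is not part of the original thread. The function names `signToken`, `verifyToken` and `demo`, the RS256 algorithm choice and the claims are assumptions made for illustration; the key pairs are generated at run time with Node's built-in `crypto` module.

```javascript
// Added example, not code from the thread. Claims are constructed sample data.
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Compact JWT: base64url(header) . base64url(payload) . base64url(signature)
function signToken(claims, privateKey) {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const signingInput = `${header}.${b64url(JSON.stringify(claims))}`;
  const signature = nodeCrypto.sign("sha256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString("base64url")}`;
}

// Verify the signature over the first two segments. The algorithm is pinned
// to RS256 here instead of being trusted from the token header.
function verifyToken(token, publicKey) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  const [header, payload, signature] = parts;
  let alg;
  try { alg = JSON.parse(Buffer.from(header, "base64url").toString()).alg; } catch { return false; }
  if (alg !== "RS256") return false;
  return nodeCrypto.verify("sha256", Buffer.from(`${header}.${payload}`),
    publicKey, Buffer.from(signature, "base64url"));
}

function demo() {
  const issuer = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const other = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const original = signToken({ sub: "ticket-1041", seat: "A" }, issuer.privateKey);
  const [header, , oldSignature] = original.split(".");
  const edited = { sub: "ticket-1041", seat: "B" }; // one character changed

  // Case 1: payload edited, original signature re-used
  const reused = `${header}.${b64url(JSON.stringify(edited))}.${oldSignature}`;
  // Case 2: same edit, signed again with the issuer's private key
  const resigned = signToken(edited, issuer.privateKey);
  // Case 3: same edit, signed with a private key that does not match the public key
  const wrongKey = signToken(edited, other.privateKey);

  return {
    original: verifyToken(original, issuer.publicKey),
    reusedSignature: verifyToken(reused, issuer.publicKey),
    resigned: verifyToken(resigned, issuer.publicKey),
    signatureChanged: resigned.split(".")[2] !== oldSignature,
    differentKey: verifyToken(wrongKey, issuer.publicKey),
  };
}
console.log(demo());
```

Only the original token and the token re-signed by the issuer verify against the issuer's public key.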