
In JWT token authentication, it is mentioned that "." is used for splitting the 3 parts of the token (header, claim, signature). But in case my signature or encoded claim contains a ".", it would be difficult to determine the exact content of the 3 sections. Has anybody come across this situation, or what is the way to handle it?

I generated the signature using HMACSHA256(encoded json claim), but I'm getting a "." in the middle of the signature data. When I concatenate all 3 parts, I'm getting one extra ".".

Mathiyazhagan
  • If the order of these 3 parts is header, claim and signature, you should know that after the second "." the rest is signature, right? – AAlferez Mar 24 '16 at 16:53
  • Yes, Header and Claims are Base64URLEncoder encoded content. My doubt is what if Header/Claims also contains "." – Mathiyazhagan Mar 24 '16 at 17:22
  • From what I see they use *HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)* on the official site – AAlferez Mar 24 '16 at 17:26

1 Answer


The three parts of the JWT token are all base64 encoded and therefore will never contain a dot character.

Even if your claim or signature contains that character, after base64 encoding that part the dot will no longer appear in the output.

MvdD
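
An added example (not part of the original answer) of the point made above: the raw HMAC-SHA256 bytes are base64url-encoded before being appended, so the token always splits into exactly three segments. It uses the unpadded base64url encoding that JWS compact serialization (RFC 7515) specifies; the function names, key and claims are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# The 64 characters base64url can emit; "." is not among them.
ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")
DEMO_KEY = b"constructed-demo-key"  # constructed sample key
DEMO_CLAIMS = {"sub": "user.name@example.com", "ver": "1.2.3"}  # dots inside the claims

def b64url(data: bytes) -> str:
    """Unpadded base64url, as used for each JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    """Strict decode: reject empty segments and any character outside the alphabet."""
    if not segment or not set(segment) <= ALPHABET:
        raise ValueError("segment is not base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    signing_input = (b64url(json.dumps(header).encode()) + "."
                     + b64url(json.dumps(claims).encode()))
    raw_sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    # raw_sig may contain byte 0x2E ("."); encoding it removes the ambiguity.
    return signing_input + "." + b64url(raw_sig)

def verify_hs256(token: str, key: bytes) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

if __name__ == "__main__":
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, DEMO_CLAIMS, DEMO_KEY)
    print(token.count("."), verify_hs256(token, DEMO_KEY))
```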