I'm trying to get my head around JWT tokens in Golang. I'm using github.com/dgrijalva/jwt-go.
What caught me off guard is the fact that I can enter multiple valid signatures.
For example, head over to http://jwt.io - enter MySuperSecretKey for the secret
This token is valid:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU
as well as this one:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaV
In fact, if I change the last letter to V, W or X, I get a "Signature Verfied" message.
Can anyone tell me what's going on here?