Save the original jwt token body for use in signature verification

src/Serialization/Compact.php

@@ -103,6 +103,11 @@ public function deserialize($jwt)
 
         list($encodedHeader, $encodedPayload, $encodedSignature) = array_pad(explode('.', $jwt, 3), 3, null);
 
+        // Store the encoded unsigned value for verification later. We do this because JSON can change order or spacing and such and
+        // and still have the same value. However, the signature algorithms don't handle that concept. So we keep the original value
+        // to use to verify the signature.
+        $token->setTokenBody($encodedHeader . "." . $encodedPayload);
+
         $decodedHeader    = $this->encoding->decode($encodedHeader);
         $decodedPayload   = $this->encoding->decode($encodedPayload);
         $decodedSignature = $this->encoding->decode($encodedSignature);

src/Token.php

@@ -24,6 +24,11 @@ class Token
      */
     private $signature;
 
+    /**
+     * @var tokenBody
+     */
+    private $tokenBody;
+
     public function __construct()
     {
         $this->header  = new Header();
@@ -78,4 +83,20 @@ public function setSignature($signature)
     {
         $this->signature = $signature;
     }
+
+    /**
+     * @param string $body
+     */
+    public function setTokenBody($body)
+    {
+       $this->tokenBody = $body;
+    }
+
+    /**
+     * @return string
+     */
+    public function getTokenBody()
+    {
+       return $this->tokenBody;
+    }
 }

src/Verification/EncryptionVerifier.php

@@ -58,7 +58,7 @@ public function verify(Token $token)
             ));
         }
 
-        if (!$this->encryption->verify($this->signer->getUnsignedValue($token), $token->getSignature())) {
+        if (!$this->encryption->verify($token->getTokenBody(), $token->getSignature())) {
             throw new InvalidSignatureException;
         }
     }