- json_decode: documentation ( source)
- hash_hmac: documentation ( source)
- print_r: documentation ( source)
- explode: documentation ( source)
- strtoupper: documentation ( source)
<?php
$secret="rfig34r8gw4i3ve49hfvowgrv9wu3robwer";
$signed = "LgW-AUQF8gdSfmrGTb3rGUJxzH-3Lck2K0hDMO_d-Fg.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImlzc3VlZF9hdCI6MTQ1MzExNjAwMiwicGFnZSI6eyJpZCI6IjM4MTM5OTczMDgyNyIsImFkbWluIjp0cnVlLCJsaWtlZCI6dHJ1ZX0sInVzZXIiOnsiY291bnRyeSI6ImdiIiwibG9jYWxlIjoiZW5fR0IiLCJhZ2UiOnsibWluIjoyMX19fQ";
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
// decode the data
$sig = self::base64_url_decode($encoded_sig);
$data = json_decode(self::base64_url_decode($payload), true);
if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
die('Unknown algorithm. Expected HMAC-SHA256');
}
// check sig
$expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
if ($sig !== $expected_sig) {
die('Bad Signed JSON signature!');
}
print_r($data);