Laravel Passport - Personal Access Client signature

[nkzx]

Hello,

I'm having problems with Laravel Passport and more specifically with the generation of Personal Access Tokens.

I'm currently using Laravel Passport and the classic version of OAuth 2 to authorise access to user data for third-party applications.

I now want to generate Personal Access Tokens for another client.
Implementation is quick and efficient, and I can generate tokens without any problems.
Out of curiosity I wanted to check the signature but unfortunately I can't manage to generate the same signature manually.

Here is a sample of the code i used to test :

  public function verifyToken($token, $key){
          $explodedToken = explode('.', $token);
          $header = json_decode(base64_decode($explodedToken[0]));
          $payload = json_decode(base64_decode($explodedToken[1]));
          $headerReEncoded = rtrim(strtr(base64_encode(json_encode($header)), '+/', '-_'), '=');
          $payloadReEncoded = rtrim(strtr(base64_encode(json_encode($payload)), '+/', '-_'), '=');
          $signatureEncoded = rtrim(strtr(base64_encode(hash_hmac('SHA256', "$explodedToken[0].$explodedToken[1]", $key, true)), '+/', '-_'), '=');

        if($explodedToken[0] === $headerReEncoded &&
            $explodedToken[1] === $payloadReEncoded &&
            $explodedToken[2] === $signatureEncoded){
            dump('Token is valid');
        } else {
            dump('Token is invalid');
        }
        dd([
            "original header  :     " => $explodedToken[0],
            "reencoded header :     " => $headerReEncoded,
            "original payload  :    " => $explodedToken[1],
            "reencoded payload :    " => $payloadReEncoded,
            "original signature  :  " => $explodedToken[2],
            "reencoded signature :  " => $signatureEncoded
        ]);

    }
$token = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI3IiwianRpIjoiMzI1ZDQyMTM1ZjE2MmJhZThkYzQ1YTMzYWRjNDE3NTZmZDU1N2M2NzU0NGYwMTE4MWE4ZmI4ZTFhNzU5MmRiYzQwYjRkMTllM2IyMzA1NWEiLCJpYXQiOjE3NDk3MTY5ODMuODk2NDc5LCJuYmYiOjE3NDk3MTY5ODMuODk2NDgsImV4cCI6MTc4MTI1Mjk4My44NDU2LCJzdWIiOiI1OCIsInNjb3BlcyI6W119.FxM85j9281YI4EOyI6R89pYtyP0QSPLeVQHSxIn-Cv1zHQbZTAVcgdqhj6QEt78353_7bHesHx2etWpEnIPtI0zEP8q0heaDSo87ThoDD9AC7Q0v01l811bYfHJQnWx7NwotnVTks5h4dBGiPOqLcFEEGig3T6oHPRym3QRdxGLvOduwm-eQvD4GzWkP6Q5lK2n7ZTJ2zkis_nyHsJYVyVf1B8ElVBkXO6QFbdJ_S_BrpnH6Dw0BtoOk6c5VH45ith9YyOvLRenEstzjJKWwt4ad9hNJ9qr0UONGqWTeyoSCtnh6pZx9qc5Q17XOFZmscOZ8iJ0SnxaD37jILFfiLIDlP-573SfJ8hXcRFXtLCjW_rZ85EwmCurqw0kjdoVEiT1uKHBb_WeD2Dp4MnNoh2fflx9-ykqeo856adO7OWHLYgaYHM6UhmSnM8IVvOd69ryxRHglp0IvdD_vjeC0wYT1gYbCMD9B32606eeDpzjzPxYKOogJBUibiqCTUzBVm-pquB1rIE5lCNlcR-Ug8iZL_G51hqt_dueeZJlXqWI6Du8t7Vz_noRJ2-COL7v2gwytoke0BM3R3EDW0653v0yhlXOm9AIUDxRYzu35ukG957FyVpaaBdHPqaiza7L2rlRPvmsjOcuhdo-XSpY5D3vqYpLPBwWpQrD7tsFitvQ';
        $key = 'PEyqzg0JwWVrP2fW9Kv1Y1xxzCv5IBlL3RAo8W02';
        $this->verifyToken($token, $key);

The token was generated via the /oauth/personal-access-tokens route.

Any ideas ? algorithm used or function to verify the signature is wrong ?

Thanks