maybe someone will be able to help me, I am trying out the new direct Storefront/Store-API communication to Appsystem Backend, released in SW6.5.5: https://developer.shopware.com/docs/guides/plugins/apps/clientside-to-app-backend. Generally it works, but I am not able to verify the JWT signature, maybe I am missing something.
As a verifier I generate
base64( hmacSha256( base64( header ) . base64( payload ), appSecret ) ).
However, it does not output the same signature as delivered in the shopware-app-token header. The verification is described somehow vague in the link above, I also tried using hmacSha256 ( shopId, appSecret ) instead of appSecret, but it still does not verify properly. Any ideas on what might be wrong here?
So the problem was that I tried to use the app secret instead of the shop secret, since it was indicated like this in the documentation. I guess, the documentation should be changed at this point for more clarity.