oauth2-server-php-docs
The crypto token validation docs are wrong
See https://github.com/bshaffer/oauth2-server-php/issues/317:
The docs specify that you should base64_decode the signature before passing it to openssl_verify. This will fail because the signature is not base64 encoded; it is "url safe base64 encoded", so the decode needs to be Jwt::urlSafeB64Decode, or its contents:
```php
$b64 = str_replace(array('-', '_'), array('+', '/'), $b64);
return base64_decode($b64);
```
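An added example, not part of the original issue or of the library's code: a stand-alone RS256 check that decodes the signature as url-safe base64 before calling openssl_verify, next to the plain base64_decode path the issue describes. The function names, the throwaway key pair and the token contents are constructed for illustration.

```php
<?php
// Added example; helper names are illustrative, not the library's API.
function urlSafeB64Encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function urlSafeB64Decode(string $b64)
{
    $b64 = strtr($b64, '-_', '+/');
    // Restore the '=' padding that JWT encoding strips.
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    // Strict mode returns false on stray characters instead of dropping them.
    return base64_decode($b64, true);
}

function verifyJwtSignature(string $jwt, $publicKey): bool
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    [$header, $payload, $sig] = $parts;
    $rawSig = urlSafeB64Decode($sig);
    if ($rawSig === false) {
        return false;
    }
    // The algorithm is fixed by the verifier, not taken from the token header.
    // The signed input is the encoded header and payload joined by a dot.
    return openssl_verify("$header.$payload", $rawSig, $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed sample: throwaway key pair and token.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$input = urlSafeB64Encode('{"alg":"RS256","typ":"JWT"}') . '.'
       . urlSafeB64Encode('{"sub":"constructed-user"}');
openssl_sign($input, $sig, $key, OPENSSL_ALGO_SHA256);
$jwt = $input . '.' . urlSafeB64Encode($sig);

// Path 1: url-safe decode, as the issue recommends.
var_dump(verifyJwtSignature($jwt, $pub));

// Path 2: plain base64_decode. In non-strict mode it silently discards
// '-' and '_', so the decoded bytes differ from the real signature.
$broken = base64_decode(explode('.', $jwt)[2]);
var_dump(openssl_verify($input, $broken, $pub, OPENSSL_ALGO_SHA256) === 1);
```

The second path only succeeds when the encoded signature happens to contain neither `-` nor `_`, which is why the failure can look intermittent across tokens.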
+1