In Auth0-SPA-JS, why do I get an "invalid algorithm" error?

Question: In Auth0-SPA-JS, why do I get an “invalid algorithm” error?

Answer:

The SDK only supports JWTs that use the RS256 signing algorithm. If you’re getting this error, it’s likely that the Auth0 application you’re authenticating with is set up to sign tokens using HS256.

The way around this error is to change the settings for your Auth0 application to sign tokens using RS256. To do this:

  • Log in to your dashboard
  • Open the settings page for the application you’re using
  • Scroll to the bottom and click Show advanced settings
  • Click the OAuth tab
  • Ensure the JsonWebToken Signature Algorithm value is set to RS256
  • Click Save

The next time you try to authenticate, you should not receive this error.

Supporting Documentation:

Documentation: https://auth0.github.io/auth0-spa-js/index.html
Blog post: https://auth0.com/blog/introducing-auth0-single-page-apps-spa-js-sdk/ (when and how to use the new SDK in your JS apps)
Repo: GitHub - auth0/auth0-spa-js: Auth0 authentication for Single Page Applications (SPA) with PKCE
Community Announcement: http://community.auth0.com/t/js-solution-to-support-authorization-code-in-spas-product-roadmap-launched/23178

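To confirm which algorithm a token was actually signed with, before or after changing the dashboard setting, you can decode the token's header and read its `alg` field. The following is an added example, not code from the original answer or from the SDK: `diagnoseTokenAlg`, `makeSampleToken` and the sample tokens are hypothetical names and constructed values, and the code assumes Node.js (it uses `Buffer`). It only inspects the header and does not verify the signature.

```javascript
// Added example: read the "alg" header of a compact JWT to diagnose
// an "invalid algorithm" error. No signature verification is done here.
const SUPPORTED_ALG = "RS256"; // the only algorithm the SDK supports, per the answer

function base64UrlDecode(segment) {
  // Map base64url back to standard base64 and restore the stripped padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function diagnoseTokenAlg(token) {
  if (typeof token !== "string") return { ok: false, reason: "token is not a string" };
  const parts = token.split(".");
  if (parts.length !== 3) {
    return { ok: false, reason: "expected three dot-separated segments" };
  }
  let header;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
  } catch (err) {
    return { ok: false, reason: "header is not base64url-encoded JSON" };
  }
  if (header === null || typeof header !== "object" || typeof header.alg !== "string") {
    return { ok: false, reason: "header has no alg field" };
  }
  if (header.alg === SUPPORTED_ALG) return { ok: true, alg: header.alg };
  return {
    ok: false,
    alg: header.alg,
    reason: `signed with ${header.alg}; set JsonWebToken Signature Algorithm to RS256`,
  };
}

// Constructed sample token: the payload and signature are placeholders.
function makeSampleToken(alg) {
  const header = base64UrlEncode(JSON.stringify({ alg, typ: "JWT" }));
  const payload = base64UrlEncode(JSON.stringify({ sub: "constructed-user" }));
  return `${header}.${payload}.c2lnbmF0dXJl`;
}

console.log(diagnoseTokenAlg(makeSampleToken("HS256")));
console.log(diagnoseTokenAlg(makeSampleToken("RS256")));
```
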