The main native client I’m using is set to receive HS256 tokens. However, when I log in, these get sent out as RS256 and I’m getting an unauthorised error whenever I call the API I want to get access to.
I’ve tried accessing oauth/token endpoint with my credentials as listed on here ([text]Resource Owner Password Flow “authentication-request”) - that hasn’t worked either. The audience is set and the scope has all options selected (openid profile offline_access), so that’s not the issue.
Not sure how to solve this as only a jwt token in HS256 format will be accepted by the server.
There’s a few things worth mentioning here, in particular:
- for OIDC conformant client or requests (a request with
audience is equivalent to OIDC conformance) the ID tokens issued for public clients are forced to RS256 no matter the setting you selected. A native application is considered a public client hence the behavior.
- you should not be sending ID tokens to an API as a method of authoriation; see Access Tokens
With the above in mind you should be configuring the API in Auth0, selecting the signing algorithm at the API settings to be HS256 and then using an access token to call the API. At this time, an access token issued to your own API/audience will be a JWT token and it will honor the signing algorithm chosen at the API settings.