Admin portal incorrectly says API/Terraform-created clients are configured for RS256 JWT signing

Steps to Reproduce:

  1. Create a SPA client using the POST /api/v2/clients API with the following payload:

    {
        "name": "clientApiTest",
        "app_type": "spa"
    }

Response will not show any specific value for jwt_configuration.alg:

    "jwt_configuration": {
        "lifetime_in_seconds": 36000,
        "secret_encoded": false
    }
  2. View the client in the Admin portal under Applications, scroll down to Advanced > OAuth section. The "JSON Web Token (JWT) Signature Algorithm" dropdown will show RS256.

  3. Use one of Auth0's SDKs to complete an OAuth flow for the client. The returned JWT will be signed with HS256 even though the Admin Portal says RS256.

The client can be set to RS256 either with a Management API call to PATCH /api/v2/clients/:id or by using the Admin Portal to set it to HS256, save, then set back to RS256 and save again, but the expectation is that if it’s truly set to HS256 by default the Admin Portal would not say it’s RS256!

2 Likes

This can also be reproduced using Terraform auth0 provider, by creating an auth0_client resource and not specifying jwt_configuration.alg. As confirmed here, the provider doesn’t provide any default to the API leading to this same behavior of the client being configured for HS256 but neither the API nor the Admin Portal telling you this (and in fact the Admin Portal telling you it’s RS256!)

1 Like
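Because both the API-created and the Terraform-created clients end up in the same state (no `jwt_configuration.alg` stored, so the tenant silently signs with HS256), one way to catch this from the defender's side is to audit the client list returned by the Management API for a missing `alg` and pin the affected clients to RS256 with the PATCH /api/v2/clients/:id call mentioned above. The script below is an added example written for this thread; it is not Auth0's code nor the posters' code. The tenant domain, the token, and the sample client list are constructed placeholders that mimic the shape of a GET /api/v2/clients response, and the `send_patch` helper is the only part that touches the network.

```python
"""Audit Auth0 clients whose jwt_configuration.alg is unset (tokens are then
signed with HS256 although the dashboard shows RS256) and build the
PATCH /api/v2/clients/:id request that pins them to RS256.

Example added to the thread; not Auth0's or the original posters' code.
TENANT_DOMAIN and MGMT_TOKEN are placeholders (assumptions).
"""
import json
import urllib.request
from typing import Callable, Dict, List, Tuple

TENANT_DOMAIN = "example.auth0.com"               # placeholder tenant
MGMT_TOKEN = "MANAGEMENT_API_TOKEN_PLACEHOLDER"   # needs update:clients scope

# Constructed sample resembling what GET /api/v2/clients returns.
SAMPLE_CLIENTS: List[Dict] = [
    {   # created via POST /api/v2/clients without alg -> effectively HS256
        "client_id": "clientApiTest_id",
        "name": "clientApiTest",
        "app_type": "spa",
        "jwt_configuration": {"lifetime_in_seconds": 36000, "secret_encoded": False},
    },
    {   # explicitly RS256 (e.g. after a PATCH or a dashboard save)
        "client_id": "dashboardApp_id",
        "name": "dashboardApp",
        "app_type": "regular_web",
        "jwt_configuration": {"lifetime_in_seconds": 36000, "secret_encoded": False,
                              "alg": "RS256"},
    },
    {   # explicitly HS256: displayed correctly, but still a public client
        "client_id": "legacySpa_id",
        "name": "legacySpa",
        "app_type": "spa",
        "jwt_configuration": {"lifetime_in_seconds": 36000, "secret_encoded": False,
                              "alg": "HS256"},
    },
]


def effective_alg(client: Dict) -> str:
    """Algorithm the tenant actually uses: HS256 whenever alg is absent."""
    return client.get("jwt_configuration", {}).get("alg") or "HS256"


def find_implicit_hs256(clients: List[Dict]) -> List[str]:
    """client_ids whose alg is missing, i.e. the case described in the thread."""
    return [c["client_id"] for c in clients
            if "alg" not in c.get("jwt_configuration", {})]


def find_hs256_public_clients(clients: List[Dict]) -> List[str]:
    """SPA/native clients on HS256, explicit or implicit. They cannot hold the
    client secret that HS256 verification needs, so RS256 is the safe choice."""
    return [c["client_id"] for c in clients
            if c.get("app_type") in ("spa", "native") and effective_alg(c) == "HS256"]


def build_patch(client: Dict) -> Tuple[str, Dict]:
    """URL and body for PATCH /api/v2/clients/:id. The existing jwt_configuration
    fields are merged in as a precaution, in case the API replaces the whole
    sub-object rather than merging it (the thread does not say which)."""
    url = f"https://{TENANT_DOMAIN}/api/v2/clients/{client['client_id']}"
    jwt_cfg = dict(client.get("jwt_configuration", {}))
    jwt_cfg["alg"] = "RS256"
    return url, {"jwt_configuration": jwt_cfg}


def send_patch(url: str, body: Dict) -> int:
    """Real HTTP PATCH via urllib; returns the status code. Not used offline."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {MGMT_TOKEN}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def remediate(clients: List[Dict],
              send: Callable[[str, Dict], int] = send_patch) -> Dict[str, Dict]:
    """PATCH every client with an unset alg to RS256.
    Returns {client_id: body sent} for each request that came back 200."""
    by_id = {c["client_id"]: c for c in clients}
    done: Dict[str, Dict] = {}
    for cid in find_implicit_hs256(clients):
        url, body = build_patch(by_id[cid])
        if send(url, body) == 200:
            done[cid] = body
    return done


if __name__ == "__main__":
    print("implicit HS256:", find_implicit_hs256(SAMPLE_CLIENTS))
    print("public clients on HS256:", find_hs256_public_clients(SAMPLE_CLIENTS))
    # Dry run: print the requests instead of sending them.
    remediate(SAMPLE_CLIENTS, send=lambda u, b: (print("PATCH", u, json.dumps(b)), 200)[1])
```

Run against a real tenant by replacing `SAMPLE_CLIENTS` with the parsed output of GET /api/v2/clients (page through it; the endpoint is paginated) and dropping the dry-run lambda so `send_patch` is used. The audit deliberately keys on the absence of `alg` rather than on what the dashboard displays, since the thread shows the dashboard is the part that is wrong.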