Hi @andre.hermanto93. My apologies, I thought you wanted to force a full login after the token expires. If you want the ‘last time you were logged in with’ prompt, and depending on the age of your tenant, I believe you need to use the prompt=login option per this post:
For the signing algorithm, it is strongly suggested to use RS256, which uses PKI instead of a shared a secret. In fact, I believe RS256 is mandatory if your want to use JWTs instead of opaque tokens.