Auth0.js v8 always returns RS256 id_token

Using both Auth0Lock and Auth0.js v8. When using Auth0Lock to authenticate I receive both access_token and id_token as HS256. When doing the same with Auth0.js v8 (with the same client) I receive the access_token as HS256 and id_token as RS256. It’s a bit weird as i expect the id_token to be HS256 as well. Any help is appreciated as it seems that I’m missing something.

A definitive answer would require knowing the exact configuration and methods used to initiate the authentication in both libraries; in addition, some client application configuration settings could also be relevant. I’m also assuming that you’re using both libraries directly from within your client application and not through the hosted login page.

Having said that and based on the information provided the explanation could be one of the following:

  • the Auth0.js configuration being used includes the use of an audience parameter which implies the request will be processed in OIDC compliant mode.
  • the Auth0.js method being used is the client.login method which makes use of /oauth/token endpoint which also means an OIDC compliant response.

In an OIDC compliant response the signing algorithm used for the ID Token is forced to RS256 if the client application performing the request is considered a public client (this reference docs also explains the reasoning behind the forced use of RS256).

Since Lock is likely making use of legacy flows which don’t trigger OIDC compliance you’ll see the different behavior (the support for OIDC and API Authorization in Lock is still not completed/documented, although there’s already some support at the code level, so I’m also assuming you’re not making use of undocumented features).

We are using the client.login method of Auth0.js v8.
So per my understanding of your answer above:
The client.login method of Auth0.js v8 enforces the OIDC compliant response with the RS256 by default?

  1. Is it possible to overridden client.login to return HS256 id_token in any way?

  2. If i change the client setting to use RS256 will Auth0Lock also start to return RS256 id_tokens?

I might need to migrate to RS256 if there is no way to override client.login of Auth0.js v8 to use HS256.

1. For non-public clients the client.login should honor the chosen algorithm so it would return HS256 if configured, however, if you have a public client then there’s not way about it. 2. Yes, just tried it myself.