Auth0 Lock client returns HS256 but I need RS256

When I’m logging in on my client I receive an HS256 token, but my ASP.NET Web API backend only supports RS256.

I did choose RS256 under the client’s Advanced Settings → OAuth. Can someone please explain to me why I receive an HS256 token instead of RS256?

If it matters my front-end is written in Angular.


I re-saved my settings for signing my token with RS256.

Client settings

API settings

If I do a POST call like this I do get a correct RS256 token:

I used this sample and changed the client settings to my own client settings. I can successfully log in, but if I then log my token I get an HS256 token instead of an RS256 one. What is going wrong?

I’m not aware of any situation where choosing RS256 as the signing algorithm for the client application would not be respected when issuing the ID token, so, although a long shot, can you double-check that you saved your changes when you switched the algorithm type? I sometimes fail to do this when doing some tests around client applications, and it would be the simplest explanation for the behavior you’re experiencing.

Also keep in mind that this setting is meant to affect the signing algorithm of the ID token. If you’re also using API Authorization related features (which may be the case, as you mention the use of an ASP.NET Web API), then the signing algorithm of the access token issued to the API in question is chosen at the API settings level and is not affected by the client application setting you mentioned.
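As an added example (not code from the thread or from Auth0): a small Node.js script that decodes the JOSE header of each token in a login response and reports which algorithm signed it, so an HS256 ID token (client setting) can be told apart from an HS256 access token (API setting) before the backend rejects it. The response shape and the token contents are constructed; no signature is verified here.

```javascript
// Decode a base64url segment (JWT segments carry no '=' padding).
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function b64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Parse the header of a compact JWS. This only reads the header; it does
// not verify the signature, so use it for diagnosis, not for trust decisions.
function parseJwtHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const header = JSON.parse(b64urlDecode(parts[0]));
  if (typeof header.alg !== 'string') throw new Error('header has no alg');
  return header;
}

// Compare every token in a login response against the algorithm the backend
// validates. The ID token's alg comes from the client's Advanced Settings ->
// OAuth; the access token's alg comes from the API's own settings.
function checkAlgorithms(tokens, expectedAlg = 'RS256') {
  const report = {};
  for (const [name, token] of Object.entries(tokens)) {
    const { alg } = parseJwtHeader(token);
    report[name] = { alg, ok: alg === expectedAlg };
  }
  return report;
}

// Constructed sample tokens: fake payload and signature, only the header matters.
function makeFakeToken(alg) {
  const header = b64urlEncode(JSON.stringify({ alg, typ: 'JWT' }));
  const payload = b64urlEncode(JSON.stringify({ sub: 'auth0|example', aud: 'example-api' }));
  return `${header}.${payload}.fakesignature`;
}

// Constructed response: client switched to RS256, API still issuing HS256.
const sampleResponse = {
  id_token: makeFakeToken('RS256'),
  access_token: makeFakeToken('HS256'),
};

console.log(checkAlgorithms(sampleResponse));
```

In the scenario above the ID token passes but the access token is flagged, which points at the API settings rather than the client settings.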


Thanks for double-checking and providing more information. I checked your configuration and the client you mentioned DFhBr4aH8uAIelzdD5... is indeed correctly configured, however, I noticed that you have more than one client application configured, more specifically, you have an additional client application named angular-test that is still configured to use HS256. Are you using more than one client in your tests?

@jmangelo, I checked this and you were right. I’m literally feeling stupid right now.
Now I do get an RS256 token back, but it still doesn’t give me authorization. Any idea why this happens?

An example of the token from the client:


Which results in:
[image: JWT decoded]