Authorization API signs JWTs as RS256 when HS256 is selected

yoojin.lee · September 7, 2017, 9:03am

I do believe that /oauth/token does indeed support HS256.

This endpoint requires a “client_secret” parameter in the payload if the client is configured for HS256 and OIDC unsupported.

RS256 does not require the client secret

https://auth0.com/docs/api/authentication#client-credentials

As a proof of concept I performed the following steps:

Auth0 Client Configuration:
Auth0 → Clients → [client] → Settings → Advanced Settings:
JsonWebToken Signature Algorithm : HS256
OIDC Conformant : unchecked

curl --request POST \
  --url 'https://[DOMAIN]/oauth/token' \
  --header 'content-type: application/json' \
  --data  '{"grant_type":"http:\/\/auth0.com\/oauth\/grant-type\/password-realm","client_id":"[CLIENTID]", "client_secret":"[CLIENT SECRET]", "realm":"Username-Password-Authentication", "scope":"openid","username":"[USERNAME]","password":"[PASSWORD]"}'

Topic		Replies	Views
Server returns RS256 but HS256 is selected Help rs256 , hs256 , ios , token-validation , algorithm	6	6163	March 2, 2018
Getting RS256 token instead of HS256 Help jwt	7	5381	June 25, 2022
How does signing a token work? (Invalid Signature Error) Help jwt , auth0 , hs256	1	7426	March 9, 2020
Difference Between RS256 and HS256 JWT Signing Algorithms Knowledge Articles jwt-security , jwt , signing , rs256 , hs256	1	33786	February 26, 2021
How to get access token with HMAC algorithm? Help	8	5731	January 29, 2021

Authorization API signs JWTs as RS256 when HS256 is selected

Related Topics