I do believe that /oauth/token does indeed support HS256.
This endpoint requires a “client_secret” parameter in the payload if the client is configured for HS256 and OIDC unsupported.
RS256 does not require the client secret.
https://auth0.com/docs/api/authentication#client-credentials
As a proof of concept I performed the following steps:
Auth0 Client Configuration:
Auth0 → Clients → [client] → Settings → Advanced Settings:
JsonWebToken Signature Algorithm : HS256
OIDC Conformant : unchecked
curl --request POST \
--url 'https://[DOMAIN]/oauth/token' \
--header 'content-type: application/json' \
--data '{"grant_type":"http:\/\/auth0.com\/oauth\/grant-type\/password-realm","client_id":"[CLIENTID]", "client_secret":"[CLIENT SECRET]", "realm":"Username-Password-Authentication", "scope":"openid","username":"[USERNAME]","password":"[PASSWORD]"}'