Authorization API signs JWTs as RS256 when HS256 is selected

yoojin.lee · September 7, 2017, 9:03am

I do believe that /oauth/token does indeed support HS256.

This endpoint requires a “client_secret” parameter in the payload if the client is configured for HS256 and OIDC unsupported.

RS256 does not require the client secret

https://auth0.com/docs/api/authentication#client-credentials

As a proof of concept I performed the following steps:

Auth0 Client Configuration:
Auth0 → Clients → [client] → Settings → Advanced Settings:
JsonWebToken Signature Algorithm : HS256
OIDC Conformant : unchecked

curl --request POST \
  --url 'https://[DOMAIN]/oauth/token' \
  --header 'content-type: application/json' \
  --data  '{"grant_type":"http:\/\/auth0.com\/oauth\/grant-type\/password-realm","client_id":"[CLIENTID]", "client_secret":"[CLIENT SECRET]", "realm":"Username-Password-Authentication", "scope":"openid","username":"[USERNAME]","password":"[PASSWORD]"}'

Topic		Replies	Views
Changing signing algorithm doesn't work Help dashboard , algorithm	3	5188	March 2, 2018
Server returns RS256 but HS256 is selected Help rs256 , hs256 , ios , token-validation , algorithm	6	6163	March 2, 2018
id_token retrieved in RS256 instead of HS256 (Auth0, Swift) Help auth0 , rs256 , hs256 , authorization , swift	2	5010	March 2, 2018
Expected the ID token to be signed with HS256 JWT.io jwt	1	4277	October 9, 2021
Still get RS256 token JWT.io	3	2585	April 22, 2022

Authorization API signs JWTs as RS256 when HS256 is selected

Related topics