Changing signing algorithm doesn't work

I have selected HS256 algorithm:

![alt text][1]

And, I saved changes:
![alt text][2]

I got a new token, but when I read info shows RS256:
![alt text][3]

This is the code that I use for login:

      realm: 'Username-Password-Authentication',
      responseType: 'token',
      username: credentials.username,
      password: credentials.password,
      scope: 'openid profile email'

As specified in the documentation the Auth0.js v8 webAuth.client.login method performs a resource owner password credentials (ROPC) grant using the /oauth/token endpoint.

(…) database connections, using /oauth/token.

The documentation for ROPC then indicates that /oauth/token endpoint is the equivalent endpoint to /oauth/ro when you are using the currently recommended OpenID Connect (OIDC) compliant endpoints.

If you look further at the authentication response notes available in the documentation for the OIDC compliant response you’ll see the following:

The ID token will be forcibly signed using RS256 if requested by a public client.

In conclusion, what you’re observing is the expected behavior as I’m assuming you’re performing that call from what can be considered a public client.

The Auth0 documenttion is most terrible documentation in my life. Thank you for the answer.

1 Like