Express-openid-connect: unexpected JWT alg received, expected HS256, got: RS256

lissett.diaz · July 26, 2022, 8:14pm

I am trying to use express-openid-connect: 2.7.3 with HSHS256 signing algorithm. I am getting this error:

BadRequestError: unexpected JWT alg received, expected HS256, got: RS256
    at /node_modules/express-openid-connect/middleware/auth.js:121:19

I have this config:

server.js

app.use(
    auth({
      authRequired: true,
      idpLogout: true,
      idTokenSigningAlg: 'HS256',
      issuerBaseURL: process.env.ISSUER_BASE_URL,
      clientID: process.env.CLIENT_ID,
      authorizationParams: {
        response_type: "code",
        audience: process.env.AUDIENCE,
        scope: "openid profile email",
      },
    })
  );

.env

CLIENT_ID=Kr***********************WhTI
BASE_URL=http://localhost:3000
CLIENT_SECRET=wd************************************************tRLg99
AUDIENCE=https://my-audience
SECRET=0y************************ySlx
ISSUER_BASE_URL=https://mydomain.auth0.com
PORT=3000

What I am missing?

tyf · July 26, 2022, 9:47pm

Hello @lissett.diaz welcome to the community!

There could be several things going on - First, can you verify that you have updated the signing algorithm in the application settings? You can do so by navigating to the application (client_id) in your Auth0 dashboard → Advanced → OAuth.

What type of app is the application (web, SPA, etc.)?

Let us know!

lissett.diaz · July 26, 2022, 10:36pm

Hi @tyf thank for answering.

This is what I have:

tyf · July 26, 2022, 11:44pm

Thanks for confirming! Strange as I’m unable to reproduce on my end currently I did notice that your client id is that of a SPA application, what happens if you create a Web App in Auth0 and use that instead here?

If you are using an API registered in Auth0 you will need to have the algorithm set to HS256 there as well.

Additionally, you may want to consider using RS256 if possible:

tyf · July 28, 2022, 12:45am

Resolved in another thread - Application needs to be set to Web Application in Auth0 Dashboard settings.

tyf · August 12, 2022, 12:45am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
OpenIDConnect playground algorithm issue Help community-topic , other	2	7	October 9, 2024
id_token retrieved in RS256 instead of HS256 (Auth0, Swift) Help auth0 , rs256 , hs256 , authorization , swift	2	5005	March 2, 2018
Expected the ID token to be signed with HS256 JWT.io jwt	1	4266	October 9, 2021
Authorization API signs JWTs as RS256 when HS256 is selected Help token , rs256 , hs256 , algorithm	7	11415	March 2, 2018
Hello I am unable to make work the quickstart for nodejs api Help node-auth0 , sdks-quickstarts	5	1700	July 13, 2023

Express-openid-connect: unexpected JWT alg received, expected HS256, got: RS256

Related Topics