Express-openid-connect: unexpected JWT alg received, expected HS256, got: RS256

I am trying to use express-openid-connect: 2.7.3 with HSHS256 signing algorithm. I am getting this error:

BadRequestError: unexpected JWT alg received, expected HS256, got: RS256
    at /node_modules/express-openid-connect/middleware/auth.js:121:19

I have this config:

server.js

app.use(
    auth({
      authRequired: true,
      idpLogout: true,
      idTokenSigningAlg: 'HS256',
      issuerBaseURL: process.env.ISSUER_BASE_URL,
      clientID: process.env.CLIENT_ID,
      authorizationParams: {
        response_type: "code",
        audience: process.env.AUDIENCE,
        scope: "openid profile email",
      },
    })
  );

.env

CLIENT_ID=Kr***********************WhTI
BASE_URL=http://localhost:3000
CLIENT_SECRET=wd************************************************tRLg99
AUDIENCE=https://my-audience
SECRET=0y************************ySlx
ISSUER_BASE_URL=https://mydomain.auth0.com
PORT=3000

What I am missing?

Hello @lissett.diaz welcome to the community!

There could be several things going on - First, can you verify that you have updated the signing algorithm in the application settings? You can do so by navigating to the application (client_id) in your Auth0 dashboard ā†’ Advanced ā†’ OAuth.

What type of app is the application (web, SPA, etc.)?

Let us know!

Hi @tyf thank for answering.

This is what I have:

1 Like

Thanks for confirming! Strange as Iā€™m unable to reproduce on my end currently :thinking: I did notice that your client id is that of a SPA application, what happens if you create a Web App in Auth0 and use that instead here?

If you are using an API registered in Auth0 you will need to have the algorithm set to HS256 there as well.

Additionally, you may want to consider using RS256 if possible:

Resolved in another thread - Application needs to be set to Web Application in Auth0 Dashboard settings.