Auth0 Home Blog Docs

Getting an invalid algorithm error after calling delegation for username and password users



On my Android app I’m using the method delegationWithIdToken() after logging the user.

The login process works great, both with email+password and Facebook. When The user logs in with Facebook the delegation method works, and I receive my access token, but when the user logs in with email+password, the delegation returns the error with description:

"invalid algorithm", (error code: "invalid_token").

What algorithm is it talking about? How can I work around this?


The underlying issue is likely being caused by the following combination of factors:

  • you are calling /oauth/token in order to perform a resource owner password credentials (ROPC) grant.
  • you are doing the above from a native client application which is generally considered to be a public client as it can’t perform client authentication (aka securely maintain a client secret).
  • the JsonWebToken Signature Algorithm setting of your native client application is set to HS256.
  • you are calling /delegation with the ID token returned from the ROPC grant,

The combination of the above means that when the public client performs a ROPC grant at the /oauth/token endpoint the issued JWT token will forcibly be signed using RS256 even though the client settings requested HS256. This is documented here (see the diffs by switching between legacy and OIDC tabs):

(For OIDC-conformant) The ID token will be forcibly signed using RS256 if requested by a public client.

Later, when you call delegation with the ID token sent will be validated taking in consideration the client settings which leads to the invalid algorithm error as delegation expected HS256 and the token uses RS256. At this point, this is not planned to be changed so the recommended approach to resolve this situation is to configure your native/public client applications to use RS256 in the client settings.