Getting RS256 token instead of HS256

I’ve the same problem mentioned here

I changed the JSON Web Token (JWT) Signature Algorithm under the App advanced setting from RS256 to HS256 but I still get an RS256 token.

The tenant name is esc-py

The application name is esc-py

An example token is this:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjdBY0xoTmN2dHFOVi1qNXNJU0prNSJ9.eyJpc3MiOiJodHRwczovL2VzYy1weS51cy5hdXRoMC5jb20vIiwic3ViIjoic21zfDYyODAyZDgwNDI0NWZiMTNkMzIwYTY2YyIsImF1ZCI6WyJodHRwczovL2VzYy1weS51cy5hdXRoMC5jb20vYXBpL3YyLyIsImh0dHBzOi8vZXNjLXB5LnVzLmF1dGgwLmNvbS91c2VyaW5mbyJdLCJpYXQiOjE2NTQ3MDUxMzEsImV4cCI6MTY1NDc5MTUzMSwiYXpwIjoicVlPaktSU1lMd0ZNSEZ2UG5DMVNzdTIxSWFBREJBQmUiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIG9mZmxpbmVfYWNjZXNzIn0.FKdVA5umUPMdC-YVQ2wkeT-JdcL86ywb9pvjaJf99-sP6gOhYMLog3xAz_N0y7xv6YWNbgRnSjyV0FINMXLsCMzXox4SGka9wWkxVlfvghIcqMLPy2P-mbSVADl23Ax4Xi6k0fcslHttSUek6yXPlCqK2rhqDfzdBNoI3wv3dEQQ-c7LZreJBjsIUgwysR43k9sSIXayp7b9gwthNHlVSqxmPPZMFFnSIAujB2SweyELhSWvOyr7lFrvzpSLMaf9ZZDogyiQQmgLJX5LEvxq1vU_ny86-hQ40Rfk1r2UGc2a3GE2PnCIeHbFVoDOKtQcdZgFaaSEPdiKIfJMz9Qr7A

According to jwt.io and the jsonwebtoken library, it is still RS256.

Hi there @giovannilaperna!

Are you setting an audience to be a custom/external API that you’ve added in your Auth0 Dashboard? If so, you may need to re-create the API and change the signing algorithm.

Keep us posted!

Hi tyf,

Thanks for replying but I’m not sure I get your message.

The audience is the default one, https://esc-py.us.auth0.com/api/v2/

And the only API I have is the default one, Auth0 Management API

I used this API only to configure a custom SMS gateway for the app.

Changing the Signing Algorithm is disabled for that API (as in your screenshot).

If I create a new API, I can choose an HS256 Signing Algorithm, but I also have to provide a new Identifier and I have no idea how to choose it.

Which URL should I provide? I can’t provide https://esc-py.us.auth0.com/api/v2/ again.

What should I do in this case?

I switched back to RS256 for now and everything works correctly.

No problem I’m happy to help where I can and thanks for following up!

I’d be curious as to the need for HS256 in your use case? The default (and recommended) signing algorithm is RS256 as you’ve noticed. Some more on signing algorithms in particular can be found in this FAQ:

When registering an API in Auth0 the identifier is typically the URL of the API that the API as it exists in Auth0 represents. Basically, you would use this identifier as the audience in an authorization flow where the token returned is verified on your end for said API. The following article goes into more detail regarding the validation of Access Tokens by an API:

Hope this helps at least clear things up a bit!


The reason was really silly:

I thought that storing the Client Secret as an environment variable was easier than the multiline certificate, and for RS256 I was expecting to find a certificate starting with -----BEGIN PUBLIC KEY BLOCK-----.

But now I set the RS256 with the provided certificate and everything works correctly.

Thank you for your assistance!


Great! Happy to hear everything works correctly and thanks for confirming here :smile:
