How does the resource server verify a token for HS256 or HS512?

I have created a token using one of the algorithms, say HS256. When this is passed to the resource server, I can see an implementation like the one below:

    // Validation rules handed to the JWT handler on the resource server
    TokenValidationParameters validationParameters = new TokenValidationParameters()
    {
        ValidAudience = ActiveDirectory.audience,      // expected "aud" claim
        ValidIssuer = ActiveDirectory.issuer,          // expected "iss" claim
        ValidateLifetime = true,                       // check "nbf"/"exp"
        ValidateIssuerSigningKey = true,               // the signature must verify with IssuerSigningKey
        LifetimeValidator = this.LifetimeValidator,    // custom lifetime callback
        // Symmetric key shared with the token issuer; used for the HMAC (HS*) algorithms
        IssuerSigningKey = new SymmetricSecurityKey(System.Text.Encoding.Default.GetBytes(ActiveDirectory.clientSecret))
    };

Notice that while validating the token, no algorithm is passed (it must be HS256 to compare the hashes).

Now let's say I have changed the algorithm used when creating the token from HS256 to HS512. Here my resource server still validates the token successfully?

Could anyone help me with specifying the algorithm on the resource server to validate the token against?

Hello @ethenhunt321,

Welcome to the Community! I believe the only options for signing tokens in Auth0, both ID tokens and access tokens, are RS256 (the default and preferred option) and HS256. The algorithm will be embedded in the header portion of the JWT. Have a look at https://jwt.io/.

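To make the answer's point concrete, here is an added example (not code from the question, from Auth0, or from the .NET validator) of a minimal HMAC JWT verifier in Python: the algorithm is read from the token header and then checked against a server-side allowlist before any signature is computed, which is what restricting the resource server to HS256 amounts to. The secret, claims and helper names are constructed for the example; the issuer, audience and lifetime checks from the snippet in the question are left out to keep the focus on the algorithm check.

```python
import base64
import hashlib
import hmac
import json

# HMAC algorithms the verifier knows how to compute. Both use the same
# symmetric secret, so a verifier that simply honours whatever `alg` the
# header names will accept HS512 tokens even if the issuer "meant" HS256.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}
SECRET = b"constructed-shared-secret-for-this-example"  # constructed value

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs(claims: dict, secret: bytes, alg: str) -> str:
    """Issue a compact JWS with an HMAC signature (stands in for the token issuer)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), HMAC_ALGS[alg]).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs(token: str, secret: bytes, allowed_algs: set) -> dict:
    """Resource-server side: return the claims, or raise ValueError.
    The algorithm comes from the token header and is checked against the
    server's own allowlist *before* any HMAC is computed. With
    allowed_algs={"HS256"} an HS512 token under the same secret is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in allowed_algs or alg not in HMAC_ALGS:
        raise ValueError(f"algorithm {alg!r} not permitted by the resource server")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))

def is_accepted(token: str, secret: bytes, allowed_algs: set) -> bool:
    try:
        verify_hs(token, secret, allowed_algs)
        return True
    except ValueError:
        return False
```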

Yep, that is correct
