
Migrated to hosted login, JWT now always RS256 and not HS256


#1

I was using Lock embedded in a SPA. I retrieve the JWT after login and pass it to AWS Lambda functions, which then use the JsonWebToken library’s verify call to validate the signature of the token. The Lambda functions have the secret key for the app, so with HS256 used as the algorithm there was no issue; it checked the signature, all good.

Poor discipline on my part, but when I tested all this on my test application the migration to hosted pages worked fine, so I pushed it all to production and all seemed well (I can’t be certain). Then users recently said they could get their info retrieved in the SPA; the root cause is that the JWT is now signed with RS256, so verify is failing, as it only has the secret.

I’m at a loss as to how to force the hosted login page to return an HS256-signed JWT. Other posts here suggest it’s because Auth0 has decided a SPA isn’t secure enough to handle an HS256-signed JWT, because it would need the secret key to verify it. Yep, I agree totally with that logic, but my SPA doesn’t need to verify it; a secured back-end process does.

So either I need to force the Auth0 hosted login page to return an HS256-signed JWT, or make JsonWebToken understand how to use RS256, which seems (from looking at the code) to require that I provide the public key in the verify call. I don’t know what best practice is there, i.e. embed the public key in the code or go and get it from somewhere.

Looking for guidance please, on how to either force an HS256-signed JWT (preferred, as it’s fewer code changes) or how best to implement RS256 verification in my back-end Lambda functions (they’re just JavaScript at the end of the day).

Thanks in advance!


#2

After wrestling with this for hours, and reading various posts, I finally found the clue: even though I hadn’t asked for any of this OIDC-compliant functionality, the fact that I requested an aud in the token means that, silently, Auth0 interprets this as meaning I want OIDC compliance. Fortunately I hadn’t started to leverage the audience values, so by simply removing the request for an aud in the JWT, Auth0 returns a JWT signed with HS256.

There seem to be many nuances to this; I’d tried forcing the application type in the dashboard to different values (due to the SPA comments), but the one that worked was definitely removing the audience. Hope this is useful to someone and saves them some time.