Receiving HS256 signing algorithm instead of RS256

The short access token means that this authentication response is for an authentication request that did not specify that it wanted to obtain an access token for one of your configured APIs; more specifically, the request did not include an audience parameter and a default audience is also not configured.

In this situation, the access token is not usable to call your own APIs and as such does not need to be a JWT. In relation to the ID token being signed as HS256 although you say that you changed that setting, the simplest explanation would be that (bear with me, as this also happened to me a couple of times) you did not save the changes. Can you ensure that the settings were indeed saved and try to obtain a new ID token by performing a new authentication process?
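The check described in the reply above can be scripted. This is an added example, not part of the original post: it reads the header of a freshly issued ID token to see which algorithm it carries and reports whether the access token is an opaque string or a JWT. The function names and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json

def _b64url_decode(seg: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_token(token: str) -> dict:
    """Classify a token as 'jwt' or 'opaque' and report the header alg.
    Diagnostic only: the signature is NOT verified here."""
    opaque = {"kind": "opaque", "alg": None}
    parts = token.split(".")
    if len(parts) != 3:
        return opaque
    try:
        header = json.loads(_b64url_decode(parts[0]))
        json.loads(_b64url_decode(parts[1]))  # payload must be JSON too
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return opaque
    if not isinstance(header, dict):
        return opaque
    return {"kind": "jwt", "alg": header.get("alg")}

def diagnose(id_token: str, access_token: str, expected_alg: str = "RS256") -> list:
    """Return findings that match the two symptoms discussed in the thread."""
    findings = []
    idt = inspect_token(id_token)
    if idt["kind"] != "jwt":
        findings.append("ID token is not a JWT")
    elif idt["alg"] != expected_alg:
        findings.append(f"ID token alg is {idt['alg']}, expected {expected_alg}: "
                        "confirm the setting was saved, then authenticate again")
    if inspect_token(access_token)["kind"] == "opaque":
        findings.append("access token is opaque: no audience in the request "
                        "and no default audience configured")
    return findings

def make_sample_jwt(alg: str) -> str:
    # Constructed sample: real header/payload layout, placeholder signature.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": "constructed-user"}).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"

if __name__ == "__main__":
    for line in diagnose(make_sample_jwt("HS256"), "constructedOpaque16"):
        print(line)
```

The header is attacker-controllable input, so this is only a way to confirm what the server issued; the code that validates tokens should pin the expected algorithm rather than trust the `alg` field.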