Receiving id_token as RS256 instead of HS256

alphatreader · May 29, 2020, 12:07am

I am trying to get id_token and access_token by using the implicit grant type: Implicit Flow with Form Post

https://<my_tenant>.auth0.com/authorize?audience=<my_audience>&response_type=id_token token&client_id=<my_client_id>&redirect_uri=http://localhost:3000/auth0-user&nonce=abc&state=123&scope=openid profile email

I have set the application to use HS256 by making it “OIDC incompliant”.
The audience parameter and its corresponding API setting has also been set to use the HS256 signing algo.

But when I receive the response, the access_token is in HS256 as expected but id_token is always RS256 signed.

How can I get id token in HS256?

konrad.sopala · May 29, 2020, 10:57am

Hey there @alphatreader!

Can you tell me or perfectly share the screenshot where you’re setting the signing algorithm?

alphatreader · May 30, 2020, 11:51am

Here are the application settings:

And here is the API setting:

konrad.sopala · June 5, 2020, 11:42am

Thanks! I must have missed your last message. Let me discuss it with the engineering team why it might be behaving this way.