Question: What’s the difference between RS256 and HS256 JWT signing algorithms?
- RS256 and HS256 are algorithms used for signing a JWT.
- RS256 is an asymmetric algorithm, meaning it uses a public and private key pair.
- HS256 is a symmetric algorithm, meaning it uses a shared secret.
- Auth0 uses RS256 as the default signing algorithm in JWTs. We recommend that you use RS256 instead of HS256 for several reasons.
RS256 and HS256 are two algorithms used for signing a JSON Web Token (JWT). To help explain what that means and why it’s important, it’s helpful to understand what a JWT is.
A JWT is a “compact, URL-safe means of representing claims to be transferred between two parties” (RFC 7519). It consists of three base64url-encoded parts joined by dots: a header, a payload, and a signature. The header specifies the token type and the signing algorithm. The payload carries the data (or claims) being passed; note that it is only encoded, not encrypted, so anyone holding the token can read it. The signature allows the consumer of the JWT to validate that the header and payload have not been tampered with.
Following the OpenID Connect protocol, Auth0 uses JWTs for ID Tokens which are used for passing the claims about a user to your application after authentication. Your application needs to trust that the claims encoded in a JWT have not been altered in any way. This is why a JWT includes a signature.
The JWT signature allows its recipient to validate that it hasn’t been manipulated. To generate a signature, the JWT issuer uses a signing algorithm. There are several algorithm options, but the most common are RS256 (RSA Signature with SHA-256) and HS256 (HMAC with SHA-256). The key difference between these two algorithms is that RS256 is asymmetric, and HS256 is symmetric.
RS256 is an asymmetric algorithm, which means that the issuer (for example, Auth0) has a private key that it uses to generate the signature. The JWT consumer (for example, your application) uses the matching public key to validate the signature; the public key cannot be used to produce a signature, so distributing it does not let anyone mint tokens. You can retrieve your Auth0 tenant’s public keys from https://YOUR_DOMAIN/.well-known/jwks.json. The JWKS can list more than one key (for example, during key rotation), and each token’s header carries a kid value that identifies which key to verify it with.
HS256 is a symmetric algorithm, which means instead of using a public/private key pair, it uses one shared secret to both sign and validate the token. When using HS256, both Auth0 and your application would use the same shared secret. This means that if the secret were to be found by a third party, they could generate a valid JWT for your application, and every party that needs to validate tokens must hold a secret that also lets it forge them. An application that cannot keep a secret (such as a browser-based or native app) therefore cannot safely use HS256. In either case, your application should pin the algorithm it expects rather than trusting the alg value in the token header; a verifier that lets the header choose the algorithm can be tricked into treating an RSA public key as an HMAC secret (see RFC 8725).
Configuring signing algorithms in Auth0
As mentioned, the ID Token your application receives from Auth0 is a JWT. To select the signing algorithm used in the ID Token, go to your application’s advanced settings and select JsonWebToken Signature Algorithm. The default and recommended algorithm is RS256.
When you register an API within your Auth0 tenant, your application can use the API as the audience when requesting an Access Token. In this scenario, the Access Token you receive from Auth0 is also a JWT. You can select the signing algorithm when registering the API.
- Signing Algorithms
- JSON Web Token (JWT) Signing Algorithms Overview
- JSON Web Token Introduction - jwt.io
- RFC 8725 - JSON Web Token Best Current Practices
Community Topic: JWT signing algorithms RS256 vs HS256!