Based on the fact that you mentioned that it works for a social connection and not a database connection, the most likely cause is that the SDK call you're performing is going through /oauth/token for the username/password scenario. That endpoint implies OIDC compliance behavior even if you did not explicitly enable it.

See this other answer for additional information on this situation. For a mobile application, the recommendation is to adapt it to support the validation of RS256 ID tokens. Keep in mind that ID tokens are only meant to be consumed by the client application itself and that they are always a JWT where the aud claim is the client application identifier. If you need a token to then send to your back-end API as an authorization method, then you should be relying on access tokens (see API Authorization). In this case, since the back-end API can keep a secret, you can freely choose to use HS256 signed JWT access tokens.
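
The back-end side of the advice above, as an added example that is not part of the original answer or of any Auth0 SDK: a standard-library check that accepts only HS256 access tokens issued for the API and rejects a token whose aud is a client identifier, as an ID token's would be. `API_AUDIENCE`, `API_SECRET`, `sign_hs256` and `verify_access_token` are hypothetical names with constructed values.

```python
import base64, hashlib, hmac, json, time

API_AUDIENCE = "https://api.example.test"  # assumed API identifier (constructed)
API_SECRET = b"constructed-demo-secret"    # assumed HS256 secret held by the API (constructed)

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims, secret):
    """Build a constructed HS256 JWT; stands in for the authorization server."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_access_token(token, secret=API_SECRET, audience=API_AUDIENCE, now=None):
    """Return the claims of a valid HS256 access token for this API, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token header choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # An ID token carries the client identifier in aud, so it fails this check.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims
```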