Token being returned signed with HS256, while RS256 specified

I’m running into an issue and having trouble getting to the bottom of it:

After a successful login with a Google user, my PHP implementation (using official Auth0 library) is failing with the following error message:

Auth0\SDK\Exception\InvalidTokenException::unexpectedSigningAlgorithm(RS256, HS256)

Our code is configured to use RS256, as is visible from the error stack trace:

Auth0\SDK\Token\Parser->verify(RS256, ***…, ***…, 60, NULL)

And the API/audience is also configured to use RS256.

Auth0 Logs show successful login for the Google user and successful Authorization Code for Access Token.

When Auth0 redirects to my callback URL, it throws the above mentioned exception.

The confusing part is, though, I have two APIs/Clients, one for prod and one for dev. Both configured exactly the same. Dev works, but Prod throws this exception.

Is it possible something is erroneous on Auth0 end, or am I missing something in my configuration? Did anyone run into a similar issue?

Hi @martin.vrkljan,

Let’s start by looking at your configuration. Can you please DM me an example token and the name of your tenant?

Thanks for sending that info over!

It looks like the app is configured to send HS256-signed tokens.

You can change this by going to Your Application > Settings > Advanced Settings > OAuth > JSON Web Token (JWT) Signature Algorithm.
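To make the diagnosis concrete, here is an added example (not code from the thread, the Auth0 SDK, or its author) that reproduces the check the PHP SDK performed: it reads the `alg` field from a token's JOSE header and refuses to proceed unless it equals the algorithm the application was configured for, raising an error shaped like the SDK's `unexpectedSigningAlgorithm(expected, actual)`. The token, secret, claims and the `diagnose` helper are all constructed for this example; the point it demonstrates is that the verifier must pin the expected algorithm and compare it against the header before any signature verification, rather than letting the header choose which verification path runs.

```python
import base64
import hashlib
import hmac
import json


class InvalidTokenException(Exception):
    """Mirrors the SDK's failure mode: expected vs. actual signing algorithm."""

    def __init__(self, expected: str, actual: str):
        super().__init__(f"unexpectedSigningAlgorithm({expected}, {actual})")
        self.expected = expected
        self.actual = actual


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def parse_header(token: str) -> dict:
    """Decode the JOSE header (first segment) without trusting the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))


def check_signing_algorithm(token: str, expected_alg: str) -> str:
    """Pin the algorithm: the header's 'alg' must equal what the app configured.

    This is the check that rejected the token in the thread: the application
    was issuing HS256 tokens while the PHP SDK was configured for RS256.
    """
    actual_alg = parse_header(token).get("alg")
    if actual_alg != expected_alg:
        raise InvalidTokenException(expected_alg, str(actual_alg))
    return actual_alg


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Constructed sample: build an HS256 token like the misconfigured app did."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Verify an HS256 signature; only called after the alg check has passed."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise InvalidTokenException("valid signature", "invalid signature")
    return json.loads(b64url_decode(payload))


# Constructed sample secret and token (not real Auth0 material).
SAMPLE_SECRET = b"constructed-client-secret"
SAMPLE_TOKEN = make_hs256_token(
    {"sub": "google-oauth2|example", "aud": "https://api.example.invalid"},
    SAMPLE_SECRET,
)


def diagnose(token: str, configured_alg: str) -> str:
    """Return a one-line diagnosis for the mismatch described in the thread."""
    try:
        check_signing_algorithm(token, configured_alg)
    except InvalidTokenException as exc:
        return (f"rejected: app configured for {exc.expected} but token header "
                f"says {exc.actual}; align the application's JWT Signature "
                "Algorithm with the SDK setting")
    return f"accepted: header alg matches configured {configured_alg}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_TOKEN, "RS256"))  # the situation in the thread
    print(diagnose(SAMPLE_TOKEN, "HS256"))  # what the SDK would accept
```

Running it prints the rejection for the RS256 configuration first (the thread's situation) and an acceptance for HS256 second. The design choice worth noting is the ordering: `check_signing_algorithm` runs before `verify_hs256`, so the configured algorithm, not the token header, decides which verification routine is used.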

I totally missed the Advanced Settings section, thanks!


No problem! Let me know if you run into anything else.
