Token being returned signed with HS256, while RS256 specified

martin.vrkljan · December 13, 2022, 8:38am

I’m running into an issue and having trouble getting to the bottom of it:

After a successful login with a Google user, my PHP implementation (using official Auth0 library) is failing with the following error message:

Auth0\SDK\Exception\InvalidTokenException::unexpectedSigningAlgorithm(RS256, HS256)

Our code is configured to use RS256, as is visible from the error stack trace:

Auth0\SDK\Token\Parser->verify(RS256, ***…, ***…, 60, NULL)

And the API/audience is also configured to use RS256.

Auth0 Logs show successful login for the Google user and successful Authorization Code for Access Token.

When Auth0 redirects to my callback URL, it throws the above mentioned exception.

The confusing part is, though, I have two APIs/Clients, one for prod and one for dev. Both configured exactly the same. Dev works, but Prod throws this exception.

Is it possible something is erroneous on Auth0 end, or am I missing something in my configuration? Did anyone run into a similar issue?

dan.woda · December 13, 2022, 5:18pm

Hi @martin.vrkljan,

Let’s start by looking at your configuration. Can you please DM me an example token and the name of your tenant?

dan.woda · December 14, 2022, 3:00pm

Thanks for sending that info over!

It looks like the app is configured to send HS256-signed tokens.

You can change this by going to Your Application → Settings → Advanced Settings → OAuth → JSON Web Token (JWT) Signature Algorithm.

martin.vrkljan · December 14, 2022, 3:30pm

I totally missed the Advanced Settings section, thanks!

dan.woda · December 14, 2022, 3:31pm

No problem! Let me know if you run into anything else.

system · December 28, 2022, 3:31pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.