auth0
Auth0 is sending a RS256 signed token instead of HS256 signed token
I am trying to obtain an auth token with Auth0 java client.
In Auth0, I have a non interactive client. JsonWebToken Signature Algorithm is set to HS256 in the client. I use following code to obtain the token.
AuthAPI auth = new AuthAPI("my.domain", "my_client_id", "my_client_secret");
AuthRequest request = auth.login("username", "password").setAudience("my_audience");
TokenHolder holder = request.execute();
But, the token I receive is signed with RS256 instead of HS256.
What could be the problem here?
Solution
This is expected behaviour. The JWT Access token is signed by your API (the audience is set to the Identifier of the API) and not by the Client.
From the Auth0 Dashboard, check under APIs, and you'll find what the API is using. It is recommended always to use (prefer) RS256.
If you need any further info, please leave me comments.
- Integrating Auth0 Signin in Laravel 10: Restricting Login to Auth0 Credentials or OTP Only [Resolved]
- PyJWT installed but keey getting: ModuleNotFoundError: No module named 'jwt'
- How can Authorization Code Flow with PKCE be more secure than Authorization Code Flow without client_secret
- How can I mock auth0 authentication for testing?
- Spring Boot 3.3.2 with Spring Security 6.3.1 issue (no support of auth0-spring-security-api with Spring Framework 3.3.2)
- Auth0 Signout issue - User href works but router.push doesnt?
- Auth0 plus Capacitor plus React not recognising login
- Unexpected JWT alg received, expected RS256, got: HS256
- Auth0 Nextjs to Protected Api
- Login with Auth0 was successful but still a 401 'access denied' is returned?
- JWT token location in Blazor WASM
- How can the browser show an incorrect URL?
- How to write unit test for SecurityConfig for spring security
- How does browser is directed to new URL when last respone's code is 200 instead of 301
- How to set an AuthorizationRequestCustomizer on a DefaultOAuth2AuthorizationRequestResolver?
- Extracting Parameter Values Returned by APEX_AUTHENTICATION.CALLBACK?
- ABP.IO - MultiTenancy - Setting Tenant from External IDP
- How can I resolve "Error: You forgot to wrap your app in <UserProvider>" in NextJS 14 app
- How do I integrate envoy as a gateway, auth0 as an authentication system and OPA as an authorization system?
- Hoppscotch Pre-request Script async request
- Migrate AWS Cognito users to Auth0
- java-jwt with public/private keys
- User authentication + dynamic routing problems (Auth0 & next.js App Router)
- Universal login page appearence changed after I integrated server part
- While sending request to Auth0 to get access token, is it possible to hide payload with secret keys which are visible?
- access token from auth0provider outside of react components
- Error 401 on Angular-NestJs page when refreshing token with Auth0
- How to refactor common react code for a sign in redirect?
- How to auto redirect to Auth0 IDP from Azure AD B2C custom polcieis based on certain condition
- Header in the response must not be the wildcard '*' when the request's credentials mode is 'include'