I have an Auth0 tenant which I first configured manually, and it worked with my application. Now I have switched to managing it using Terraform, and since then I get an error when logging in that states:

    Callback handler failed. CAUSE: unexpected JWT alg received, expected RS256, got: HS256

I have checked the application and the token algorithm is still listed as RS256. Also, in the Terraform config I added this property specifically. What could be the reason the JWT is signed using the wrong algorithm?
This is how the API resource is defined in Terraform:

    resource "auth0_resource_server" "api" {
      identifier = "my-id"
      name = "My Name"
      allow_offline_access = false
      enforce_policies = true
      skip_consent_for_verifiable_first_party_clients = true
      signing_alg = "RS256"
      signing_secret = null
      token_dialect = "access_token_authz"
      token_lifetime = 86400
      token_lifetime_for_web = 7200
      verification_location = null
    }

We were missing another part of the configuration. The provided config is only for the API, but the client also allows specifying the JWT configuration:

    resource "auth0_client" "client" {
      # ...
      jwt_configuration {
        alg = "RS256"
        # ...
      }
    }

This fixes the issue.
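
A check for this kind of mismatch, as an added example that is not part of the original answer or of the Auth0 provider: it walks `terraform show -json` output and reports every `auth0_resource_server` and `auth0_client` whose signing algorithm is not pinned to RS256. The sample state is constructed, and the JSON layout (nested blocks stored as a list under `values`) is an assumption based on Terraform's JSON output format.

```python
import json
import sys

EXPECTED_ALG = "RS256"

# Constructed sample shaped like `terraform show -json` output (assumed layout, not real tenant data).
SAMPLE_STATE = {"values": {"root_module": {
    "resources": [
        {"address": "auth0_resource_server.api", "type": "auth0_resource_server",
         "values": {"identifier": "my-id", "signing_alg": "RS256"}},
        {"address": "auth0_client.client", "type": "auth0_client",
         "values": {"jwt_configuration": [{"alg": "HS256"}]}},
    ],
    "child_modules": [{"resources": [
        {"address": "module.web.auth0_client.spa", "type": "auth0_client",
         "values": {"jwt_configuration": []}},
    ]}],
}}}

def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def find_alg_mismatches(state, expected=EXPECTED_ALG):
    """Return (address, attribute, value) for each Auth0 resource not set to `expected`."""
    # State output uses "values"; plan output uses "planned_values".
    root = (state.get("values") or state.get("planned_values") or {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        values = res.get("values") or {}
        if res.get("type") == "auth0_resource_server":
            attr, alg = "signing_alg", values.get("signing_alg")
        elif res.get("type") == "auth0_client":
            # A missing or empty jwt_configuration block is reported as None (not pinned).
            blocks = values.get("jwt_configuration") or [{}]
            attr, alg = "jwt_configuration.alg", blocks[0].get("alg")
        else:
            continue
        if alg != expected:
            findings.append((res["address"], attr, alg))
    return findings

if __name__ == "__main__":
    # Usage: terraform show -json | python this_script.py  (falls back to the sample on a TTY)
    state = SAMPLE_STATE if sys.stdin.isatty() else json.load(sys.stdin)
    for address, attr, alg in find_alg_mismatches(state):
        print(f"{address}: {attr} is {alg!r}, expected {EXPECTED_ALG!r}")
```

On the constructed sample the API resource passes while both clients are reported, which is the situation described in the question: the API was set to RS256 but the client was not.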