Troubleshoot Invalid Token Errors

Parsing an HS256-Signed ID Token Without an access token

Error Message: The ID token cannot be validated because it was signed using the HS256 algorithm and public applications (such as a browser) can’t store secrets.

Causes

Beginning with auth0.js version 9 and Lock version 11, when ID tokens are signed with HS256, they are discarded and a call to /userinfo is made to retrieve user information.

Calling /userinfo requires an Access Token. If you don't ask for an access token when authenticating, you will receive the following error: The id_token cannot be validated because it was signed with the HS256 algorithm and public applications (like a browser) can’t store secrets. Please read the associated doc for possible ways to fix this.

Fixes

There are two ways to fix the error:

  1. (RECOMMENDED) Change the application signature algorithm to RS256 instead of HS256.

  2. Change the value of your responseType parameter to token id_token (instead of the default), so that you receive an access token in the response.

To change the application signature algorithm to RS256 instead of HS256:

  1. Go to Auth0 Dashboard > Applications > Applications, and select the name of the application to view.

  2. Scroll to the bottom of the Settings page, and select Show Advanced Settings.

  3. Select the OAuth view, change the value of JsonWebToken Signature Algorithm to RS256, and select Save Changes.

If you proceed with this option and you are using the ID token to call your APIs, be sure to change your server code so that it validates tokens using the RS256 algorithm instead of HS256. Note that using ID tokens to call APIs is not recommended.

You can decode, verify and generate JWTs using the JWT Tool.