Troubleshoot Invalid Token Errors
Parsing an HS256-Signed ID Token Without an access token
Error Message: The ID token cannot be validated because it was signed using the HS256 algorithm and public applications (such as a browser) can’t store secrets.
Causes
Beginning with auth0.js version 9 and Lock version 11, when ID tokens are signed with HS256, they are discarded and a call to /userinfo is made to retrieve user information.
Calling /userinfo requires an Access Token. If you don't ask for an access token when authenticating, you will receive the following error:
The id_token cannot be validated because it was signed with the HS256 algorithm
and public applications (like a browser) can’t store secrets.
Please read the associated doc for possible ways to fix this.
Fixes
There are two ways to fix the error:
1. (RECOMMENDED) Change the application signature algorithm to RS256 instead of HS256.
2. Change the value of your responseType parameter to token id_token (instead of the default), so that you receive an access token in the response.
To change the application signature algorithm to RS256 instead of HS256:
Go to Auth0 Dashboard > Applications > Applications, and select the name of the application to view.
Scroll to the bottom of the Settings page, and select Show Advanced Settings.
Select the OAuth view, change the value of JsonWebToken Signature Algorithm to RS256, and select Save Changes.
If you proceed with this option and you are using the ID token to call your APIs, be sure to change your server code so that it validates tokens using the RS256 algorithm instead of HS256. Note that using ID tokens to call APIs is not recommended.
You can decode, verify and generate JWTs using the JWT Tool.