Errors with code 'invalid_token'

Parsing an HS256-Signed ID Token Without an Access Token

Error Message: The ID Token cannot be validated because it was signed using the HS256 algorithm and public applications (such as a browser) can’t store secrets. Please read the associated doc for ways to fix this.

Why this error occurred

Beginning with auth0.js version 9 and Lock version 11, an ID Token signed with HS256 is discarded rather than validated, because verifying an HMAC signature would require the client secret and a public application cannot hold one. The library instead calls /userinfo to retrieve the user information.

Calling /userinfo requires an Access Token. If you don't ask for an Access Token when authenticating, you will receive the error quoted at the top of this page.

Ways to fix this error

There are two ways to fix the error:

  1. (RECOMMENDED) Change the application signature algorithm to RS256 instead of HS256.
  2. Change the value of your responseType parameter to token id_token (instead of the default), so that you receive an Access Token in the response.

To change the application signature algorithm to RS256 instead of HS256: