Errors with code 'invalid_token'
Parsing an HS256-Signed ID Token Without an Access Token
Error Message: The ID Token cannot be validated because it was signed using the HS256 algorithm and public applications (such as a browser) can’t store secrets. Please read the associated doc for ways to fix this.
Why this error occurred
Beginning with auth0.js version 9 and Lock version 11, when ID Tokens are signed with HS256, they are discarded and a call to /userinfo is made to retrieve user information.
Calling /userinfo requires an Access Token. If you don't ask for an Access Token when authenticating, you will receive the error message shown above.
Ways to fix this error
There are two ways to fix the error:
- (RECOMMENDED) Change the application signature algorithm to RS256 instead of HS256.
- Change the value of your responseType parameter to 'token id_token' (instead of the default), so that you receive an Access Token in the response.
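The decision described under "Why this error occurred", and how each of the two fixes changes its outcome, as an added example that is not auth0.js or Lock source code. The function names, action labels and sample tokens are assumptions made for illustration; the check reads only the token header and does not verify any signature.

```javascript
// Added example, not auth0.js source. All names here are hypothetical.

// Decode one base64url JWT segment into an object (no signature check).
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Build a constructed sample token; the third segment is a dummy signature.
function makeSampleToken(alg) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg, typ: 'JWT' }), enc({ sub: 'constructed|user' }), 'c2ln'].join('.');
}

// Decide how a public client (browser) has to treat the authentication response.
function planIdTokenHandling(idToken, accessToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) return { action: 'reject', reason: 'malformed_token' };
  let header;
  try {
    header = decodeSegment(parts[0]);
  } catch (e) {
    return { action: 'reject', reason: 'malformed_token' };
  }
  // Fix 1: RS256 tokens can be checked with the public key, no secret needed.
  if (header.alg === 'RS256') return { action: 'verify_with_public_key' };
  if (header.alg === 'HS256') {
    // A browser cannot hold the shared secret, so the ID Token is discarded.
    return accessToken
      ? { action: 'call_userinfo' }                    // Fix 2: Access Token present
      : { action: 'reject', reason: 'invalid_token' }; // /userinfo cannot be called
  }
  // Assumption of this example: any other algorithm is refused outright.
  return { action: 'reject', reason: 'unsupported_alg' };
}
```

Running it against a real response shows which branch the application is on: only an HS256 token without an Access Token reaches the 'invalid_token' result.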
To change the application signature algorithm to RS256 instead of HS256: