unexpected JWT alg received, expected RS256, got: HS256

[LamaDabbeet]

Hello
I am using "openid-client": "^5.4.2"this with nuxt3 inside the netro server , when trying to get the token I got this errorunexpected JWT alg received, expected RS256, got: HS256
I am using client.callback() instead of client.oauthCallback() the reason behind that , I got this error earlier
id_token detected in the response, you must use client.callback() instead of client.oauthCallback()
So now I am not sure what is the main problem here ,and how to solve it ,
Thank you

[julien-maitan]

Not sure why, but if the algorithm used by your auth server is different from the default client config RS256, you must set it explicitly:

new googleIssuer.Client({
  client_id: 'zELcpfANLqY7Oqas',
  client_secret: 'TQV5U29k1gHibH5bx1layBo0OSAvAbRT3UYW3EWrSYBB5swxjVfWUa1BS8lqzxG/0v9wruMcrGadany3',
  redirect_uris: ['http://localhost:3000/cb'],
  response_types: ['code'],
  id_token_signed_response_alg: 'HS256' // (default "RS256")
})

[PedroHase]

When I set id_token_signed_response_alg to HS256, suddenly client_secret is required, although I have set token_endpoint_auth_method to none. Am I maybe missing something or can I only use symmetric signing with a client_secret?

[panva]

Yeah, the ID Token is signed with the client secret when using HMAC, the secret therefore becomes required again even with none as auth method.

[PedroHase]

Ah thanks @panva, this makes sense! Changed it to RSA256 using jose and it works flawless 👍