
JWT Signing Algorithm validator incorrectly assumes no jwt configuration defaults to RS256 #51

@thegrahamking

Description


As title. While the auth0 management web UI displays RS256 as the default when an Application is created without a jwt_configuration, HS256 is actually used as the default when an OIDC authentication occurs.

Reproduction

  1. Create an Application without a jwt_configuration object
  2. Perform a successful OIDC code flow authentication using client secret
  3. Decode the id_token and/or access_token
  4. Review the header, note that no alg claim is present, and/or attempt to verify the signature using one of the RS256 public keys for your tenant (this will fail) and/or attempt to verify with the client secret (this will pass)
  5. Run auth0checkmate
  6. Note that the JWT Signing Algorithm does not fail

Environment

  • Version of this library used: 1.6.1
  • Version of the platform or framework used, if applicable: N/A
  • Other relevant versions (language, server software, OS, browser): Windows
  • Other modules/plugins/libraries that might be involved: N/A
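The check the report asks for, as an added example that is not auth0checkmate's own code: it resolves the effective signing algorithm of an Auth0 application object the way the reporter describes (a missing `jwt_configuration` means HS256 at runtime, whatever the dashboard shows) and fails the "JWT Signing Algorithm" check for any symmetric algorithm. A second helper decodes an issued token's header without verifying it, so the missing-`alg` case from step 4 of the reproduction can be spotted as well. Function names, the finding shape and the sample applications are this example's own assumptions; only the `jwt_configuration.alg` field comes from the Auth0 Management API client object.

```javascript
// Added example, not auth0checkmate's code. Names below are hypothetical.
const RESULT = { PASS: 'PASS', FAIL: 'FAIL' };

// Resolve the effective signing algorithm for an Auth0 application object
// (Management API "client" shape, optional jwt_configuration.alg).
// Per the report, an absent jwt_configuration means HS256 when tokens are
// actually issued, even though the dashboard displays RS256 as the default.
function effectiveJwtAlg(client) {
  const alg = client && client.jwt_configuration && client.jwt_configuration.alg;
  if (typeof alg === 'string' && alg.length > 0) {
    return { alg: alg.toUpperCase(), source: 'jwt_configuration.alg' };
  }
  return { alg: 'HS256', source: 'implicit default (jwt_configuration absent)' };
}

// The "JWT Signing Algorithm" check: fail on any HS* (shared-secret) algorithm,
// including the implicit one, so that "no configuration" is never treated as RS256.
function checkJwtSigningAlgorithm(client) {
  const { alg, source } = effectiveJwtAlg(client);
  const symmetric = alg.startsWith('HS');
  return {
    check: 'JWT Signing Algorithm',
    client_id: client.client_id,
    alg,
    source,
    result: symmetric ? RESULT.FAIL : RESULT.PASS,
    detail: symmetric
      ? `Tokens are signed with the client secret (${alg}); set jwt_configuration.alg to RS256 explicitly.`
      : `Asymmetric algorithm ${alg} in use.`,
  };
}

// Decode the header segment of a compact JWT without verifying the signature.
// This only observes which "alg" (if any) the issued token declares.
function decodeJwtHeader(token) {
  const [headerB64] = String(token).split('.');
  return JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf8'));
}

// Fail an issued token whose header has no "alg" claim (as in step 4 of the
// report) or declares a symmetric algorithm.
function checkIssuedTokenHeader(token) {
  const header = decodeJwtHeader(token);
  if (typeof header.alg !== 'string') {
    return { result: RESULT.FAIL, reason: 'header has no alg claim' };
  }
  if (header.alg.toUpperCase().startsWith('HS')) {
    return { result: RESULT.FAIL, reason: `symmetric alg ${header.alg}` };
  }
  return { result: RESULT.PASS, reason: `alg ${header.alg}` };
}

// Constructed sample applications; not real tenant data.
const SAMPLE_CLIENTS = [
  { client_id: 'app-no-jwt-config', name: 'Defaults only' },
  { client_id: 'app-rs256', name: 'Explicit RS256', jwt_configuration: { alg: 'RS256' } },
  { client_id: 'app-hs256', name: 'Explicit HS256', jwt_configuration: { alg: 'HS256' } },
];

function runChecks(clients) {
  return clients.map(checkJwtSigningAlgorithm);
}

for (const f of runChecks(SAMPLE_CLIENTS)) {
  console.log(`${f.result}  ${f.client_id}  alg=${f.alg} (${f.source})`);
}

// Constructed token whose header carries no "alg", as described in the report.
const headerNoAlg = Buffer.from(JSON.stringify({ typ: 'JWT' })).toString('base64url');
console.log(checkIssuedTokenHeader(`${headerNoAlg}.e30.sig`));
```

With the three constructed applications the first and third fail and only the explicit RS256 one passes, which is the behaviour the reporter expected from version 1.6.1. `decodeJwtHeader` deliberately does no signature verification; it is for inspection of what the tenant issued, and the configuration check does not depend on it.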

Labels: bug, javascript
