jwt signature: RS256 or HS256

Question

In Auth0 there are 2 algorithms for jwt token signature: RS256 and HS256.

RS256 is an asymmetric algorithm which means that there are two keys: one public and one private (secret). Auth0 has the secret key, which is used to generate the signature, and the consumer of the JWT has the public key, which is used to validate the signature.

HS256 is a symmetric algorithm which means that there is only one secret key, shared between the two parties. The same key is used both to generate the signature and to validate it. Special care should be taken in order for the key to remain confidential.

In their docs they describe the advantages of RS256. Could someone explain me the advantages to use HS256 algorithm, I don't see them now but I'm pretty sure that there are some.

Answer 1

You have asked for benefits of HS256 over RS256 eg.

• perceived convenience
• easy to understand and get started with if new to Oauth2 / OIDC (related to perceived convenience)
• performance (?)

Lets take a quick look at each of these:

Perceived convenience / understand what to do - It is true that copying a clientId, and clientSecret into configuration on the application is both easy to understand, and quick accomplish. However, today's libraries make RS256 simple too to setup - the library / framework will often offer the functionality to retrieve the public key and do the verification with similar configuration to HS256 but without the need to supply a secret. See some Auth0 examples using your technology choice to get an understanding on this if unfamiliar.

Performance - Yes, here HS256 potentially has a niche. Caching public certs etc aside (for caching example using node.js see here and here), having a symmetric key and using that locally at the application without the need for any network request at all etc, may prove more efficient. That said most good JWKS libraries / sdks will handle caching options out of the box.

But really the question you should be asking is whether these benefits (performance optimization?) outweigh the disadvantages - certainly from a Security perspective.

See this answer and feel free to leave comments there (Auth0 Community website) if still not convinced. Auth0 has switched to using RS256 by default for new Clients, and its Resource APIs also default to RS256.

A major benefit of RS256, which trumps most arguments for choosing HS256, is simply that there is no need to store (co-locate) secrets with the Client application - the private key is only known by the Authorization Server (Auth0 etc), and the secret cannot be leaked. That alone pretty much tells you why RS256 is overwhelmingly the better choice for most situations.

Confidential vs Public Clients - you should only even consider HS256 if your Client is considered a Confidential Client. Since confidential clients are capable of holding secrets, you can choose to have ID tokens issued to them that have been signed in one of two ways - for non-confidential clients, you should never be using HS256 as by definition the client is not capable of keeping the secret confidential.

There are other considerations that make HS256 a poorer choice too, for example the need to manually update all applications using a given Client configuration if there is a signing key rollover.