Hi, did you manage to get any solution for that? 

This is a bug in Liferay's source that is causing it to not work with auth0. Auth0 supports two JWT algorithms, HS256 and RS256. They are returned in that order, as the supporting algorithms [ HS256, RS256 ].

Liferay 7.3 does not support HS256, only RS256. However, the openid module does not handle the list of supported algorithms propertly. The code takes the first one in the list, HS256 in this case. What it should do is loop through the list looking for a supported algorithm and then select it.

This is the file with the problem:
portal-security-sso/portal-security-sso-openid-connect-impl/src/main/java/com/liferay/portal/security/sso/openid/connect/internal/OpenIdConnectMetadataFactoryImpl.java

Line 232:

if (ListUtil.isNotEmpty(jwsAlgorithms)) {
_oidcClientMetadata.setIDTokenJWSAlg(jwsAlgorithms.get(1));
}

In an ext module we changed 0 to 1, so it would select RS256 in the list of [ HS256, RS256 ].

The best solution is if on line 226 and 233 you looped through looking for supported algorithms instead of hardcoding 0, for the first item in the list. Hopefully Liferay can fix the code to not hardcode 0.

This issue was added to jira:

https://issues.liferay.com/browse/LPS-138756

Thanks for reporting @Susie AB and thanks for the investigation @Cameron McBride