Integrating HubSpot JWT SSO with Azure B2C Token Algorithm Issues

I’m running into problems trying to connect my Azure B2C setup with HubSpot’s JWT-based single sign-on for private content.

I have Azure B2C working with custom user flows through the Identity Experience Framework. Now I want to enable SSO in HubSpot so users can access protected website content after authenticating through Azure B2C.

The main issue is with JWT signing algorithms. HubSpot’s SSO configuration only accepts the HS256 algorithm, but Azure B2C tokens use RS256. When I configure the shared secret in HubSpot, it forces me to select HS256 since that’s the only option available.

However, the tokens coming from Azure B2C have this header structure:

{
  "alg": "RS256",
  "kid": "ABC123xyz_TokenSigningKey_ExampleValue",
  "typ": "JWT"
}

After users complete authentication, they get sent to HubSpot’s verification endpoint with the token, but I keep getting TOKEN_VERIFICATION_FAILED errors. The error message says the token might be empty, incorrect, or using unsupported parameters.

I think the problem is the algorithm mismatch between what HubSpot expects (HS256) and what Azure B2C provides (RS256). I’ve tried looking for ways to change Azure B2C to use HS256 instead, but everything I’ve found suggests that Azure B2C only supports RSA-based signing.

Has anyone successfully integrated Azure B2C with HubSpot’s JWT SSO feature? Is there a workaround for this algorithm compatibility issue?

Had this exact issue six months ago - yeah, it’s the algorithm mismatch. Azure B2C won’t do HS256 since it only uses RS256 for security reasons. I fixed it with an Azure Function that acts as a token exchange. The function grabs the RS256 token from B2C, validates it against the JWKS endpoint, pulls out the claims, then creates a fresh HS256 token for HubSpot using a shared secret. Works great and keeps everything secure. Running it on consumption plan keeps costs low, and it’s fast - usually under 200ms. Just make sure you add proper error handling and cache tokens so you’re not hitting B2C validation constantly.
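
The token exchange described in the answer above, as an added example that is not the poster's code nor code from HubSpot or Microsoft: it validates the RS256 token against a JWKS with the algorithm pinned, then issues a short-lived HS256 token. The RSA key, JWKS, `kid`, issuer, audience, shared secret and the `email` claim are constructed stand-ins, and the claim names HubSpot requires are an assumption to check against its documentation.

```javascript
const crypto = require('crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Validate an RS256 token against a JWKS, pinning the algorithm and checking iss/aud/exp.
function verifyRs256(token, jwks, { issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = parse(h);
  // Never let the token choose the verifier: accept RS256 only.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = parse(p);
  if (claims.iss !== issuer || claims.aud !== audience) throw new Error('wrong iss/aud');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Mint a short-lived HS256 token carrying only the claims the downstream needs.
function signHs256(claims, secret) {
  const input = `${b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.createHmac('sha256', secret).update(input).digest('base64url')}`;
}

function exchange(b2cToken, jwks, opts, secret) {
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const c = verifyRs256(b2cToken, jwks, { ...opts, now });
  // Claim set is an assumption; use the names HubSpot's SSO documentation requires.
  return signHs256({ email: c.email, iat: now, exp: now + 300 }, secret);
}

// Constructed sample: a throwaway RSA key stands in for the B2C signing key and JWKS.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-kid' }] };
  const now = 1700000000;
  const opts = { issuer: 'https://issuer.example/', audience: 'demo-client', now };
  const body = `${b64u(JSON.stringify({ alg: 'RS256', kid: 'demo-kid', typ: 'JWT' }))}.` +
    b64u(JSON.stringify({ iss: opts.issuer, aud: opts.audience, exp: now + 600, email: 'user@example.com' }));
  const b2cToken = `${body}.${crypto.sign('RSA-SHA256', Buffer.from(body), privateKey).toString('base64url')}`;
  return { b2cToken, jwks, opts, hubspotToken: exchange(b2cToken, jwks, opts, 'constructed-shared-secret') };
}
```

In a deployed function the JWKS would be fetched from the B2C policy's JWKS endpoint and cached, and the shared secret would come from the function's secret store instead of a literal.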

totally feel ya, mikechen. I faced this same prob too! Azure’s RS256 is a pain with HubSpot’s HS256 limit. I ended up writing some middleware to translate the tokens. It was tough but def worth it in the end!