Hi, I'm trying to get As far as I understand, it is currently impossible to get The main issues: The JWS key used by Intuit is RSA with a modulus length of 1024 bits. This isn't super secure, but I can't change their keys so I have to live with them. This is rejected by Jose due to this check: https://github.com/panva/jose/blob/main/src/runtime/node/check_modulus_length.ts#L68-L71 The
Now I recognize that Intuit are to blame here for the short key, but I would like to see with this community if there's a way to work around this limitation. I have written to Intuit to get this changed but I am not very hopeful that they will address this. Is there a way to bypass the Is there a way to tell Jose to temporarily support 1024 bit modulus length on RSA256? Related issues: Any help appreciated.
Replies: 1 comment
The use of at least 2048 bit RSA modulus length is a normative requirement of the JWA specification.
There is no way to remove such a check.
Enforcing the correct callback method to be used for each respective flow (OpenID Connect or pure OAuth 2.0) is by design and to prevent the developer foot-gunning themselves thinking they perform all security checks when they in fact don't, a downgrade attack of sorts?
Again, no intention to alleviate these.
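
An added example, not part of the original discussion or of jose's own code: a Node.js audit that reads the `n` member of each RSA key in a JWKS and reports whether the modulus meets the 2048-bit minimum cited in the reply, so a short provider key is noticed before verification fails. The key set, the `kid` values and the `fakeModulus` helper are constructed for illustration; the moduli are filler bytes of the right length, not real keys.

```javascript
// Added example: flag RSA keys in a JWKS whose modulus is under 2048 bits.
const MIN_RSA_BITS = 2048;

// Bit length of an RSA modulus from the JWK "n" member (base64url, big-endian).
function modulusBits(n) {
  if (typeof n !== 'string' || !/^[A-Za-z0-9_-]+$/.test(n)) {
    throw new TypeError('JWK "n" must be a non-empty base64url string');
  }
  const bytes = Buffer.from(n, 'base64url');
  // Skip leading zero octets so a zero-padded encoding is not over-counted.
  let i = 0;
  while (i < bytes.length && bytes[i] === 0) i++;
  if (i === bytes.length) return 0;
  // Full octets after the first significant one, plus that octet's used bits.
  return (bytes.length - i - 1) * 8 + (32 - Math.clz32(bytes[i]));
}

// Returns one finding per RSA key; non-RSA keys (EC, OKP) have no modulus.
function auditJwks(jwks) {
  const findings = [];
  for (const jwk of jwks.keys ?? []) {
    if (jwk.kty !== 'RSA') continue;
    let bits = 0; // a missing or malformed "n" is reported as 0 bits
    try { bits = modulusBits(jwk.n); } catch { /* keep bits = 0 */ }
    findings.push({ kid: jwk.kid ?? '(no kid)', bits, ok: bits >= MIN_RSA_BITS });
  }
  return findings;
}

// Constructed helper: filler modulus of the requested size (0xab has its top
// bit set), optionally prefixed with zero octets. Not a real RSA modulus.
function fakeModulus(bits, leadingZeros = 0) {
  const body = Buffer.alloc(bits / 8, 0xab);
  return Buffer.concat([Buffer.alloc(leadingZeros), body]).toString('base64url');
}

// Constructed sample key set.
const sampleJwks = { keys: [
  { kty: 'RSA', kid: 'legacy-1024', alg: 'RS256', e: 'AQAB', n: fakeModulus(1024) },
  { kty: 'RSA', kid: 'padded-1024', alg: 'RS256', e: 'AQAB', n: fakeModulus(1024, 128) },
  { kty: 'RSA', kid: 'current-2048', alg: 'RS256', e: 'AQAB', n: fakeModulus(2048) },
  { kty: 'EC', kid: 'p256', crv: 'P-256' },
] };

for (const f of auditJwks(sampleJwks)) {
  console.log(`${f.kid}: ${f.bits} bits ${f.ok ? 'ok' : 'BELOW MINIMUM'}`);
}
```

The `padded-1024` entry is 256 octets long once decoded, which is why the check counts significant bits rather than the byte length of `n`.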