ID token validation failing if the private key size is less than 2048 #274

@DimuthuKasunWP

Hi Team,

WSO2 Identity Server uses the Asgardeo React SDK for authenticating the Console & My Account.

After WSO2 Identity Server migrations to the latest versions of Identity Server (v7), if the private key size of the tenanted keystore is less than 2048, we cannot log in to the Identity Server Console application or any React sample application because it is causing an ID token validation failure at the SDK level.

⚠️ We need to add the following TOML configuration in the Identity Server in order to allow keystores with the lesser key size.

[system.parameter]
allow_weak_rsa_signer_key=true

When troubleshooting further with the sample React application, we are getting this error.

Image

It seems the error object doesn't have information to print here 👇.

⭐️ Workaround

In the console application, this issue can be skipped with the below configuration.
But since this disables the signature validation, we need to check if there's any other option we can take.

[console]
idp_configs.validateIDToken = false

Product : 7.0.0
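
The following is an added example, not part of the original issue and not code from the SDK or from WSO2 Identity Server. It shows one way to find which signing keys fall under the 2048-bit threshold the issue names, by computing the RSA modulus length of each key in a JWKS document, so affected tenants can be identified while signature validation stays enabled. The function names and the sample JWKS are constructed for illustration, and it assumes the server's signing keys are available as a standard JWKS (RFC 7517).

```javascript
// Added example: function names and sample data are hypothetical/constructed.
const MIN_RSA_BITS = 2048; // threshold named in the issue

// Bit length of a base64url-encoded, big-endian unsigned integer (JWK "n").
function modulusBits(nB64url) {
  const bytes = Buffer.from(nB64url, "base64url");
  let i = 0;
  while (i < bytes.length && bytes[i] === 0) i++; // ignore leading zero bytes
  if (i === bytes.length) return 0; // empty or all-zero value
  const topBits = 32 - Math.clz32(bytes[i]); // significant bits in first byte
  return (bytes.length - i - 1) * 8 + topBits;
}

// Report the modulus size of every RSA signing key in a JWKS.
function auditJwks(jwks, minBits = MIN_RSA_BITS) {
  return (jwks.keys || [])
    .filter((k) => k.kty === "RSA" && typeof k.n === "string")
    .filter((k) => k.use === undefined || k.use === "sig")
    .map((k) => {
      const bits = modulusBits(k.n);
      return { kid: k.kid, bits, weak: bits < minBits };
    });
}

// Constructed sample JWKS: the moduli are filler bytes, not real keys.
const filler = (len) => Buffer.alloc(len, 0xff);
const b64u = (buf) => buf.toString("base64url");
const sampleJwks = {
  keys: [
    { kty: "RSA", use: "sig", kid: "tenant-a", e: "AQAB", n: b64u(filler(128)) },
    { kty: "RSA", use: "sig", kid: "tenant-b", e: "AQAB", n: b64u(filler(256)) },
    // Leading zero byte and a cleared top bit: 2047 bits, still under the limit.
    { kty: "RSA", use: "sig", kid: "tenant-c", e: "AQAB",
      n: b64u(Buffer.concat([Buffer.from([0x00, 0x7f]), filler(255)])) },
    { kty: "EC", use: "sig", kid: "ec-key", crv: "P-256" }, // not RSA, skipped
  ],
};

for (const r of auditJwks(sampleJwks)) {
  console.log(`${r.kid}: ${r.bits} bits${r.weak ? " (below minimum)" : ""}`);
}
```
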
