Size of generated client key

[chulkilee]

boruta_auth/lib/boruta/adapters/ecto/schemas/client.ex

Line 338 in b378bcd

private_key = JOSE.JWK.generate_key({:rsa, 1024, 65_537})

It uses 1024-bit key, which may not be suitable for alg (e.g. RS256 in the client creation doc.).

Is Boruta.Oauth.Client's id_token_signature_alg for id_token_signed_response_alg in the spec? The spec says its default should be RS256 (if omitted) but Boruta uses RS512 for new client. It's not "against" spec but I'm wondering why it choose RS512.

We may introduce an option for the default key size of generated key pairs.

[patatoid]

It is definitely a good point and makes part of my roadmap. I think the integrator should be able to configure the key pair for the created clients.

This would add a field to the client schema with the Erlang public_key configuration as a JSON in my thoughts.

[chulkilee]

As stated in https://datatracker.ietf.org/doc/html/rfc7518#section-3.1, the JWT algorithm is not dependent on the key size, then I am not sure of what expecting as size for this use case.

Actually, the spec requires the minimum key size for RSASSA-PKCS1-v1_5 (for RS*)

https://datatracker.ietf.org/doc/html/rfc7518#section-3.3

A key of size 2048 bits or larger MUST be used with these algorithms.

[patatoid]

I was not aware of that fact, it might be a validation constraint for the configuration and be taken into account for the defaults