Is it possible to disable JWK validation or to ignore warning of too short key when using RSA?

[dfenerski]

My goal is to implement OpenID Connect with an existing IDP. They provide custom JWKs with RSA, however the keys are too short (1024 instead of the 2048). I've contacted them but is there something in the mean time I can do? For example are there options to disable the validation or to ignore such warnings. I'm using passport-openid strategy in NestJS environment.

[panva]

For example are there options to disable the validation or to ignore such warnings

There are no such options. The IdP should instead use keys that are suitable for the used JSON Web Algorithms.

A key of size 2048 bits or larger MUST be used with these algorithms.

[dfenerski]

@panva thanks for the info! Sorry to bother with another question, but this IdP provides an exponent and module fields to generate a key on your own as an alternative. Can openid-connect generate/use such custom key based on those fields and would this even help with the 'key-too-short for RSA' problem?

[panva]

🤷‍♂️ sorry, I don't know what you mean by such alternative. The only way to validate the ID Token is by applicable keys being exposed via the IdP's jwks_uri.