The Ghost JWKS endpoint exposed at:
/members/.well-known/jwks.json
does not provide a public key of sufficient length to validate member JWTs signed with the RS512 algorithm.
The issued member token header, retrieved from members/api/session/, looks like this:
{
  "alg": "RS512",
  "typ": "JWT",
  "kid": "redacted"
}
According to the JOSE library requirements, RS512 requires the RSA key modulus length to be 2048 bits or larger. The current key exposed by Ghost’s JWKS endpoint appears to be smaller than this, resulting in the following error when verifying tokens:
Error: RS512 requires key modulusLength to be 2048 bits or larger
Expected Behavior:
The JWKS endpoint should provide an RSA key with a modulus length of at least 2048 bits when using RS512, in order to comply with JOSE and JWT library requirements.
Actual Behavior:
The key returned is shorter than 2048 bits, causing verification failures in standards-compliant JWT libraries.
Environment:
- Ghost version: 5.119.3