RS256 signature verification simply indicates "invalid signature" with small key size

[BenjaminPelletier]

I pasted in this JWT:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ1c2VyMiIsImV4cCI6MzAwMDAwMDAwMCwiaXNzIjoiZHVtbXkiLCJzY29wZSI6Im15c2NvcGUiLCJzdWIiOiJ1c2VyMSJ9.JWQKMNxbQIrJdRRk9hz7bg0SwlMrBxJWiy8TMKi0p7XeZeuH_l2tkGey2ZGXXa4Mxju6ZFJz6muf1EZGtpNoHOeejQ-38GOqmPjPFbRBslgzjmH-DZny1dF1TYsX5_oJLsz_qQMDDuw9TTa9eahlTEF3xEGzg81W9GvQqxDODw4

...then I pasted this text into the Public Key text box:

-----BEGIN PUBLIC KEY-----
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgHkNtpy3GB0YTCl2VCCd22i0rJwI
GBSazD4QRKvH6rch0IP4igb+02r7t0X//tuj0VbwtJz3cEICP8OGSqrdTSCGj5Y0
3Oa2gPkx/0c0V8D0eSXS/CUC0qrYHnAGLqko7eW87HW0rh7nnl2bB4Lu+R8fOmQt
5frCJ5eTkzwK5YczAgMBAAE=
-----END PUBLIC KEY-----

...and the page indicates that the signature is not valid. However, the signature is valid as verified with https://dinochiesa.github.io/jwt/, pyjwt, and github.com/golang-jwt/jwt.

[panva]

It may technically be valid but the key's modulus length is not the minimum 2048 bits required by the JOSE specifications.

[BenjaminPelletier]

Thanks for the response. For others, the reference for that claim is here:

https://datatracker.ietf.org/doc/html/rfc7518#section-3.3

This issue should probably now be considered a feature request: "Invalid key" is a pretty unhelpful error message and arises from many very different situations. It would be great if there were some hint as to why the signature was invalid.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

[DanOnCall]

Benjamin, I am working on a new version of jwt.io and this critical functionality. cc @byron-okta let's test this scenario :)