Hi,
I'm working with a mobile development team working on Android.
They tried to sign a JWT using reasonably recent jwtt libraries and a recent version of Bouncy Castle.
This all worked fine with "RS256", but selecting "PS256" resulted in something that only passed validation using those same libraries.
Even
JWT.IO failed to validate the signed JWT!
I tested this out in Android Studio, and ended up in exactly the same situation.
This isn't just a Gateway issue, but it's very strange that that there doesn't appear to a uniformly enforced standard for PS256.
In the end, we got something working by backing off to an older version that specifically referenced
RSASSA-PSS using SHA-256 and MGF1 with SHA-256
Latest library just references "RSASSA-PSS" ... but if recent implementations of "PS256" aren't what's in RFC7518, then what are they?
This is difficult to explain to customers.
Attempting to Google this returns questions not answered or people pointing elsewhere.
Best Regards,
DaveV.