As of March 1, 2025, NetSuite will no longer support the RSA PKCSv1.5 (PKCS#1 v1.5) scheme for token signing in the OAuth 2.0 client credentials flow. This change is being made for security reasons, as the RSA PKCSv1.5 scheme has known weaknesses. It will affect every existing integration that still relies on this deprecated scheme.
What Does This Mean for Users?
If you currently use RSA PKCSv1.5 for token signing, you will need to update your integrations to ensure that they continue to work properly after the change takes effect. Specifically, you will need to adopt one of the following methods:
- RSA-PSS Scheme: The RSA-PSS (Probabilistic Signature Scheme) will be the new standard for token signing. If you choose to stick with RSA keys, the key length must be 3072 bits or 4096 bits.
- Elliptic Curve (EC) Keys: Alternatively, you can use EC keys for signing, which are considered more secure. The available key lengths for EC keys are 256 bits, 384 bits, or 521 bits.
What Action Should You Take?
- Update Your Integrations: If you are using the RSA PKCSv1.5 scheme, make sure to update your integrations to use either RSA-PSS or EC keys. If you are working with third-party integrations, be sure to inform them of the changes so they can update their configurations as well.
- Algorithm Change for JWT Signing: For JWT (JSON Web Token) signing, the alg parameter in the header of the JWT sent with the token request must be set to one of the following algorithms:
- PS256
- PS384
- PS512
- ES256
- ES384
- ES512
The value of the alg parameter determines which algorithm is used to sign the token: PS256, PS384 and PS512 are the RSA-PSS options and ES256, ES384 and ES512 are the EC options. Make sure to configure your integrations accordingly to ensure continued compatibility after March 1, 2025.
Example of JWT Header Structure
When constructing the JWT token for the OAuth 2.0 request, ensure that your header includes the appropriate alg parameter. The structure should look as follows:
- typ: Always set to JWT.
- alg: Choose one of the algorithms listed above (e.g., PS256, ES256).
- kid: This parameter represents the Certificate ID generated during the application mapping process.
For more detailed information on setting up and using the new algorithms, you can refer to the OAuth 2.0 Client Credentials Setup documentation.
Conclusion
NetSuite’s discontinuation of the RSA PKCSv1.5 scheme is an important step toward improving security for OAuth 2.0 integrations. All users and third-party integrators must update their configurations to use either RSA-PSS or EC keys before March 1, 2025, to avoid any disruptions. Be sure to test your integrations and confirm that all changes are correctly implemented ahead of the deadline to ensure continued functionality.