Why does SecurityAlgorithms.Aes256CbcHmacSha512 use a 32-byte hmac key?

[russellfoster]

Curious to know why the hmac key is truncated to 32 bytes here:

azure-activedirectory-identitymodel-extensions-for-dotnet/src/Microsoft.IdentityModel.Tokens/Encryption/AuthenticatedEncryptionProvider.cs

Line 363 in 72c5ecd

private AuthenticatedKeys GetAlgorithmParameters(SecurityKey key, string algorithm)

The recommendation is to use a 128 byte key:

The secret key for HMAC computation. The key can be any length. However, the recommended size is 128 bytes. If the key is more than 128 bytes long, it is hashed (using SHA-512) to derive a 64-byte key.

https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.hmacsha512.-ctor?view=net-9.0