KEYCLOAK-9635

Add optional field at_hash to idToken when using Authorization Code flow

    Details

    • Type: Enhancement
    • Status: Pull Request Sent
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 4.8.3.Final
    • Fix Version/s: Backlog
    • Component/s: Protocol - OIDC
    • Labels:
      None

      Description

      According to the OIDC spec:

      ```
      3.2.2.9. Access Token Validation
      To validate an Access Token issued from the Authorization Endpoint with an ID Token, the Client SHOULD do the following:

      Hash the octets of the ASCII representation of the access_token with the hash algorithm specified in JWA [JWA] for the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, the hash algorithm used is SHA-256.
      Take the left-most half of the hash and base64url encode it.
      The value of at_hash in the ID Token MUST match the value produced in the previous step.
      ```

      Note that `SHOULD` is used and not `MUST` since the field is optional but clearly encouraged if you read this.
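A client-side check of the at_hash binding described in the quoted spec text, written here as an added example (not Keycloak's code). The access token value and the unsigned demo ID Token are constructed for illustration; a real ID Token's JWS signature must be verified before its claims are trusted.

```python
import base64
import hashlib
import hmac
import json

# Hash implied by the ID Token's JOSE "alg" header (JWA): the number in the alg name is
# the SHA-2 digest size, e.g. RS256 -> SHA-256, ES512 -> SHA-512.
_ALG_TO_HASH = {f"{fam}{bits}": f"sha{bits}"
                for fam in ("RS", "PS", "ES", "HS") for bits in (256, 384, 512)}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compute_at_hash(alg: str, access_token: str) -> str:
    """OIDC Core 3.2.2.9: hash the ASCII octets of the access token with the alg's hash,
    keep the left-most half of the digest and base64url-encode it without padding."""
    digest = hashlib.new(_ALG_TO_HASH[alg], access_token.encode("ascii")).digest()
    return _b64url_encode(digest[: len(digest) // 2])

def check_at_hash(id_token: str, access_token: str):
    """Compare the ID Token's at_hash claim with the access token actually received.
    Returns None when the claim is absent (optional in the code flow, so the client
    simply cannot bind the two tokens), otherwise True/False. The JWS signature must be
    verified separately; this reads only the header and payload."""
    header_b64, payload_b64, _signature = id_token.split(".")
    alg = json.loads(_b64url_decode(header_b64))["alg"]
    claimed = json.loads(_b64url_decode(payload_b64)).get("at_hash")
    if not isinstance(claimed, str):
        return None
    expected = compute_at_hash(alg, access_token)
    return hmac.compare_digest(claimed.encode("utf-8"), expected.encode("ascii"))

def make_demo_id_token(alg: str, access_token: str, include_at_hash: bool = True) -> str:
    """Constructed, unsigned ID Token for the demo (empty signature segment); a real
    Keycloak token carries a valid JWS signature and many more claims."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    claims = {"iss": "https://idp.example/realms/demo", "sub": "user-1"}
    if include_at_hash:
        claims["at_hash"] = compute_at_hash(alg, access_token)
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

if __name__ == "__main__":
    token = "constructed-opaque-access-token"  # constructed sample value
    id_tok = make_demo_id_token("RS256", token)
    print(check_at_hash(id_tok, token))          # True: tokens belong together
    print(check_at_hash(id_tok, token + "x"))    # False: different access token
```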

              People

              • Assignee:
                Unassigned
                Reporter:
                Youssef Elhouti (youssef.elhouti)
              • Votes:
                0
                Watchers:
                5
