This repository was archived by the owner on Feb 25, 2019. It is now read-only.

The at_hash in id_tokens does not follow the spec#349

Open
john-banks wants to merge 1 commit into anvilresearch:master from john-banks:master

Conversation

@john-banks

The spec for generating an at_hash can be seen on http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.2.2.10

The existing code does not base64 encode the hash and therefore all existing id_token token flows should fail. Any clients that use this flow with anvil currently are breaking the standard.

@coveralls

Coverage Status

Coverage increased (+0.007%) to 79.75% when pulling bdde505 on john-banks:master into a21dd1f on anvilresearch:master.

@christiansmith
Member

Thanks @john-banks! Good catch. The only reason I'm not merging this just yet is to have a chance to look at the client libs that verify at_hash (I think just anvilresearch/connect-js) and make sure we have that updated as well.
