This repository has been archived by the owner on Feb 25, 2019. It is now read-only.
The at_hash in id_tokens does not follow the spec #349
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The spec for generating an at_hash can be seen on http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.2.2.10 The existing code does not base64 encode the hash and therefore all existing id_token token flows should fail. Any clients that use this flow with anvil currently are breaking the standard.
|
Thanks @john-banks! Good catch. The only reason I'm not merging this just yet is to have a chance to look at the client libs that verify at_hash (I think just anvilresearch/connect-js) and make sure we have that updated as well. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The spec for generating an at_hash can be seen on http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.2.2.10
The existing code does not base64 encode the hash and therefore all existing id_token token flows should fail. Any clients that use this flow with anvil currently are breaking the standard.