IDTokenClaimsSet.hasRequiredClaims() too strict

Issue #132 resolved
Former user created an issue

Checked in 4.13. Also applies to earlier versions:

Description:

hasRequiredClaims() from com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet is too strict:

    public boolean hasRequiredClaims(final ResponseType rt) {

        // nonce is mandatory for the implicit flow
        if (rt.impliesImplicitFlow() && getNonce() == null)
            return false;

        // at_hash is mandatory when the implicit flow also returns an access token
        if (rt.impliesImplicitFlow() && rt.contains(ResponseType.Value.TOKEN) && getAccessTokenHash() == null)
            return false;

        // c_hash is demanded for every code flow; this is the check the issue is about
        if (rt.impliesCodeFlow() && getCodeHash() == null)
            return false;

        return true;
    }

It returns false if rt.impliesCodeFlow() && getCodeHash() == null. But this should not return "false". Response Type Code alone does not require c_hash to be set in ID Token. This is only required for the Hybrid Flow.

From the specification: If the ID Token is issued from the Authorization Endpoint with a code, which is the case for the response_type values code id_token and code id_token token, this is REQUIRED; otherwise, its inclusion is OPTIONAL.

As this is stated under chapter "3.3.2.11. ID Token", this probably only applies to the Hybrid Flow. It is not required for ID Tokens returned by the Token Endpoint.

Also from "3.3.3.6 ID Token": The at_hash and c_hash Claims MAY be omitted from the ID Token returned from the Token Endpoint even when these Claims are present in the ID Token returned from the Authorization Endpoint, because the ID Token and Access Token values returned from the Token Endpoint are already cryptographically bound together by the TLS encryption performed by the Token Endpoint.

I.e., it's probably not possible to include this check in hasRequiredClaims(ResponseType rt), as it is also dependent on where the ID Token was returned from.
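As an added illustration (not code from the Nimbus SDK and not the reporter's), the following self-contained Java class models the check with the extra piece of information the description says is missing: whether the ID token came from the Authorization Endpoint or the Token Endpoint. The `ResponseType` and `Claims` classes, the `impliesHybridFlow()` method and the `issuedAtAuthzEndpoint` parameter are hypothetical stand-ins, and the nonce and hash values in `main` are constructed samples. It applies the rules quoted above from 3.3.2.11 and 3.3.3.6: `c_hash` and `at_hash` are required only in an ID token issued from the Authorization Endpoint together with a code or access token, and may be omitted from an ID token returned by the Token Endpoint.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added example, not the SDK's own code: a required-claims check that also
// takes the issuing endpoint into account (hypothetical API).
public final class IDTokenRequiredClaimsCheck {

    /** Hypothetical stand-in for the SDK's ResponseType: a set of response_type values. */
    public static final class ResponseType {
        private final Set<String> values;

        public ResponseType(String... values) {
            this.values = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(values)));
        }

        public boolean contains(String value) {
            return values.contains(value);
        }

        /** Authorization code flow: response_type=code only. */
        public boolean impliesCodeFlow() {
            return values.size() == 1 && values.contains("code");
        }

        /** Implicit flow: id_token, or id_token token (no code). */
        public boolean impliesImplicitFlow() {
            return !values.contains("code") && values.contains("id_token");
        }

        /** Hybrid flow: code combined with id_token and/or token. */
        public boolean impliesHybridFlow() {
            return values.contains("code") && (values.contains("id_token") || values.contains("token"));
        }
    }

    /** Hypothetical stand-in for IDTokenClaimsSet: only the claims the check reads. */
    public static final class Claims {
        private final String nonce;
        private final String atHash;
        private final String cHash;

        public Claims(String nonce, String atHash, String cHash) {
            this.nonce = nonce;
            this.atHash = atHash;
            this.cHash = cHash;
        }
    }

    /**
     * @param issuedAtAuthzEndpoint true if the ID token was returned from the
     *        Authorization Endpoint (front channel), false if from the Token Endpoint.
     */
    public static boolean hasRequiredClaims(Claims claims, ResponseType rt, boolean issuedAtAuthzEndpoint) {

        // nonce: required in ID tokens issued from the Authorization Endpoint
        // (implicit flow, and the hybrid flow's front-channel ID token).
        if (issuedAtAuthzEndpoint && (rt.impliesImplicitFlow() || rt.impliesHybridFlow()) && claims.nonce == null) {
            return false;
        }

        // A Token Endpoint ID token may omit at_hash and c_hash (3.3.3.6), and the
        // plain code flow never requires c_hash, so nothing further to check.
        if (!issuedAtAuthzEndpoint || rt.impliesCodeFlow()) {
            return true;
        }

        // at_hash: required when the Authorization Endpoint issued an access token
        // alongside the ID token (id_token token, code id_token token).
        if (rt.contains("token") && claims.atHash == null) {
            return false;
        }

        // c_hash: required when the Authorization Endpoint issued a code alongside
        // the ID token (code id_token, code id_token token), i.e. the hybrid flow only.
        if (rt.contains("code") && claims.cHash == null) {
            return false;
        }

        return true;
    }

    public static void main(String[] args) {
        // Constructed sample claim values, not real tokens.
        Claims noHashes = new Claims("n-0S6_WzA2Mj", null, null);
        Claims withCHash = new Claims("n-0S6_WzA2Mj", null, "LDktKdoQak3Pk0cnXxCltA");

        ResponseType code = new ResponseType("code");
        ResponseType hybrid = new ResponseType("code", "id_token");

        System.out.println("code flow, token endpoint, no c_hash:   " + hasRequiredClaims(noHashes, code, false));
        System.out.println("hybrid, authz endpoint, no c_hash:      " + hasRequiredClaims(noHashes, hybrid, true));
        System.out.println("hybrid, authz endpoint, with c_hash:    " + hasRequiredClaims(withCHash, hybrid, true));
        System.out.println("hybrid, token endpoint, no c_hash:      " + hasRequiredClaims(noHashes, hybrid, false));
    }
}
```

The first line of `main` is the case from the issue: a code-flow ID token from the Token Endpoint without `c_hash` is accepted, whereas the same missing claim in a hybrid-flow ID token from the Authorization Endpoint is rejected. The distinction the original method cannot make is carried entirely by the extra boolean, which is why the check cannot be expressed on the response type alone.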

Comments (3)

  1. Connect2id OSS

    Thanks for spotting this. We're currently busy completing a major new release of the JOSE+JWT library, and will get to this and other outstanding issues in the SDK once we're done there.

    To cover this case, it looks like the method has to take a parameter indicating how the ID token is being sent to the client.

  2. Connect2id OSS

    Fixed in commit 73ce31c, added boolean parameter to indicate whether ID token is issued at authz / token endpoint (required for hybrid flow check). Old method signature marked as deprecated.