Core - c_hash and at_hash parameters

Issue #1530 resolved
Francesco Marino created an issue

The parameters c_hash and at_hash are considered for the hybrid flow only and not for the auth code flow. I understand the reason for this choice. However, I would suggest adding them as optional for auth code flow as an additional security measure as well (against AT/Code injection).

What are your thoughts on this?

Comments (5)

  1. Filip Skokan

    The at_hash ID Token claim is already optional in the ID Token returned from the Token Endpoint (as part of Authorization Code Flow). Its client side validation is defined in section 3.1.3.8. Access Token Validation.

    The c_hash has no place in ID Tokens issued by the Token Endpoint since no code is returned as part of the endpoint’s response.

  2. Francesco Marino reporter

    For at_hash you are absolutely right, it is already optional in the ID Token. For c_hash I get your point. I was just wondering if having the c_hash as optional in the ID Token also for auth code flow could increase security (for example, as an additional mitigation against code injection). Does it make sense to you?

  3. Filip Skokan

    I’m afraid not so much right now.

    Would you mind expanding on the mechanism, given the code itself is not in the response, and the mitigation?

  4. Francesco Marino reporter

    I totally agree with you. After further analysis I finally realized that c_hash does not add additional security in auth code flow, but only makes sense for hybrid flow. I probably misunderstood the hybrid flow. Thanks for the insight.

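The client-side at_hash check referred to in the first comment (section 3.1.3.8), as an added example that is not part of the original thread or the specification text. It assumes the ID Token signature has already been verified; the function names and the `required` flag are hypothetical, and callers supply their own tokens.

```python
import base64
import hashlib
import hmac

# JOSE "alg" suffix -> hash function (e.g. RS256, ES384, PS512, HS256).
_HASH_BY_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def left_half_hash(value: str, alg: str) -> str:
    """Unpadded base64url of the left-most half of hash(ASCII(value)).

    The same construction is used for at_hash (over the access token)
    and for c_hash (over the code, in the hybrid flow).
    """
    hash_fn = _HASH_BY_SUFFIX.get(alg[-3:])
    if hash_fn is None:
        raise ValueError(f"no hash mapped for alg {alg!r} in this example")
    digest = hash_fn(value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def check_at_hash(id_token_header: dict, id_token_claims: dict,
                  access_token: str, required: bool = False) -> str:
    """Return 'match', 'absent' or 'mismatch' for the at_hash claim.

    required=False models the code flow, where the claim is optional in the
    ID Token from the Token Endpoint; required=True is a caller policy
    (hypothetical flag) that treats a missing claim as a failure.
    """
    claimed = id_token_claims.get("at_hash")
    if claimed is None:
        return "mismatch" if required else "absent"
    if not isinstance(claimed, str):
        return "mismatch"
    expected = left_half_hash(access_token, id_token_header["alg"])
    # Constant-time comparison; a mismatch means this access token is not
    # the one the ID Token was issued alongside.
    ok = hmac.compare_digest(expected.encode(), claimed.encode())
    return "match" if ok else "mismatch"
```

A 'mismatch' result should cause the client to reject the response rather than use the access token.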