Core - c_hash and at_hash parameters
The parameters c_hash and at_hash are considered for the hybrid flow only and not for the auth code flow. I understand the reason for this choice. However, I would suggest adding them as optional for auth code flow as an additional security measure as well (against AT/Code injection).
What are your thoughts on this?
Comments (5)
-
-
reporter For
at_hash
you are absolutely right, it is already optional in the ID Token. Forc_hash
I get your point. I was just wondering if having thec_hash
as optional in the ID Token also for auth code flow could increase security (for example, as an additional mitigation against code injection). Does it make sense for you? -
I’m afraid not so much right now.
Would you mind expanding on the mechanism, given the code itself is not in the response, and the mitigation?
-
reporter I totally agree with you. After further analysis I finally realized that
c_hash
does not add additional security in auth code flow, but only makes sense for hybrid flow. I probably misunderstood the hybrid flow. Thanks for the insight. -
reporter - changed status to resolved
- Log in to comment
The
at_hash
ID Token claim is already optional in the ID Token returned from the Token Endpoint (as part of Authorization Code Flow). Its client side validation is defined in section 3.1.3.8. Access Token Validation.The
c_hash
has no place in ID Tokens issued by the Token Endpoint since nocode
is returned as part of the endpoint’s response.