Status changed to open
Messages, Basic - Proposal for adding hash to id_token
The proposal is that, when an id_token is issued in combination with a code and/or access token, it includes a hash of those values.
Rationale: An authentication protocol implements a security service. That means it must provide all the security semantics reasonably expected by clients. If clients receive multiple tokens as the result of an authorization flow, it is reasonable for the client to assume that they all belong to the same user. If the id_token does not include a hash, this implies that an additional RPC must necessarily be part of the authentication protocol (we can't make assumptions about how the client will use the tokens later; the security semantics should be correct regardless). That is much more expensive than a hash check.
The proposed semantics are discussed in these messages:
http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20120109/001399.html
http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20120109/001400.html
http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20120109/001401.html
Comments (4)
reporter: Issue #536 was marked as a duplicate of this issue.
Re #510 Add hash and hash check of access token and code to id_token to Messages
Status changed to resolved
Fixes #510 Add hash and hash check of access token and code to id_token
We will use the left hash using the same hash function that was used in the signature.
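Added example, not code from this thread or the spec editors: the "left hash with the signature's hash function" rule as it ended up in OIDC Core (at_hash / c_hash), with a client-side check that rejects a token the id_token was not issued with. The function names and all token values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Hash function is the one behind the ID Token's JWS alg (RS256 -> SHA-256,
# ES384 -> SHA-384, PS512 -> SHA-512); the claim is the left half of the digest,
# base64url-encoded without padding.
_HASH_FOR_BITS = {"256": "sha256", "384": "sha384", "512": "sha512"}


def token_hash(value: str, jws_alg: str) -> str:
    """Return the at_hash / c_hash claim value for `value` under `jws_alg`."""
    name = _HASH_FOR_BITS.get(jws_alg[-3:])
    if name is None:
        raise ValueError(f"no hash function for JWS alg {jws_alg!r}")
    digest = hashlib.new(name, value.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def tokens_bound_to_id_token(claims: dict, jws_alg: str,
                             access_token: Optional[str] = None,
                             code: Optional[str] = None) -> bool:
    """Client-side check: every token delivered next to the id_token must be
    bound to it by its hash claim. A delivered token with no matching claim
    fails, because the binding the rationale asks for is then absent."""
    for claim, value in (("at_hash", access_token), ("c_hash", code)):
        if value is None:
            continue  # token not part of this response, nothing to bind
        expected = claims.get(claim)
        if not isinstance(expected, str):
            return False
        if not hmac.compare_digest(expected, token_hash(value, jws_alg)):
            return False
    return True


if __name__ == "__main__":
    # Constructed response: code + access token issued alongside an RS256 ID Token.
    alg = "RS256"
    code, access_token = "constructed-code-1", "constructed-access-token-1"
    claims = {"sub": "constructed-subject",
              "c_hash": token_hash(code, alg),
              "at_hash": token_hash(access_token, alg)}
    print("bound:", tokens_bound_to_id_token(claims, alg, access_token, code))
    # A token from another session fails the local hash check, no extra RPC needed.
    print("mixed:", tokens_bound_to_id_token(claims, alg, "other-session-token", code))
```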