Messages, Basic - Proposal for adding hash to id_token

Issue #510 resolved
Michael Jones created an issue

The proposal is that, when id_token issued in combination with code and/or access token, it includes a hash of those values.

Rationale: An authentication protocol implements a security service. That means it must provide all the security semantics reasonably expected by clients. If clients receive multiple tokens as the result of an authorization flow, it's reasonable for the client to assume that they all belong to the same user. If the id_token does not include a hash it implies that an additional RPC must be part of the authentication protocol necessarily (we can't make assumptions about how the client will use the tokens later, the security semantics should be correct regardless). That's much more expensive than a hash check.

The proposed semantics are discussed in these messages:

Comments (4)

  1. Michael Jones reporter
    • changed status to open

    We will use the left hash using the same hash function that was used in the signature.

  2. Log in to comment