at_hash required in messages, missing in basic profile

Comments (5)

1. 

   John Bradley

   The producer needs to include the hashes of the associated tokens when producing the id_token. Checking the hash by the client is not required with the response_type=code. This is because the id_token and token are bound by the TLS session directly between the client and token endpoint removing the opertunity for an attacker to swap the token. As the basic profile is only for the client the decision was to not confuse people creating simple clients by adding a explanation of a field that they don't need to validate.

   We could say the field must be present in the received token but is not required to be validated in the flow used by Basic. I have a feeling that adding it will cause more problems than it will fix.

   • 2013-05-06T14:16:03+00:00
2. 

   Pamela Dingle reporter

   I admit that your comment didn't clear anything up for me John. But Ryo Ito's email comment did. I only picked up on the difference between "idtoken sent with access token" vs "idtoken sent with code" but did not read between the lines to realize that since the idtoken is delivered by the Authorization endpoint this means that neither of these claims are applicable for the code flow in the first place.

   • 2013-05-06T15:29:15+00:00
3. 

   John Bradley

   We could probably remove c_hash as being optional when the token is issued from the token endpoint. The token endpoint, doesn't issue code, so that could be cleaned up in messages.

   In messages it differentiates between id_tokens issued from the authorization endpoint vs those issued from the token_endpoint.

   • 2013-05-06T17:35:41+00:00
4. 

   John Bradley

   Say at hash may occur

   • 2013-05-06T20:22:09+00:00
5. 

   Michael Jones

   • changed status to resolved

   Fixed #833 - Stated that an "at_hash" Claim MAY be present in the ID Token.

   → <<cset 3bada6d59c94>>

   • 2013-05-14T15:36:35+00:00
6. Log in to comment