In the CIBA spec, the AS sends a payload similar to the Successful Token Response in OIDC. The connection is authenticated using a bearer token provided by the client.
The CIBA spec is a profile of OIDC and therefore requires an ID Token to be sent in this payload.
Should this ID Token contain an at_hash claim so that the client can be assured of the payload integrity?
at_hash claim is included, should there also be an
The current draft requires an
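What the client-side check discussed above would look like, as an added example (not code from the CIBA draft or from this post): at_hash is computed as OIDC Core defines it, the left-most half of the hash of the access token, with the hash chosen by the ID Token's alg. The payload, issuer and token values are constructed, the helper names are hypothetical, and ID Token signature verification is assumed to be done separately.

```python
import base64, hashlib, hmac, json

# Hash is selected by the ID Token's JOSE "alg" header (RS256 -> SHA-256, ...).
_HASH_BY_ALG_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compute_at_hash(access_token: str, alg: str) -> str:
    hash_fn = _HASH_BY_ALG_SUFFIX.get(alg[-3:])
    if hash_fn is None:
        raise ValueError(f"unsupported alg for at_hash: {alg}")
    digest = hash_fn(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])  # left-most half only

def check_payload_binding(payload: dict) -> bool:
    """True only if id_token carries an at_hash matching the payload's access_token.
    Assumption: the ID Token signature has already been verified elsewhere."""
    header_b64, claims_b64, _signature = payload["id_token"].split(".")
    alg = json.loads(b64url_decode(header_b64))["alg"]
    claimed = json.loads(b64url_decode(claims_b64)).get("at_hash")
    if not isinstance(claimed, str):
        return False  # no at_hash: the access token is not bound to the ID Token
    expected = compute_at_hash(payload["access_token"], alg)
    return hmac.compare_digest(claimed.encode(), expected.encode())

def make_constructed_payload(access_token, hashed_token):
    """Build a constructed sample payload; the signature part is a placeholder."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = {"iss": "https://as.example", "sub": "constructed-user"}
    if hashed_token is not None:
        claims["at_hash"] = compute_at_hash(hashed_token, "RS256")
    body = b64url(json.dumps(claims).encode())
    return {"access_token": access_token, "token_type": "Bearer",
            "id_token": f"{header}.{body}.placeholder-signature"}

if __name__ == "__main__":
    good = make_constructed_payload("constructed-token-A", "constructed-token-A")
    swapped = make_constructed_payload("constructed-token-B", "constructed-token-A")
    unbound = make_constructed_payload("constructed-token-A", None)
    for name, p in (("good", good), ("swapped", swapped), ("unbound", unbound)):
        print(name, check_payload_binding(p))
```

The check only adds assurance when the ID Token signature is validated first, since at_hash binds the access token to the signed claims rather than protecting the payload by itself.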