IdentityModel / oidc-token-manager

Apache License 2.0

OidcClient.validateAccessTokenAsync fails if at_hash is not presented #47

Closed aslovtsov closed 8 years ago

aslovtsov commented 8 years ago

OidcClient.validateAccessTokenAsync is using at_hash for validation of access_token regardless of the fact that it is an optional parameter (http://openid.net/specs/openid-connect-implicit-1_0.html#AccessTokenValidation) and should be used only if present. So, if the server is not returning at_hash, validateAccessTokenAsync fails

    if (!id_token_contents.at_hash) {
        return error("No at_hash in id_token");
    }

brockallen commented 8 years ago

Yep, will look into it. Thx for letting me know.

brockallen commented 8 years ago

It says here that at_hash is required: https://openid.net/specs/openid-connect-implicit-1_0.html#IDToken

Where do you see that it's optional?

brockallen commented 8 years ago

Oh I see, it says: "The value of at_hash in the ID Token MUST match the value produced in the previous step if at_hash is present in the ID Token."

Yea, seems like the spec contradicts itself. Do you really have an OP that does not emit at_hash?

Also, perhaps that clause is there in the scenario where you are making id_token requests, instead of id_token token.