Closed aslovtsov closed 8 years ago
Yep, will look into it. Thx for letting me know.
It says here that at_hash is required: https://openid.net/specs/openid-connect-implicit-1_0.html#IDToken
Where do you see that it's optional?
Oh I see, it says: _"The value of at_hash in the ID Token MUST match the value produced in the previous step if at_hash is present in the ID Token."_
Yea, seems like the spec contradicts itself. Do you really have an OP that does not emit at_hash?
Also, perhaps that clause is there in the scenario where you are making `id_token` requests, instead of `id_token token`.
OidcClient.validateAccessTokenAsync is using at_hash for validation of access_token regardless of the fact that it is an optional parameter (http://openid.net/specs/openid-connect-implicit-1_0.html#AccessTokenValidation) and should be used only if present. So, if the server is not returning at_hash, validateAccessTokenAsync fails.