anvilresearch / connect

A modern authorization server built to authenticate your users and protect your APIs
http://anvil.io
MIT License

The at_hash in id_tokens does not follow the spec #349

Open john-banks opened 7 years ago

john-banks commented 7 years ago

The spec for generating an at_hash can be seen on http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.2.2.10

The existing code does not base64 encode the hash and therefore all existing id_token token flows should fail. Any clients that use this flow with anvil currently are breaking the standard.

coveralls commented 7 years ago

Coverage increased (+0.007%) to 79.75% when pulling bdde505352e1f10537f96e60d40beb4b29d72ab1 on john-banks:master into a21dd1ff17d4893bb97eb7beb455888afb10eea0 on anvilresearch:master.

christiansmith commented 7 years ago

Thanks @john-banks! Good catch. The only reason I'm not merging this just yet is to have a chance to look at the client libs that verify at_hash (I think just anvilresearch/connect-js) and make sure we have that updated as well.