Open john-banks opened 7 years ago
Thanks @john-banks! Good catch. The only reason I'm not merging this just yet is to have a chance to look at the client libs that verify at_hash (I think just anvilresearch/connect-js) and make sure we have that updated as well.
The spec for generating an at_hash can be seen on http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.2.2.10
The existing code does not base64 encode the hash and therefore all existing id_token token flows should fail. Any clients that use this flow with anvil currently are breaking the standard.