ging / fiware-idm

OAuth 2.0-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.
https://keyrock-fiware.github.io
MIT License

at_hash value of JWT token is incorrectly calculated #290

Open a-mroz opened 2 years ago

a-mroz commented 2 years ago

Apparently, the at_hash value for the JWT token is improperly calculated – instead of using base64url, it's using the base64 function. I encountered this issue when I tried to integrate OIDC using the express-openid-connect library and openid-client – a certified library for Node.js.

Please see the details here: https://github.com/auth0/express-openid-connect/issues/382

I re-checked it using fiware/idm:latest docker image – the problem still persists.

a-mroz commented 1 year ago

The issue seems to be in here: https://github.com/ging/node-oauth2-server/blob/b6891e6b524fedae9c99b8a661f4ae9d87eea224/lib/utils/token-util.js#L39
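
The encoding difference reported above, as an added example (not code from fiware-idm, node-oauth2-server or openid-client): OpenID Connect Core defines `at_hash` as the base64url encoding, without padding, of the left-most half of the hash of the access token, so a strict client rejects a value that was encoded with standard base64. The function names and the sample token are assumptions constructed for this illustration.

```javascript
const crypto = require('crypto');

// JWS alg of the ID Token -> hash function used for at_hash.
const HASH_FOR_ALG = {
  RS256: 'sha256', ES256: 'sha256', HS256: 'sha256',
  RS384: 'sha384', ES384: 'sha384', HS384: 'sha384',
  RS512: 'sha512', ES512: 'sha512', HS512: 'sha512',
};

// Constructed sample value, not a real token.
const SAMPLE_ACCESS_TOKEN = 'constructed-access-token-0123456789';

// Left-most half of the hash of the access token's ASCII octets.
function leftHalfDigest(accessToken, alg) {
  const hash = HASH_FOR_ALG[alg];
  if (!hash) throw new Error(`unsupported alg: ${alg}`);
  const digest = crypto.createHash(hash).update(accessToken, 'ascii').digest();
  return digest.subarray(0, digest.length / 2);
}

// Map standard base64 onto the URL-safe alphabet and drop '=' padding.
function toBase64Url(b64) {
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Spec-conformant at_hash: base64url, no padding.
function atHash(accessToken, alg) {
  return toBase64Url(leftHalfDigest(accessToken, alg).toString('base64'));
}

// Same bytes in standard base64, the encoding the issue reports.
// Keeping the '=' padding is an assumption about the exact output.
function atHashStdBase64(accessToken, alg) {
  return leftHalfDigest(accessToken, alg).toString('base64');
}

// Classify an at_hash claim: 'ok', 'wrong-encoding' (right bytes,
// base64 instead of base64url) or 'mismatch' (different bytes).
function checkAtHash(claim, accessToken, alg) {
  const expected = atHash(accessToken, alg);
  if (claim === expected) return 'ok';
  return toBase64Url(claim) === expected ? 'wrong-encoding' : 'mismatch';
}
```

For SHA-256 the half digest is 16 bytes, so the standard base64 form always ends in `==` and never equals the 22-character base64url form, even when the digest contains no `+` or `/`.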