isambard-sc / bricsauthenticator

JupyterHub Authenticator for the BriCS JupyterHub service
MIT License

Authenticator does not validate `at_hash` claim in OIDC token #1

Open jcwomack opened 15 hours ago

jcwomack commented 15 hours ago

In the PyJWT documentation's example OIDC Login Flow, the at_hash claim from the JWT payload is validated, in addition to the validation of the signature associated with the JWT.

at_hash appears to be a part of the hash of the entire access token (prior to decoding).

The OIDC specification mentions at_hash several times. In some flows it appears to be optional (e.g. 3.1.3.8 Access Token Validation for Authorization Code Flow), while in others it is required (e.g. 3.2.2.9 Access Token Validation for Implicit Flow).

It is not clear to me whether it is necessary or useful for us to validate the at_hash claim (which does seem to be present in the JWTs received by the JupyterHub Authenticator), given that we already validate the signature on the token.

Thoughts/discussion welcome.
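For reference, the at_hash check discussed in this issue, as an added example that is not code from bricsauthenticator or the PyJWT documentation: per OIDC Core, at_hash is the base64url encoding (no padding) of the left-most half of the hash of the ASCII octets of the access token, where the hash function is the one implied by the ID Token's JOSE alg (SHA-256 for RS256/ES256/PS256/HS256, SHA-384 for the *384 variants, SHA-512 for the *512 variants). It uses only the standard library; the access token and claims below are constructed sample values, and the `required` flag is an assumption reflecting that the check is optional in the Authorization Code Flow but required in the Implicit Flow.

```python
import base64
import hashlib
import hmac

# Hash function implied by the ID Token's JOSE "alg" header value.
# at_hash must be computed with the hash algorithm of the alg that signed the ID Token.
_BITS_TO_HASH = {
    "256": hashlib.sha256,
    "384": hashlib.sha384,
    "512": hashlib.sha512,
}


def compute_at_hash(access_token: str, alg: str) -> str:
    """Return the expected at_hash for access_token under JOSE algorithm alg.

    at_hash = base64url( left-most half of HASH( ASCII(access_token) ) ), unpadded.
    Only RS/PS/ES/HS families are handled; anything else (including "none") is rejected.
    """
    family, bits = alg[:2], alg[-3:]
    if family not in ("RS", "PS", "ES", "HS") or bits not in _BITS_TO_HASH:
        raise ValueError(f"unsupported alg for at_hash computation: {alg!r}")
    digest = _BITS_TO_HASH[bits](access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def verify_at_hash(id_token_claims: dict, access_token: str, alg: str, required: bool) -> bool:
    """Check the ID Token's at_hash claim against the access token actually received.

    This binds the access token to the (signature-verified) ID Token, so a token
    swapped in transit would not match. `required` is an assumed policy switch:
    False for the Authorization Code Flow (claim optional), True for the Implicit Flow.
    """
    claimed = id_token_claims.get("at_hash")
    if claimed is None:
        return not required
    if not isinstance(claimed, str):
        return False
    expected = compute_at_hash(access_token, alg)
    # Constant-time comparison, as for any hash/MAC-style check.
    return hmac.compare_digest(expected.encode("ascii"), claimed.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample values, not real tokens or claims.
    access_token = "example-opaque-access-token-0123456789"
    claims = {
        "iss": "https://idp.example",
        "aud": "jupyterhub",
        "at_hash": compute_at_hash(access_token, "RS256"),
    }
    print(verify_at_hash(claims, access_token, "RS256", required=False))        # True
    print(verify_at_hash(claims, access_token + "x", "RS256", required=False))  # False
    print(verify_at_hash({}, access_token, "RS256", required=True))             # False
```

The `alg` passed in should be the one taken from the ID Token header that was already used for signature verification, not trusted separately from the token; the check is only meaningful after the signature, `iss`, `aud` and `exp` checks have passed.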

owhere commented 15 hours ago

If I understand correctly, we primarily use the Authorization Code Flow and validate the token signature and claims (like exp, aud, iss), so we could skip validating at_hash without a significant loss of security.

jcwomack commented 15 hours ago

Thanks for clarifying. In that case, I think we can leave this issue open and leave at_hash verification as a "nice to have" feature to implement in future.