Closed terion-name closed 2 years ago
It is perfectly fine if they drop the hash. But the conform behaviour is to omit the claim entirely, not setting it to null.
Adding workarounds for non-conformity is not something openid-client generally does.
Where is it stated explicitly that at_hash should be dropped at all, not null?
Authentik is kinda one of the major identity providers out there, do you think they failed to conform to the spec and an issue should be opened there?
To clarify: this happens only on refresh. The auth response contains at_hash, the refresh one doesn't.
Where is it stated explicitly that at_hash should be dropped at all, not null?
Its definition says it's optional and that the at_hash value is a case-sensitive string. There is no optionality that would allow null, which is an explicit JSON type / value.
do you think they failed to conform to the spec and an issue should be opened there?
yes.
@panva they committed a fix for this, thanks
Some OpenID servers (namely Authentik) don't provide at_hash on refresh and, instead of dropping the key from the payload, are setting it to null.
Example of idToken upon refresh from authentik:
This is breaking validation. This commit adds a null check.