From Scott.Dickerson at healthstream.com Sat Feb 13 17:27:11 2021
From: Scott.Dickerson at healthstream.com (Dickerson, Scott)
Date: Sat, 13 Feb 2021 17:27:11 +0000
Subject: [security] Question about validating access token with id token at_hash claim after access token has been refreshed
Message-ID:

Can an access token and id token pair be validated using the id token at_hash after the access token has been refreshed?

In my very limited testing with only one OIDC provider (WSO2), the access token validation method (in spec here) does still work with the access token returned from the refresh endpoint and the id token returned from the token endpoint. I can't find any mention of this being guaranteed in the specification.

Also, if this does work, does anyone know how the access token left-most hash can still match the at_hash after the access token has been refreshed? I mean, what is the mechanism used to create the refreshed access token to maintain compatibility with the id token?

Thank you so much for your time in considering my question!

Scott

Scott Dickerson
Principal Software Engineer
Durham office
4813 Emperor Blvd., Suite 100
Durham, NC 27703
T 919.564.2236
E scott.dickerson at healthstream.com
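The at_hash check the question refers to (OpenID Connect Core 3.1.3.6) binds an ID token to one specific access token string: the claim is the base64url encoding of the left-most half of the hash of the access token, using the hash function that matches the ID token's JWS alg. The example below is added here to illustrate that mechanism and is not code from the original post or from WSO2; the two token strings are constructed placeholders, and it shows why a refreshed access token with a different value cannot match the original ID token's at_hash unless the provider deliberately re-issues a matching pair.

```python
import base64
import hashlib
import hmac

# Constructed sample token strings (not real credentials): one access token
# from the initial token response and a different one returned by a refresh.
ORIGINAL_ACCESS_TOKEN = "2YotnFZFEjr1zCsicMWpAA"
REFRESHED_ACCESS_TOKEN = "tGzv3JOkF0XG5Qx2TlKWIA"

# OIDC Core 3.1.3.6: the hash function follows the ID token's alg size,
# e.g. RS256/ES256/HS256 -> SHA-256, RS384 -> SHA-384, RS512 -> SHA-512.
_ALG_BITS_TO_HASH = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def compute_at_hash(access_token: str, id_token_alg: str = "RS256") -> str:
    """Return the at_hash value for access_token: base64url (no padding) of
    the left-most half of the digest, hashed with the function matching alg."""
    bits = id_token_alg[-3:]
    if bits not in _ALG_BITS_TO_HASH:
        raise ValueError(f"unsupported ID token alg: {id_token_alg}")
    digest = _ALG_BITS_TO_HASH[bits](access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def at_hash_matches(access_token: str, id_token_claims: dict, id_token_alg: str = "RS256") -> bool:
    """Validate an access token against the at_hash claim of an ID token.
    A missing claim is treated as a mismatch: without it nothing binds the pair."""
    expected = id_token_claims.get("at_hash")
    if not expected:
        return False
    # Constant-time comparison of the two base64url strings.
    return hmac.compare_digest(compute_at_hash(access_token, id_token_alg), expected)


def demo_refresh_mismatch() -> tuple:
    """Build an ID token claim set bound to the original access token, then
    check both the original and the refreshed token against it."""
    id_token_claims = {"at_hash": compute_at_hash(ORIGINAL_ACCESS_TOKEN, "RS256")}
    return (
        at_hash_matches(ORIGINAL_ACCESS_TOKEN, id_token_claims, "RS256"),
        at_hash_matches(REFRESHED_ACCESS_TOKEN, id_token_claims, "RS256"),
    )


if __name__ == "__main__":
    print(demo_refresh_mismatch())  # (True, False)
```

If a provider's refresh response still validates against the old ID token, it is either returning the same access token string or issuing a new ID token alongside it; a client should validate at_hash against the ID token that was issued together with the access token it is checking.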