[security] Question about validating access token with id token at_hash claim after access token has been refreshed
Dickerson, Scott
Scott.Dickerson at healthstream.com
Sat Feb 13 17:27:11 UTC 2021
Can an access token and id token pair be validated using the id token at_hash after the access token has been refreshed?
In my very limited testing with only one OIDC provider (WSO2), the access token validation method (in the spec here: <https://openid.net/specs/openid-connect-core-1_0.html#ImplicitTokenValidation>) does still work with the access token returned from the refresh endpoint and the id token returned from the token endpoint. I can't find any mention of this being guaranteed in the specification.
Also, if this does work, does anyone know how the access token's left-most hash can still match the at_hash after the access token has been refreshed? I mean, what is the mechanism used to create the refreshed access token to maintain compatibility with the id token?
Thank you so much for your time in considering my question!
Scott
Scott Dickerson
Principal Software Engineer
Durham office
4813 Emperor Blvd., Suite 100
Durham, NC 27703
T 919.564.2236
E scott.dickerson at healthstream.com<mailto:scott.dickerson at changehealthcare.com>
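For readers following the question above, here is the at_hash computation the linked spec section describes, written out as an added example (it is not code from the post, from WSO2, or from the OpenID project). Per OpenID Connect Core, at_hash is the base64url encoding (no padding) of the left-most half of the hash of the access token's ASCII octets, using the hash algorithm of the ID token's signature alg (SHA-256 for RS256, SHA-384 for RS384, and so on). The demo ID token, its issuer URL and the token strings are constructed here and the token is unsigned; a real client must verify the ID token signature with a JOSE library before trusting either the alg header or the at_hash claim. The example shows that the claim binds one exact token string: a refreshed access token that differs by even one byte from the one the ID token was issued for fails the check, which is why a client that wants this binding after a refresh should validate against a new ID token if the refresh response includes one.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Hash function implied by the ID Token's JOSE "alg" for the at_hash rule.
_ALG_TO_HASH = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compute_at_hash(access_token: str, alg: str) -> str:
    """at_hash = base64url(left half of HASH(ascii(access_token))), HASH from alg."""
    try:
        digest_name = _ALG_TO_HASH[alg]
    except KeyError:
        raise ValueError(f"no at_hash hash function mapped for alg={alg!r}")
    digest = hashlib.new(digest_name, access_token.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def verify_at_hash(access_token: str, alg: str, at_hash_claim: str) -> bool:
    """Constant-time comparison of the recomputed value with the claim."""
    return hmac.compare_digest(compute_at_hash(access_token, alg), at_hash_claim)


def check_pair(id_token: str, access_token: str) -> Tuple[bool, str]:
    """Check that id_token's at_hash binds access_token.

    Assumes the ID Token signature has ALREADY been verified; this only reads
    the header alg and the at_hash claim from the compact JWS segments.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    at_hash = claims.get("at_hash")
    if at_hash is None:
        return False, "id_token carries no at_hash claim"
    if not verify_at_hash(access_token, header["alg"], at_hash):
        return False, "at_hash does not match this access token"
    return True, "ok"


def make_demo_id_token(access_token: str, alg: str = "RS256") -> str:
    """Constructed, UNSIGNED demo ID Token (empty signature segment) for this example."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "iss": "https://op.example",          # constructed issuer
        "sub": "user-1",                       # constructed subject
        "at_hash": compute_at_hash(access_token, alg),
    }).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    original = "constructed-access-token-A"    # token issued with the ID token
    refreshed = "constructed-access-token-B"   # token returned by a later refresh
    id_token = make_demo_id_token(original)
    print(check_pair(id_token, original))      # (True, 'ok')
    print(check_pair(id_token, refreshed))     # (False, 'at_hash does not match ...')
```

Run it directly to see the original pair pass and the refreshed token fail against the same ID token. If a provider's refreshed token does still match, the only way that can hold under this computation is that the bytes of the access token string, and therefore its hash, are unchanged; an opaque token whose value changes on refresh will not match an at_hash issued for the old value.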