[Openid-specs-ab] Is c_hash required in Basic Client Profile?
John Bradley
ve7jtb at ve7jtb.com
Mon Aug 19 21:24:59 UTC 2013
In Basic the id_token is never returned with a code; it is, however, returned from the token endpoint with an access token.
The id_token returned from the token endpoint can only have an at_hash.
It was Google that insisted on the id_tokens coming from the token endpoint containing at_hash. We should probably get them to flesh out the security reasons for that.
John B.
On 2013-08-19, at 1:08 PM, Chuck Mortimore <cmortimore at salesforce.com> wrote:
> In Messages Draft 20, we have c_hash as a required element of id_token if the response_type=code. However, Basic 28 does not cover c_hash at all in section 2.2 (at_hash is covered strangely enough, despite implicit not being covered in basic)
>
> I'm assuming this is required, and we've got a minor spec bug....?
>
> -cmort
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
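The thread turns on which hash claim an RP should expect in an id_token depending on where the id_token came from: c_hash binds an authorization code returned alongside the id_token from the authorization endpoint, at_hash binds an access token, and an id_token from the token endpoint (the Basic profile case) can carry only at_hash. The following is an added example, not code from this thread or from the OpenID Foundation; it implements the hash construction as written in OpenID Connect Core 1.0 (leftmost half of the hash named by the JWS alg over the ASCII octets of the value, base64url-encoded without padding), which is the construction the drafts discussed here fed into. The function names `token_hash` and `verify_token_hashes`, the `require_*` flags and all sample token values are the author's own and are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional

# JWS "alg" -> hash used to derive at_hash / c_hash (SHA-256 for *256, etc.).
_ALG_HASH = {
    "HS256": hashlib.sha256, "RS256": hashlib.sha256, "ES256": hashlib.sha256, "PS256": hashlib.sha256,
    "HS384": hashlib.sha384, "RS384": hashlib.sha384, "ES384": hashlib.sha384, "PS384": hashlib.sha384,
    "HS512": hashlib.sha512, "RS512": hashlib.sha512, "ES512": hashlib.sha512, "PS512": hashlib.sha512,
}


def token_hash(value: str, alg: str) -> str:
    """Left half of hash(ASCII(value)), base64url-encoded without padding.

    The same construction is used for at_hash (access token) and
    c_hash (authorization code); only the input differs.
    """
    if alg not in _ALG_HASH:
        raise ValueError(f"unsupported JWS alg for token hash: {alg}")
    digest = _ALG_HASH[alg](value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_token_hashes(claims: dict, alg: str,
                        access_token: Optional[str] = None,
                        code: Optional[str] = None,
                        require_at_hash: bool = False,
                        require_c_hash: bool = False) -> bool:
    """Check that the id_token's hash claims bind the artefacts received with it.

    `claims` is the already signature-verified id_token payload and `alg` the
    JWS alg that signed it. Pass whichever artefact arrived alongside the
    id_token and set the require_* flags for the flow in use: c_hash is
    required when code and id_token come together from the authorization
    endpoint; at_hash is optional for an id_token from the token endpoint.
    Returns True on success, raises ValueError on a missing or wrong hash.
    """
    checks = (("at_hash", access_token, require_at_hash),
              ("c_hash", code, require_c_hash))
    for claim, artefact, required in checks:
        expected = claims.get(claim)
        if expected is None:
            if required:
                raise ValueError(f"{claim} missing from id_token")
            continue
        if artefact is None:
            raise ValueError(f"{claim} present but no matching artefact was supplied")
        actual = token_hash(artefact, alg)
        # Constant-time comparison: a mismatch should not leak how much matched.
        if not hmac.compare_digest(actual, str(expected)):
            raise ValueError(f"{claim} does not match the received value")
    return True


if __name__ == "__main__":
    # Constructed sample values; not real tokens or codes.
    alg = "RS256"
    access_token = "example-access-token-value"
    code = "example-authorization-code"

    # Basic profile: id_token from the token endpoint, at_hash only (and optional).
    token_endpoint_claims = {"iss": "https://op.example", "at_hash": token_hash(access_token, alg)}
    print("token endpoint id_token ok:",
          verify_token_hashes(token_endpoint_claims, alg, access_token=access_token))

    # Authorization endpoint returning code + id_token: c_hash is required.
    auth_endpoint_claims = {"iss": "https://op.example", "c_hash": token_hash(code, alg)}
    print("authorization endpoint id_token ok:",
          verify_token_hashes(auth_endpoint_claims, alg, code=code, require_c_hash=True))
```

The `require_*` flags keep the MUST/MAY distinction the thread is about explicit at the call site: a Basic-profile RP calls with `access_token=` and no requirement, so an id_token without at_hash still passes, while a client that received a code next to an id_token sets `require_c_hash=True` so a missing c_hash is rejected rather than silently skipped.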