[Openid-specs-ab] Is c_hash required in Basic Client Profile?
Brian Campbell
bcampbell at pingidentity.com
Thu Aug 22 17:44:20 UTC 2013
Where does it say that c_hash is a required element of id_token if the
response_type=code? I think that would be a spec defect. But I didn't
see it in a quick scan of the doc.
I do see in 2.1.2.1 that "c_hash ... Code hash value. If the ID Token
is issued from the Authorization Endpoint with a code, this is
REQUIRED" which basically means response_type=code+id_token or
code+id_token+token or any other combination that results in both a
code and id_token coming back directly from the authorization
endpoint.
On Mon, Aug 19, 2013 at 3:24 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> In Basic the id_token is never returned with a code, it is however returned from the token endpoint with an access token.
>
> The id_token returned from the token endpoint can only have a at_hash.
>
> It was Google that insisted that the id_tokens coming from the token endpoint contain at_hash. We should probably get them to flesh out the security reasons for that.
>
> John B.
>
> On 2013-08-19, at 1:08 PM, Chuck Mortimore <cmortimore at salesforce.com> wrote:
>
>> In Messages Draft 20, we have c_hash as a required element of id_token if the response_type=code. However, Basic 28 does not cover c_hash at all in section 2.2 (at_hash is covered strangely enough, despite implicit not being covered in basic)
>>
>> I'm assuming this is required, and we've got a minor spec bug....?
>>
>> -cmort
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
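The thread turns on when an ID Token must carry c_hash or at_hash and how a client checks them. The following Python is an added illustration written for this page, not code from the list participants or from any OpenID Foundation implementation. It computes a hash claim the way OpenID Connect defines it (left-most half of the hash named by the ID Token's JWS `alg`, base64url-encoded without padding, over the ASCII octets of the code or access token) and then applies the rule quoted above: c_hash is REQUIRED when the ID Token comes from the Authorization Endpoint together with a code. The at_hash rule for the Authorization Endpoint (REQUIRED when an access token is issued alongside the ID Token there) is taken from the Core spec, and the sample code and token strings are constructed for the example. The function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional

# Hash function implied by the ID Token's JWS "alg" value (RS256 -> SHA-256,
# ES384 -> SHA-384, PS512 -> SHA-512, ...). "none" yields no usable hash.
_HASH_BY_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def _hash_for_alg(alg: str):
    try:
        return _HASH_BY_SUFFIX[alg[-3:]]
    except KeyError:
        raise ValueError(f"no c_hash/at_hash can be derived for alg={alg!r}")


def hash_claim(value: str, alg: str) -> str:
    """Compute the c_hash/at_hash value for `value` (a code or access token)."""
    digest = _hash_for_alg(alg)(value.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def verify_hash_claim(claimed: str, value: str, alg: str) -> bool:
    """Constant-time comparison of a received claim against the recomputed one."""
    return hmac.compare_digest(claimed, hash_claim(value, alg))


def check_id_token_hash_claims(
    claims: Dict[str, str],
    alg: str,
    from_authorization_endpoint: bool,
    code: Optional[str] = None,
    access_token: Optional[str] = None,
) -> List[str]:
    """Return a list of problems (empty list means the hash claims are acceptable).

    Rules applied:
      * c_hash is REQUIRED when the ID Token is issued from the Authorization
        Endpoint with a code (the 2.1.2.1 text quoted in the thread).
      * at_hash is REQUIRED when the ID Token is issued from the Authorization
        Endpoint with an access token; from the Token Endpoint it is optional.
      * Any hash claim that is present must match the artifact it describes.
    """
    problems: List[str] = []
    rules = (
        ("c_hash", code, from_authorization_endpoint and code is not None),
        ("at_hash", access_token, from_authorization_endpoint and access_token is not None),
    )
    for name, artifact, required in rules:
        claimed = claims.get(name)
        if claimed is None:
            if required:
                problems.append(f"{name} missing but REQUIRED for an ID Token issued "
                                f"from the Authorization Endpoint with its artifact")
            continue
        if artifact is None:
            problems.append(f"{name} present but there is no artifact to check it against")
            continue
        if not verify_hash_claim(claimed, artifact, alg):
            problems.append(f"{name} does not match the received artifact")
    return problems


if __name__ == "__main__":
    # Constructed sample values; they are not from any real deployment.
    code = "SplxlOBeZQQYbYS6WxSbIA"
    token = "2YotnFZFEjr1zCsicMWpAA"
    alg = "RS256"

    # Basic profile: ID Token comes from the Token Endpoint with an access token,
    # so at_hash may be present and c_hash is not required even though a code was used.
    basic_claims = {"at_hash": hash_claim(token, alg)}
    print("basic:", check_id_token_hash_claims(basic_claims, alg, False, code=code, access_token=token))

    # Hybrid (code id_token): ID Token leaves the Authorization Endpoint with a code,
    # so a missing c_hash is a defect the client must reject.
    print("hybrid, no c_hash:", check_id_token_hash_claims({}, alg, True, code=code))
```

The `basic` case prints an empty list; the `hybrid, no c_hash` case prints one problem naming c_hash. Because the hash is taken from the `alg` header, a client must read `alg` from the validated JWS header rather than trusting an unverified claim, and it should compare with `hmac.compare_digest` as above so the check does not leak timing information.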