[Openid-specs-ab] Is c_hash required in Basic Client Profile?
John Bradley
ve7jtb at ve7jtb.com
Thu Aug 22 17:59:16 UTC 2013
c_hash doesn't make sense for the code response type. It only makes sense for "code id_token" or "code token id_token" at the moment; someone could extend the response types, so wording is tricky. I don't find anywhere that Messages states it is used for "code" without an id_token.
John B.
On 2013-08-22, at 1:44 PM, Brian Campbell <bcampbell at pingidentity.com> wrote:
> Where does it say that c_hash is a required element of id_token if the
> response_type=code? I think that would be a spec defect. But I didn't
> see it in a quick scan of the doc.
>
> I do see in 2.1.2.1 that "c_hash ... Code hash value. If the ID Token
> is issued from the Authorization Endpoint with a code, this is
> REQUIRED" which basically means response_type=code+id_token or
> code+id_token+token or any other combination that results in both a
> code and id_token coming back directly from the authorization
> endpoint.
>
> On Mon, Aug 19, 2013 at 3:24 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>> In Basic the id_token is never returned with a code; it is, however, returned from the token endpoint with an access token.
>>
>> The id_token returned from the token endpoint can only have a at_hash.
>>
>> It was Google that insisted on the id_tokens coming from the token endpoint containing at_hash. We should probably get them to flesh out the security reasons for that.
>>
>> John B.
>>
>> On 2013-08-19, at 1:08 PM, Chuck Mortimore <cmortimore at salesforce.com> wrote:
>>
>>> In Messages Draft 20, we have c_hash as a required element of id_token if the response_type=code. However, Basic 28 does not cover c_hash at all in section 2.2 (at_hash is covered strangely enough, despite implicit not being covered in basic)
>>>
>>> I'm assuming this is required, and we've got a minor spec bug....?
>>>
>>> -cmort
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
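The binding the thread is arguing over, as an added example (this is not code from the thread, from the Messages/Basic drafts, or from any OpenID project): c_hash and at_hash are computed the way the final OpenID Connect Core 1.0 spec (section 3.3.2.11) defines them, as the base64url encoding of the left-most half of the hash of the ASCII octets of the code or access token, using the hash function of the ID Token's JWS alg header. Which claims are treated as REQUIRED follows the reading of Messages 2.1.2.1 given above: c_hash when an id_token comes from the Authorization Endpoint alongside a code, at_hash when it comes alongside an access token, and nothing required for an id_token from the Token Endpoint (at_hash there is verified if present). The code and access token values in the demo are constructed.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple

# Hash function implied by the ID Token's JWS "alg" header (OpenID Connect
# Core 1.0, 3.3.2.11). Unsigned ("none") ID Tokens carry no usable hash.
_HASH_FOR_ALG = {
    "HS256": hashlib.sha256, "RS256": hashlib.sha256, "ES256": hashlib.sha256, "PS256": hashlib.sha256,
    "HS384": hashlib.sha384, "RS384": hashlib.sha384, "ES384": hashlib.sha384, "PS384": hashlib.sha384,
    "HS512": hashlib.sha512, "RS512": hashlib.sha512, "ES512": hashlib.sha512, "PS512": hashlib.sha512,
}


def left_half_hash(value: str, alg: str) -> str:
    """c_hash / at_hash of `value`: base64url(left half of hash(ASCII octets)), no padding."""
    if alg not in _HASH_FOR_ALG:
        raise ValueError(f"unsupported or unsigned alg: {alg!r}")
    digest = _HASH_FOR_ALG[alg](value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def required_hash_claims(response_type: str, from_token_endpoint: bool) -> Set[str]:
    """Hash claims an ID Token must carry, given where it was issued.

    Authorization Endpoint: c_hash REQUIRED when a code is returned with the
    ID Token, at_hash REQUIRED when an access token is. Token Endpoint: c_hash
    does not apply and at_hash is optional, so nothing is required.
    """
    parts = set(response_type.split())
    if from_token_endpoint:
        return set()
    if "id_token" not in parts:
        raise ValueError(f"no ID Token is issued from the Authorization Endpoint for {response_type!r}")
    required = set()
    if "code" in parts:
        required.add("c_hash")
    if "token" in parts:
        required.add("at_hash")
    return required


def verify_hash_claims(claims: Dict[str, str], alg: str, response_type: str, from_token_endpoint: bool,
                       code: Optional[str] = None, access_token: Optional[str] = None) -> Tuple[bool, str]:
    """Check that the ID Token's c_hash / at_hash bind it to the code / access token we hold.

    A required claim that is missing fails; a present claim is always verified,
    and fails if we hold no matching artifact or the hash does not match.
    """
    required = required_hash_claims(response_type, from_token_endpoint)
    for claim, artifact, name in (("c_hash", code, "code"), ("at_hash", access_token, "access token")):
        present = claim in claims
        if claim in required and not present:
            return False, f"{claim} missing but REQUIRED for response_type={response_type!r}"
        if present:
            if artifact is None:
                return False, f"{claim} present but no {name} was received with the ID Token"
            expected = left_half_hash(artifact, alg).encode("ascii")
            if not hmac.compare_digest(expected, str(claims[claim]).encode("utf-8", "replace")):
                return False, f"{claim} does not match the {name}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample artifacts (not from any real deployment).
    code = "SplxlOBeZQQYbYS6WxSbIA"
    access_token = "2YotnFZFEjr1zCsicMWpAA"
    alg = "RS256"

    # Hybrid "code id_token" from the Authorization Endpoint: c_hash is REQUIRED.
    hybrid_claims = {"c_hash": left_half_hash(code, alg)}
    print(verify_hash_claims(hybrid_claims, alg, "code id_token", False, code=code))
    print(verify_hash_claims({}, alg, "code id_token", False, code=code))

    # Basic ("code") flow: the ID Token comes from the Token Endpoint with the
    # access token, so only at_hash can appear and it is verified if present.
    basic_claims = {"at_hash": left_half_hash(access_token, alg)}
    print(verify_hash_claims(basic_claims, alg, "code", True, access_token=access_token))
    print(verify_hash_claims({"at_hash": left_half_hash("tampered", alg)}, alg, "code", True,
                             access_token=access_token))
```

The c_hash check is what makes the hybrid response worth having: without it an attacker who can inject a code into the front-channel response has nothing binding the code to the signed id_token the RP received. In the Basic profile the id_token never travels with a code, which is why the thread concludes c_hash has no place there.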