[Openid-specs-ab] [openid/connect] at_hash required in messages, missing in basic profile (issue #833)
issues-reply at bitbucket.org
Mon May 6 07:29:36 UTC 2013
New issue 833: at_hash required in messages, missing in basic profile
In section 126.96.36.199 of draft 18 of the messages specification, the c_hash and at_hash claims are defined as OPTIONAL or REQUIRED (c_hash is REQUIRED when the ID Token is issued at the same time as an authorization code; at_hash is REQUIRED when the ID Token is issued at the same time as an access token).
I read the above as stating that one of the two claims is required in every ID Token that uses either the code or token flow.
In section 2.2 of draft 26 of the basic profile, however, the claims at_hash and c_hash are not even mentioned.
Either c_hash and at_hash claims need to be added to the basic profile, or the messages definitions for c_hash and at_hash need to be fixed.
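The conditional rule the issue is about, worked through in code. This is an added example, not part of the mailing-list post and not code from the OpenID working group: it computes c_hash / at_hash the way the spec defines them (base64url, without padding, of the left-most half of the hash of the ASCII octets of the code or access token, where the hash is the one implied by the ID Token's JWS alg, e.g. RS256 -> SHA-256), derives which of the two claims is REQUIRED from the response_type, and checks an ID Token's claims on the client side. The function names, the response_type-to-claim mapping helper, and the sample code and access_token values are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Hash function implied by the ID Token's JWS "alg" header: the digest size is
# encoded in the alg name (RS256/ES256/HS256/PS256 -> SHA-256, ...384 -> SHA-384,
# ...512 -> SHA-512). "none" has no hash and is rejected.
_HASH_BY_BITS = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def hash_alg_for_jws(alg):
    try:
        return _HASH_BY_BITS[alg[-3:]]
    except KeyError:
        raise ValueError(f"no hash function defined for alg {alg!r}") from None


def token_hash(value, alg):
    """at_hash / c_hash of `value`: base64url(left-most half of H(ASCII(value))), no '=' padding."""
    digest = hash_alg_for_jws(alg)(value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def required_hash_claims(response_type):
    """Which hash claims are REQUIRED, given what is issued alongside the ID Token.

    c_hash is REQUIRED when a code is issued with the ID Token (code id_token, code id_token token),
    at_hash is REQUIRED when an access token is issued with it (id_token token, code id_token token).
    For response_type=code the ID Token comes from the token endpoint, so neither is REQUIRED.
    """
    parts = set(response_type.split())
    required = set()
    if "id_token" in parts and "code" in parts:
        required.add("c_hash")
    if "id_token" in parts and "token" in parts:
        required.add("at_hash")
    return required


def id_token_hash_claims(alg, code=None, access_token=None):
    """OP side: the hash claims to put into an ID Token for the artefacts issued with it."""
    claims = {}
    if code is not None:
        claims["c_hash"] = token_hash(code, alg)
    if access_token is not None:
        claims["at_hash"] = token_hash(access_token, alg)
    return claims


def verify_hash_claims(claims, alg, response_type, code=None, access_token=None):
    """Client side: every REQUIRED hash claim must be present, and any hash claim that is
    present must match the artefact the client actually received. Returns (ok, reason)."""
    expected = id_token_hash_claims(alg, code=code, access_token=access_token)
    for name in required_hash_claims(response_type):
        if name not in claims:
            return False, f"{name} is REQUIRED for response_type={response_type!r} but is missing"
        if name not in expected:
            return False, f"{name} cannot be checked: matching artefact was not received"
    for name, value in expected.items():
        # constant-time comparison; the claim is a base64url string of fixed length for a given alg
        if name in claims and not hmac.compare_digest(str(claims[name]), value):
            return False, f"{name} does not match the artefact issued with the ID Token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real authorization response.
    CODE = "Qcb0Orv1zh30vL1MPRsbm-diHiMwcLyZvn1arpZv-Jxf_11jnpEX3Tgfvk"
    ACCESS_TOKEN = "SlAV32hkKG"
    claims = id_token_hash_claims("RS256", code=CODE, access_token=ACCESS_TOKEN)
    print("claims for 'code id_token token':", claims)
    print(verify_hash_claims(claims, "RS256", "code id_token token", code=CODE, access_token=ACCESS_TOKEN))
    # Same ID Token claims, but the code in the response was swapped: c_hash catches it.
    print(verify_hash_claims(claims, "RS256", "code id_token token", code="swapped", access_token=ACCESS_TOKEN))
    # ID Token without c_hash in a hybrid response: rejected as a missing REQUIRED claim.
    print(verify_hash_claims({}, "RS256", "code id_token", code=CODE))
```

`required_hash_claims` is where the "conditionally REQUIRED" wording of the messages draft turns into something a client can enforce: the check is driven by the response_type the client asked for, not by whichever claims happen to be in the token, so an OP that omits a hash claim in a hybrid response is rejected rather than silently trusted. A verifier built from the basic profile alone, which never mentions either claim, has no such check.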