[Openid-specs-ab] [openid/connect] at_hash required in messages, missing in basic profile (issue #833)
ritou.06 at gmail.com
Mon May 6 11:59:36 UTC 2013
This depends on the response_type parameter of the authorization request.

- response_type=id_token token
  ID Token includes at_hash.
- response_type=code id_token
  ID Token includes c_hash.
- response_type=code id_token token
  ID Token includes both c_hash and at_hash.
- response_type=code (Basic Profile)
  ID Token doesn't need to include either.
2013/5/6 Pamela Dingle <issues-reply at bitbucket.org>
> New issue 833: at_hash required in messages, missing in basic profile
> Pamela Dingle:
> In section 22.214.171.124 of draft 18 of the messages specification, the c_hash
> and at_hash claims are defined as OPTIONAL or REQUIRED (c_hash is REQUIRED
> when the idtoken is issued at the same time as an authorization code,
> at_hash is REQUIRED when the idtoken is issued at the same time as an
> access token).
> I read the above as stating that one of the two claims is required in
> every idtoken that uses either the code or token flow.
> In section 2.2 of draft 26 of the basic profile, however, the claims
> at_hash and c_hash are not even mentioned.
> Either c_hash and at_hash claims need to be added to the basic profile, or
> the messages definitions for c_hash and at_hash need to be fixed.
Email : ritou.06 at gmail.com
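As an added illustration of the rule the reply states (not code from the thread or from the OpenID specifications themselves), the following Python computes at_hash / c_hash the way OpenID Connect Core defines them (base64url of the left-most half of the hash of the token's ASCII octets, using the hash underlying the ID Token's JWS alg) and checks which of the two claims an ID Token must carry for a given response_type. The function names, the claims dictionary layout and the sample token strings are assumptions made for the example; in a Relying Party this check is what binds the access token or code to the ID Token so that a substituted token is rejected.

```python
import base64
import hashlib
from typing import Dict, List, Optional, Set

# Hash function underlying each JWS alg (OpenID Connect Core: at_hash/c_hash use
# the hash of the alg in the ID Token's JOSE header, e.g. SHA-256 for RS256).
_HASH_FOR_ALG = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def _b64url(data: bytes) -> str:
    # base64url without padding, as used for JWT/JWS components
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_hash(token: str, alg: str) -> str:
    """at_hash / c_hash value for `token`: left-most half of hash(ASCII(token))."""
    digest = hashlib.new(_HASH_FOR_ALG[alg], token.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def required_hash_claims(response_type: str) -> Set[str]:
    """Hash claims the ID Token must carry for this response_type.

    Encodes the rule from the reply: at_hash when an access token is issued
    alongside the ID Token, c_hash when a code is, both when both are, and
    neither for plain response_type=code (Basic Profile), where no ID Token is
    returned from the authorization endpoint at all.
    """
    parts = set(response_type.split())
    if "id_token" not in parts:
        return set()
    required = set()
    if "token" in parts:
        required.add("at_hash")
    if "code" in parts:
        required.add("c_hash")
    return required


def verify_hash_claims(claims: Dict[str, str], alg: str, response_type: str,
                       access_token: Optional[str] = None,
                       code: Optional[str] = None) -> List[str]:
    """Return a list of problems found (empty list means the hash claims are OK)."""
    problems = []
    artifacts = {"at_hash": access_token, "c_hash": code}
    for claim in sorted(required_hash_claims(response_type)):
        artifact = artifacts[claim]
        if claim not in claims:
            problems.append("missing " + claim)
        elif artifact is None:
            problems.append(claim + " present but nothing to check it against")
        elif claims[claim] != token_hash(artifact, alg):
            problems.append(claim + " mismatch")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    at, cd = "sample-access-token", "sample-code"
    ok_claims = {"at_hash": token_hash(at, "RS256"), "c_hash": token_hash(cd, "RS256")}
    print(verify_hash_claims(ok_claims, "RS256", "code id_token token", at, cd))   # []
    print(verify_hash_claims({}, "RS256", "id_token token", at))                   # ['missing at_hash']
    print(verify_hash_claims({}, "RS256", "code"))                                 # []
```

The check uses the alg from the ID Token header, not a fixed SHA-256, so an ID Token signed with RS512 yields a 32-byte (43-character) hash, while RS256 yields 16 bytes (22 characters); a verifier that hard-codes one length will reject valid tokens from providers using the other.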