[Openid-specs-ab] [openid/connect] at_hash required in messages, missing in basic profile (issue #833)

Ryo Ito ritou.06 at gmail.com
Mon May 6 11:59:36 UTC 2013


This depends on the response_type parameter of the authorization request.

- response_type=id_token token
ID Token includes at_hash.

- response_type=code id_token
ID Token includes c_hash.

- response_type=code id_token token
ID Token includes both c_hash and at_hash.

- response_type=code (Basic Profile)
ID Token doesn't need to include both.



2013/5/6 Pamela Dingle <issues-reply at bitbucket.org>

> New issue 833: at_hash required in messages, missing in basic profile
>
> https://bitbucket.org/openid/connect/issue/833/at_hash-required-in-messages-missing-in
>
> Pamela Dingle:
>
> In section 2.1.2.1 of draft 18 of the messages specification, the c_hash
> and at_hash claims are defined as OPTIONAL or REQUIRED (c_hash is REQUIRED
> when the idtoken is issued at the same time as an authorization code,
> at_hash is REQUIRED when the idtoken is issued at the same time as an
> access token).
>
> I read the above as stating that one of the two claims is required in
> every idtoken that uses either the code or token flow.
>
> In section 2.2 of draft 26 of the basic profile, however, the claims
> at_hash and c_hash are not even mentioned.
>
> Either c_hash and at_hash claims need to be added to the basic profile, or
> the messages definitions for c_hash and at_hash need to be fixed.



-- 
====================
Ryo Ito
Email : ritou.06 at gmail.com
====================
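
The rule in the reply above, as an added example that is not part of the original thread: a relying-party check that maps response_type to the hash claims the ID Token must carry and verifies any claim that is present. The function names and sample handling are assumptions made for illustration; the hash itself is the OpenID Connect one (left-most half of the hash named by the ID Token's alg, base64url-encoded without padding).

```python
import base64
import hashlib

# Hash claims the ID Token must carry per response_type, as listed in the reply.
REQUIRED_HASHES = {
    frozenset({"id_token", "token"}): {"at_hash"},
    frozenset({"code", "id_token"}): {"c_hash"},
    frozenset({"code", "id_token", "token"}): {"c_hash", "at_hash"},
    frozenset({"code"}): set(),  # Basic Profile: neither claim is required
}

# Assumption: only the SHA-2 based JWS algorithms (RS256, ES384, HS512, ...) are in use.
ALG_HASH = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def left_half_hash(value: str, alg: str) -> str:
    """Unpadded base64url of the left-most half of the hash of the ASCII value."""
    digest = ALG_HASH[alg[-3:]](value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def check_hash_claims(response_type, alg, claims, code=None, access_token=None):
    """Return a list of problems; an empty list means the hash claims are acceptable."""
    # response_type values are space-separated and order-independent.
    required = REQUIRED_HASHES.get(frozenset(response_type.split()))
    if required is None:
        return [f"unsupported response_type: {response_type!r}"]
    problems = []
    for claim, artifact in (("c_hash", code), ("at_hash", access_token)):
        got = claims.get(claim)
        if got is None:
            if claim in required:
                problems.append(f"{claim} missing")
        elif artifact is not None and got != left_half_hash(artifact, alg):
            # A claim that is present is verified even where it is only optional.
            problems.append(f"{claim} mismatch")
    return problems
```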