[Openid-specs-ab] RP Certification has launched to Pilot Phase

Filip panva.ip at gmail.com
Fri Dec 9 10:54:01 UTC 2016


You still get an id_token with these _hash values (albeit optionally) from
the token-endpoint-issued id_token; the client MAY still validate it if
it's present.


> - When using the Hybrid Flow, the Access Token returned from the Token
> Endpoint is validated in the same manner as for the Authorization Code
> Flow.

> - When using the Authorization Code Flow, if the ID Token contains an
> at_hash Claim, the Client MAY use it to validate the Access Token in the
> same manner as for the Implicit Flow, as defined in Section 3.2.2.9, but
> using the ID Token and Access Token returned from the Token Endpoint.


Best,
*Filip Skokan*

On Fri, Dec 9, 2016 at 11:42 AM, Roland Hedberg <roland at catalogix.se> wrote:

>
> On 8 Dec 2016, at 17:15, Filip <panva.ip at gmail.com> wrote:
>
> Hello,
>
> While testing for all specified test/profiles in the PDF I've encountered
> the following five issues for these test + response_type combinations
>
>    1. id_token/rp-id_token-bad-at_hash
>       - is listed in the PDF for implicit profile, test description clearly
>         only mentions access_token issuing response types, this test should not be
>         listed in the PDF under implicit-id_token, since no at_hash check will be
>         performed without access_token being present
>
>    2. code+id_token/rp-id_token-bad-at_hash
>       - authentication request is failing when response_type=code+id_token,
>         Response {"error_description": "Wrong response_type", "error":
>         "incorrect_behavior"}
>
> You get at_hash'es in the id_token when an access token is returned in the
> same response. If you have response_type=code+id_token
> there is no access token returned hence no at_hash. Hence, it makes no
> sense running this combination.
>
>
>    3. code+token/rp-id_token-bad-at_hash
>       - authentication request is failing when response_type=code+id_token,
>         Response {"error_description": "Wrong response_type", "error":
>         "incorrect_behavior"}
>
> Sort of the same, if you don’t get back an id_token (which you don’t with
> response_type=code+token) where would the at_hash appear ?
>
>
>    4. code+token/rp-id_token-bad-c_hash
>       - authentication request is failing when
>         response_type=code+id_token, Response {"error_description": "Wrong
>         response_type", "error": "incorrect_behavior"}
>
> Same as previous but about c_hash instead of at_hash.
>
> — Roland
>
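Added illustration of the at_hash/c_hash rules this exchange turns on (it is not code from the thread, from the certification suite, or from either author): it computes the left-half hash per OIDC Core, treats a missing at_hash in a token-endpoint ID Token as optional rather than an error, and derives from response_type which hash claims an authorization-response ID Token must carry. All function names and sample values are constructed, and response_type is taken in the spec's space-separated form rather than the `+` form used in the test names.

```python
import base64
import hashlib
import hmac
from typing import Optional

# at_hash / c_hash use the hash algorithm of the ID Token's JWS alg header
# (OIDC Core 3.2.2.9 and 3.3.2.11): xS256 -> SHA-256, xS384 -> SHA-384, xS512 -> SHA-512.
_ALG_HASH = {f"{p}{b}": f"sha{b}" for p in ("HS", "RS", "ES", "PS") for b in ("256", "384", "512")}


def left_half_hash(value: str, alg: str) -> str:
    """Left-most half of hash(value), base64url without padding: the at_hash/c_hash encoding."""
    digest = hashlib.new(_ALG_HASH[alg], value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")


def check_hash_claim(claims: dict, claim: str, artifact: str, alg: str) -> Optional[bool]:
    """None when the claim is absent (client MAY skip), True on match, False on mismatch."""
    expected = claims.get(claim)
    if expected is None:
        return None
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(expected.encode(), left_half_hash(artifact, alg).encode())


def required_hash_claims(response_type: str) -> Optional[frozenset]:
    """Hash claims the authorization-response ID Token MUST carry; None when no ID Token comes back there."""
    parts = set(response_type.split())
    if "id_token" not in parts:
        return None  # response_type=code or code token: no ID Token to hold an at_hash/c_hash
    required = {"c_hash"} if "code" in parts else set()
    if "token" in parts:
        required.add("at_hash")
    return frozenset(required)


def validate_hash_claims(claims, alg, response_type, code=None, access_token=None) -> dict:
    """Per claim: True/False when checked, None when optional and absent, False when required and absent."""
    required = required_hash_claims(response_type) or frozenset()
    results = {}
    for claim, artifact in (("c_hash", code), ("at_hash", access_token)):
        if artifact is None:
            continue  # no artifact in hand, nothing to compare against
        result = check_hash_claim(claims, claim, artifact, alg)
        results[claim] = False if (result is None and claim in required) else result
    return results


if __name__ == "__main__":  # constructed sample values, not real tokens
    token = "constructed-access-token"
    print(validate_hash_claims({"at_hash": left_half_hash(token, "RS256")}, "RS256", "code", access_token=token))
```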