Skip 'at_hash' claim validation when missing

python-social-auth · Nov 7, 2023 · f7ed3a3 · f7ed3a3
1 parent 6c69c60
commit f7ed3a3
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/social_core/backends/open_id_connect.py b/social_core/backends/open_id_connect.py
@@ -236,7 +236,9 @@ def validate_and_return_id_token(self, id_token, access_token):
 
         # pyjwt does not validate OIDC claims
         # see https://github.com/jpadilla/pyjwt/pull/296
-        if claims.get("at_hash") != self.calc_at_hash(access_token, key["alg"]):
+        if "at_hash" in claims and claims["at_hash"] != self.calc_at_hash(
+            access_token, key["alg"]
+        ):
             raise AuthTokenError(self, "Invalid access token")
 
         self.validate_claims(claims)