OpenID Connect "at_hash" claim requirement during ID token validation #849

aaronmarkey · 2023-11-02T15:53:19Z

Expected behaviour

Per the OpenID Connect specification, the at_hash claim in ID Token can be optional, depending on circumstance. Thus, I'd expect ID token validation to succeed when the at_hash ID cliam is not required and not provided.

This was the actual behavior up to social-core 4.4.2.

Actual behaviour

Since social-core version 4.5, the OpenIdConnectAuth backend incorrectly raises an AuthTokenError when the Authorization Code flow is used without the use of the at_hash claim in an ID token.

What are the steps to reproduce this issue?

Input clear steps to reproduce the issue for a maintainer.

Use the OpenIdConnectAuth backend with the code RESPONSE_TYPE.
Make a request to a ID provider which does not include an at_hash claim in the ID token, such as Auth0.com.
Error occurs upon ID token validation.

Any logs, error output, etc?

The problematic code in question is here. This check should succeed when at_hash is not in the claim set, as is the behavior in the original python-jose functionality.

Any other comments?

The text was updated successfully, but these errors were encountered:

nijel · 2023-11-02T19:26:35Z

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OpenID Connect "at_hash" claim requirement during ID token validation #849

OpenID Connect "at_hash" claim requirement during ID token validation #849

aaronmarkey commented Nov 2, 2023

nijel commented Nov 2, 2023

OpenID Connect "at_hash" claim requirement during ID token validation #849

OpenID Connect "at_hash" claim requirement during ID token validation #849

Comments

aaronmarkey commented Nov 2, 2023

Expected behaviour

Actual behaviour

What are the steps to reproduce this issue?

Any logs, error output, etc?

Any other comments?

nijel commented Nov 2, 2023