
id_token doesn't have claim `at_hash` in implicit flow


What version of UAA are you running?

4.19.0

How are you deploying the UAA?

I am deploying the UAA

Used the https://mvnrepository.com/artifact/org.cloudfoundry.identity/cloudfoundry-identity-uaa/4.19.2 war and deployed it to Tomcat.

What did you do?

I’m using the Implicit flow with the HTTP request below:

GET /uaa/oauth/authorize?client_id=ui&redirect_uri=http%3A%2F%2Flocalhost%3A9000%2Fcallback&response_type=id_token%20token&scope=openid%20ui.magic&state=35832a9a455d42779705dca17c6650ac&nonce=13a23b28f3d2447f951dddb8356df9a9 HTTP/1.1

After entering credentials in the login screen, it redirected to the url: http://localhost:9000/callback#token_type=bearer&access_token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.X9Y0H-ybvJQnw5WudTh9BBLUHeSWTH60rJyfP6m_Hhf4S5ZXc0-nrojOB8-Xy6uYM4u7OQ4Oear2wmhr8XX4bROBnI8AtEpUx6GmZ35AY7zOW7_GefAWJu5YghVaz7W_0kFa4zw4iEUUd-9NDl-tsznM_YyeK_0XUniOgGhsCQXv8J8z_U5a6FuEHdr7ODSsu92ipIQKB9VwxQjzfcp6yF9O4jNcAI0jWAK866eVBjhtaNRI4oQq2PLPXF8KsSu9Y6j8TfiXIr9h_IKsLPZK-O-5X7AJJ6qElgajDNmqGQl-FLPG_S3DAATHGrZYHPcn2-bAfFAcYFDLiMGRKH_GdA&id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.nwmEyq4wxSSYl_bY6NXE8S1_DMkPFbSKOw8rzps6efkgDlMwvddSsxoN2hZZRLw90MbqCT77ljBDZ_wPBvuXzlsS_FEz3DHkMeo9gXNIr2zFLGfPJcCTSpotLaHea9a7P3nf_1VHwfIADD_9grqn1iJ17z_-gX1UaDZ3tMJgWKWN6j9WGQjnY5oZ3nGEcQU4TjR_tLOzOy5PhcPnH68Syf1PKgi-ARvHfkdZixfgQcHYGAZD16wwYUId8zuFHgp1tYhh8s9s54ANQjAQomvJayar9LuUjvS6_-oxssnoanz4LJ-cbIx9j3Y-v145Cphzws11MvmMObLnvtB1sisd4w&state=35832a9a455d42779705dca17c6650ac&expires_in=43199&scope=remappapi.lib_admin%20openid%20remappapi.rs_admin&nonce=13a23b28f3d2447f951dddb8356df9a9&jti=20d67cbb3d384dc196057d07ef0c2b11

What did you expect to see? What goal are you trying to achieve with the UAA?

I expected the id token to have the ‘at_hash’ claim as per the OpenID spec.

What did you see instead?

I don’t find the at_hash claim in the id_token.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 8
  • Comments: 10 (5 by maintainers)

Top GitHub Comments

1 reaction
DennisDenuto commented, Aug 7, 2018

Hi @vinaylakkam, thanks for creating this issue. You are correct, the spec does specify providing the at_hash claim when using the hybrid flow with id_token and access_token. It should also provide the c_hash when using the hybrid flow with id_token and code.

Can you share how this is affecting your usage of the UAA? Is token validation failing due to this missing claim?
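
The at_hash and c_hash claims DennisDenuto refers to bind the id_token to the access_token (or code) returned beside it, so a client can detect a token that was swapped in the fragment. The Python below is an added illustration of that binding check, not code from the issue or from the UAA project; the token, subject and nonce values are constructed, and the fixture builder produces an unsigned token only for demonstration.

```python
import base64
import hashlib
import json

# Hash function implied by the ID token's JWS "alg" (OIDC Core 3.3.2.11).
_ALG_HASH = {"RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
             "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
             "RS512": "sha512", "ES512": "sha512", "PS512": "sha512"}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_hash(token: str, alg: str) -> str:
    """at_hash (access_token) or c_hash (authorization code): left-most half
    of the hash of the token's ASCII bytes, base64url-encoded without padding."""
    digest = hashlib.new(_ALG_HASH[alg], token.encode("ascii")).digest()
    return _b64url_encode(digest[: len(digest) // 2])

def check_at_hash(id_token: str, access_token: str) -> str:
    """Classify the at_hash binding between an id_token and the access_token
    delivered beside it in the fragment: 'ok', 'missing' or 'mismatch'.
    The caller must have verified the JWS signature before trusting claims."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    if "at_hash" not in claims:
        return "missing"   # the condition reported in this issue
    if claims["at_hash"] != token_hash(access_token, header["alg"]):
        return "mismatch"  # access_token substituted or altered in transit
    return "ok"

def make_test_id_token(claims: dict, alg: str = "RS256") -> str:
    """Constructed unsigned fixture: the signature segment is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-sig"

# Constructed sample values, not taken from the issue.
ACCESS_TOKEN = "constructed-opaque-access-token"
OK_TOKEN = make_test_id_token({"sub": "user1", "nonce": "n1",
                               "at_hash": token_hash(ACCESS_TOKEN, "RS256")})
NO_HASH_TOKEN = make_test_id_token({"sub": "user1", "nonce": "n1"})
```

A client receiving the redirect from the issue would run check_at_hash on the id_token and access_token fragment parameters; "missing" is exactly the UAA 4.19.0 behaviour reported here, and "mismatch" is the case the claim exists to catch.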

0 reactions
strehle commented, Oct 27, 2022

support public + PKCE until a few hours ago

This was delivered with https://github.com/cloudfoundry/uaa/releases/tag/v75.21.0, e.g. https://github.com/cloudfoundry/uaa/pull/1888

The use of public with a UAA client needs to be configured, default is off, but you can use uaac https://github.com/cloudfoundry/cf-uaac/releases

The rotation of refresh tokens was then only a consequence of public usage but also no requirement.
