
Commit be6b22d

committed
Address @mpdavis comments
1 parent a6923bb commit be6b22d


1 file changed

+17
-12
lines changed

1 file changed

+17
-12
lines changed

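--- a/jose/jwt.py
+++ b/jose/jwt.py
@@ -406,21 +406,26 @@ def _validate_jti(claims):
 
 def _validate_at_hash(claims, access_token, algorithm):
     """
-    Validates that the 'at_hash' parameter included in the claims matches
-    with the access_token returned alongside the id token as part of
-    the authorization_code flow.
+    Validates that the 'at_hash' is valid.
+
+    Its value is the base64url encoding of the left-most half of the hash
+    of the octets of the ASCII representation of the access_token value,
+    where the hash algorithm used is the hash algorithm used in the alg
+    Header Parameter of the ID Token's JOSE Header. For instance, if the
+    alg is RS256, hash the access_token value with SHA-256, then take the
+    left-most 128 bits and base64url encode them. The at_hash value is a
+    case sensitive string. Use of this claim is OPTIONAL.
 
     Args:
-        claims (dict): The claims dictionary to validate.
-        access_token (str): The access token returned by the OpenID Provider.
-        algorithm (str): The algorithm used to sign the JWT, as specified by
-            the token headers.
+        claims (dict): The claims dictionary to validate.
+        access_token (str): The access token returned by the OpenID Provider.
+        algorithm (str): The algorithm used to sign the JWT, as specified by
+            the token headers.
     """
-    if 'at_hash' not in claims and not access_token:
-        return
-    elif access_token and 'at_hash' not in claims:
+    if 'at_hash' not in claims:
         return
-    elif 'at_hash' in claims and not access_token:
+
+    if not access_token:
         msg = 'No access_token provided to compare against at_hash claim.'
         raise JWTClaimsError(msg)
 
@@ -430,7 +435,7 @@ def _validate_at_hash(claims, access_token, algorithm):
     except (TypeError, ValueError):
         msg = 'Unable to calculate at_hash to verify against token claims.'
         raise JWTClaimsError(msg)
-
+
     if claims['at_hash'] != expected_hash:
         raise JWTClaimsError('at_hash claim does not match access_token.')
 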