
Commit a2cfd30

committed
Address @mpdavis comments
1 parent 2266973 commit a2cfd30


1 file changed

+17
-12
lines changed


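--- a/jose/jwt.py
+++ b/jose/jwt.py
@@ -408,21 +408,26 @@ def _validate_jti(claims):
 
 def _validate_at_hash(claims, access_token, algorithm):
     """
-    Validates that the 'at_hash' parameter included in the claims matches
-    with the access_token returned alongside the id token as part of
-    the authorization_code flow.
+    Validates that the 'at_hash' is valid.
+
+    Its value is the base64url encoding of the left-most half of the hash
+    of the octets of the ASCII representation of the access_token value,
+    where the hash algorithm used is the hash algorithm used in the alg
+    Header Parameter of the ID Token's JOSE Header. For instance, if the
+    alg is RS256, hash the access_token value with SHA-256, then take the
+    left-most 128 bits and base64url encode them. The at_hash value is a
+    case sensitive string. Use of this claim is OPTIONAL.
 
     Args:
-        claims (dict): The claims dictionary to validate.
-        access_token (str): The access token returned by the OpenID Provider.
-        algorithm (str): The algorithm used to sign the JWT, as specified by
-            the token headers.
+        claims (dict): The claims dictionary to validate.
+        access_token (str): The access token returned by the OpenID Provider.
+        algorithm (str): The algorithm used to sign the JWT, as specified by
+            the token headers.
     """
-    if 'at_hash' not in claims and not access_token:
-        return
-    elif access_token and 'at_hash' not in claims:
+    if 'at_hash' not in claims:
         return
-    elif 'at_hash' in claims and not access_token:
+
+    if not access_token:
         msg = 'No access_token provided to compare against at_hash claim.'
         raise JWTClaimsError(msg)
 
@@ -432,7 +437,7 @@ def _validate_at_hash(claims, access_token, algorithm):
     except (TypeError, ValueError):
         msg = 'Unable to calculate at_hash to verify against token claims.'
         raise JWTClaimsError(msg)
-
+
     if claims['at_hash'] != expected_hash:
         raise JWTClaimsError('at_hash claim does not match access_token.')
 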
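Review bot: The early return added at the top of the body (`if 'at_hash' not in claims: return`) accepts an ID token that lacks the claim even when the caller has passed an access_token, so the access-token binding is silently skipped rather than enforced. That is consistent with the "OPTIONAL" wording the new docstring adopts for the authorization code flow, but OpenID Connect Core makes at_hash REQUIRED in the implicit and hybrid flows when an access token is issued alongside the ID token, and a caller cannot tell from this function whether the binding was verified or merely absent. I would make that contract explicit in the docstring, e.g. `Returns silently when the claim is absent, even if access_token is given; callers that require the binding (implicit/hybrid flows) must check for the claim's presence themselves.` The hash computation between the two hunks is outside this view, and the final `!=` comparison in the second hunk is unchanged context.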
