From a15ddb06371b9df71bb73835bc7e9503bcdb62b2 Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Mon, 19 Jun 2023 12:09:50 +0200 Subject: [PATCH 1/3] chore: expanded at_hash explanation --- docs/it/token_endpoint.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/it/token_endpoint.rst b/docs/it/token_endpoint.rst index 13553037..f379292a 100644 --- a/docs/it/token_endpoint.rst +++ b/docs/it/token_endpoint.rst @@ -284,7 +284,7 @@ Di seguito i claim disponibili nell'ID Token. - Livello di autenticazione effettivo. PUÒ essere uguale o superiore a quello richiesto dal RP nella Authentication Request. - |spid-icon| |cieid-icon| * - **at_hash** - - Vedi `OpenID.Core#CodeIDToken`_. Il client DEVE verificare che questo valore corrisponda all'*Access Token* restituito insieme all'ID Token. + - Vedi `OpenID.Core#CodeIDToken`_. Il suo valore è la codifica base64url della prima metà dell'hash calcolato sulla rappresentazione ASCII dell'*Access Token*, usando l'algoritmo di hashing indicato in **alg** nell'header dell'ID Token. Il client DEVE verificare che questo valore corrisponda applicando la medesima funzione all'*Access Token* restituito insieme all'ID Token. - |spid-icon| |cieid-icon| * - **iat** - UNIX Timestamp con l'istante di generazione del JWT, codificato come NumericDate come indicato in :rfc:`7519` From c7d36623bf88717b5481294f870e7d2332760f36 Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Mon, 19 Jun 2023 12:22:27 +0200 Subject: [PATCH 2/3] chore: expanded at_hash explanation in english version --- docs/en/token_endpoint.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/token_endpoint.rst b/docs/en/token_endpoint.rst index e4ee1a09..8d1435f9 100644 --- a/docs/en/token_endpoint.rst +++ b/docs/en/token_endpoint.rst 
@@ -290,7 +290,7 @@ The claims available in the *ID Token* are given below. - Effective authentication level. It MAY be equal or greater than the one requested by the client in the Authentication Request. - |spid-icon| |cieid-icon| * - **at_hash** - - See `OpenID.Core#CodeIDToken`_. The client MUST verify that this value matches the *Access Token* returned with the Token ID. + - See `OpenID.Core#CodeIDToken`_. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the *Access Token* value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. The client MUST compare this value by applying the same function to the *Access Token* returned with the Token ID. - |spid-icon| |cieid-icon| * - **iat** - UNIX Timestamp with the time of JWT issuance, coded as NumericDate as indicated in :rfc:`7519`. From 9acf1b0b1531ff5d7f8d4d880fa7662facb1dedc Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Mon, 19 Jun 2023 12:25:10 +0200 Subject: [PATCH 3/3] fix: at_hash clarification --- docs/en/token_endpoint.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/token_endpoint.rst b/docs/en/token_endpoint.rst index 8d1435f9..bab2472b 100644 --- a/docs/en/token_endpoint.rst +++ b/docs/en/token_endpoint.rst 
@@ -290,7 +290,7 @@ The claims available in the *ID Token* are given below. - Effective authentication level. It MAY be equal or greater than the one requested by the client in the Authentication Request. - |spid-icon| |cieid-icon| * - **at_hash** - - See `OpenID.Core#CodeIDToken`_. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the *Access Token* value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. The client MUST compare this value by applying the same function to the *Access Token* returned with the Token ID. + - See `OpenID.Core#CodeIDToken`_. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the *Access Token* value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. The client MUST verify this value by applying the same function to the *Access Token* returned with the Token ID. - |spid-icon| |cieid-icon| * - **iat** - UNIX Timestamp with the time of JWT issuance, coded as NumericDate as indicated in :rfc:`7519`.
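Review bot: In PATCH 1/3 (docs/it/token_endpoint.rst) the added line says the hash is computed "usando l'algoritmo di hashing indicato in **alg**", which reads as if alg named a hash function, whereas alg in the JOSE header names the signature algorithm and the hash is the one that algorithm implies; suggest "usando la funzione di hash corrispondente all'algoritmo indicato in **alg** nell'header dell'ID Token". The closing sentence, "DEVE verificare che questo valore corrisponda applicando la medesima funzione", also leaves out what the value must correspond to; suggest "corrisponda a quello ottenuto applicando la medesima funzione all'*Access Token* restituito insieme all'ID Token".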
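Review bot: In PATCH 2/3 (docs/en/token_endpoint.rst) the added line replaces the normative check "The client MUST verify that this value matches" with "The client MUST compare this value by applying the same function", which names an action but no longer states the required outcome; suggest "The client MUST verify that this value matches the result of applying the same function to the *Access Token* returned with the ID Token". The same line keeps "returned with the Token ID" although the rest of the hunk and the table use "ID Token"; the term should be made consistent while this line is being touched.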
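Review bot: PATCH 3/3 only swaps "compare" for "verify" on the line that PATCH 2/3 introduced (same @@ -290,7 +290,7 @@ hunk, same file), so the two commits should be squashed rather than landing a fix for the previous commit in the same series. The resulting sentence, "The client MUST verify this value by applying the same function to the *Access Token*", still does not say that the computed value must equal **at_hash**; suggest "MUST verify that this value matches the result of applying the same function to the *Access Token* returned with the ID Token". "Token ID" for "ID Token" also survives from the previous patch and should be corrected here.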