Can an access token and id token pair be validated using the id token at_hash after the access token has been refreshed?
In my very limited testing with only one OIDC provider (WSO2), the access token validation method (in the spec here: https://openid.net/specs/openid-connect-core-1_0.html#ImplicitTokenValidation) does still work with the access token returned from the refresh endpoint and the id token returned from the token endpoint. I can't find any mention of this being guaranteed in the specification. Also, if this does work, does anyone know how the access token left-most hash can still match the at_hash after the access token has been refreshed? I mean, what is the mechanism used to create the refreshed access token to maintain compatibility with the id token? Thank you so much for your time in considering my question!

Scott

Scott Dickerson
Principal Software Engineer
Durham office
4813 Emperor Blvd., Suite 100
Durham, NC 27703
T 919.564.2236
E [email protected]
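To make the question concrete, here is an added example (not from the original message) of how at_hash is derived and checked per OIDC Core: hash the ASCII bytes of the access token with the hash function implied by the ID token's JWS alg (SHA-256 for RS256), keep the left-most half of the digest, and base64url-encode it without padding. Because the value is a deterministic function of the token bytes, a refreshed token can only pass this check if it is byte-for-byte identical to the one the ID token was issued with; the token strings below are constructed sample values.

```python
import base64
import hashlib
import hmac

# Digest to use for at_hash, keyed by the ID token's JWS "alg" header
# (OIDC Core 3.1.3.6 / 3.2.2.9: hash with the alg's hash function, keep the
# left-most half of the digest, base64url-encode without padding).
_HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "ES256": hashlib.sha256, "HS256": hashlib.sha256,
    "RS384": hashlib.sha384, "ES384": hashlib.sha384, "HS384": hashlib.sha384,
    "RS512": hashlib.sha512, "ES512": hashlib.sha512, "HS512": hashlib.sha512,
}


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """Return the at_hash value an OP would place in an ID token for this access token."""
    digest = _HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def access_token_matches(id_token_claims: dict, access_token: str, alg: str = "RS256") -> bool:
    """True only if the ID token's at_hash was computed over exactly this token string."""
    claimed = id_token_claims.get("at_hash")
    if not isinstance(claimed, str):
        return False  # no at_hash claim: the pair cannot be bound this way
    # Constant-time comparison of the two base64url strings.
    return hmac.compare_digest(compute_at_hash(access_token, alg), claimed)


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    original = "constructed.access.token.v1"
    id_claims = {"sub": "user-123", "at_hash": compute_at_hash(original)}
    print(access_token_matches(id_claims, original))   # True

    # A refreshed token whose bytes differ no longer matches the original ID token.
    refreshed = "constructed.access.token.v2"
    print(access_token_matches(id_claims, refreshed))  # False
```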
