
Commit 0afe6ef

committed
to calculate at_hash and c_hash always using signing alg value
1 parent cf28e0e commit 0afe6ef

2 files changed

Lines changed: 13 additions & 4 deletions


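--- a/src/main/java/org/oidc/msg/AbstractMessage.java
+++ b/src/main/java/org/oidc/msg/AbstractMessage.java
@@ -621,6 +621,17 @@ protected boolean isValidStructure() {
 }
 return true;
 }
+
+/**
+* Get the jwe/jwt header of the message. Header exists only if the message is deserialized from
+* or serialized to jwe/jwt. If the message is serialized to, the header is the outermost header.
+* If message is deserialized from, then header is the innermost header.
+*
+* @return header.
+*/
+public Map<String, Object> getHeader() {
+return header;
+}
 
 /**
 * Get error description of message parameter verification.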
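--- a/src/main/java/org/oidc/msg/oidc/AuthenticationResponse.java
+++ b/src/main/java/org/oidc/msg/oidc/AuthenticationResponse.java
@@ -22,8 +22,6 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-
-import org.oidc.msg.DeserializationException;
 import org.oidc.msg.ErrorDetails;
 import org.oidc.msg.ErrorType;
 import org.oidc.msg.ParameterVerification;
@@ -235,7 +233,7 @@ protected void doVerify() {
 "at_hash must be in id token if returned with access token"));
 } else {
 String atHash = TokenHash.compute((String) getClaims().get("access_token"),
-JWT.decode((String) getClaims().get("id_token")).getAlgorithm());
+(String) idToken.getHeader().get("alg"));
 if (!((String) idToken.getClaims().get("at_hash")).equals(atHash)) {
 getError().getDetails().add(new ErrorDetails("at_hash", ErrorType.VALUE_NOT_ALLOWED,
 String.format("at_hash in id token not same as expected value '%s'", atHash)));
@@ -251,7 +249,7 @@ protected void doVerify() {
 idTokenErrorDetails.toString()));
 } else {
 String codeHash = TokenHash.compute((String) getClaims().get("code"),
-JWT.decode((String) getClaims().get("id_token")).getAlgorithm());
+(String) idToken.getHeader().get("alg"));
 if (!((String) idToken.getClaims().get("c_hash")).equals(codeHash)) {
 ErrorDetails idTokenErrorDetails = new ErrorDetails("c_hash",
 ErrorType.VALUE_NOT_ALLOWED,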