Oauth Implicit Flow – Client must validate the signature – but what is the at_hash exactly?

02/08/2021

In Oauth, the Implict flow makes reference to the at_hash. So lets consider this parameter in more detail.

Step 1 – take the access token (we’ll call it x).

Step 2 – hash the access token with SHA-256 (we’ll call it Y).

Step 3 – take the left hand side of the hashed token Y1 (which is only 128 bits).

Step 4 – Base64 encode the left hand side of Y1 (we’ll call it Z).

Step 5 – Z is the at_hash, ie the hash of the access token, after its been hashed with SHA-256, only the first left hand halve of the hash taken, and that half is encoded with Base64 to form the at_hash.

The Implict flow spec states that the client MUST validate the SIGNATURE of the ID Token.

From → Encryption, SAML, Security Tools, Uncategorized

Oauth Implicit Flow – Client must validate the signature – but what is the at_hash exactly?

Step 1 – take the access token (we’ll call it x).

Step 2 – hash the access token with SHA-256 (we’ll call it Y).

Step 3 – take the left hand side of the hashed token Y1 (which is only 128 bits).

Step 4 – Base64 encode the left hand side of Y1 (we’ll call it Z).

Leave a comment Cancel reply

Blog Stats

Top Posts & Pages

Archives

Follow Blog via Email

Startpage.com

IVPN

XeroCrypt – USW InfoSec Blog

SupraFortix – USW InfoSec Blog

Top Clicks

Oauth Implicit Flow – Client must validate the signature – but what is the at_hash exactly?

Step 1 – take the access token (we’ll call it x).

Step 2 – hash the access token with SHA-256 (we’ll call it Y).

Step 3 – take the left hand side of the hashed token Y1 (which is only 128 bits).

Step 4 – Base64 encode the left hand side of Y1 (we’ll call it Z).

Share this:

Leave a comment Cancel reply

Blog Stats

Top Posts & Pages

Archives

Follow Blog via Email

Startpage.com

IVPN

XeroCrypt – USW InfoSec Blog

SupraFortix – USW InfoSec Blog

Top Clicks