@@ -410,24 +410,28 @@ def _validate_jti(claims):
410410
411411def _validate_at_hash (claims , access_token , algorithm ):
412412 """
413- Validates that the 'at_hash' parameter included in the claims matches
414- with the access_token returned alongside the id token as part of
415- the authorization_code flow.
413+ Validates that the 'at_hash' is valid.
414+
415+ Its value is the base64url encoding of the left-most half of the hash
416+ of the octets of the ASCII representation of the access_token value,
417+ where the hash algorithm used is the hash algorithm used in the alg
418+ Header Parameter of the ID Token's JOSE Header. For instance, if the
419+ alg is RS256, hash the access_token value with SHA-256, then take the
420+ left-most 128 bits and base64url encode them. The at_hash value is a
421+ case sensitive string. Use of this claim is OPTIONAL.
416422
417423 Args:
418- claims (dict): The claims dictionary to validate.
419- access_token (str): The access token returned by the OpenID Provider.
420- algorithm (str): The algorithm used to sign the JWT, as specified by
421- the token headers.
424+ claims (dict): The claims dictionary to validate.
425+ access_token (str): The access token returned by the OpenID Provider.
426+ algorithm (str): The algorithm used to sign the JWT, as specified by
427+ the token headers.
422428 """
423- if 'at_hash' not in claims and not access_token :
429+ if 'at_hash' not in claims :
424430 return
425- elif 'at_hash' in claims and not access_token :
431+
432+ if not access_token :
426433 msg = 'No access_token provided to compare against at_hash claim.'
427434 raise JWTClaimsError (msg )
428- elif access_token and 'at_hash' not in claims :
429- msg = 'at_hash claim missing from token.'
430- raise JWTClaimsError (msg )
431435
432436 try :
433437 expected_hash = calculate_at_hash (access_token ,