Layer7 API Gateway: Decoded token at_hash value does not match

Article ID: 192979

Products

CA API Gateway CA Mobile API Gateway

Issue/Introduction

When independently verifying the at_hash value of an access token, the locally computed hash does not match the at_hash value found in the decoded ID token.

Environment

OAuth Toolkit 4.x

API Gateway 9.x

Resolution

The at_hash value is a secure hash of the access token. The OpenID Connect specification states:

"Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, hash the access_token value with SHA-256, then take the left-most 128 bits and base64url encode them. The at_hash value is a case sensitive string."

It is important to note that the hash must be generated on the octets (i.e. the raw bytes) of the ASCII representation of the access_token value, and that the resulting digest must be handled as raw bytes as well. Working with a string form of the digest instead of its bytes will produce a different and incorrect value.

Calculate the SHA-256 digest and return the value as a byte[] to ensure you are operating on the correct data. Then take the left-most 128 bits (16 bytes) of that digest and base64url encode them to generate the proper at_hash.

Additional Information

If you are using JWT access tokens, the hash must be computed over the jti claim of the JWT, which holds the UUID representation of the access token. Hashing the entire JWT will produce an invalid value. A sample JWT access token payload:

{
  "iss": "https://<oauth_server>:8443",
  "iat": 1592229644,
  "aud": "54f0c455-4d80-421f-82ca-9194df24859d",
  "exp": 1593339699,
  "jti": "0ecbc405-5b1d-4e93-850d-f6fce7e70cfd",
  "token_details": {
    "scope": "openid email profile",
    "expires_in": 3600,
    "token_type": "Bearer",
    "preferred_username": "[email protected]",
    "name": "A User",
    "email": "[email protected]"
  }
}
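The following is an added Python check, not code from the article or from the Gateway product, that computes at_hash the way the Resolution describes (raw digest bytes, left-most half, base64url without padding) and, for a JWT access token, computes it over the jti claim as noted above. The `wrong_at_hash` function, the unsigned-JWT helper and the sample token values are constructed here for illustration only.

```python
import base64
import hashlib
import json


def b64url_nopad(raw: bytes) -> str:
    """base64url encoding without '=' padding, as JOSE values are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash per OpenID Connect: hash the ASCII octets of the access token
    with the digest that matches the ID Token's alg (RS256 -> SHA-256,
    RS384 -> SHA-384, RS512 -> SHA-512), keep the left-most half of the
    digest bytes and base64url encode that half."""
    digest_name = {"256": "sha256", "384": "sha384", "512": "sha512"}[alg[-3:]]
    digest = hashlib.new(digest_name, access_token.encode("ascii")).digest()
    return b64url_nopad(digest[: len(digest) // 2])


def wrong_at_hash(access_token: str) -> str:
    """The mistake the article warns about: treating the digest as hex text
    and base64url-encoding that text instead of the raw digest bytes."""
    hex_digest = hashlib.sha256(access_token.encode("ascii")).hexdigest()
    return b64url_nopad(hex_digest[:32].encode("ascii"))


def jwt_payload(compact_jwt: str) -> dict:
    """Decode the payload segment of a compact JWT (no signature check;
    this is only used to read the jti claim)."""
    segment = compact_jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def at_hash_for_jwt_access_token(compact_jwt: str, alg: str = "RS256") -> str:
    """For JWT access tokens the hash covers the jti claim, not the whole JWT."""
    return at_hash(jwt_payload(compact_jwt)["jti"], alg)


def build_unsigned_jwt(payload: dict) -> str:
    """Constructed helper: an alg=none JWT so the jti path can be exercised offline."""
    header = b64url_nopad(json.dumps({"alg": "none"}).encode("ascii"))
    body = b64url_nopad(json.dumps(payload).encode("ascii"))
    return f"{header}.{body}."
```

Compare `at_hash(token)` against the at_hash claim of the decoded ID token; for a JWT access token pass the JWT to `at_hash_for_jwt_access_token` instead.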