ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

at_hash wrong if we use the new feature "Access Token in JWT Format"

book

Article ID: 212283

calendar_today

Updated On:

Products

CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

When running CA Access Gateway (SPS) and Policy Server as OIDC
Provider, then enabling "Generate Access Token in JWT Format" function
on the client, the access_token cannot be validated.

The Apache client reports error :

  [Tue Mar 23 12:31:16.634826 2021] [auth_openidc:error] [pid 6516:tid
  140443631068928] [client 192.168.1.111:50015]
  oidc_proto_validate_hash: provided "at_hash" hash value
  (WQGjm_YAkG7aaIFo1LonBxhiqqvKiHrt) does not match the calculated
  value, referer: https://wa.training.com/oidc/redirect

  [Tue Mar 23 12:31:16.634832 2021] [auth_openidc:error] [pid 6516:tid
  140443631068928] [client 192.168.1.111:50015]
  oidc_proto_validate_access_token: could not validate access token
  against at_hash, referer: https://wa.training.com/oidc/redirect

 

Environment

 

Policy Server 12.8SP5 on RedHat 8;
CA Access Gateway (SPS) 12.8SP5 on RedHat 8;

 

Resolution

 

Upgrade to Policy Server 12.8SP6 when this one will be available.