
at_hash wrong if we use the new feature "Access Token in JWT Format"


Article ID: 212283




CA Single Sign On Federation (SiteMinder)



When CA Access Gateway (SPS) and Policy Server run as the OIDC
Provider and the "Generate Access Token in JWT Format" function is
enabled on the client, the access_token cannot be validated.

The Apache client reports the following errors:

  [Tue Mar 23 12:31:16.634826 2021] [auth_openidc:error] [pid 6516:tid
  140443631068928] [client]
  oidc_proto_validate_hash: provided "at_hash" hash value
  (WQGjm_YAkG7aaIFo1LonBxhiqqvKiHrt) does not match the calculated
  value, referer:

  [Tue Mar 23 12:31:16.634832 2021] [auth_openidc:error] [pid 6516:tid
  140443631068928] [client]
  oidc_proto_validate_access_token: could not validate access token
  against at_hash, referer:




Policy Server 12.8SP5 on RedHat 8;
CA Access Gateway (SPS) 12.8SP5 on RedHat 8;




Upgrade to Policy Server 12.8SP6 when it becomes available.
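
OpenID Connect Core 1.0 defines at_hash as the base64url encoding (without padding) of the left-most half of the hash of the access_token's ASCII octets, with the hash chosen by the ID token's "alg" header. The Python below is an added example, not Broadcom's or mod_auth_openidc's code, that recomputes the value so the provider's claim can be compared outside the Apache client; the helper names and all token values are constructed for illustration.

```python
import base64
import hashlib
import json

# Hash selected by the ID token's JWS "alg" suffix (RS256, ES384, PS512, ...).
HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token: str, alg: str) -> str:
    """base64url (unpadded) of the left-most half of hash(access_token)."""
    hash_fn = HASHES.get(alg[-3:])
    if hash_fn is None:
        raise ValueError(f"no at_hash rule for alg {alg!r}")
    digest = hash_fn(access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def check_at_hash(id_token: str, access_token: str) -> dict:
    """Diagnostic comparison only: the ID token signature is NOT verified."""
    header_b64, payload_b64, _signature = id_token.split(".")
    alg = json.loads(b64url_decode(header_b64))["alg"]
    provided = json.loads(b64url_decode(payload_b64)).get("at_hash")
    if provided is None:
        raise ValueError("ID token carries no at_hash claim")
    calculated = compute_at_hash(access_token, alg)
    return {"alg": alg, "provided": provided, "calculated": calculated,
            "match": provided == calculated}


def make_sample_id_token(alg: str, at_hash: str) -> str:
    parts = ({"alg": alg, "typ": "JWT"}, {"sub": "sample-user", "at_hash": at_hash})
    return ".".join(b64url_encode(json.dumps(p).encode()) for p in parts) + ".c2ln"


# Constructed sample tokens (assumptions, not values from the article).
OPAQUE_TOKEN = "sample-opaque-access-token"
JWT_TOKEN = "eyJhbGciOiJSUzM4NCJ9.eyJzdWIiOiJzYW1wbGUtdXNlciJ9.c2ln"
ID_TOKEN = make_sample_id_token("RS384", compute_at_hash(OPAQUE_TOKEN, "RS384"))

if __name__ == "__main__":
    for token in (OPAQUE_TOKEN, JWT_TOKEN):  # match, then mismatch
        print(check_at_hash(ID_TOKEN, token))
```

The at_hash value in the log above is 32 base64url characters, which decodes to 24 bytes, the half-length of a SHA-384 digest, so it is consistent with an ID token signed with a 384-bit algorithm. Passing the ID token and access token from a failing login to `check_at_hash` reproduces the comparison outside Apache.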