How to Disable signature at_hash for JWT id_token

Article ID: 276434


Products

CA API Gateway

Issue/Introduction

The new OTK version the client has installed (4.6.1) adds an at_hash signature to the JWT id_token.

The customer needs to disable this functionality because the tokens are already linked to the certificate in our application and at_hash is not necessary.

In addition, the resulting at_hash, generated from the signature of the original UUID, does not match the signature of the JWT token and generates an error.

How can the at_hash generation be disabled at the time the JWT id_token is signed (using "Encode Json Web Token")?

It was not possible to find an option to disable this functionality.

Environment

Gateway 10.1 , 11.0

Cause

New feature in the OTK 4.6.1 code.

Resolution

Topic tracked as DE582966.

The workaround below is the only option available for the moment. From engineering:

at_hash (an id_token claim) is essential for the integrity check of an access_token that is received from the front channel, i.e., via the redirect URL as part of the authorization response. This claim is expected if response_type contains both token and id_token.

Workaround:

In the policy #OTK id_token Custom Claims:

Set the context variable ${access_token} = ""

With this setting, the at_hash claim is not added to the id_token.

Permanent fix (to be taken up in the future):

- Use the actual access_token string for calculating the at_hash claim. This might require a gateway change too (the openid custom assertion is packaged with the gateway).
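To make the engineering explanation concrete, here is an added example (not part of the article and not OTK or Gateway code) of how a relying party derives and checks at_hash per OpenID Connect Core 1.0 section 3.3.2.11: hash the access_token string with the hash matching the id_token's signing algorithm, keep the left-most half, base64url-encode without padding. The demo also models the defect (at_hash derived from some other string than the access_token) and the workaround (claim omitted); the access_token value and the "sig(...)" string are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Hash for the at_hash claim follows the bit length of the JWS alg
# (OpenID Connect Core 1.0, 3.3.2.11): RS256/ES256/HS256 -> SHA-256, etc.
_HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "ES256": hashlib.sha256, "HS256": hashlib.sha256,
    "RS384": hashlib.sha384, "ES384": hashlib.sha384, "HS384": hashlib.sha384,
    "RS512": hashlib.sha512, "ES512": hashlib.sha512, "HS512": hashlib.sha512,
}


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash = base64url(left-most half of HASH(access_token)), no '=' padding."""
    digest = _HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_at_hash(claims: dict, access_token: str, response_type: str, alg: str = "RS256") -> bool:
    """Relying-party check. The claim is required only when a token came back via
    the front channel (response_type contains 'token'); otherwise absence is fine."""
    required = "token" in response_type.split()
    actual = claims.get("at_hash")
    if actual is None:
        return not required
    return hmac.compare_digest(actual, compute_at_hash(access_token, alg))


def demo():
    # Constructed sample values, not tokens from the article.
    access_token = "c8f4e2a1-5b6d-4c2e-9a7f-0b1d2e3f4a5b"  # hypothetical UUID-style access_token
    good = {"sub": "alice", "at_hash": compute_at_hash(access_token)}
    # Defect described in the article: at_hash computed from some other string
    # (here a hypothetical "signature of the UUID") rather than the access_token itself.
    bad = {"sub": "alice", "at_hash": compute_at_hash("sig(" + access_token + ")")}
    # Workaround: ${access_token} = "" makes the gateway omit the claim entirely.
    omitted = {"sub": "alice"}
    hybrid = tuple(verify_at_hash(c, access_token, "code id_token token") for c in (good, bad, omitted))
    code_only = tuple(verify_at_hash(c, access_token, "code") for c in (good, bad, omitted))
    return hybrid, code_only


if __name__ == "__main__":
    print(demo())  # ((True, False, False), (True, False, True))
```

The second tuple shows the trade-off of the workaround: an id_token without at_hash still passes when no token is returned in the front channel, but a relying party doing the hybrid-flow check will reject it.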