There's discussions around this in the mail and meeting archives, if you want to dig into it. But generally the "at_hash" approach has proven to be complicated while not really achieving the algorithm agility it aims for. We opted for something more straightforward with "ath" in DPoP.
On Wed, Oct 27, 2021 at 7:25 AM Dmitry Telegin <dmitryt= 40backbase....@dmarc.ietf.org> wrote: > As of -03, the "ath" DPoP proof claim has been introduced: > > ath: hash of the access token (REQUIRED). The value MUST be the result of >> a base64url encoding (with no padding) the SHA-256 hash of the ASCII >> encoding of the associated access token's value. >> > > OpenID Connect has a similar concept used to bind ID token to access token: > > at_hash OPTIONAL. Access Token hash value. Its value is the base64url >> encoding of the left-most half of the hash of the octets of the ASCII >> representation of the access_token value, where the hash algorithm used >> is the hash algorithm used in the alg Header Parameter of the ID Token's >> JOSE Header. For instance, if the alg is RS256, hash the access_token >> value with SHA-256, then take the left-most 128 bits and base64url encode >> them. The at_hash value is a case sensitive string. >> >> > OIDC derives the hashing algorithm from the token header, while DPoP uses > SHA-256 unconditionally. OIDC uses the left-most half of the hash, while > DPoP uses the whole hash. Would it make sense to be aligned with OIDC on > this? > > Regards, > Dmitry > Backbase > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
