Re: [OAUTH-WG] Secdir last call review of draft-ietf-oauth-jwsreq-30

2020-12-15 Thread Watson Ladd
On Sat, Oct 31, 2020 at 6:13 AM Nat Sakimura wrote:
>
> Hi Watson,
>
> Thanks very much for the review. I thought I have sent my response
> earlier, which I actually did not. It was sitting in my draft box. I
> apologize for it.

My apologies for missing it in my inbox for a number of months.

>
>

Re: [OAUTH-WG] DPoP followup I: freshness and coverage of signature

2020-12-15 Thread Justin Richer
I went and implemented this proposal of including a token hash in both an AS (java) and client (javascript) on a system that was already using DPoP and OpenID Connect. What I did there was just use the existing code we had on the AS-side to calculate the “at_hash” in the ID Token from OIDC, whic