I agree that the at_hash definition is bizarre. I suggest adding a sentence
when introducing the ath claim explaining that this is similar but
different from at_hash.
Thanks,
-rohan
On Tue, Mar 29, 2022 at 6:14 AM Justin Richer wrote:
Yes, it was considered, discussed, and rejected. The reason being “at_hash” has
a somewhat convoluted definition (left-bits of a hash of an access token in the
context of a JOSE object, etc), to fit some of the design constraints of ID
Tokens. DPoP proofs do not have those same constraints. DPoP
Hi,
Did you consider using the (already IANA registered) at_hash claim defined
in:
https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
instead of defining a new ath claim?
It seems like if we don't use at_hash we should explain why ath is
better/different.
Thanks,
-rohan
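
Added example, not part of the thread or of either specification: a side-by-side computation of the two claims, showing why a value computed as at_hash does not verify as ath. The function names and the sample token are hypothetical, and the ath rule used here (base64url of the full SHA-256 of the access token) comes from the DPoP specification rather than from this thread.

```python
import base64
import hashlib
import hmac

# JOSE "alg" suffix -> hash used for at_hash (OpenID Connect Core).
_HASH_BY_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def at_hash(access_token: str, id_token_alg: str) -> str:
    """ID Token at_hash: left half of a hash chosen by the ID Token's alg."""
    hash_fn = _HASH_BY_SUFFIX.get(id_token_alg[-3:])
    if hash_fn is None:
        raise ValueError(f"no at_hash hash handled here for alg {id_token_alg!r}")
    digest = hash_fn(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def ath(access_token: str) -> str:
    """DPoP ath: full SHA-256 of the token, independent of any alg header."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def verify_ath(claimed: str, access_token: str) -> bool:
    """Resource-server check: constant-time compare against the presented token."""
    expected = ath(access_token)
    return hmac.compare_digest(claimed.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    token = "constructed-sample-access-token"  # constructed value, not a real token
    for alg in ("RS256", "ES384", "PS512"):
        print(f"at_hash ({alg}):", at_hash(token, alg))
    print("ath            :", ath(token))
    print("at_hash accepted as ath:", verify_ath(at_hash(token, "RS256"), token))
```

With a SHA-256 based alg the two values share their first 21 characters and then diverge, because at_hash stops after 128 bits; with other algs they differ from the first character.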