Is there a way to remove at_hash from the Id token

Invoking /oauth2/customer/authorize with response_type=code token id_token adds the at_hash to the jwt, anyway we can remove this ? I tried overriding in the OIDC Claim script - can modify , but unable to remove.

Yes, we can always use response_type=code id_token , but this adds subname back to the token.

Anyway we can generate an Id token without at_hash and subname ?


Hi @joshfr,

Removing at_hash will probably render the id_token non compliant or invalid as per the OIDC standard:  ID Token

The contents of the ID Token are as described in Section 2.
 When using the Implicit Flow, these additional requirements
 for the following ID Token Claims apply:

Access Token hash value. 
If the ID Token is issued from the Authorization Endpoint with an access_token value, 
which is the case for the response_type value id_token token, this is REQUIRED;
 it MAY NOT be used when no Access Token is issued, which is the case for
 the response_type value id_token.


1 Like