Is there a way to remove at_hash from the ID token?

Invoking /oauth2/customer/authorize with response_type=code token id_token adds the at_hash to the JWT. Any way we can remove this? I tried overriding in the OIDC Claim script - can modify, but unable to remove.

Yes, we can always use response_type=code id_token, but this adds subname back to the token.

Any way we can generate an ID token without at_hash and subname?

Thanks
Josh

Hi @joshfr,

Removing at_hash will probably render the id_token non-compliant or invalid as per the OIDC standard:

3.2.2.10. ID Token

The contents of the ID Token are as described in Section 2. When using the Implicit Flow, these additional requirements for the following ID Token Claims apply:
[...]

at_hash
Access Token hash value.
[...]
If the ID Token is issued from the Authorization Endpoint with an access_token value, which is the case for the response_type value id_token token, this is REQUIRED; it MAY NOT be used when no Access Token is issued, which is the case for the response_type value id_token.

Regards
Patrick

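Added example, not part of the original thread or of any product's code: a relying-party check showing why an ID token with at_hash stripped fails validation when an access token comes back in the same authorization response. The at_hash computation follows OpenID Connect Core (base64url of the left-most half of the hash selected by the ID token's alg); the function names, issuer, and token values are constructed for illustration, and signature verification is assumed to have been done already.

```python
import base64, hashlib, hmac, json

# Hash chosen by the ID Token's JOSE "alg" header, e.g. RS256 -> SHA-256.
HASH_BY_ALG_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def compute_at_hash(access_token: str, alg: str) -> str:
    """base64url of the left-most half of hash(ASCII octets of access_token)."""
    hash_fn = HASH_BY_ALG_SUFFIX.get(alg[-3:])
    if hash_fn is None:
        raise ValueError(f"no at_hash rule implemented for alg {alg!r}")
    digest = hash_fn(access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])

def check_at_hash(id_token: str, access_token):
    """Return (ok, reason). The caller must already have verified the signature."""
    header_b64, payload_b64, _signature = id_token.split(".")
    alg = json.loads(b64url_decode(header_b64))["alg"]
    at_hash = json.loads(b64url_decode(payload_b64)).get("at_hash")
    if access_token is None:
        return True, "no access token in the response, nothing to bind"
    if at_hash is None:
        return False, "access token returned with the ID Token but at_hash is missing"
    expected = compute_at_hash(access_token, alg)
    if not hmac.compare_digest(str(at_hash).encode(), expected.encode()):
        return False, "at_hash does not match the returned access token"
    return True, "at_hash matches the returned access token"

def constructed_id_token(claims: dict, alg: str = "RS256") -> str:
    """Constructed sample: real header and payload, placeholder signature."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"

if __name__ == "__main__":
    token_value = "constructed-access-token-value"  # constructed, not a real token
    claims = {"iss": "https://op.example", "sub": "demo", "aud": "client"}
    bound = constructed_id_token({**claims, "at_hash": compute_at_hash(token_value, "RS256")})
    stripped = constructed_id_token(claims)  # what removing at_hash would produce
    for label, tok, at in [("bound", bound, token_value), ("stripped", stripped, token_value),
                           ("swapped", bound, "some-other-access-token")]:
        print(label, check_at_hash(tok, at))
```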