Closed
Labels
stale: Issues without activity for more than 60 days
Description
Open ID Connect specifies an optional additional claim for its ID token JWTs: the at_hash.
It's just a hash of the access token issued alongside the ID token.
Although OIDC lists it as optional, it also states that it's required when performing the "Authorization Code Grant" (3-legged OAuth), which is confusing.
It's very easy to compute. Just

```python
import base64
import hashlib

# Hash the access token with the hash function of the ID token's alg,
# keep the left-most half of the digest, base64url-encode it, drop padding.
token_hash = hashlib.sha256(access_token.encode('ascii')).digest()
at_hash = base64.urlsafe_b64encode(
    token_hash[:len(token_hash) // 2]
).rstrip(b'=').decode('ascii')
```

replacing `hashlib.sha256` with whatever alg is specified.
For those implementing OIDC servers, and clients of those servers, computing and validating this at_hash value, respectively, makes sense as PyJWT functionality.
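The computation and the client-side check described above, as an added example (not code from the issue or from PyJWT). The `alg`-to-hash mapping follows the OIDC rule that at_hash uses the hash algorithm of the ID token's JWS `alg`; the function names and the sample token are assumptions made for this example.

```python
import base64
import hashlib
import hmac

# Hash function implied by the ID token's JWS "alg" header (OIDC Core, at_hash).
_ALG_HASH = {
    "HS256": hashlib.sha256, "RS256": hashlib.sha256, "ES256": hashlib.sha256, "PS256": hashlib.sha256,
    "HS384": hashlib.sha384, "RS384": hashlib.sha384, "ES384": hashlib.sha384, "PS384": hashlib.sha384,
    "HS512": hashlib.sha512, "RS512": hashlib.sha512, "ES512": hashlib.sha512, "PS512": hashlib.sha512,
}


def compute_at_hash(access_token: str, alg: str) -> str:
    """Server side: derive the at_hash claim for access_token under alg.

    Hash the ASCII access token with the alg's hash, keep the left-most
    half of the digest, base64url-encode it without '=' padding.
    """
    try:
        hash_fn = _ALG_HASH[alg]
    except KeyError:
        raise ValueError(f"no at_hash hash function defined for alg {alg!r}")
    digest = hash_fn(access_token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_at_hash(access_token: str, alg: str, claimed_at_hash: str) -> bool:
    """Client side: check the ID token's at_hash against the access token
    that was actually received, using a constant-time comparison."""
    expected = compute_at_hash(access_token, alg)
    return hmac.compare_digest(expected.encode("ascii"), claimed_at_hash.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample access token, not a real credential.
    sample_token = "jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y"
    at_hash = compute_at_hash(sample_token, "RS256")
    print(at_hash, verify_at_hash(sample_token, "RS256", at_hash))
```

A client that validates at_hash this way detects an ID token being paired with an access token it was not issued alongside.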