Improper JWT used in token validation for hybrid "code id_token token" OpenId Connect flow

[mheyman]

My eyes are bleary trying to parse the OpenId Connect spec to try to determine the at-fault party and I'm not 100% sure it is this library but I think it is...

I'm using an IdentityServer3 authority for an OpenId Connect Hybrid flow asking for OpenIdConnectOptions.ResponseType = "code id_token token" and it seems to me that IdentityServer3 is replying properly but that src\Microsoft.AspNetCore.Authentication.OpenIdConnect\OpenIdConnectHandler.cs uses the wrong JWT when authenticating the "token" response. The error produced is something like:

IDX10300: The hash claim: 'MzRqDBY-SS-QQU6aztSeeQ' in the id_token did not validate with against: '63cea011ce8ee9c1f8faf0bff0a4b766', algorithm: 'RS256'.

With logging turned on, it isn't too hard to determine that the 'MzRqDBY-SS-QQU6aztSeeQ' hash claim above comes from the 'id_token' response, not the later 'token' response (in which, IdentityServer3 does not supply the optional at_hash hash claim).

If, around line 600 in OpenIdConnectHandler.cs, one replaces the OpenIdConnectProtocolValidationContext.ValidatedIdToken property which had been set to the jwt returned in the 'id_token' response with new JwtSecurityToken(tokenEndpointResponse.IdToken), that error goes away and authentication completes as it should.

I don't trust that fix because I'm not an OpenId Connect expert so I don't know if it breaks one of the other flows or response types that use that function (although I do believe that it is okay to not validate the JWT because the entire communication at this point is validated by the TLS connection).

[Tratcher]

@brentschmaltz?

[brentschmaltz]

@Tratcher having a look

[kevinchalet]

@Tratcher FYI, the fix works as expected 👏