Peter-Slump/django-keycloak

No access_token provided to compare against at_hash claim.

mchingotto opened this issue · 13 comments

Hello and thank you!!!!!!
I am very new to Keycloak and also to Django.

I am using a fresh install of Keycloak 12.0.2 (before that I was using 4.5.0 with no problems).

I got this error message in Django when the Keycloak server redirects the login approval to Django:

Error => "No access_token provided to compare against at_hash claim."

```python
from jose.exceptions import JWTClaimsError

# The check that raises the error above: the ID token carries an at_hash claim,
# but the caller did not pass the access_token it should be compared against.
if not access_token:
    msg = 'No access_token provided to compare against at_hash claim.'
    raise JWTClaimsError(msg)
```

Also, I had to add the client scopes openid, given_name and family_name in order for the request not to be invalid.

My questions:
Does it make sense to implement 12.0.2 instead of 4.5.0?
Is there a way I can fix this?

Thank you, I really appreciate it.
Mariano

Hello,

Reading... and learning a little bit.

Maybe there is enforcement of the at_hash value no matter whether an access_token is being used or not?

"The at_hash value is a case sensitive string. If the ID Token is issued from the Authorization Endpoint with an access_token value, which is the case for the response_type value code id_token token, this is REQUIRED; otherwise, its inclusion is OPTIONAL."

Thank you,
Mariano

2chg commented

I'm encountering the very same problems (even though the custom client scope openid is not required) and am hoping someone here could explain what we are doing wrong?!

Did someone get this module to work with the current Keycloak version and could provide some tips?

2chg commented

Maybe the 18-month-old issue statement is still valid and this plugin is still unusable with Keycloak > v4?!
(Which means we should consider this plugin abandoned at the moment.)

see #25

I use this package with Keycloak 9.0.3 and it works OK. After updating Keycloak to version 12.0.4 I have the same problems as you. @mchingotto where did you add the client scopes? Because I get "invalid request" too 😢

I am also encountering this issue. Did anyone find a fix?

I don't know if this was the case for previous versions of Keycloak, but you have to set "Use Refresh Tokens For Client Credentials Grant" to ON for the client for this plugin to work.

Hello @citos88, sorry for the delay.
What I did was adding those scopes in Configure/Client Scopes.
Then, inside Clients => Client Scopes => Add to "Assigned Default Client Scopes".

Hello, I could not make this work yet; I posted a traceback on @boladjivinny's commit.
Please let me know if somebody has this working on Keycloak 12.0.2 or newer.

Thank you,
I appreciate it.

It is working now with 15.0.1.
I am suspecting a cache problem. Not sure whether it was not possible to make this work on 12.0.2 (maybe my fault?).

Thank you @boladjivinny !!
M

Getting the same error in Keycloak 11.0.2 and 12.0.4. I am not allowed to upgrade the Keycloak services to a higher version. Are any fixes available for the above versions?

Hello @pmahindrakar, for some reason it happened to me also in 15.0.1 the first time, and it kept giving the error for the first few minutes.
I have no clue why yet. I am suspecting a cache issue or similar. I am mostly sure I did the same steps every time.
Did you try renewing certificates, etc. from the Django side? I guess you did.
Hope it gets fixed one way or another.

Yes, it worked after renewing the certificates, etc. from the Django side. Thank you @mchingotto

In the file services/oidc_profile.py, in the function _update_or_create (line 218), you should call client.openid_api_client.decode_token with the extra parameter access_token=token_response["access_token"].

The complete function call looks like this:

```python
token_object = client.openid_api_client.decode_token(
    token=token,
    key=client.realm.certs,
    algorithms=client.openid_api_client.well_known[
        'id_token_signing_alg_values_supported'],
    issuer=issuer,
    # Pass the access token from the same token response so the at_hash
    # claim in the ID token can be verified instead of raising JWTClaimsError.
    access_token=token_response["access_token"],
)
```
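To make the failure in this thread concrete, here is an added example (not code from django-keycloak or from the JWT library it uses) that implements the at_hash computation from OIDC Core 1.0 section 3.3.2.11 and the same "no access_token provided" check the comments above quote, so the two call shapes in the fix (with and without `access_token=token_response["access_token"]`) can be run against a constructed token response. The issuer, client id and token strings are constructed sample values, and the ID token is represented by its decoded claims only; signature verification is a separate step that this example does not perform.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# OIDC Core 1.0, 3.3.2.11: at_hash is the base64url encoding (no padding) of the
# left-most half of the hash of the access_token's ASCII octets, using the hash
# function that underlies the ID token's JWS alg (RS256 -> SHA-256, and so on).
_HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256, "HS256": hashlib.sha256,
    "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384, "HS384": hashlib.sha384,
    "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512, "HS512": hashlib.sha512,
}


class ATHashError(Exception):
    """Raised when the at_hash claim cannot be verified (stands in for the library's JWTClaimsError)."""


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """Return the at_hash value an OpenID Provider would put in an ID token for this access token."""
    digest = _HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def validate_at_hash(claims: Dict[str, str], access_token: Optional[str], alg: str = "RS256") -> bool:
    """Check the ID token's at_hash against the access_token from the same token response.

    Returns True when the claim is absent (nothing to check) or matches. Raises ATHashError
    when the claim is present but no access token was supplied (the situation in this issue),
    or when it does not match (tokens from different responses, or a substituted access token).
    """
    if "at_hash" not in claims:
        return True
    if not access_token:
        raise ATHashError("No access_token provided to compare against at_hash claim.")
    expected = compute_at_hash(access_token, alg)
    # Constant-time comparison; both sides are ASCII, so encoding to bytes is lossless.
    if not hmac.compare_digest(expected.encode("ascii"), claims["at_hash"].encode("ascii")):
        raise ATHashError("at_hash claim does not match the supplied access_token.")
    return True


# Constructed sample token response, shaped like what a token endpoint returns for the
# authorization code flow. The access token is a placeholder string, not a real JWT.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "eyJhbGciOiJSUzI1NiJ9.constructed-access-token.constructed-signature",
    "id_token_claims": {
        "iss": "https://keycloak.example/auth/realms/demo",  # assumed realm issuer
        "aud": "django-app",                                  # assumed client id
    },
}
# The OP computes at_hash over the access token it issues alongside the ID token.
SAMPLE_TOKEN_RESPONSE["id_token_claims"]["at_hash"] = compute_at_hash(
    SAMPLE_TOKEN_RESPONSE["access_token"], "RS256"
)


def decode_outcomes(token_response: dict) -> Dict[str, str]:
    """Run the at_hash check both ways the thread describes: without and with the access token."""
    claims = token_response["id_token_claims"]
    outcomes = {}
    try:
        validate_at_hash(claims, None)                         # the original decode_token call
        outcomes["without_access_token"] = "ok"
    except ATHashError as exc:
        outcomes["without_access_token"] = str(exc)
    validate_at_hash(claims, token_response["access_token"])  # the patched call
    outcomes["with_access_token"] = "ok"
    return outcomes


if __name__ == "__main__":
    for call, result in decode_outcomes(SAMPLE_TOKEN_RESPONSE).items():
        print(f"{call}: {result}")
```

The spec makes at_hash OPTIONAL for the code flow, but once the provider includes it (which the error in this thread shows Keycloak does) a conforming verifier must either be given the access token from the same token response or refuse the ID token; dropping the claim check would let an attacker pair a valid ID token with an access token it was never issued with, so passing `access_token=` as the last comment suggests is the right fix rather than silencing the error.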