Merge pull request #246 from 55728/fix/at-hash-algorithm-mismatch

nbulaj · web-flow · commit 1bd20e2467ee · 2026-04-23T10:21:04.000+03:00
Fix `at_hash` to use correct hash algorithm based on `signing_algorithm`
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 - Please add here
 - [#241] Fix NameError on doorkeeper master by deferring AR model loading in run_hooks (see [Doorkeeper PR](https://github.com/doorkeeper-gem/doorkeeper/pull/1804))
+- [#246] Fix `at_hash` to use correct hash algorithm based on `signing_algorithm`
 
 ## v1.9.0 (2026-03-16)
 
diff --git a/lib/doorkeeper/openid_connect/id_token_token.rb b/lib/doorkeeper/openid_connect/id_token_token.rb
@@ -24,12 +24,19 @@ def claims
       #   access_token value with SHA-256, then take the left-most 128 bits and
       #   base64url-encode them. The at_hash value is a case-sensitive string.
       def at_hash
-        sha256 = Digest::SHA256.new
-        token = @access_token.token
-        hashed_token = sha256.digest(token)
+        hashed_token = at_hash_digest.digest(@access_token.token)
         first_half = hashed_token[0...hashed_token.length / 2]
         Base64.urlsafe_encode64(first_half).tr('=', '')
       end
+
+      def at_hash_digest
+        case Doorkeeper::OpenidConnect.signing_algorithm.to_s
+        when /256\z/ then Digest::SHA256
+        when /384\z/ then Digest::SHA384
+        when /512\z/ then Digest::SHA512
+        else Digest::SHA256
+        end
+      end
     end
   end
 end
diff --git a/spec/lib/id_token_token_spec.rb b/spec/lib/id_token_token_spec.rb
@@ -33,4 +33,37 @@
       })
     end
   end
+
+  describe '#at_hash' do
+    # Per OIDC Core 1.0 §3.1.3.6 / §3.2.2.9, at_hash must use the hash algorithm
+    # that matches the alg of the ID Token's JOSE header (e.g. HS512 -> SHA-512).
+    let(:token_value) { 'jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y' }
+
+    before { access_token.update(token: token_value) }
+
+    def expected_at_hash(token, hasher)
+      digest = hasher.digest(token)
+      Base64.urlsafe_encode64(digest[0, digest.length / 2]).tr('=', '')
+    end
+
+    it 'uses SHA-256 for the default RS256 signing algorithm' do
+      expect(subject.claims[:at_hash]).to eq(expected_at_hash(token_value, Digest::SHA256))
+    end
+
+    context 'when signing_algorithm is HS512' do
+      before { configure_hmac }
+
+      it 'uses SHA-512' do
+        expect(subject.claims[:at_hash]).to eq(expected_at_hash(token_value, Digest::SHA512))
+      end
+    end
+
+    context 'when signing_algorithm is ES512' do
+      before { configure_ec }
+
+      it 'uses SHA-512' do
+        expect(subject.claims[:at_hash]).to eq(expected_at_hash(token_value, Digest::SHA512))
+      end
+    end
+  end
 end
