'disableAtHashCheck' by default if responseType is 'id_token'

If the response type 'id_token' is in the implicit flow, no at_hash value is provided in the id_token.
manfredsteyer · Apr 29, 2020 · 169d749 · 169d749
1 parent c587f55
commit 169d749
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/projects/lib/src/oauth-service.ts b/projects/lib/src/oauth-service.ts
@@ -2068,7 +2068,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
     // addressing https://github.com/manfredsteyer/angular-oauth2-oidc/issues/661
     // i.e. Based on spec the at_hash check is only true for implicit code flow on Ping Federate
     // https://www.pingidentity.com/developer/en/resources/openid-connect-developers-guide.html
-    if (this.hasOwnProperty('responseType') && this.responseType === 'code') {
+    if (this.hasOwnProperty('responseType') && (this.responseType === 'code' || this.responseType === 'id_token')) {
       this.disableAtHashCheck = true;
     }
     if (