I am setting up Identity-Provider initiated SAML Login for a Single Page App using the Auth0 Lock widget. I had some trouble because the tokens we’re getting have the “at_hash” claim that our other tokens do not. The token gets passed to our backend without the “access_token” needed to verify the “at_hash” claim and even though the login succeeds from the Lock Widget perspective, the user gets kicked out of the app because all requests to our backend fail.
I’ve found the naming of these two tokens a little inconsistent, so, to be explicit: during the IDP handshake, the browser is redirected to call: https://our_domain.auth0.com/login/callback?connection=our_connection
In the response to this request, auth0 sets the following header:
location:url-to-our-app/?environment=dev#access_token=short_code&expires_in=86400&id_token=app_token&token_type=Bearer&state=otherstuff
The “id_token” is a JWT with the claims we need to validate a token on our backend. The access_token is a shorter code which I assume is needed to verify the “at_hash” claim in the “id_token”.
Does the lock widget validate the at_hash claim for us from the Browser?
Do we need to verify the at_hash claim again on the backend? If we should, is there a standard way to pass this to the backend, like how we pass our id_token in an Authorization Header on the request to our backend?
Thanks!
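The check the question is asking about, as an added example (this is not code from the post, from Auth0 or from the Lock widget): at_hash is the left-most half of the hash of the ASCII access_token, using the hash function behind the ID token's signing alg (SHA-256 for RS256), base64url-encoded without padding (OpenID Connect Core 3.2.2.10). The block parses a Location header of the shape shown above, pulls out access_token and id_token, and recomputes at_hash; it deliberately does not verify the JWT signature, issuer, audience or expiry, which must happen first. The function names, the demo token builder and every token value are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Hash function behind each JWS alg. OIDC Core 3.2.2.10 derives at_hash from the
# hash used by the ID token's "alg" header (RS256 -> SHA-256, RS512 -> SHA-512, ...).
_HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "ES256": hashlib.sha256, "HS256": hashlib.sha256, "PS256": hashlib.sha256,
    "RS384": hashlib.sha384, "ES384": hashlib.sha384, "HS384": hashlib.sha384, "PS384": hashlib.sha384,
    "RS512": hashlib.sha512, "ES512": hashlib.sha512, "HS512": hashlib.sha512, "PS512": hashlib.sha512,
}


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, as JOSE/JWT encodes everything."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the base64 module needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compute_at_hash(access_token: str, alg: str) -> str:
    """Left-most half of hash(access_token), base64url-encoded (OIDC Core 3.2.2.10)."""
    digest = _HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def parse_callback_fragment(location: str) -> dict:
    """Extract access_token, id_token, etc. from the #fragment of the Location header."""
    fragment = urlparse(location).fragment
    return {key: values[0] for key, values in parse_qs(fragment).items()}


def decode_jwt_unverified(token: str):
    """Split a compact JWS into (header, claims) WITHOUT checking the signature.
    Signature, issuer, audience and expiry validation are assumed to be done elsewhere."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def check_at_hash(id_token: str, access_token):
    """Return (ok, reason). Run this only after the id_token signature has been verified."""
    header, claims = decode_jwt_unverified(id_token)
    if "at_hash" not in claims:
        return True, "no at_hash claim, nothing to bind"
    if access_token is None:
        # This is the failure mode in the question: the backend received the
        # id_token but not the access_token, so the binding cannot be checked.
        return False, "id_token carries at_hash but no access_token was supplied"
    alg = header.get("alg")
    if alg not in _HASH_FOR_ALG:
        return False, f"unsupported alg {alg!r}"
    expected = compute_at_hash(access_token, alg)
    if not hmac.compare_digest(expected, str(claims["at_hash"])):
        return False, "at_hash does not match the supplied access_token"
    return True, "at_hash matches"


def make_demo_id_token(claims: dict, alg: str = "RS256") -> str:
    """Constructed, UNSIGNED token for this demo only (empty signature segment)."""
    header = {"alg": alg, "typ": "JWT"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), ""])


if __name__ == "__main__":
    # Constructed values standing in for what the callback would redirect with.
    access = "constructed-short-access-token-123"
    id_tok = make_demo_id_token({"sub": "user-1", "at_hash": compute_at_hash(access, "RS256")})
    location = ("https://app.example/?environment=dev#access_token=" + access +
                "&expires_in=86400&id_token=" + id_tok + "&token_type=Bearer&state=xyz")
    parts = parse_callback_fragment(location)
    print(check_at_hash(parts["id_token"], parts["access_token"]))  # (True, 'at_hash matches')
    print(check_at_hash(parts["id_token"], None))                   # (False, '... no access_token ...')
```

The practical point for a backend: if the ID token carries at_hash and the client only forwards the id_token, the binding to the access_token cannot be checked, so either the client forwards both values (the access_token as an extra header or field alongside the Authorization header) or the backend treats at_hash as not applicable to its own check and validates the signature, issuer, audience and expiry only.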