Is there a way to avoid validation?

[slasia]

Hi!, I am receiving an error
RPError: at_hash mismatch, expected wtJejxJuXnw6YA0Gdw6irA, got: 74kT1QEi91iSOC529YcJcQ when the validateIdToken function is executed, I do not understand why, the access_token and the id_token are entered into https://jwt.io/#libraries and they have a correct signature.

Is there any way to avoid that validation within the library?

[panva]

There is no way to avoid validations required by the specification. at_hash is present to prevent access token injection in implicit and hybrid responses and it is a cryptographic binding of an access token value to an accompanying id token. It is also applicable in code flow.

[panva]

I do not understand why

https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken

[slasia]

thanks!

[fchevallieratecna]

@slasia : did you manage to find a way ?
On my side, it seems that the oauth server gives wrong at_hash.

I always have something like this.

at_hash mismatch, expected _I9YvZMlk9fUgE4f3uEbhg, got: _I9YvZMlk9fUgE4f3uEb

Is there a way to generate only the access token without validation ?