From 086bdd1700e19cac97be642c1621900c4a05d6aa Mon Sep 17 00:00:00 2001
From: Youssef El Houti
Date: Fri, 1 Feb 2019 16:18:50 +0100
Subject: [PATCH] add optional field at_hash to idToken when using Authorization Code flow since it improves performance and allows to follow the recommandation in RFC for clients to use hash for access_token validation
---
 .../keycloak/protocol/oidc/endpoints/TokenEndpoint.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
index 64083555039a..d5ae1891701d 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
@@ -414,7 +414,7 @@ public Response codeToToken() {
 }
 if (TokenUtil.isOIDCRequest(scopeParam)) {
- responseBuilder.generateIDToken();
+ responseBuilder.generateIDToken().generateAccessTokenHash();
 }
 AccessTokenResponse res = null;
@@ -614,7 +614,7 @@ public Response resourceOwnerPasswordCredentialsGrant() {
 String scopeParam = clientSessionCtx.getClientSession().getNote(OAuth2Constants.SCOPE);
 if (TokenUtil.isOIDCRequest(scopeParam)) {
- responseBuilder.generateIDToken();
+ responseBuilder.generateIDToken().generateAccessTokenHash();
 }
 // TODO : do the same as codeToToken()
@@ -688,7 +688,7 @@ public Response clientCredentialsGrant() {
 String scopeParam = clientSessionCtx.getClientSession().getNote(OAuth2Constants.SCOPE);
 if (TokenUtil.isOIDCRequest(scopeParam)) {
- responseBuilder.generateIDToken();
+ responseBuilder.generateIDToken().generateAccessTokenHash();
 }
 // TODO : do the same as codeToToken()
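Review bot: The subject line describes `at_hash` as added for the Authorization Code flow, but the same call is also added in `resourceOwnerPasswordCredentialsGrant()`, `clientCredentialsGrant()` and `exchangeClientToClient()`, so the description understates which token responses change. The diffstat shows one file and no test. A test per grant that recomputes the left-most half of the hash of the returned `access_token`, using the hash that matches the ID token's `alg`, and compares it with `at_hash` would catch a hash taken over a different token or with the wrong algorithm. Whether `generateAccessTokenHash()` computes the value at call time or defers it to `build()` is not visible in these hunks; if it is computed at call time, the access token must already be final at this point. Above the call in `codeToToken()` I would add `// at_hash binds this ID token to the access_token returned in the same response (OpenID Connect Core 3.1.3.6)`; the bodies of all four methods continue outside the hunks.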
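Review bot: The `isOIDCRequest` block in `resourceOwnerPasswordCredentialsGrant()` is now one of four hand-edited copies of the same three lines (the others are in `codeToToken()`, `clientCredentialsGrant()` and `exchangeClientToClient()`), and two of those copies sit directly above `// TODO : do the same as codeToToken()`. A private helper taking the builder and `scopeParam` would keep the ID-token claims identical across grants, so a later change to what the ID token carries cannot reach one grant and miss another. Each call site would then read something like `addIdTokenIfOidc(responseBuilder, scopeParam);` (the helper name is only a suggestion). The method body continues outside the hunk.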
@@ -925,7 +925,7 @@ protected Response exchangeClientToClient(UserModel targetUser, UserSessionModel
 String scopeParam = clientSessionCtx.getClientSession().getNote(OAuth2Constants.SCOPE);
 if (TokenUtil.isOIDCRequest(scopeParam)) {
- responseBuilder.generateIDToken();
+ responseBuilder.generateIDToken().generateAccessTokenHash();
 }
 AccessTokenResponse res = responseBuilder.build();