Diffstat (limited to '')
-rw-r--r--changelog.d/18385.misc1
-rw-r--r--synapse/handlers/oidc.py2
2 files changed, 2 insertions, 1 deletions
diff --git a/changelog.d/18385.misc b/changelog.d/18385.misc
new file mode 100644

index 0000000000..a8efca68d0
--- /dev/null
+++ b/changelog.d/18385.misc
@@ -0,0 +1 @@
+Don't validate the `at_hash` (access token hash) field in OIDC ID Tokens if we don't end up actually using the OIDC Access Token.
\ No newline at end of file
diff --git a/synapse/handlers/oidc.py b/synapse/handlers/oidc.py
index fb759172b3..acf2d4bc8b 100644
--- a/synapse/handlers/oidc.py
+++ b/synapse/handlers/oidc.py
@@ -599,7 +599,7 @@ class OidcProvider:
 # from the userinfo endpoint. Therefore we only have a single criteria
 # to check right now but this may change in the future and this function
 # should be updated if more usages are introduced.
- #
+ #
 # For example, if we start to use the access_token given to us by the
 # IdP for more things, such as accessing Resource Server APIs.
 return self._uses_userinfo