{"id":15660440,"url":"https://github.com/panva/oidc-token-hash","last_synced_at":"2025-04-04T14:07:36.664Z","repository":{"id":57313894,"uuid":"68470774","full_name":"panva/oidc-token-hash","owner":"panva","description":"Create and validate hashes pushed by OpenID Connect providers to ID Tokens.","archived":false,"fork":false,"pushed_at":"2025-02-21T16:09:31.000Z","size":120,"stargazers_count":22,"open_issues_count":0,"forks_count":9,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-28T13:08:47.836Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/panva.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"panva"}},"created_at":"2016-09-17T18:28:56.000Z","updated_at":"2025-03-21T23:33:45.000Z","dependencies_parsed_at":"2023-02-08T10:02:02.720Z","dependency_job_id":"37070085-d283-4bf6-a466-a32010aa26e8","html_url":"https://github.com/panva/oidc-token-hash","commit_stats":{"total_commits":64,"total_committers":4,"mean_commits":16.0,"dds":0.09375,"last_synced_commit":"4e240350d602436e564c4833d7e722fd5ba91f4b"},"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panva%2Foidc-token-hash","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panva%2Foidc-token-hash/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panva%2Foidc-token-hash/releases","manifests_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/panva%2Foidc-token-hash/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/panva","download_url":"https://codeload.github.com/panva/oidc-token-hash/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247190250,"owners_count":20898702,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-03T13:21:44.615Z","updated_at":"2025-04-04T14:07:36.637Z","avatar_url":"https://github.com/panva.png","language":"JavaScript","funding_links":["https://github.com/sponsors/panva"],"categories":[],"sub_categories":[],"readme":"# oidc-token-hash\n\noidc-token-hash validates (and generates) ID Token `_hash` claims such as `at_hash` or `c_hash`\n\n\u003e Its [`*_hash`] value is the base64url encoding of the left-most half of the hash of the octets of\n\u003e the ASCII representation of the `token` / `state` / `code` value, where the hash algorithm used is\n\u003e the hash algorithm used in the `alg` Header Parameter of the ID Token's JOSE Header. For instance,\n\u003e if the `alg` is `RS256`, hash the `token` / `state` / `code` value with SHA-256, then take the\n\u003e left-most 128 bits and base64url encode them. 
The `*_hash` value is a case sensitive string.\n\n## Matrix\n\n| JWS algorithm | used hash algorithm | Note |\n| --- | --- | --- |\n| HS256, RS256, PS256, ES256, ES256K | sha256 | |\n| HS384, RS384, PS384, ES384 | sha384 | |\n| HS512, RS512, PS512, ES512 | sha512 | |\n| EdDSA w/ Ed25519 curve | sha512 | [connect/issues#1125](https://bitbucket.org/openid/connect/issues/1125) |\n| EdDSA w/ Ed448 curve | shake256 | [connect/issues#1125](https://bitbucket.org/openid/connect/issues/1125) |\n| Ed25519 | sha512 | [connect/issues#1125](https://bitbucket.org/openid/connect/issues/1125) |\n| Ed448 | shake256 | [connect/issues#1125](https://bitbucket.org/openid/connect/issues/1125) |\n\n## Usage\n\nValidating\n```js\nconst oidcTokenHash = require('oidc-token-hash');\n\nconst access_token = 'YmJiZTAwYmYtMzgyOC00NzhkLTkyOTItNjJjNDM3MGYzOWIy9sFhvH8K_x8UIHj1osisS57f5DduL-ar_qw5jl3lthwpMjm283aVMQXDmoqqqydDSqJfbhptzw8rUVwkuQbolw';\n\noidcTokenHash.validate({ claim: 'at_hash', source: 'access_token' }, 'x7vk7f6BvQj0jQHYFIk4ag', access_token, 'RS256'); // =\u003e does not throw\noidcTokenHash.validate({ claim: 'at_hash', source: 'access_token' }, 'EGEAhGYyfuwDaVTifvrWSoD5MSy_5hZPy6I7Vm-7pTQ', access_token, 'EdDSA', 'Ed25519'); // =\u003e does not throw\noidcTokenHash.validate({ claim: 'at_hash', source: 'access_token' }, 'EGEAhGYyfuwDaVTifvrWSoD5MSy_5hZPy6I7Vm-7pTQ', access_token, 'Ed25519'); // =\u003e does not throw\noidcTokenHash.validate({ claim: 'at_hash', source: 'access_token' }, 'x7vk7f6BvQj0jQHYFIk4ag', 'foobar', 'RS256'); // =\u003e throws AssertionError, message: at_hash mismatch, expected w6uP8Tcg6K2QR905Rms8iQ, got: x7vk7f6BvQj0jQHYFIk4ag\n```\n\nGenerating\n```js\n// access_token from first example\noidcTokenHash.generate(access_token, 'RS256'); // =\u003e 'x7vk7f6BvQj0jQHYFIk4ag'\noidcTokenHash.generate(access_token, 'HS384'); // =\u003e 'ups_76_7CCye_J1WIyGHKVG7AAs2olYm'\noidcTokenHash.generate(access_token, 'ES512'); // =\u003e 
'EGEAhGYyfuwDaVTifvrWSoD5MSy_5hZPy6I7Vm-7pTQ'\noidcTokenHash.generate(access_token, 'Ed25519'); // =\u003e 'EGEAhGYyfuwDaVTifvrWSoD5MSy_5hZPy6I7Vm-7pTQ'\noidcTokenHash.generate(access_token, 'EdDSA', 'Ed25519'); // =\u003e 'EGEAhGYyfuwDaVTifvrWSoD5MSy_5hZPy6I7Vm-7pTQ'\noidcTokenHash.generate(access_token, 'Ed448'); // =\u003e 'jxsy68_eG9-91VnHsZ2VnCr_WqDMv4nspiSuUPRdNZnv1y5lNV3rPVYYWNiY_TbUB1JRwlgiDTzZ'\noidcTokenHash.generate(access_token, 'EdDSA', 'Ed448'); // =\u003e 'jxsy68_eG9-91VnHsZ2VnCr_WqDMv4nspiSuUPRdNZnv1y5lNV3rPVYYWNiY_TbUB1JRwlgiDTzZ'\n```\n\n## Changelog\n- 5.1.0 - add support for Ed25519 and Ed448 JWS Algorithm Identifiers\n- 5.0.2 - avoid use of deprecated String.prototype.substr\n- 5.0.1 - use `base64url` native encoding in Node.js when available\n- 5.0.0 - fixed `Ed448` and `shake256` to use 114 bytes output\n- 4.0.0 - using `sha512` for `Ed25519` and `shake256` for `Ed448`, refactored API, removed handling of `none` JWS alg\n- 3.0.2 - removed `base64url` dependency\n- 3.0.1 - `base64url` comeback\n- 3.0.0 - drop lts/4 support, replace base64url dependency\n- 2.0.0 - rather than assuming the alg based on the hash length `#valid()` now requires a third\n  argument with the JOSE header `alg` value, resulting in strict validation\n- 1.0.0 - initial release\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanva%2Foidc-token-hash","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpanva%2Foidc-token-hash","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanva%2Foidc-token-hash/lists"}