Access Token Validation in Openid Connectfleeting
Access Token Validation When using the Authorization Code Flow, if the ID Token contains an at_hash Claim, the Client MAY use it to validate the Access Token in the same manner as for the Implicit Flow, as defined in Section 126.96.36.199, but using the ID Token and Access Token returned from the Token Endpoint.
Access Token Validation To validate an Access Token issued from the Authorization Endpoint with an ID Token, the Client SHOULD do the following:
Hash the octets of the ASCII representation of the access_token with the hash algorithm specified in JWA [JWA] for the alg Header Parameter of the ID Token’s JOSE Header. For instance, if the alg is RS256, the hash algorithm used is SHA-256. Take the left-most half of the hash and base64url encode it. The value of at_hash in the ID Token MUST match the value produced in the previous step.