Briefly, this error occurs when Elasticsearch's security feature is unable to validate the access token because the ID token is missing the at_hash claim. This claim is used to verify the access token's integrity: the IdP binds the access token to the ID token by placing a hash of the access token in the ID token's at_hash claim. To resolve this issue, ensure that the Identity Provider (IdP) is configured to include the at_hash claim in the ID token. Alternatively, you can disable the at_hash claim verification in Elasticsearch by setting the "op.oidc.rp.id_token.verify_at_hash" property to false. However, this might increase the risk of token tampering.
This guide will help you check for common problems that cause the log "Failed to verify access token. ID Token doesn't contain at_hash claim" to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concept: plugin.
Log Context
The log "Failed to verify access token. ID Token doesn't contain at_hash claim" is emitted from the class OpenIdConnectAuthenticator.java. We extracted the following from the Elasticsearch source code for those seeking in-depth context:

            );
        }
        // at_hash is optional in the ID token; when present it must match the access token
        String atHashValue = idToken.getJWTClaimsSet().getStringClaim("at_hash");
        if (Strings.hasText(atHashValue) == false) {
            // Missing claim is only tolerated when validation has been marked optional
            if (isValidationOptional == false) {
                throw new ElasticsearchSecurityException("Failed to verify access token. ID Token doesn't contain at_hash claim ");
            }
        } else {
            // Recompute the hash with the ID token's signing algorithm and compare
            AccessTokenHash atHash = new AccessTokenHash(atHashValue);
            JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(idToken.getHeader().getAlgorithm().getName());
            AccessTokenValidator.validate(accessToken, jwsAlgorithm, atHash);
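The following is an added example, not Elasticsearch's own code, showing what the at_hash check above does in plain Python: the at_hash claim is the base64url encoding of the left half of the access token's digest, hashed with the function implied by the ID token's "alg" header (SHA-256 for RS256, and so on). The function names, the constructed access token and the ID token header/claims dictionaries are all assumptions for illustration; only the hash-and-compare rule comes from the OpenID Connect specification.

```python
import base64
import hashlib
import hmac

# JWS "alg" header value -> hash function prescribed for at_hash (OpenID Connect Core 3.1.3.6).
_ALG_TO_HASH = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def compute_at_hash(access_token: str, jws_alg: str) -> str:
    """Return the at_hash value an IdP should place in the ID token for this access token."""
    digest = hashlib.new(_ALG_TO_HASH[jws_alg], access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]          # left-most half of the digest bytes
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def verify_access_token(access_token: str, id_token_header: dict, id_token_claims: dict,
                        validation_optional: bool = False) -> bool:
    """Mirror the check in OpenIdConnectAuthenticator: missing at_hash is an error unless
    validation is optional; a present at_hash must match the recomputed value."""
    at_hash = id_token_claims.get("at_hash")
    if not at_hash:
        if validation_optional:
            return True
        raise ValueError("Failed to verify access token. ID Token doesn't contain at_hash claim")
    expected = compute_at_hash(access_token, id_token_header["alg"])
    # constant-time comparison so a mismatch leaks no timing information
    return hmac.compare_digest(expected, at_hash)


if __name__ == "__main__":
    # Constructed sample values (not real tokens): what a well-behaved IdP would issue.
    access_token = "constructed-access-token-abc123"
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"sub": "user-1", "at_hash": compute_at_hash(access_token, "RS256")}
    print("valid:", verify_access_token(access_token, header, claims))
    print("tampered:", verify_access_token(access_token + "x", header, claims))
    try:
        verify_access_token(access_token, header, {"sub": "user-1"})
    except ValueError as exc:
        print("missing claim:", exc)
```

Note that relaxing the check (the "validation optional" branch) removes the binding between the two tokens, which is why the page warns that disabling it increases the risk of token tampering.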