Failed to verify access token ID Token doesn t contain at hash claim – How to solve this Elasticsearch exception

Opster Team

August-23, Version: 7.2-8.9

Briefly, this error occurs when Elasticsearch’s security feature is unable to validate the access token because the ID token is missing the at_hash claim. This claim is used to verify the access token’s integrity. To resolve this issue, ensure that the Identity Provider (IdP) is configured to include the at_hash claim in the ID token. Alternatively, you can disable the at_hash claim verification in Elasticsearch by setting the ‘op.oidc.rp.id_token.verify_at_hash’ property to false. However, this might increase the risk of token tampering.

This guide will help you check for common problems that cause the log ” Failed to verify access token. ID Token doesn’t contain at_hash claim ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.

Log Context

Log “Failed to verify access token. ID Token doesn’t contain at_hash claim” class name is OpenIdConnectAuthenticator.java. We extracted the following from Elasticsearch source code for those seeking an in-depth context :

 );
 }
 String atHashValue = idToken.getJWTClaimsSet().getStringClaim("at_hash");
 if (Strings.hasText(atHashValue) == false) {
 if (isValidationOptional == false) {
 throw new ElasticsearchSecurityException("Failed to verify access token. ID Token doesn't contain at_hash claim ");
 }
 } else {
 AccessTokenHash atHash = new AccessTokenHash(atHashValue);
 JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(idToken.getHeader().getAlgorithm().getName());
 AccessTokenValidator.validate(accessToken; jwsAlgorithm; atHash);

 

How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?