fix: omit *_hash ID Token claims if signed with "none" (code flow only)

panva · Nov 5, 2019 · 5c540c0 · 5c540c0
1 parent c6b1770
commit 5c540c0
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/lib/models/id_token.js b/lib/models/id_token.js
@@ -139,11 +139,13 @@ module.exports = function getIdToken(provider) {
           throw new TypeError('invalid use option');
       }
 
-      hashes.forEach((claim) => {
-        if (payload[claim]) {
-          payload[claim] = tokenHash(payload[claim], alg);
-        }
-      });
+      if (alg && alg !== 'none') {
+        hashes.forEach((claim) => {
+          if (payload[claim]) {
+            payload[claim] = tokenHash(payload[claim], alg);
+          }
+        });
+      }
 
       const signed = await (() => {
         if (!alg) {