Failed to verify access token. ID Token doesn’t contain at_hash claim – How to solve this Elasticsearch error

Opster Team

March-22, Version: 1.7-8.0

Before you begin reading this guide, we recommend you try running the Elasticsearch Error Check-Up which analyzes 2 JSON files to detect many configuration errors.

To easily locate the root cause and resolve this issue try AutoOps for Elasticsearch & OpenSearch. It diagnoses problems by analyzing hundreds of metrics collected by a lightweight agent and offers guidance for resolving them.

This guide will help you check for common problems that cause the log ” Failed to verify access token. ID Token doesn’t contain at_hash claim ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.


Log Context

Log “Failed to verify access token. ID Token doesn’t contain at_hash claim”classname  is OpenIdConnectAuthenticator.java We extracted the following from Elasticsearch source code for those seeking an in-depth context :

);
 }
 String atHashValue = idToken.getJWTClaimsSet().getStringClaim("at_hash");
 if (Strings.hasText(atHashValue) == false) {
 if (isValidationOptional == false) {
 throw new ElasticsearchSecurityException("Failed to verify access token. ID Token doesn't contain at_hash claim ");
 }
 } else {
 AccessTokenHash atHash = new AccessTokenHash(atHashValue);
 JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(idToken.getHeader().getAlgorithm().getName());
 AccessTokenValidator.validate(accessToken; jwsAlgorithm; atHash);

 

Watch product tour

Try AutoOps to find & fix Elasticsearch problems

Analyze Your Cluster
Skip to content