Briefly, this error occurs when Elasticsearch’s security feature is unable to validate the access token because the ID token is missing the at_hash claim. This claim is used to verify the access token’s integrity. To resolve this issue, ensure that the Identity Provider (IdP) is configured to include the at_hash claim in the ID token. Alternatively, you can disable the at_hash claim verification in Elasticsearch by setting the ‘op.oidc.rp.id_token.verify_at_hash’ property to false. However, this might increase the risk of token tampering.
This guide will help you check for common problems that cause the log ” Failed to verify access token. ID Token doesn’t contain at_hash claim ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.
Log Context
Log “Failed to verify access token. ID Token doesn’t contain at_hash claim” class name is OpenIdConnectAuthenticator.java. We extracted the following from Elasticsearch source code for those seeking an in-depth context :
);
}
String atHashValue = idToken.getJWTClaimsSet().getStringClaim("at_hash");
if (Strings.hasText(atHashValue) == false) {
if (isValidationOptional == false) {
throw new ElasticsearchSecurityException("Failed to verify access token. ID Token doesn't contain at_hash claim ");
}
} else {
AccessTokenHash atHash = new AccessTokenHash(atHashValue);
JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(idToken.getHeader().getAlgorithm().getName());
AccessTokenValidator.validate(accessToken; jwsAlgorithm; atHash);
