
id_token generation does not work with EdDSA #799

@azmeuk

Description


It seems id_token generation is broken with EdDSA jwks.

The create_half_hash method is called in the generate_id_token method:

```python
if code:
    payload["c_hash"] = to_native(create_half_hash(code, alg))
access_token = token.get("access_token")
if access_token:
    payload["at_hash"] = to_native(create_half_hash(access_token, alg))
```

However, it seems it does not support EdDSA keys:

```pycon
>>> from authlib.oidc.core.util import create_half_hash
>>> assert create_half_hash("test", "RS256")
>>> assert create_half_hash("test", "EdDSA")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AssertionError
```

After investigation, it seems this is because authlib tries to access hashlib.shaDSA, which does not exist:

```python
import hashlib

from authlib.common.encoding import to_bytes, urlsafe_b64encode


def create_half_hash(s, alg):
    # Derives the digest name from the alg suffix, e.g. "RS256" -> "sha256";
    # for "EdDSA" this yields "shaDSA", which hashlib does not provide.
    hash_type = f"sha{alg[2:]}"
    hash_alg = getattr(hashlib, hash_type, None)
    if not hash_alg:
        return None
    data_digest = hash_alg(to_bytes(s)).digest()
    slice_index = int(len(data_digest) / 2)
    return urlsafe_b64encode(data_digest[:slice_index])
```
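As an added example (not authlib's code and not part of the issue), a half-hash helper that maps each JWS `alg` to its digest explicitly, so `EdDSA` is covered and an unknown `alg` raises instead of silently returning `None`, plus a client-side `verify_half_hash` check. The `EdDSA` row assumes the Ed25519 curve, whose signatures use SHA-512; the table name, the helper names and the sample strings are my own.

```python
import base64
import hashlib
import hmac

# Digest for each JWS "alg": the hash tied to the signing algorithm, e.g.
# SHA-256 for RS256 (OpenID Connect Core, c_hash / at_hash). The EdDSA row
# is an assumption for Ed25519 (SHA-512); Ed448 would need a different entry.
HALF_HASH_DIGEST = {
    "HS256": "sha256", "HS384": "sha384", "HS512": "sha512",
    "RS256": "sha256", "RS384": "sha384", "RS512": "sha512",
    "ES256": "sha256", "ES384": "sha384", "ES512": "sha512",
    "PS256": "sha256", "PS384": "sha384", "PS512": "sha512",
    "EdDSA": "sha512",  # assumption: Ed25519 curve
}


def urlsafe_b64encode_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def create_half_hash(value: str, alg: str) -> str:
    """Left-most half of the digest of `value`, base64url-encoded.

    An alg with no known digest raises, so an ID token is never issued
    without its c_hash / at_hash binding to the code or access token.
    """
    try:
        digest_name = HALF_HASH_DIGEST[alg]
    except KeyError:
        raise ValueError(f"no half-hash digest defined for alg {alg!r}")
    digest = hashlib.new(digest_name, value.encode("utf-8")).digest()
    return urlsafe_b64encode_nopad(digest[: len(digest) // 2])


def verify_half_hash(value: str, alg: str, claim: str) -> bool:
    """Relying-party check of an at_hash / c_hash claim against the token
    or code actually received, using a constant-time comparison."""
    try:
        expected = create_half_hash(value, alg)
    except ValueError:
        return False
    return hmac.compare_digest(expected, claim)


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    print(create_half_hash("test", "RS256"))  # n4bQgYhMfWWaL-qgxVrQFQ
    print(create_half_hash("test", "EdDSA"))
```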
