by Justin Richer, Lead Technologist at Mitre Corporation on Jul 22, 2014
Fixed - Summer ’14

The ID token returned from the token endpoint in the response to a successful OAuth request includes a c_hash value rather than an at_hash value. Based on the OpenID Connect spec (http://ift.tt/1fbGmM4), the token should contain the at_hash value.

Repro

Use the token endpoint http://ift.tt/LNrmHd with the openid scope for authorization, using an OAuth flow.

Workaround

The value for the c_hash is generated from the access token, so it’s currently the same as the expected at_hash.
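A client-side check for the behaviour described above, as an added example that is not code from the original page or from the vendor: it computes the OpenID Connect access-token hash and accepts it under `c_hash` only when `at_hash` is absent. The function names and sample tokens are hypothetical and constructed, and the ID token signature is assumed to have been verified already by a JWT library.

```python
import base64
import hashlib
import hmac
import json

# The hash follows the ID token's JWS alg (RS256 -> SHA-256, and so on).
_HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_json(segment: str) -> dict:
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def left_half_hash(value: str, alg: str) -> str:
    """base64url (unpadded) of the left-most half of hash(ASCII(value))."""
    if alg[-3:] not in _HASHES:
        raise ValueError(f"unsupported alg: {alg}")
    digest = _HASHES[alg[-3:]](value.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])

def _same(claim, expected: str) -> bool:
    # Constant-time comparison; a missing or non-string claim never matches.
    return isinstance(claim, str) and hmac.compare_digest(
        claim.encode(), expected.encode())

def check_access_token_binding(id_token: str, access_token: str) -> str:
    """Return 'at_hash', 'c_hash-workaround' or 'mismatch'.
    Assumption: the signature on id_token was verified before this call."""
    header_b64, payload_b64, _sig = id_token.split(".")
    header, claims = _b64url_json(header_b64), _b64url_json(payload_b64)
    expected = left_half_hash(access_token, header["alg"])
    if "at_hash" in claims:  # spec-conformant response
        return "at_hash" if _same(claims["at_hash"], expected) else "mismatch"
    # Affected responses carry the access-token hash under c_hash instead.
    return "c_hash-workaround" if _same(claims.get("c_hash"), expected) else "mismatch"

# Constructed sample data, not real tokens; the signature segment is a dummy.
ACCESS_TOKEN = "constructed-access-token-0001"

def make_sample_id_token(claim_name: str, access_token: str = ACCESS_TOKEN) -> str:
    enc = lambda obj: _b64url(json.dumps(obj).encode())
    claims = {"iss": "https://idp.example", "sub": "user-1",
              claim_name: left_half_hash(access_token, "RS256")}
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"
```

Returning a distinct `c_hash-workaround` result lets a client log how often it relies on the fallback and remove it once every response carries `at_hash`.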